Domain 1: Security and Risk Management 15%

Question 1

Due Diligence

Answer 1

The research to build the IT Sec. architecture of your org. Best practices and common protection mechanisms. Research of new sys. before implementing.

Question 2

Due Care

Answer 2

Prudent person rule. Implementing the IT Security architecture, keeping sys patched. If comprimised: fix the issue, notify affected users.

Question 3

Negligence

Answer 3

is the opposite of Due Care. If a system under your control is compromised and you can prove you did your Due Care, you are most likely not liable. If a system under your control is compromised and you did NOT perform Due Care, you are most likely liable.

Question 4

Real Evidence

Answer 4

Tangible and physical objects in IT Security: Hard disks, USB drives –NOT the data on them.

Question 5

Direct Evidence

Answer 5

Testimony from a first hand witness, what they experienced with their 5 senses.

Question 6

Circumstantial Evidence

Answer 6

Evidence to support circumstances for a point or other evidence.

Question 7

Corroborative Evidence

Answer 7

Supports facts or elements of the case: not a fact on its own but support other facts.

Question 8

Hearsay

Answer 8

Not first-hand knowledge - normally inadmissible in a case. Rule 803 provides for the admissibility of a record or report that was “made at or near the time by. Must have clear chain of custody and hash the files/logs to assure the data was not modified.

Question 9

Best Evidence Rule

Answer 9

The courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.

Question 10

Secondary Evidence

Answer 10

This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

Question 11

Evidence Integrity

Answer 11

It is vital that the evidence integrity cannot be questioned. We do this with hashes. Any forensics is done on copies and never originals. Check hashes on both original and copy before and after the fornsics.

Question 12

Chain of Custody

Answer 12

This is done to prove the integrity of the data; that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?

Question 13

Entrapment

Answer 13

Illegal and unethical: When someone is persuaded to commit a crime they had no intention of committing and is then charged with it

Question 14

Enticement

Answer 14

Legal and ethical: Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so. Honeypots can be a good way to use Enticement.

Question 15

Copyright

Answer 15

Automatically granted and lasts 70 years after creator’s death or 95 years after creation by/for coporations.
Attack: Software piracy and copyright infringement (songs and images)

Question 16

Trademarks

Answer 16

Brand names, logos, slogans - Must be registered, is valid for 10 years at a time, can be renewed indefinitely.
Attack: Counterfeiting - fake Rolexes

Question 17

Patents

Answer 17

Protects inventions for 20 years. Cryptography algorithms can be patented. Inventions must be novel, useful, nonobvious.
Attack: Patent infringment using someone else’s patent in your product without permission.

Question 18

Trade Secrets

Answer 18

You tell no one about your formula, your secret sauce. If discovered anyone can use it; you are not protected.

Question 19

HIPAA

Answer 19

Health Insurance Portability and Accountability Act. Puts strict privacy and security rules on how Personal Health Info. is handled by health insurers, providers and clearing house agencies (Claims). Has 3 rules: Privacy rule, Security rule and Breach Notification rule. Risk Analysis is required.

Question 20

Electronic Communications Privacy Act (ECPA)

Answer 20

Protection of elect. comm. against warrantless wiretapping. This Act was weakened by the Patriot Act.

Question 21

Patriot Act of 2001

Answer 21

Expands law enf. elect. monitoring cabapbilities. Allows search and seizure without immediate disclosure.

Question 22

Computer Fraud and Abuse Act. (CFAA)

Answer 22

Most commonly used law to prosecute computer crimes. Enacted in 1986 and aamended many time including 2002 (Patriot Act) and 2008 (Identity Theft Enforcement and Restitution Act).

Question 23

Gramm-Leach-Bliley Act (GLBA)

Answer 23

Applies to financial instit. Enacted in 1999, requires protection of the confidentiality and integrity of consumer financial information.

Question 24

Sarbanes-Oxley Act of 2002 (SOX)

Answer 24

Directly related to the acct scandals in the late 90’s. Regulatory compliance mandated standards for financial report of publicily traded companies. Intential violations can result in criminal penalties.

Question 25

EU Data Protection Directive

Answer 25

Very aggressive pro-privacy law. Orgs must notify individ of how their data is gathered and used. Orgs must allow for opt-out for sharing with 3rd parties. Opt-in is required for sharing “most” sensitive data. No transmission out of EU unless the recieving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard.

Question 26

Organization for Economic Cooperation and Development (OECD) Privacy Guidelines

Answer 26

Eight driving principles. Security safeguards principles: Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.

Question 27

Wassenaar Arranagement

Answer 27

Export/import controls for Conventional Arms and Dual-Use Goods and Technologies. 41 countries are a part of the arrangement. Cryptography is considered “Dual-Use” Iran, Iraq, China, Russia and others have import restrictions on strong cryptography.

Question 28

Procurement

Answer 28

When we buy products or services from a 3rd party, security is included and not an afterthought.

Question 29

Service Level Agreement (SLA)

Answer 29

a certain uptime can be promised.

Question 30

Acquisitions

Answer 30

Your company acquires another. How do you ensure their security standards are high enough? How do you ensure data availability in the transition?

Question 31

Divestures

Answer 31

You org is being split up. How do you ensure no data crosses boundaries it shouldn’t? Who gets the IT Infrastructure?

Question 32

GDPR, General Data Protection Regulation

Answer 32

is a regulation in EU law on data protection and privacy for all individuals within the EU and European Economic Area (EEA). It does not matter where we are based, if we have customers in EU/EEA we have to adhere to the GDPR. Violators of the GDPR may be fined up to 20 million Euros or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

Question 33

ISC Code of Ethics Preamble

Answer 33

The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is condition of certification.

Question 34

ISC Code of Ethics Canons

Answer 34

Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competant service to principles.
Advance and protect the profession.

Question 35

IAB’s Ethics and the Internet

Answer 35

Defined as RFC #1087. Considered unethical behavior: 1. Seeks to gain unauthorized access to the resources of the Internet. 2. Disrupts the intended use of the Internet. 3. Wastes resources.

Question 36

Informaton Security Governance Mandatory items

Answer 36

Policies, Standards, Procedures

Question 37

Informaton Security Governance non-Mandatory items

Answer 37

Guidelines, Baselines (Benchmarks)

Question 38

Informaton Security Governance: Personnel Security

Answer 38

Users often pose the largest security risk:
Awareness, Training, Hiring Practices, Employee Termination Practices, Vendors, Consultants, and Contractor Security, Outsourcing and Offshoring

Question 39

Administrative (Directive) Access Controls

Answer 39

Organizational policies and procedures. Regulation. Training and awareness

Question 40

Technical Access Control

Answer 40

Hardware/software/firmware-Firewalls, routers, encryption

Question 41

Physical Access Controls

Answer 41

Locks, fences, guards, dogs, gates, bollards

Question 42

Preventative

Answer 42

Prevents action from happening - least privilege, drug tests, IPS, firewalls, encryption

Question 43

Detective

Answer 43

Controls that detect during or after an attack - IDS, CCTV, alarms, anti-virus

Question 44

Corrective

Answer 44

Controls that Correct an attack - Anti-virus, patches, IPS

Question 45

Recovery

Answer 45

Controls that help us Recover after an attack - DR Enviroment, backups, HA Enviroments

Question 46

Deterrent

Answer 46

Controls that Deter an attack - Fences, security guards, dogs, lights, Beware of the dog signs

Question 47

Compensating

Answer 47

Controls that Compensate - other controls that are impossible or too costly to implement

Question 48

Qualitative Risk Analysis

Answer 48

How likely is it to happen and how bad is it if it happens? Most often done to know where to focus the Quantitative Risk Analysis. Sometimes used with a Risk Analysis Matrix. Think “quality” This concept is semi-vague, e.g., “pretty good quality.”

Question 49

Quantitative Risk Analysis

Answer 49

What will it actually cost us in $? This is fact based analysis, Total $ value of asset, math is involved.

Question 50

Threat

Answer 50

A potential harmful incident.

Question 51

Vulnerability

Answer 51

A weakness that can allow a Threat to do harm.

Question 52

Risk

Answer 52

Threat x Vulnerability

Question 53

Impact

Answer 53

Can at times be added to give a more full picture.

Question 54

Total Risk

Answer 54

Threat x Vulnerability x Asset Value

Question 55

Residual Risk

Answer 55

Total Risk - Countermeasures

Question 56

Single Loss Expectancy (SLE)

Answer 56

Asset Value (AV) x Exposure factor (EF)

Question 57

Annual Rate of Occurrence (ARO)

Answer 57

How often will this happen each year?

Question 58

Annualized Loss Expectancy (ALE)

Answer 58

This is what it cost per year if we do nothing.

Question 59

Transfer the Risk

Answer 59

The insurance risk approach.

Question 60

Risk Avoidance

Answer 60

Don’t issue laptops to employees or build data-center where there are no floods.

Question 61

Risk Rejection

Answer 61

This is never acceptable.

Question 62

Secondary Risk

Answer 62

Mitigating one risk may open up another risk.

Question 63

Risk Analysis: NIST 800-30

Answer 63

9-step process for Risk Management

Question 64

White Hat hackers

Answer 64

Professional pen testers trying to find flaws so we can fix it. Ethical Hackers

Question 65

Black Hat hackers

Answer 65

Malicious hackers, trying to find flaws to exploit them

Question 66

Grey Hat hackers

Answer 66

They are somewhere between the white and black hats. Look for a vulnerability and publish it if the company does nothing to fix it.

Question 67

Hacktivist

Answer 67

Hacking for political or socially motivated purposes

Question 68

Bots

Answer 68

are a system with malware controlled by a botnet

Question 69

Botnets

Answer 69

is a Command and Control network, controlled by the people (bot-herders)

Question 70

Phishing

Answer 70

social engineering email attack

Question 71

Spear Phishing

Answer 71

targeted phishing, not just random spam, but targeted at specific individuals

Question 72

Whale Phishing (Whaling)

Answer 72

Spear phishing targeted at senior leadership of an organization.