Domain 1: Security and Risk Management

Question 1

CIA Triad

Answer 1

Confidentiality, Integrity, Availability

Question 2

Ex: Violation of Confidentiality

Answer 2

capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, sniffing…

Question 3

Sensitivity

Answer 3

quality of info, which could cause harm or damage if disclosed

Question 4

Discretion

Answer 4

act or decision where an operator can influence of control disclosure to minimize damage

Question 5

Criticality

Answer 5

level to which info is mission critical

Question 6

Concealment

Answer 6

act of hiding or preventing disclosure

Question 7

Seclusion

Answer 7

Storing info in an out of the way location

Question 8

Ex: Violation of Integrity

Answer 8

Accidental deletion of files, entering invalid data, including errors in commands…

Question 9

Availability

Answer 9

Authorized subjects are granted timely and uninterrupted access to objects

Question 10

Ex: Violations of Availability

Answer 10

Accidental deletion of files, over utilization of HW/SW, underallocating resources…

Question 11

AAA Services

Answer 11

Identification, Authentication, Authorization, Auditing, Accounting

Question 12

Identification

Answer 12

who you are

Question 13

Authentication

Answer 13

you are who you say you are

Question 14

Authorization

Answer 14

allows and denials of resource and object access for who you are

Question 15

Auditing

Answer 15

recording of events

Question 16

Accounting/Accountability

Answer 16

holding subjects accountable for their actions

Question 17

Nonrepudiation

Answer 17

ensures that the subject of an activity or event cannot deny that the event occurred, possible through AAA services

Question 18

Layering

Answer 18

Defense in Depth, Delay an intruder

Question 19

Abstraction

Answer 19

Similar elements are put into groups, classes, or roles and assigned security controls as a collective

Question 20

Data Hiding

Answer 20

positioning data in a logical storage compartment not seen by subjects (think classification levels)

Question 21

Encryption

Answer 21

art and science of hiding the meaning or intent of a communication from unintended recepients

Question 22

Security Governance

Answer 22

Collection of practices related to supporting, defining, and directing the security efforts of an org

Question 23

The best key plan is useless without ________

Answer 23

approval by senior mgmt

Question 24

Security Plan Timeline

Answer 24

Strategic (5 year - risk assessment, stable, security purpose), Tactical (1 year - midterm, schedules tasks, project plans, hiring plans, budget plans), Operational (Months -short term, highly detailed, training plans, system deployment plans)

Question 25

Importance of CM

Answer 25

Change can introduce new loopholes, overlaps, and oversights that lead to new vulnerabilities

Question 26

Goal of CM

Answer 26

ensure that change does not lead to reduces security, backups and rollbacks

Question 27

Data Classification

Answer 27

data is protected based on its need for secrecy, sensitivity, or confidentiality

Question 28

Primary Objective of Data Classification

Answer 28

formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

Question 29

7 steps to implement a classification scheme

Answer 29

1. Identify the custodian and define responsibilities
2. Specify the evaluation criteria of how the info will be classified and labeled
3. Classify and label each resource
4. Document any exceptions to the classification policy
5. Select the security controls
6. Specify the procedures for declassifying resources
7. Create an enterprise-wide awareness program

Question 30

Levels of Government Classification

Answer 30

Top Secret, Secret, Confidential, Sensitive but Unclass, Unclassified

Question 31

Commercial Classification Levels

Answer 31

Confidential/Proprietary, Private, Sensitive, Public

Question 32

Senior Manager

Answer 32

ultimately responsible for security maintained

Question 33

Security Professional

Answer 33

experienced network, systems, and security engineer who is responsible for following the directives mandated by senior mgmt (functional responsibility)

Question 34

Data Owner

Answer 34

responsible for the classifying of info

Question 35

Data Custodian

Answer 35

responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management

Question 36

User

Answer 36

person who has access to the system

Question 37

Auditor

Answer 37

responsible for reviewing and verifying that the security policy is properly implemented

Question 38

COBIT & COSO

Answer 38

goals for meeting security - COBIT is IT, COSO is org

Question 39

Due Care

Answer 39

using reasonable care to protect the interests of the org

Question 40

Due Diligence

Answer 40

Practicing the activities that maintain due care

Question 41

Security Policy

Answer 41

document that defines the scope of security needed by and org and discusses assets that need protection. Assigns responsibilities, defines roles, specify audit requirements, defines acceptable risk levels

Question 42

3 Categories of Security Policies

Answer 42

Regulatory (industry and legal standards), Advisory (acceptable use policy) and Informative (support, background)

Question 43

Standards

Answer 43

define requirements for homogeneous use of hw, sw, tech, and security controls. Tactical docs that defines steps to accomplish goals defined by the security policy

Question 44

Baseline

Answer 44

minimum level of security that every system must meet

Question 45

Guidelines

Answer 45

recommendation on how standards and baselines are implemented

Question 46

Procedures

Answer 46

step by step how to

Question 47

Relationship of Policy Components

Answer 47

(Inverted Triangle) Procedures -> Guidelines -> Standards -> Policies

Question 48

3 Approaches to ID Threats

Answer 48

Focus on Assets, Focus on Attackers, Focus on Software

Question 49

STRIDE

Answer 49

Threat Categorization Scheme - Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privileges

Question 50

Reduction Analysis

Answer 50

decomposing the application, system or environment

Question 51

5 key concepts of decomposition

Answer 51

Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach

Question 52

DREAD

Answer 52

Threat Ranking - Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability

Question 53

Acquisition Assessment

Answer 53

On-Site Assessment, Document Exchange and Review, Process/Policy Review

Question 54

Protection Mechanisms

Answer 54

Layering, Abstraction, Data Hiding, Encryption

Question 55

Applying Threat Modeling

Answer 55

Identifying threats
Determining potential attacks
Performing reduction analysis
Prioritization and response

Question 56

Separation of Duties

Answer 56

work tasks are divided among several individual administrators

Question 57

Collusion

Answer 57

occurrence of negative activity undertaken by two or more people

Question 58

Job Responsibilities

Answer 58

Specific work tasks an employee is required to perform on a job

Question 59

Job Rotation

Answer 59

rotating employees among multiple positions to provide knowledge redundancy and reduce the risk of fraud, misuse of info, data modification, etc.

Question 60

NDA

Answer 60

Nondisclosure agreement used to protect the confidential information within an organization from being disclosed by a former employee

Question 61

NCA

Answer 61

Noncompete Agreement prevents employees with secrets from working in a competing org

Question 62

6 parts of employee termination policy

Answer 62

Return of assets, remove or disable the employees network user account, notify HR to issue final paycheck, arrange for security to escort out, inform security personnel at entrance points that employee does not reenter unescorted

Question 63

SLA

Answer 63

Service Level Agreement

Question 64

Compliance

Answer 64

the act of conforming to or adhering to rules, policies, regulation, standards, or requirements

Question 65

Third-party Governance

Answer 65

security oversight on third parties that your org relies on

Question 66

Risk

Answer 66

the possibility that something could happen to damage, destroy, or disclose data or other resources

Question 67

The primary goal of risk management is __________

Answer 67

to reduce risk to an acceptable level

Question 68

Risk Analysis

Answer 68

The process by which the goals of risk management are achieved

Question 69

Asset

Answer 69

anything within an environment that should be protected

Question 70

Asset Valuation

Answer 70

dollar value assigned to an asset

Question 71

Threats

Answer 71

Any potential occurrence that may cause an undesirable or unwanted outcome

Question 72

Vulnerability

Answer 72

The weakness in an asset or the absence or weakness of a safeguard or countermeasure

Question 73

Exposure

Answer 73

being susceptibility to asset loss because of a threat

Question 74

Risk = A x B

Answer 74

Threat X Vulnerability

Question 75

Safeguard

Answer 75

countermeasure, anything that removes or reduces a vulnerability or protects against one of more specific threats

Question 76

Attack

Answer 76

exploitation of a vulnerability by a threat agent (intentional attempt)

Question 77

Breach

Answer 77

occurrence of a security measure being bypassed or thwarted by a threat agent

Question 78

Elements of Risk

Answer 78

THREATS exploit VULNERABILITIES which results in EXPOSURE which is RISK which is mitigated by SAFEGUARDS which protect ASSETS which are endangered by THREATS

Question 79

Risk management/analysis is primarily an exercise for _______

Answer 79

upper management

Question 80

Six Major Elements of Quantitative Risk Analysis

Answer 80

Assign Asset Value, Calculate Exposure Factor, Calculate SLE, Assess ARO, Derive ALE, Perform cost/benefit analysis of countermeasures

Question 81

EF

Answer 81

Exposure Factor - loss potential %

Question 82

SLE

Answer 82

Single Loss Expectancy = AV * EF

Question 83

ARO

Answer 83

Annualized Rate of Occurrence is the expected frequency with which a threat or risk will occur in a single year

Question 84

ALE

Answer 84

Annualized Loss Expectancy = SLE * ARO

Question 85

Cost/Benefit Analysis steps

Answer 85

Pre-countermeasure ALE, Post-countermeasure ALE, Annual Cost of safeguard

Question 86

Delphi Technique

Answer 86

anonymous feedback and response process used to enable a group to reach an anonymous consensus

Question 87

4 Possible Risk Responses

Answer 87

Reduce/Mitigate, Assign/Transfer, Accept, Reject/Ignore

Question 88

Risk Mitigation or Reduction

Answer 88

implementing safeguards and countermeasures to reduce threats

Question 89

Risk Assignment

Answer 89

Insurance

Question 90

Residual Risk

Answer 90

Risk remaining once countermeasures are implemented

Question 91

Total Risk = _______

Answer 91

Threats * Vulnerabilities * AV (Not multiplications)

Question 92

Difference between total risk and residual risk

Answer 92

Controls gap - amount of risk reduced by implementing safeguards

Question 93

3 Categories of Security Control Implementation

Answer 93

Physical, Logical/Technical, Administrative

Question 94

Technical Controls

Answer 94

involves hw or sw mechanisms used to manage access and provide protection

Question 95

Administrative Controls

Answer 95

policies and procedures

Question 96

Physical Controls

Answer 96

Controls you can physically touch

Question 97

Control Types (7)

Answer 97

Deterrent - convinces user to not taking actions Preventative - blocks user from taking action
Detective - post action, discover activity
Compensating- aid in enforcement
Corrective - modifies environment to return to normal
Recovery - extension of corrective, more advanced
Directive - direct, control, or confine the actions of subjects to force or encourage compliance

Question 98

A prerequisite to security training is ______

Answer 98

Awareness

Question 99

Training vs Education

Answer 99

education is more detailed and provides more than users needs to know for their jobs

Question 100

BCP

Answer 100

Business Continuity Planning involves assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur

Question 101

The top priority of BCP and DRP is always __________

Answer 101

people

Question 102

The overall goal of BCP is ____________________

Answer 102

to provide a quick, calm, and efficient response in the event of an emergency

Question 103

4 main steps of the BCP process

Answer 103

Project Scope and Planning
Business Impact Analysis
Continuity Planning
Approval and implementation

Question 104

Project Scope and Planning Requirements

Answer 104

■ Business Org Analysis
■ BCP Team Creation
■ Resource Assessment
■ Legal and regulatory analysis

Question 105

Business Org Analysis

Answer 105

identify all departments and individuals who have a stake in the BCP

Question 106

BCP Team Selection

Answer 106

Reps from core service departments, reps from key support departments, IT reps, security reps, legal reps, senior management reps

Question 107

Three Phases of BCP

Answer 107

BCP Development, BCP Testing, Training, and Maintenance, and BCP Implementation

Question 108

The most significant resources consumed by the BCP plan are ________

Answer 108

people

Question 109

BIA

Answer 109

Business Impact Analysis - identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources, assess likelihood and impact of those threats being realized

Question 110

5 Steps of BIA

Answer 110

1. Identify Priorities
2. Identify Risks
3. Likelihood Assessment
4. Impact Assessment
5. Resource Prioritization

Question 111

Identify Priorities

Answer 111

1st step of BIA, determine most essential activities to day to day operations

Question 112

MTD/MTO

Answer 112

Maximum Tolerable Downtime, Maximum Tolerable Outage - maximum length of time a business function can be inoperable without causing harm to the business

Question 113

RTO

Answer 113

Recovery Time Objective - amount of time in which you think you can feasibly recover the function in the event of a disruption

Question 114

Goal of BCP is to ensure that RTO is _____ than your MTD

Answer 114

less

Question 115

Sources for Likelihood Assessment

Answer 115

NOAA, FEMA, USGS

Question 116

Categories of Law

Answer 116

Criminal, civil, adminstrative

Question 117

CCCA of 1984

Answer 117

Comprehensive Crime Control Act, exclusively cover computer crimes that crossed state boundaries to
avoid infringing on states’ rights and treading on thin constitutional ice

Question 118

CFAA of 1986

Answer 118

Computer Fraud and Abuse Act - changes to cover all federal interest computers

Question 119

1994 CFAA Amendments (4)

Answer 119

■ Outlawed the creation of any type of malicious code that might cause damage
■ Modified the CFAA to cover any computer used in interstate commerce
■ Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
■ Provided legal authority for the victims of computer crime to pursue civil action

Question 120

CSA of 1987

Answer 120

Computer Security Act, mandated baseline security requirements for all federal agencies, gave NIST responsibility for developing standards

Question 121

Following the CSA, the NSA retained authority over __________ and NIST gained responsibility for _________

Answer 121

NSA retained authority over classified systems, NIST gained responsibility for securing all other federal govt systems

Question 122

Three Major provisions of Federal Sentencing Guidelines

Answer 122

Prudent Man Rule (hold senior executives responsible), Minimize punishment by showing due care and due diligence, Three burdens of proof (legalize recognized obligation, failure to comply with standards, and relationship between act of negligence and damages)

Question 123

National Information Infrastructure Protection Act of 1996

Answer 123

Amendments to CFAA, covers international commerce, covers national infrastructure, treats damage causing act as felony

Question 124

Law Timeline

Answer 124

1984 - CCCA
1986 - CFAA
1987 - CSA
1991 - Federal Sentencing Guidelines
1994 - CFAA Amendments
1995 - Paperwork Reduction Act
1996 - National Info Infrastructure Protection Act
2000 - GISRA
2002 - FISMA

Question 125

Paperwork Reduction Act

Answer 125

agencies must obtain OMB approval before requesting info from the public

Question 126

GISRA

Answer 126

Government Information Security Reform Act of 2000 amended Paperwork Reduction Act to implement additional information security policies and procedures

Question 127

FISMA

Answer 127

Federal Information Security Management Act, requires that federal agencies implement an information security program that covers the agency’s operations

Question 128

The most valuable asset of most organizations is their __________

Answer 128

Intellectual Property

Question 129

Copyright Law

Answer 129

guarantees the creators of “original works of authorship” protection again the unauthorized duplication of their work

Question 130

The precedent for copyrighting computer software puts software under the scope of _______

Answer 130

literary works

Question 131

Copyright law as it pertains to computer software protections ___________

Answer 131

the actual source code - the Expression inherent in the computer software

Question 132

Copyright law: Works by one or more authors are protected until __ years after ____________

Answer 132

70 years after the death of the last surviving author

Question 133

Works for hire and anonymous works are provided protection for ________

Answer 133

95 years from the date of the first publication or 120 years from the date of creation, whichever is shorter

Question 134

Trademarks

Answer 134

Protect words, slogans, and logos sued to identify a company and its products or services

Question 135

Patents

Answer 135

protect the intellectual property rights of inventors, 20 years of exclusive rights then public

Question 136

Trade Secrets

Answer 136

Not time limit, IP that is critical to business, best wya to protect computer software

Question 137

Licensing types

Answer 137

Contractual (written contract), shrink-wrap, Click-through, Cloud services

Question 138

4th Amendment

Answer 138

protection of privacy

Question 139

Privacy Act of 1974

Answer 139

limits federal governments ability to disclose and retain private information

Question 140

ECPA of 1986

Answer 140

Electronic Communications Privacy Act of 1986 makes it a crime to invade the electronic privacy of an individual

Question 141

CALEA of 1994

Answer 141

Communications Assistance for Law Enforcement Act amended ECPA and requires all communication carries to make wiretaps possible for law enforcement with an appropriate court order

Question 142

Economic and Protection of Proprietary Information Act of 1996

Answer 142

extends definition of property to include proprietary economic information (expands definition of theft)

Question 143

HIPAA

Answer 143

Health Insurance Portability and Accountability Act - privacy and security regulations requires strict security for medical information

Question 144

HITECH

Answer 144

Health Information Technology for Economic and Clinical Health Act, update to HIPAA, data break notification law

Question 145

COPPA

Answer 145

Children’s Online Privacy Protection Act - state information collected, parents can review and collected information, verifiable consent for under age 13

Question 146

Gramm-Leach-Biley Act

Answer 146

types of info which can be exchanged by banks

Question 147

USA PATRIOT Act

Answer 147

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

Question 148

FERPA

Answer 148

Family Educational Right and Privacy Act - affects any education institution that accepts any federal funding

Question 149

Identify Theft and Assumption Deterrent Act

Answer 149

made identify theft a crime

Question 150

ITIL

Answer 150

IT service mgmt

Question 151

OCTAVE

Answer 151

self directed risk assessment

Question 152

ISO 27001

Answer 152

intro on the control for ISMS

Question 153

ISO 27002

Answer 153

the how to implement security controls for ISMS