Domain 1: Security and Risk Management

Question 1

CIA

Answer 1

Confidentiality, Integrity and Availability

Question 2

States of Data

Answer 2

At rest
In process
In transit

Question 3

Password Masking CIA principle

Answer 3

Condifentiality

Question 4

Data in transit basic protection

Answer 4

TSL or SSL

Question 5

Confidentiality overt and covert techniques

Answer 5

Cryptography
Masking
Steganograhy

Question 6

Protection against system or software modification

Answer 6

Integrity

Question 7

Methods to ensure integrity

Answer 7

CRC
Checksum
Message Digest
Hashes
MAC
Input Validation!!!

Question 8

Availability description

Answer 8

Provide timely access to a resource

Question 9

Availability metrics

Answer 9

Tolerance for losses: MTD/RTO/RPO
Lega: SLA
Life expectancy: MTBF/MTTR

Question 10

MTBF

Answer 10

Mean Time Between Failure: the expected lifespan of the device

Question 11

MTTR

Answer 11

Mean Time To Repair: how much time will be required to restore de component to functionality

Question 12

RPO

Answer 12

Recovery Point Objective: how much data can be lost after a restoration

Question 13

MTD

Answer 13

Maximum Tolerance Downtime: how long can the component/system can be down before our lose is unacceptable.

Question 14

SLA

Answer 14

Service Legal Agreement

Question 15

IAAA

Answer 15

Identification
Authentication
Authorization
Accountability

Question 16

FAR

Answer 16

False Accept Rate

Question 17

FRR

Answer 17

False Reject Rate

Question 18

Access Control Models

Answer 18

DAC
MAC
RBAC
RuBAC

Question 19

DAC

Answer 19

Discretionary Access Control: Zero knowledge

Question 20

MAC

Answer 20

Mandatory Access Control: Labels

Question 21

RBAC

Answer 21

Role Based Access Control

Question 22

RuBAC

Answer 22

Rule Based Access Control

Question 23

CRUD operations

Answer 23

Create
Read
Update
Delete

Question 24

Accountability requirements

Answer 24

Time
Action
Subject
Object

Question 25

Tenets or secure architecture and design (16)

Answer 25

1. How much security is enough?
2. Defense in depth
3. Fail-safe
4. Economy of Mechanism (the K.I.S.S principle)
5. Completeness of Design
6. Least Common Mechanism
7. Open Design
8. Consider the Weakest Link
9. Redundancy
10. Psychological acceptability
11. Separation of Duties (SOD)
12. Mandatory Vacations
13. Job Rotation
14. Least privilege
15. Need to know
16. Dual Control

Question 26

Risk

Answer 26

Likelihood that a threat will exploit a vulnerability in an asset

Question 27

Threat (amenaza)

Answer 27

Has the potential to harm an asset

Question 28

Vulnerability

Answer 28

A weakness; lack of a safeward

Question 29

Exploit

Answer 29

Instance of compromise

Question 30

Security Controls

Answer 30

Protective mechanisms to secure vulnerabilities
Safeguards: Proactive (Deters and/or Prevents)
Countermesures: Reactive (Detects and/or Corrects)

Question 31

Secondary Risk

Answer 31

Risk event that comes as a result of another risk response

Question 32

Residual Risk

Answer 32

The amount of risk left over after a risk response.

Total Risk * Control GAP

Question 33

Fallback Plan

Answer 33

Plan B

Question 34

Workarround

Answer 34

Unplanned response

Question 35

Asset

Answer 35

Something that has value and we need to protect

Question 36

Total Risk

Answer 36

Amount of risk without implementing mitigation.

Threats * Vulnerabilities * Asset Value

Question 37

Risk assessment

Answer 37

Identify an valuate assets; identify threats and vulnerabilities

Question 38

Risk analisys

Answer 38

Value of potential risks

Question 39

Risk mitigation

Answer 39

Respond to risk

Question 40

Risk monitoring

Answer 40

Risk 4 ever

Question 41

Risk Management (AAMM)

Answer 41

Assessment
Analisys
Mitigation
Monitoring

Question 42

Risk assessment methodologies

Answer 42

OCTAVE
FRAP
NIST 800-30

Question 43

NIST 800-30 9 steps

Answer 43

1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analisys
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentations

Question 44

Risk analysis types

Answer 44

Qualitative: Nature. (High, Medium, Low). Objective opinions.
Quantitative: Determine money value. More expertise and time

Question 45

Delphi Technique

Answer 45

Qualitative risk analysis technique

Question 46

AV

Answer 46

Asset Value: Money

Question 47

EF

Answer 47

Exposure Factor: Percentage of loss expected when an event happends

Question 48

SLE

Answer 48

Single Loss Expectancy: Cost of a single occurrence of a threat instance. AV * AF

Question 49

ARO

Answer 49

Annual Rate of Occurrence: How often the threat is expected to materialize

Question 50

ALE

Answer 50

Annual Loss Expectancy: Cost per year as a result of a threat. SLE * ARO

Question 51

TCO

Answer 51

Total Cost of Ownership: total cost of implementing safeguards and maintenance.

Question 52

ROI

Answer 52

Return On Investment: Money saved implementing a safeguard. ALE_before - ALE_after - TCO

Question 53

Risk mitigation strategies

Answer 53

Reduce: final step is Avoid (eliminate)
Accept: Cost of mitigation > Asset Value. Final step is Reject (not studying the risk)[3 monkeys]
Transfer: Insurance or SLA