Domain 1 -- Security and Risk Management Flashcards

1
Q

What are the ways to achieve Availability?

A
  • RAID disks
  • Clustering
  • Load Balancing
  • Redundant Data and Power lines
  • Software and data backups
  • Disk shadowing
  • Co-location and off-site facilities
  • Rollback functions
  • Failover configurations
2
Q

What are the ways to achieve Integrity?

A
  • Hashing (data integrity); an unkeyed hash stored beside the data only detects accidental change, because whoever can alter the data can recompute the hash, so tamper detection needs an HMAC or a digital signature
  • Configuration management (system integrity)
  • Change control (process integrity)
  • Access control (physical and technical)
  • Software digital signing
  • Transmission cyclic redundancy check (CRC) functions; a CRC catches transmission errors, not deliberate modification
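The distinction the card draws between error detection and tamper detection is easy to see in code. The following is an added example written for this page, not material from the flashcards: it stores a constructed configuration record first with an unkeyed SHA-256 digest and then with an HMAC, lets an attacker who can write to storage swap the record and recompute the digest, and shows which check still catches the change. It also finds two different byte strings with the same CRC32 by a birthday search, which is why a CRC is the wrong tool against an adversary. The key and record bytes are constructed for the example.

```python
"""Added example (not from the flashcards): unkeyed hash vs HMAC vs CRC for integrity.
The sample record and the key below are constructed for illustration only."""
import hashlib
import hmac
import os
import zlib

# Constructed sample "configuration" record we want to protect at rest.
ORIGINAL = b"allow_remote_admin=false\nmax_sessions=10\n"
TAMPERED = b"allow_remote_admin=true\nmax_sessions=10\n"

# Constructed secret known only to the verifier (never store it beside the data).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def protect_with_hash(data: bytes) -> bytes:
    """Unkeyed digest stored next to the data. Weak: anyone can recompute it."""
    return hashlib.sha256(data).digest()


def verify_with_hash(data: bytes, stored_digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).digest(), stored_digest)


def protect_with_hmac(key: bytes, data: bytes) -> bytes:
    """Keyed tag: recomputing it requires the key, so substitution is detectable."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_with_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def attacker_replaces_record(stored: tuple) -> tuple:
    """An attacker with write access swaps the data AND recomputes the unkeyed
    digest; without KEY they must leave the HMAC tag as it was."""
    _data, _digest, tag = stored
    return TAMPERED, protect_with_hash(TAMPERED), tag


def scenario() -> dict:
    """Protect the original record both ways, tamper, then run both checks."""
    stored = (ORIGINAL, protect_with_hash(ORIGINAL), protect_with_hmac(KEY, ORIGINAL))
    data, digest, tag = attacker_replaces_record(stored)
    return {
        "plain_hash_accepts_tampered": verify_with_hash(data, digest),  # True: change missed
        "hmac_accepts_tampered": verify_with_hmac(KEY, data, tag),      # False: change caught
        "hmac_accepts_original": verify_with_hmac(KEY, ORIGINAL, stored[2]),
    }


def same_crc32(a: bytes, b: bytes) -> bool:
    return zlib.crc32(a) == zlib.crc32(b)


def crc32_collision(max_tries: int = 1_000_000) -> tuple:
    """Birthday search for two distinct inputs with equal CRC32. The output is
    only 32 bits, so roughly 2**16 random inputs suffice: a CRC detects line
    noise, but an adversary can always find a substitute that still matches."""
    seen = {}
    for _ in range(max_tries):
        candidate = os.urandom(6)
        c = zlib.crc32(candidate)
        if c in seen and seen[c] != candidate:
            return seen[c], candidate
        seen[c] = candidate
    raise RuntimeError("no collision found within budget")


if __name__ == "__main__":
    print(scenario())
    a, b = crc32_collision()
    print(a.hex(), b.hex(), "share CRC32", hex(zlib.crc32(a)))
```

The verifier must hold the HMAC key somewhere the attacker cannot write; if the key lives next to the data the HMAC degrades to the unkeyed case. Digital signatures give the same property without a shared secret.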
3
Q

What are ways to achieve Confidentiality?

A
  • Encryption for data at rest (whole disk or DB encryption)
  • Encryption for data in transit (IPsec, TLS, SSH; PPTP appears in older material, but its MS-CHAPv2/MPPE protection is broken and should not be relied on)
  • Access Control (physical and technical)
4
Q

Definition of Vulnerability

A

A vulnerability is a weakness in a system that allows a threat source to compromise its security

5
Q

What is a threat?

A

A threat is any potential danger that is associated with the exploitation of a vulnerability.

The entity that takes advantage of a vulnerability is a threat agent

6
Q

What is a risk?

A

A risk is the likelihood of a threat source exploiting a vulnerability, together with the resulting business impact.

7
Q

What is an exposure?

A

An exposure is an instance of being exposed to losses.

A vulnerability exposes an organization to possible losses

8
Q

What is a control?

A

A control is a countermeasure put in place to mitigate (reduce) the potential risk

Note: Control, Countermeasure and safeguard are interchangeable terms

9
Q

What is the relationship between Vulnerabilities, threats, risks, exposures and controls?

A

(The original card referred to an image that is not reproduced here.) Read as a chain using the terms defined above: a threat agent gives rise to a threat, which exploits a vulnerability, which leads to a risk, which can damage an asset and cause an exposure; a control (safeguard) mitigates the risk by removing the vulnerability or by acting directly against the threat agent.

10
Q

What are the three types of Controls?

A
  • Administrative
  • Technical
  • Physical
11
Q

Give Examples of Physical Controls

A
  • Fence
  • Locked external doors
  • CCTV
  • Security Guard
  • Locked internal doors
  • Locked server room
  • Physically secured computers (cable locks)
12
Q

What are examples of Technical Controls?

A
  • Firewalls
  • Intrusion Detection Systems
  • Intrusion Prevention systems
  • Antimalware
  • Access control
  • Encryption
13
Q

What are examples of administrative controls?

A
  • Security Documentation
  • Risk Management
  • Personnel security
  • Training
14
Q

What are the six different control functionalities?

A
  • Preventive
  • Detective
  • Corrective
  • Deterrent
  • Recovery
  • Compensating
15
Q

Give examples of Administrative Preventive Controls

A
  • Policies and procedures
  • Effective hiring practices
  • Pre-employment background checks
  • Controlled termination processes
  • Data Classification and labeling
  • Security awareness
16
Q

Give examples of Physical Preventive Controls

A
  • Badges and swipe cards
  • Guards, dogs
  • Fences, locks, mantraps
17
Q

Give examples of Technical Preventive Controls

A
  • Passwords, biometrics, smart cards
  • Encryption, secure protocols, call-back systems, database views, constrained user interfaces
  • Antimalware software, access control lists, firewalls, intrusion prevention systems
18
Q

Is Security through Obscurity a good idea or a bad idea?

A

Bad idea. A design should stay secure even when everything about it except the key or credential is known (Kerckhoffs's principle); hiding implementation details can be an extra layer, but never the control itself.

19
Q

What is a framework for developing a Security Program?

A

ISO/IEC 27000 Series

Examples:

  • ISO / IEC 27014 Information Security Governance
  • ISO / IEC 27031 Business Continuity
  • ISO / IEC 27035 Incident Management
  • ETC.
20
Q

What are Standards for Enterprise Architecture Development?

A
  • Zachman Framework
  • TOGAF - The Open Group Arch Framework
  • DoDAF - Dept of Defense Arch Framework
  • MODAF - Architecture framework developed by the British Ministry of Defence
  • SABSA Model - Model and methodology for the development of enterprise security architectures
21
Q

What are the Security Controls Development Frameworks?

A
  • COBIT 5 - Developed by the Information Systems Audit and Control Association (ISACA)
  • NIST SP 800-53 – Set of controls developed by NIST to protect Federal Systems
  • COSO Internal Control - Integrated Framework. Developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
22
Q

What are the three key Process Management Development Frameworks?

A
  • ITIL - IT Service Management (started in UK)
  • Six Sigma
  • CMMI - Capability Maturity Model Integration (developed by Carnegie Mellon)
23
Q

What are the key things to remember about the Zachman Framework?

A
  • Interrogatives / Perspectives
  • What / How / Where / Who / When / Why
  • Top to bottom Executives to Technicians
24
Q

What are the key things to remember about TOGAF

A

Used to develop

  • Business Architecture
  • Data Architecture
  • Application architecture
  • Technology architecture
  • Architecture Development Method (ADM), the iterative process that produces the four architectures above
25
Q

What are the key things to remember regarding DoDAF and MODAF?

A
  • These are military architectural frameworks
  • These are designed to solve the problem of communicating information from a very large collection of agencies/stakeholders
26
Q

What does SABSA stand for and why is it important?

A
  • SABSA stands for Sherwood Applied Business Security Architecture
  • Similar to Zachman framework for security architecture
  • What are you trying to do at this layer?
  • Why are you doing it?
  • How are you trying to do it?
  • Who is involved?
  • Where are you doing it?
  • When are you doing it?
27
Q

What does ISMS stand for and what is a synonym for it?

A

ISMS stands for Information Security Management System

An ISMS is the same as a Security Program

28
Q

What does COBIT stand for and what are its five key principles?

A

COBIT – Control Objectives for Information and Related Technology

5 principles

  • Meeting stakeholders needs
  • Covering the enterprise end to end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management

Note – COBIT deals with all aspects of IT, not just security

Note – COBIT is widely used in the private sector; NIST SP 800-53 is mandated for US federal systems

29
Q

What does COSO stand for and what are its five control principles?

A

COSO stands for the Committee of Sponsoring Organizations (of the Treadway Commission)

The COSO Internal Control – Integrated Framework is a set of internal corporate controls to help reduce the risk of financial fraud.

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring Activities
30
Q

What’s the difference between the COSO IC framework and COBIT?

A
  • The COSO Integrated Controls Framework is a model for corporate governance
  • COBIT is a model for IT governance
31
Q

Which is more dangerous – a script kiddie or an Advanced Persistent Threat (APT)?

A

An Advanced Persistent Threat is more dangerous: it is well resourced, targets a specific organization, and stays quietly inside the network over a long period, whereas a script kiddie runs existing tools opportunistically.

32
Q

What does GDPR stand for and what is its goal?

A

GDPR stands for General Data Protection Regulation

It is intended to protect the personal data and privacy of individuals (data subjects) in the EU, regardless of citizenship, and it binds any organization that processes their data, wherever that organization is located.

33
Q

What does the Wassenaar arrangement deal with and what is its goal

A

The Wassenaar Arrangement implements export controls on conventional arms and dual-use goods and technologies.

  • It is designed to prevent destabilizing accumulations of military capability by any one country
  • Its control list (Category 5, Part 2, Information Security) covers cryptography
34
Q

What is the strongest form of intellectual property protection?

A

a patent

35
Q

What’s the difference between the following?

  • Freeware
  • Shareware/Trial Software
  • Commercial Software
  • Academic software
A
  • Freeware - Free
  • Shareware/Trial Software - Free trial version
  • Commercial Software - licensed for a fee, with use governed by the vendor's license agreement
  • Academic software - software used by academic institutions at a reduced cost
36
Q

What does DMCA stand for and what is its intent?

A

DMCA stands for Digital Millennium Copyright Act.

It makes it illegal to circumvent copyright protection mechanisms

37
Q

What do policies need to be independent of?

A

Policies need to be independent of technologies and solutions.

Policies should outline goals and missions, but leave it up to the organization to decide how to accomplish them

38
Q

Name three types of policies

A
  • Regulatory
  • Advisory
  • Informative
39
Q

What is a baseline?

A

The term baseline refers to a point in time that is used as a comparison for future changes. In security, a baseline also defines the minimum level of protection a system must have, against which later configuration drift can be measured.

40
Q

What is a Guideline?

A

Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.

41
Q

What are procedures?

A

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

42
Q

What is Risk Management?

A

Risk Management (RM) is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.

43
Q

What are the three tiers of Risk Management?

A
  1. Organizational Tier
  2. Business process Tier
  3. Information Systems Tier
44
Q

What does ISRM stand for?

A

Information Systems Risk Management

45
Q

What are the four components of the NIST SP 800-39 standard for Risk Management?

A
  1. Frame Risk
  2. Assess Risk
  3. Respond to Risk
  4. Monitor Risk
46
Q

What is Threat Modeling?

A

Threat Modeling is the process of describing feasible adverse effects on our assets caused by threat sources.

47
Q

What are three components of vulnerabilities in threat modeling?

A
  • Information
    • Data (at rest, in motion, in use)
  • Processes
  • People
48
Q

What are two common threat modeling methodologies?

A
  • Attack trees - a tree whose root is the attacker's goal, with each branch a required (AND) or alternative (OR) sub-step, so that every feasible path from the leaves to the root is one attack
  • Reduction analysis
    • Reduce the number of attacks that must be considered (prune paths a control makes infeasible, merge duplicates)
    • Reduce the threat posed by the remaining attacks (raise their cost or lower their impact)
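Attack trees and reduction analysis are concrete enough to run. The following is an added example written for this page, not content from the flashcards: a small AND/OR attack tree for a constructed goal ("read the customer database") with constructed effort costs, a pruning pass that removes sub-trees a control has made infeasible, and a search for the cheapest remaining path, which is where the next control should go. The leaf names, costs and the two controls applied at the end are illustrative assumptions.

```python
"""Added example (not from the flashcards): an attack tree with AND/OR nodes
plus the two reduction-analysis moves from card 48. The tree, the effort
costs and the controls are constructed for illustration."""
import copy
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "AND" (all children) or "OR" (any child)
    cost: float = 0.0                  # attacker effort for a LEAF, constructed units
    feasible: bool = True              # a LEAF becomes False when a control blocks it
    children: List["Node"] = field(default_factory=list)


def build_tree() -> Node:
    """Root goal: read the customer database, by any of three routes."""
    return Node("Read customer DB", "OR", children=[
        Node("Steal backup tape", "AND", children=[
            Node("Enter data center", cost=40),
            Node("Locate and remove tape", cost=10),
        ]),
        Node("Exploit web app", "AND", children=[
            Node("Find SQL injection", cost=25),
            Node("Dump table via SQLi", cost=5),
        ]),
        Node("Bribe DBA", cost=50),
    ])


def apply_controls(tree: Node, controls: Dict[str, Tuple[str, Optional[float]]]) -> Node:
    """controls maps a leaf name to ("block", None) or ("cost", new_cost)."""
    tree = copy.deepcopy(tree)

    def walk(n: Node) -> None:
        if n.kind == "LEAF" and n.name in controls:
            action, value = controls[n.name]
            if action == "block":
                n.feasible = False
            elif action == "cost":
                n.cost = float(value)
        for c in n.children:
            walk(c)

    walk(tree)
    return tree


def prune_infeasible(node: Node) -> Optional[Node]:
    """Reduction step 1: drop every sub-tree no attacker can complete.
    An AND dies if any prerequisite is gone; an OR dies only if all are."""
    if node.kind == "LEAF":
        return node if node.feasible else None
    kept = [c for c in (prune_infeasible(ch) for ch in node.children) if c is not None]
    if node.kind == "AND" and len(kept) != len(node.children):
        return None
    if node.kind == "OR" and not kept:
        return None
    return Node(node.name, node.kind, children=kept)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Reduction step 2: the least-effort route still open to the attacker."""
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.feasible else (math.inf, [])
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)            # AND: every step is needed
    return (total, [s for r in results for s in r[1]]) if total < math.inf else (math.inf, [])


def count_leaves(node: Node) -> int:
    return 1 if node.kind == "LEAF" else sum(count_leaves(c) for c in node.children)


def analyse(controls: Optional[Dict[str, Tuple[str, Optional[float]]]] = None) -> dict:
    """Apply controls, prune, and report what is left to defend against."""
    tree = apply_controls(build_tree(), controls or {})
    reduced = prune_infeasible(tree)
    if reduced is None:
        return {"leaves_to_consider": 0, "cheapest_cost": math.inf, "cheapest_path": []}
    cost, path = cheapest_path(reduced)
    return {"leaves_to_consider": count_leaves(reduced), "cheapest_cost": cost, "cheapest_path": path}


if __name__ == "__main__":
    print("before controls:", analyse())
    # Assumed controls: parameterised queries remove the SQLi leaf entirely;
    # a mantrap and guards make physical entry far more expensive.
    print("after controls: ", analyse({
        "Find SQL injection": ("block", None),
        "Enter data center": ("cost", 200),
    }))
```

Before any controls the web-application route is cheapest, so that is where the first control goes; after it is blocked, the analysis shrinks from five leaves to three and the cheapest remaining path becomes bribing the DBA, which points at personnel controls rather than more technology.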
49
Q

What’s the difference between Risk Assessment and Risk Analysis?

A

For the CISSP exam. . .

Risk Assessment is the broader effort

Risk Analysis are the specific tasks performed in order to support the goal of risk assessment

50
Q

What are the four main goals of Risk Management?

A
  1. Identify assets and their value to the organization
  2. Determine the likelihood that a threat exploits a vulnerability
  3. Determine the business impact of these potential threats
  4. Provide economic balance between the impact of the threat and the cost of the countermeasure

At a high level Risk Analysis provides a cost/benefit comparison

51
Q

Should the risk assessment team only include specialists from IT and from Security?

A

No – It should include representatives from a broad cross section of the company

52
Q

What are four good questions to ask during a Risk Assessment?

A
  1. What event could occur (threat event)?
  2. What could be the potential impact (risk)?
  3. How often could it happen (frequency)?
  4. What level of confidence do we have in the answers to the first three questions (certainty)?
53
Q

What is the document that NIST developed for Conducting Risks Assessments?

A

NIST SP 800-30 Revision 1

54
Q

What does FRAP stand for and what should be remembered about it?

A

FRAP stands for Facilitated Risk Analysis Process

It is a qualitative methodology

It is IT focused: it examines one system, application or process at a time rather than the whole organization

55
Q

What does OCTAVE stand for and what is it used for?

A

OCTAVE stands for:
Operationally Critical Threat, Asset, and Vulnerability Evaluation

It’s a Risk Assessment Methodology.

IT focused

56
Q

How does the ISO 27005 risk assessment methodology differ from other risk assessment methodologies?

A

Other methodologies are focused on IT and operations.

The ISO 27005 is focused not only on IT and operations, but on other softer issues as well, such as documentation and training

57
Q

What does FMEA stand for and what is it used for?

A

FMEA stands for

Failure Modes and Effect Analysis

Figure out where things are most likely to break and then determine what to do about it.

It is a methodology used in product development

58
Q

What does CRAMM stand for and what is it used for?

A

Central Computing and Telecommunications Agency Risk Analysis and Management Method

Was created by the United Kingdom and now an automated tool sold by Siemens

59
Q

What’s the difference between a risk assessment and a risk analysis?

A

A risk assessment is used to gather the data

A risk analysis examines the gathered data to produce results that can be acted upon

60
Q

What are the two main risk analysis approaches?

A
  1. Quantitative
  2. Qualitative
61
Q

What’s the difference between a vulnerability assessment and a risk assessment?

A

A vulnerability assessment just identifies the vulnerabilities (holes)

A risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact

62
Q

What does SLE stand for and give an equation that uses it

A

SLE stands for Single Loss Expectancy

SLE = Asset Value x Exposure Factor (EF)

63
Q

What is the Exposure Factor (EF)?

A

The Exposure Factor represents the percentage of loss a realized threat could have on a certain asset.

If a data warehouse was valued at $150K and the EF was 25%, then the SLE would be ($150K x 25%) = $37.5K

64
Q

What does ALE stand for and how is it used?

A

ALE stands for Annual Loss Expectancy.

ALE = SLE x Annualized Rate of Occurrence (ARO)

ARO stands for Annualized Rate of Occurrence and it is the estimated frequency of a specific threat taking place within a 12-month timeframe

Key point – Never spend more per year than the ALE to protect something.

65
Q

What are the five expected results of a Quantitative Risk Analysis?

A
  1. Monetary value assigned to assets
  2. Comprehensive list of all significant threats
  3. Probability of the occurrence rate of each threat
  4. Loss potential the company can endure per threat in a 12-month time span
  5. Recommended controls
66
Q

What’s the quantitative equation for cost/benefit analysis in Risk Management

A

Value of safeguard to the company = (ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (annual cost of the safeguard)

A positive result means the safeguard pays for itself; a negative result means it costs more than the risk it removes.
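The SLE, ALE and safeguard-value formulas from cards 62 to 66 are shown below carried through for one asset and two candidate controls. This is an added example written for this page, not content from the flashcards: it reuses the $150K / 25% data warehouse figures from card 63 and adds a constructed ARO of 0.5 and two constructed safeguards with assumed costs and residual EF/ARO values, then applies the rule from card 64 that a control costing more per year than the ALE is rejected.

```python
"""Added example (not from the flashcards): quantitative risk arithmetic
(SLE, ALE, safeguard value) for one asset and several candidate safeguards.
The ARO and the safeguard figures are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # AV, asset value in dollars
    exposure_factor: float   # EF, fraction of AV lost per realized threat (0..1)
    aro: float               # ARO, expected occurrences per 12 months


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # yearly cost of running the control
    residual_ef: float       # EF once the control is in place
    residual_aro: float      # ARO once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of the asset value")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset: Asset, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard)."""
    before = ale(asset.value, asset.exposure_factor, asset.aro)
    after = ale(asset.value, sg.residual_ef, sg.residual_aro)
    return before - after - sg.annual_cost


def choose_safeguard(asset: Asset, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the safeguard with the highest net value, rejecting any that costs
    more per year than the ALE it addresses or whose net value is not positive.
    Returns None when accepting the risk is the cheapest option."""
    current_ale = ale(asset.value, asset.exposure_factor, asset.aro)
    affordable = [s for s in candidates if s.annual_cost <= current_ale]
    scored = [(safeguard_value(asset, s), s) for s in affordable]
    worthwhile = [(v, s) for v, s in scored if v > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda pair: pair[0])[1]


# Constructed inputs: the $150K / 25% data warehouse from card 63, assumed to
# suffer a qualifying incident once every two years (ARO 0.5).
WAREHOUSE = Asset("data warehouse", 150_000.0, 0.25, 0.5)
CANDIDATES = [
    # Assumed: halves the damage per incident, cheap to run.
    Safeguard("encrypted off-site backups", 6_000.0, 0.125, 0.5),
    # Assumed: cuts both impact and frequency, but costs more than the ALE.
    Safeguard("enterprise DLP suite", 25_000.0, 0.125, 0.25),
]

if __name__ == "__main__":
    print("SLE", sle(WAREHOUSE.value, WAREHOUSE.exposure_factor))
    print("ALE", ale(WAREHOUSE.value, WAREHOUSE.exposure_factor, WAREHOUSE.aro))
    for sg in CANDIDATES:
        print(sg.name, "net value", safeguard_value(WAREHOUSE, sg))
    best = choose_safeguard(WAREHOUSE, CANDIDATES)
    print("choose:", best.name if best else "accept the risk")
```

With these inputs the backups return a positive net value ($3,375 per year) while the DLP suite is rejected outright because its $25,000 annual cost exceeds the $18,750 ALE; if only the DLP suite were on offer, the function recommends accepting the risk.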

67
Q

A Business Impact Analysis (BIA) is a component of what Broader Effort?

A

Business Continuity Planning

68
Q

What is Residual Risk

A

Even after implementing a countermeasure, there is still some risk left over. Risk is never completely eliminated

69
Q

What are the four ways of dealing with risk?

A
  1. Transfer it
  2. Avoid it
  3. Reduce it
  4. Accept it
70
Q

What is Supply Chain Risk Management and what is the Target Example?

A

Some attackers will attack the supply chain of a company, rather than the company itself.

Target’s HVAC vendor was targeted and compromised.

From there, the attackers were able to target Point of Sale systems and get credit card info.

71
Q

What does RMF stand for?

A

Risk Management Framework

72
Q

List three Commonly accepted Risk Management Frameworks

A
  • NIST RMF (SP 800-37 Rev. 1; Rev. 2, published December 2018, supersedes it and adds a Prepare step in front of the six below)
  • ISO 31000:2018
  • ISACA Risk IT
73
Q

What are the six steps in the NIST Risk Management Framework?

A
  1. Categorize information system
  2. Select Security Controls
  3. Implement Security Controls
  4. Assess security controls
  5. Authorize information system
  6. Monitor Security Controls
74
Q

What is the equation for Residual Risk?

A

(threats x vulnerability x asset value) x controls gap = residual risk

75
Q

What is the order of steps in the Capability Maturity Model Integration?

A
  1. Initial
  2. Managed (called "Repeatable" in the older SW-CMM)
  3. Defined
  4. Quantitatively Managed
  5. Optimizing
76
Q

What is the purpose of the Organization for Economic Cooperation and Development (OECD)?

A

Almost every country has its own rules on what constitutes private data and how it must be protected. As the digital age arrived, the differing laws began to hinder international trade.

The OECD therefore published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) so that data is protected and everyone follows one set of rules.

77
Q

Define the roles of the following committees:

  • Security policy committee
  • Audit committee
  • Risk Management Committee
  • Security Steering Committee
A
  • Security Policy Committee – chosen by senior management to produce security policies
  • Audit Committee – goal is to provide independent and open communication among the board of directors, management, internal auditors and external auditors; reports its findings to the steering committee
  • Risk Management Committee – purpose is to understand the risks that the organization faces as a whole and work with senior management to reduce them to acceptable levels
  • Security Steering Committee – responsible for making decisions on strategic and tactical issues within the organization
    • Should be made up of individuals from throughout the org.
    • Responsible for the vision statement and mission statement for CIA
    • Does not create the actual policies itself
78
Q

What is the purpose of AS/NZS 4360?

A

AS/NZS 4360 takes a very broad approach to risk management. It can be used to understand a company's financial, capital, human safety and business decision risks.

While it can be used to analyze security risks, it was not created for that purpose. It has since been superseded by AS/NZS ISO 31000:2009.

79
Q

What are the four ways of dealing with risk?

A
  • Risk Mitigation
  • Risk Transference
  • Risk Acceptance
  • Risk Avoidance
80
Q

Define the following:

  • ISO/IEC 27002
  • ISO/IEC 27003
  • ISO/IEC 27004
  • ISO/IEC 27005
A
  • ISO/IEC 27002 - Code of practice for information security management
  • ISO/IEC 27003 - Guideline for ISMS implementation
  • ISO/IEC 27004 - Guideline for information security management measurement and metrics framework
  • ISO/IEC 27005 - Guideline for information security risk management
81
Q

What are the 8 steps of a Business Impact Analysis (BIA)?

A
  1. Select individuals to interview for data gathering
  2. Create data gathering techniques (surveys,questionnaires, etc.)
  3. Identify the company’s critical business functions
  4. Identify the resources these functions depend on
  5. Calculate how long these functions can survive without these resources (maximum tolerable downtime)
  6. Identify vulnerabilities and threats to these functions
  7. Calculate the risk for each different business function
  8. Document findings and report to management
82
Q

What’s the best way to keep the BCP plan up to date?

A

Integrate the BCP with the Change Management process

83
Q

What does the ISO/IEC 27031 standard deal with?

A

ISO/IEC 27031 is a set of guidelines for information and communications technology readiness for business continuity. It is a component of the overall ISO/IEC 27000 series

84
Q

What are the key features of the Digital Millennium Copyright Act (DMCA)?

A

The DMCA is a US copyright law that criminalizes the production and dissemination of technology, devices or services that circumvent access control measures put in place to protect copyrighted material.

85
Q

What is the Internet Architecture Board and what role does it play?

A

The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering and management. It is responsible for:

  • Architectural oversight of Internet Engineering Task Force (IETF) activities
  • Oversight of the Internet Standards Process
  • Hearing appeals in the standards process and overseeing the RFC Editor
  • Issuing ethics-related statements on the use of the Internet (RFC 1087, "Ethics and the Internet")
86
Q

What was the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation?

A

The Council of Europe Convention on Cybercrime

87
Q

What is the European Union Data Protection Directive?

A

The Data Protection Directive (Directive 95/46/EC) was a set of principles governing the use and transfer of information considered private.

All EU member states had to implement it in national law.

Any company that wanted to do business in the EU had to comply.

It was repealed and replaced by the GDPR, which applies directly in every member state from 25 May 2018.

88
Q

What is the purpose of the Safe Harbor requirements?

A

The Safe Harbor requirements were created to harmonize US data privacy practices with the EU's stricter privacy controls, so that personal data could lawfully flow from the EU to US companies, and to prevent accidental information disclosure and leaks.

US companies self-certified against the Safe Harbor principles.

Caveat: the Court of Justice of the EU invalidated Safe Harbor in October 2015 (Schrems I); its successor, the EU-US Privacy Shield, was invalidated in July 2020 (Schrems II).

89
Q

How many sets of instructional books are included in ITIL and which is considered the core set?

A
  • ITIL (v3/2011 edition) consists of 5 core books, one per service lifecycle stage.
  • The core of ITIL is Service Strategy, which covers the overall planning for the intended IT services.
  • The other four stages:
    • Service Design
    • Service Transition
    • Service Operation
    • Continual Service Improvement