Domain 1: Security and Risk Management Flashcards

Question 1

Q

What is the CIA Triad?

Answer

A

Confidentiality, Integrity and Availability

Question 2

Q

What is the principle of ‘confidentiality’?

Answer

A

It is about protecting secrecy of data, objects, or resources by preventing unauthorised access to data. Prevent unauthorised disclosure, need to know, and least privilege, assurance that information is not disclosed to unauthorised programs, users, processes, encryption, logical and physical access control.

Question 3

Q

What is the principle of ‘integrity’?

Answer

A

Protecting the reliability and correctness of data. Examples include access controls, IDS/IPS, and hashing.

Question 4

Q

What is the principle of ‘availability’?

Answer

A

Providing authorised subjects timely and uninterrupted access to objects. This means access to data is reliable, timely, accessible, fault tolerant, and has recovery procedures in place. Examples include, monitoring network traffic.

Question 5

Q

What is an ‘object’?

Answer

A

Passive element, such as files, computers, network connections, and applications

Question 6

Q

What is a ‘subject’?

Answer

A

Active element in a security relationship, such as users, programs and computers.

Question 7

Q

What is defense in depth?

Answer

A

Use of multiple controls in a series to protect an asset

Question 8

Q

What is abstraction?

Answer

A

Where details of something is hidden. Security controls can be applied to the entire group (thus hiding the details)

Question 9

Q

What is ‘IAAA’?

Answer

A

Identification, Authentication, Authorisation, and Auditing

Question 10

Q

What is ‘Authentication’?

Answer

A

Proving one’s identity. Process of verifying or testing that the claimed identity is valid. Examples include providing a correct password, or other correct information.

Question 11

Q

What is ‘Authorisation’?

Answer

A

About defining the permissions (e.g. grant or deny) of a resource and object access for a specific identity. It involves evaluating an access control matrix that compares the subject, the object, and the intended activity.

Question 12

Q

What is ‘Auditing’?

Answer

A

Process of recording log files to check for compliance and violations in order to hold subjects accountable for their actions. Ensures that a subject’s actions are non-repudiation.

Question 13

Q

What is ‘layering’?

Answer

A

Use of multiple controls in a series. Also known as Defense in Depth. Serial configurations (controls in a row) are very narrow but very deep, alternatively parallel configurations are very broad, but lack depth.

Question 14

Q

What is ‘data hiding’?

Answer

A

Preventing data from being discovered or accessed by a subject positioning the data in a logical storage compartment that is not accessible or seen by the subject. Such as polyinstantiaton.

Question 15

Q

What is the weakest element in any security solution?

Question 16

Q

What role does job descriptions play when hiring new staff?

Answer

A

Ensure job descriptions consider separation of duties to separate key functions to limit ability for one employee to circumvent key security controls. Further, ensure a classification for the job.

Question 17

Q

What is ‘job rotation’?

Answer

A

Rotating employees among multiple job positions. This is the best way to investigate an employee’s daily business activity to uncover any potential fraud that may be taking place.

Question 18

Q

Strategic Plan

Answer

A

Long term plan defining organisation’s security purpose. Aligns the plan with the organisations goals, mission, objectives. This is a 5 year plan with annual reviews

Question 19

Q

Tactical Plan

Answer

A

Mid term plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredictable events. This lasts a year

Question 20

Q

Operational Plan

Answer

A

Short term (for a month or quarter) highly detailed plan. Purpose to retain compliance with tactical plans. The plans may include: resource allotments, budgetary requirements.

Question 21

Q

Data Classification Process

Answer

A

Identify the custodian, specify evaluation criteria, document any exceptions, select security controls for each level, specify the procedures for declassifying, and create enterprise wide awareness program

Question 22

Q

Levels of Government/military classification

Answer

A

Top Secret, Secret, Confidential, Sensitive but Unclassified, Unclassified

Question 23

Q

Levels of Corporate classifications

Answer

A

Confidential, Private, Sensitive, Public

Question 24

Q

Due care

Answer

A

Using responsible care to protect the interests of an organisation. Company must do all that it could have reasonably done to try and prevent a security breach /compromise/disaster, and take the necessary steps required as countermeasures/controls (safeguards).

Question 25

Q

Due diligence

Answer

A

Practicing activities that maintain due care effort. Company properly investigated all of its possible weaknesses and vulnerabilities AKA understanding the threats.

Question 26

Q

Information security program

Answer

A

Designing and implementing security practices to protect critical business process and assets.

Question 27

Q

Types of policies

Answer

A

Corporate policy, security policy, system specific policy and issue specific policy

Question 28

Q

Dual control

Answer

A

Where two people must simultaneously authorise an action, such as use of two keys. This is similar to M of N control

Question 29

Q

What is the order of security documents in an organisation?

Answer

A

Policies –> Standards/Baseline –> Guidelines –> Procedures

Question 30

Q

What is a security policy?

Answer

A

Document that defines the scope of security needed by the organisation at a high level. Discusses the assets that require protection, and assigns roles and responsibilities.

Question 31

Q

What is a ‘standard document’?

Answer

A

Mandatory document that provides compulsory requirements for systems to enable consistent use

Question 32

Q

Guidelines

Answer

A

Not mandatory, suggestive in nature actions to guide users

Question 33

Q

Procedure documents

Answer

A

For example, these are Standard Operating Procedures that provide step by step instructions on a given topic

Question 34

Q

Baselines

Answer

A

Mandatory minimum acceptable security configuration for a system or process, e.g. performing hardening, has a standard image

Question 35

Q

Risk

Answer

A

Possibility or likelihood of a threat exploiting a vulnerability to cause harm. Calculated as Risk = Threat x Vulnerability

Question 36

Q

Threat

Answer

A

Potential cause of an unwanted incident, which may result in harm to a system or organisation. Threats exploit vulnerabilities.

Question 37

Q

Vulnerability

Answer

A

Weakness in a system that allows a threat source to compromise its security

Question 38

Q

Exposure

Answer

A

Being susceptible to asset loss because of a threat

Question 39

Q

Safeguards

Answer

A

Security control to reduce/remove a vulnerability. Can be a technical, physical or administrative control

Question 40

Q

Attack

Answer

A

Exploitation of a vulnerability by a threat agent

Question 41

Q

Breach

Answer

A

Intentional or unintentional release of private data to an untrusted environment.

Question 42

Q

Threat agent

Answer

A

Entity that takes advantage of a vulnerability

Question 43

Q

What is ‘DAD’?

Answer

A

Negative to CIA, this is the

Disclosure
Alteration
Destruction

Question 44

Q

Privacy

Answer

A

Maintaining the confidentiality of data

Question 45

Q

ISO 27005

Answer

A

Risk management framework

Question 46

Q

Risk management approach

Answer

A

It is not possible to get rid of all risk, therefore, aim is to bring risk to an acceptable/tolerable level

Question 47

Q

Responsibilities of the Information Security Officer

Answer

A

Written products - ensure they are done
Cyber Incident Response Team - implement and operate
Security awareness - provide leadership
Communicate - risk to higher management
Report to as high a level as possible
Security is everyone’s responsibility

Question 48

Q

Control Frameworks

Answer

A

Ensure control frameworks are:

Consistent - approach and application
Measurable - way to determine progress
Standardised - all the same
Comprehension - examine everything
Modular - to help in review and adaptive. Layered, abstraction.

Question 49

Q

Patent

Answer

A

Grants ownership of an invention and provides enforcement for owner to exclude others from practicing the invention. After 20 years the idea is open source of application.

Question 50

Q

Copyright

Answer

A

Protects the expression of ideas but not necessarily the idea itself. For example, poem or song. Expires 70 years after author dies.

Question 51

Q

Trade secret

Answer

A

Something that is proprietary to a company and important for its survival and profitability (like formula of Coke or Pepsi). This is NOT registered

Question 52

Q

Trademarks

Answer

A

Words, name, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products. For example, McDonald’s ‘M’. Expires in 10 years

Question 53

Q

Wassenaar Agreement (WA) AKA International Traffic in Arms Regulations

Answer

A

Agreement which implemented controls on the export of cryptographic systems.

Question 54

Q

SOX

Answer

A

Sarbanes Oxley. Protects shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures.

Question 55

Q

Section 302 SOX

Answer

A

CEO’s and CFO’s can be sent to jail when the information they sign is incorrect. CEO must sign

Question 56

Q

Section 404 SOX

Answer

A

This is about internal controls assessment: describing logical controls over accounting files, good auditing and information security.

Question 57

Q

Legal Liability for Executives

Answer

A

Executives are now held liable if the organisation they represent is not compliant with the law

Question 58

Q

Negligence

Answer

A

It is a breach of duty of care. This occurs if there is a failure to implement recommended precautions, if there is no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, failure to follow policy or local laws and regulations.

Question 59

Q

COSO

Answer

A

Internal control system/framework to work with Sarbanes Oxley 404 compliance. Developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognised as the definitive standard against which organisations measure the effectiveness of their systems of internal control.

Question 60

Q

COBIT

Answer

A

IT governance and management framework created by ISACA.

Question 61

Q

Incident

Answer

A

An event that has the potential to do harm

Question 62

Q

Data disclosure

Answer

A

Unauthorised acquisition of personal information

Question 63

Q

Event

Answer

A

Threat events are accidental and intentional exploitations of vulnerabilities

Question 64

Q

Fourth Amendment

Answer

A

Basis for privacy rights in fourth amendment to the constitution

Answer 64

A

Protection of PII on federal databases

Answer 65

A

Established the first internationally agreed upon privacy principles.

Answer 66

A

Protects computers used by the Government or in interstate commerce from a variety of abuses.

Answer 67

A

Makes it a crime to invade the privacy of an individual

Answer 68

A

Amended version of HIPAA. The HITECH Act encouraged healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data. Federal law requires notification of individuals when a HIPAA-covered entity breaches their protected health information.

Answer 69

A

Prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of ISP’s for the activities of their users. ISP’s are no longer liable for the transitory activities of the user.

Answer 70

A

Provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.

Answer 71

A

General Data Protection Regulation governs the use and exchange of personal information.

Answer 72

A

ISC has established four key cannon/principles

Answer 73

A

Protect society, the commonwealth, and the infrastructure

Answer 74

A

Act honorably, honestly, justly, responsibly, and legally

Answer 75

A

Provide diligent and competent service to principals

Answer 76

A

Advance and protect the profession

Answer 77

A

Don’t compromise the privacy of users. Access to and use of Internet is a privilege and should be treated as such. It is defined as unacceptable and unethical if you, for example, gain unauthorised access to resources on the internet, destroy integrity, waste resources or compromise privacy

Answer 78

A

Based on the ISC2 BCP Process:

Project scope and planning
BIA
Continuity Planning
Approval and Implementation

Answer 79

A

Goal is to create a document to be used to help understand what impact a disruptive event would have on the business.

Answer 80

A

Business organisation analysis: analyse organisation, including teams
BCP Team Selection: make sure to include senior executives
Resource Requirements: who do you need?
Legal and Regulatory Requirements

Answer 81

A

Identify priorities: valuation of assets, including MTD and RTO for each business function
Identify risks for those assets, such as natural, man made and perform a likelihood assessment

Answer 82

A

Determine appropriate responses: such as risk reduction/mitigation, assign/transfer, risk acceptance, and risk rejection

Answer 83

A

Get approval from CEO
Plan Training
Plan implementation

Answer 84

A

Assigns parts of tasks to different individuals thus no single person has total control of the system’s security mechanisms; forces collision.

Answer 85

A

Requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database.

Answer 86

A

A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types exist: Read only, read/write, and access/change.

Answer 87

A

Two persons review and approve the work of each other, for very sensitive operations

Answer 88

A

Two persons are needed to complete a task

Answer 89

A

Limiting the amount of time a person is assigned to perform a security related task before being moved to different task to prevent fraud; forces collusion

Answer 90

A

Prevent fraud and allowing investigations, one week minimum; kill processes

Answer 91

A

The subject is given only the amount of information required to perform an assigned task, business justification

Answer 92

A

NDA, non compete, and acceptable use

Answer 93

A

Staff members pose more threat than external actors. Loss of money, stolen equipment, loss of time work hours, loss of reputation, declining trusts and loss of resources, bandwidth theft, due diligence.

Answer 94

A

Ensure you perform exit interview

Answer 95

A

Vendors, consultants, and contractors. Make sure they are properly supervised, with their rights based on policy.

Answer 96

A

Chance it will happen

Answer 97

A

Amount of risk left over. Organisations own the risk, and risk is determined as a byproduct of likelihood and impact. Further, the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Legally the remaining residual risk is not counted when deciding whether a company is liable.

Answer 98

A

Best practices for IT core operational processes, not for audit. This includes Service, change, release, and configuration, Strong end-to-end customer focus/expertise. Focused on services and service strategy.

Answer 99

A

Goal is to determine impact of threat and risk of threat occuring, then reduce risk to an acceptable level.

Answer 100

A

Categorise the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Answer 101

A

Conduct Assessment:

ID threat sources and events
ID vulnerabilities and predisposing conditions
Determine likelihood of occurrence
Determine magnitude of impact
Determine risk

Answer 102

A

Implement the security controls and describe how the controls are employed within the information system and its environment of operation

Answer 103

A

Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Answer 104

A

Chance of making an error with no controls in place

Answer 105

A

Chance that controls in place will not prevent, detect or control errors

Answer 106

A

Chance that auditors won’t find an error

Answer 107

A

Concerns about effects of unforseen circumstances

Answer 108

A

Combination of all risks aka Audit Risk

Answer 109

A

Helps to gather the elements that you will need when the actual Risk Analysis takes place.

Answer 110

A

Prepare
Perform
Communicate
Maintain

Answer 111

A

Approval
Form Team
Analyse Data
Calculate Risk
Countermeasure Recommendations

Answer 112

A

Uses quantitative values to calculate risk

Answer 113

A

Asset Value * Exposure Factor (% loss of asset). It is the dollar value lost when an asset is successfully attacked.

Answer 114

A

SLE * ARO

Answer 115

A

Number of times an event occurs in a year

Answer 116

A

Accept: live with it and pay the cost
Mitigate: Reduce by implementing controls by calculating costs
Assign/Transfer: insure the risk to transfer it. Passing it to another entity.
Avoid: stop business activity

Answer 117

A

Loss = probablity * cost

Answer 118

A

Is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows: Total Risk - Controls Gap = Residual Risk

Answer 119

A

Recovery Time Objective: How quickly you need to have that application’s information available after downtime has occurred.

Answer 120

A

Recovery Point Objective: Point in time that application data must be recovered to resume business functions. Amount of data you are willing to lose. For example, you may be willing to loose one day of data.

Answer 121

A

Maximum Tolerable Downtime: Maximum Delay a business can be down and still remain viable. 
MTD: minutes to hours = critical
MTD: 24 hours = urgent
MTD 72 hours = important
MTD 7 days = normal
MTD 30 days = non-essential

Answer 122

A

How much of an asset is exposed to loss, expressed as a percentage (0 to 100%).

Answer 123

A

Human life, dollars, prestige, market share

Answer 124

A

Accountability
Auditability
Source trusted and known
Cost effectiveness
Security
Protection for CIA of assets
Other issues created?

Answer 125

A

Control costs should be less than the value of the asset being protected

Answer 126

A

Preventive: hiring policies, screening security awareness (also called soft measures)
Detective: screening behaviour, job rotation, review of audit records

Answer 127

A

Preventive: protocols, encryption, biometrics, smartcards, routers, firewalls
Detective: IDS and automatic generated violation reports, audit logs, CCTV (never preventative)
Preventive: fences, guards, locks
Detective: motion detectors, thermal detectors, video detectors

Answer 128

A

Things you can see and touch, such as fences, doors and lock, windows

Answer 129

A

Reduce effects of security threats and vulnerabilities to a tolerable level

Answer 130

A

Process that analyses threat scenarios and produce a representation of the estimated potential loss

Answer 131

A

7 Types of controls

Answer 132

A

Specify rules of behaviour

Answer 133

A

Discourage people, change my mind

Answer 134

A

Prevent incident or breach

Answer 135

A

Substitute for loss of primary controls

Answer 136

A

Signal warning, investigate

Answer 137

A

Mitigate damage, restore control. For example, correct a system by deleting its virus.

Answer 138

A

Restore to normal after incident

Answer 139

A

Accuracy: data checks, validity checks
Security: labels, traffic padding, encryption
Consistency: DBMW, data dictionary

Answer 140

A

Accuracy: cyclic redundancy
Security: IDS, audit trails
Consistency: comparison tools

Answer 141

A

Accuracy: checkpoint backups
Security: emergency response
Consistency: database controls

Answer 142

A

Deterrence
Denial
Detection
Delay

Answer 143

A

Testing a network’s defenses by using the same technique as external intruders

Answer 144

A

Port scanners (such as nmap)

Answer 145

A

Capturing data packets

Answer 146

A

War dialing for modems

Answer 147

A

Searching paper disposal areas

Answer 148

A

Most common, get information by asking

Answer 149

A

Blue Team: Had knowledge of the organisation, can be done frequent and least expensive
Red Team: is external and stealthy

Answer 150

A

Ethical hacker knows what to look for, see code as a developer

Answer 151

A

Partial knowledge of the system, see code, act as a user

Answer 152

A

Hacker does not know what to find

Answer 153

A

Planning
Discovery: recon/discover, and enumeration
Attack: Vulnerability analysis, and execution/exploitation
Reporting: document findings/reporting

Answer 154

A

Kernal flaws, buffer overflows, symbolic links, file descriptor attacks

Answer 155

A

Footprint network (information gathering) port scans, vulnerability mapping, exploitation, report scanning, tools are used in penetration tests

Answer 156

A

Operating system penetration testing

Answer 157

A

External, internal, blind, double blind.

Categories: zero, partial, full knowledge tests

Answer 158

A

Plan: ID opportunity and plan for change
Do: implement change on small scale
Check: Use data to analyse results of change
Act: If change successful, implement wider scale, if fails begin, cycle again

Answer 159

A

Individuals must be qualified with the appropriate level of training. This includes:

Developing job descriptions
Contact references
Screen/investigate background
Develop confidentiality agreements
Determine policy on vendor, contractor, consultant and temporary staff access

Answer 160

A

Public Domain; available for anyone to use
Open Source: source code made available with a license in which the copyright holder provide the rights to study, change, and distribute the software to anyone
Freeware: proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s permission.

Answer 161

A

Degree of confidence in satisfaction of security requirements. Is another word for security

Answer 162

A

Don’t assume what client wants, involve users early, define and agree on scope.

Answer 163

A

Technical training to react to situations, best practices for security and network personnel. Employees need to understand policies.

Formal security awareness training provides exact prep on how to do things.

Answer 164

A

Eavesdropping on communication - only legal with prior consent or warrant

Answer 165

A

Act of modifying information, progrms, or documents to commit fraud, tampers with INPUT data

Answer 166

A

Data collected must be collected fairly and lawfully and used only for the purpose for the purpose it was collected

Answer 167

A

Create a bunch of websites with similar names

Answer 168

A

The difficulty of obtaining the clear text from the cipher text as measured by cost/time

Answer 169

A

In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reasembles the secret key.

Answer 170

A

Agreement between IT service provider and customer, document service levels, divorce: how to dissolve relationship

Answer 171

A

Requirements for a service from client viewpoint

Answer 172

A

Insight into a service providers ability to deliver the agreed upon service quality

Answer 173

A

The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency’s operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.

Answer 174

A

Phase 1: categorising, selecting minimum controls, assessment
Phase 2: create national network of secure services to assess

Answer 175

A

Known as the health informatics, and its purpose is to provide guidance to health organisations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

Answer 176

A

Six Sigma: Business management strategy that can be used to carry out process improvement
CMMI: organisational development for process improvement developed by Carnegie Mellon

Answer 177

A

Are carried out to protect human life, and then other procedures need to be executed to reduce the damage from other threats.

Answer 178

A

The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in 1991.

Answer 179

A

Requires financial institutions to provide written privacy policies to all their customers.

Answer 180

A

Threat modelling technique. 
S: Spoofing
T: Tampering
R: Repudiation
I: Information disclosure
D: Denial of access
E: Elevation of privilege

Answer 181

A

Threat modelling diagramming where a greater understanding of the logic of the product as well as its interactions with external elements.

Answer 182

A

Requires all carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

Answer 183

A

Authorise information system operation based on a determination of the risk to organisational operations and assets, individuals, other organisations, and the country resulting from the operation of the information system and the decision that this risk is acceptable.

Answer 184

A

Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organisational officials.

Brainscape's Knowledge GenomeTM

Domain 1: Security and Risk Management Flashcards

Brainscape's Knowledge Genome^TM