Domain 1 - Security and Risk Management COPY

Question 1

what is CIA

Answer 1

confidentiality
integrity
availability

Question 2

what are we protecting when we are talking about integrity

Answer 2

ensuring there is no unauthorized modifications to the data or systems (no data has been altered)

Question 3

what are we protecting when we are talking about availability

Answer 3

authorized persons have access to the data or system at a reasonable amount of time

Question 4

what are we protecting with confidentiality

Answer 4

only authorized persons or systems have access to the data when they need it

Question 5

tools that are used to ensure confidentiality

Answer 5

1. encryption for data at rest (example AES256)
2. secure transport protocols (SSL, TLS, IPSEC)
3. best security practice for data in use ( clean desk, no shoulder surfing, screen view protector, pc locking policy,
4. strong passwords, multi-factor authentication, masking data entry, access controls, need-to-know, least privilege

Question 6

threats to confidentiality

Answer 6

1. attacks on encryption (cryptanalyst)
2. social engineering
3. key loggers (software/hardware), cameras, steganography
4. IOT (internet of things) the numbers of these items pose a threat. less secure, most are not updated, can be used as backdoors to other systems

Question 7

what software/tools can we use to ensure integrity

Answer 7

1. cryptography (again)
2. check sums (this could be CRC)
3. message digest (hash) this could be MD5, SHA1 or SHA2
4. digital signatures
5. access control

Question 8

examples of threats to integrity

Answer 8

1. alteration of our data
2. code injection
3. attacks on your encryption (cryptanalysis)

Question 9

tools used to ensure availability

Answer 9

1. IPS/IDS
2. Patch management
3. redundancy (multiple power supplies/UPS’s/generators), disks (raid), traffic paths(network design), HVAC, staff, HA and more
4. SLA’s - how much uptime do we want (what is that cost?)

Question 10

threats to availability

Answer 10

1. malicious attacks (DDOS, physical, system compromise, staff)
2. application failures (errors in the code)
3. component failure (hardware)

Question 11

what does IAAA stand for

Answer 11

identification
authentication
authorization
accountability (monitoring/logging)

Question 12

what is Identification

Answer 12

you name, username, serial number, id number, employee number
“I am XXXX”

Question 13

what is authentication

Answer 13

proving you are who you say you are (always should be multifactor)

Question 14

what is Type 1 authentication

Answer 14

something you know -Type 1 Authentication: (passwords, pass phrase, PIN, etc.)

Question 15

what is type 2 authentication

Answer 15

something you have -Type 2 Authentication: (ID, passport, smart card, token, cookies on PC, one time password (OTP) etc. )

Question 16

what is type 3 authentication

Answer 16

something you are - Type 3 Authentication: (biometrics) fingerprint, iris scan, facial geometry, etc)

Question 17

what is the opposite of CIA

Answer 17

Disclosure - (confidentiality)
destruction - (availability)
alteration - (integrity)

Question 18

formula for risk

Answer 18

risk = threat X vulnerability
Sometimes an added variable of impact is added
Risk = threat x vulnerability x impact

Question 19

if there is a vulnerability but no threat towards that vulnerability, is there risk?

Answer 19

no

if there is not threat towards the vulnerability there is not current risk

Question 20

what is authorization?

Answer 20

1. what you are allowed to access

2. access control models ( DAC, MAC, RBAC(role based access), RUBAC(rule based access))

Question 21

what is the last A in IAAA

Answer 21

accountability -

1. auditing(logs)
2. prove who/what a given action was performed by (non-repudiation)

Question 22

explain least privilege

Answer 22

1. give users/system exactly the access they need, no more

Question 23

explain need to know

Answer 23

1. you are generally given more access than you need(in a need to know environment) but if you do not have a need then you should not be accessing that data.
   example: doctors, they need to have access to all patients but if they are not their patients the do not have the need to access their data

Question 24

what is non-repudiation and what two functions are used to provide it

Answer 24

• can not deny having performed a certain action
• authentication
• integrity

Question 25

what is a subject

Answer 25

(active) most often a user but can be a system. subjects manipulate objects

Question 26

what is an object

Answer 26

1. (passive) object is manipulated by subjects
2. any passive data (both physical paper and data)
3. a program can be both object and subject depending on if its accessing data or something is accessing it

Question 27

what is governance not (security governance)

Answer 27

• how an organization is managed

* actions and controls placed on those charged with managing a business entity

Question 28

what is security governance

Answer 28

1. how security is managed through policies, roles, processes used to make security decisions.

Question 29

In this list there are 6 truths about organizational security goals. name as many as you can

Answer 29

• security must align with the organization goals, not dominate or drive them
• security is optional, its a support function
security and the budget that funds it, can be done away with at any time (probably not wise but it can be)
• security practitioners must align with organizational goals
• implemented correctly, it helps keep cost down
• the security program must serve the organization properly

Question 30

what is a governance committee

Answer 30

a formal decision making body within the organization

Question 31

list the need to know C-level (senior leadership) - ultimately liable.

Answer 31

1. CEO - chief executive officer
2. COO - chief operations officer
3. CIO - chief information officer
4. CTO - chief technology officer
5. CSO - chief security officer
6. CISO - chief information security officer
   7 CFO - chief financial officer

Question 32

what does pci-dss stand for and what is it

Answer 32

payment card industry data security standard..

its a standard but IS required if you want to handle credit cards or debits cards

Question 33

what is COBIT and what to remember about it

Answer 33

• framework created by ISACA for IT management and governance
• has 5 principals
• business framework for governance and management of enterprise IT

Question 34

what is the goal behind COSO

Answer 34

• auditing controls framework
• designed to prevent fraud reporting of financial activities
• provides guiding principles for internal controls over the entire enterprise

Question 35

what is ITIL

Answer 35

• is a framework (best practices) for IT service management for (ITSM)
• ITIL v4, essentially it’s a best practice for service management (IT)

Question 36

what does ITSM stand for and what is it

Answer 36

Information Technology service management..
• improving business performance through better IT deliver.
• making IT better for
••• business operations
••• Employees
••• customers

Question 37

Define ITSM

Answer 37

• information technology service management
• the craft of implementing, managing, and delivering and improving IT services
• focuses on aligning IT processes and services with the business objectives to help an organization grow

Question 38

quickly define the FRAP methodology

Answer 38

• focus is on IT security threats
• qualitative risk management
• focus only on systems that really need assessing, reducing cost and time needed
• the author felt that trying to use mathematical formulas to figure risk was too complicated

Question 39

what is ISO/IEC 27001?

Answer 39

this international standard provides requirements for establishing, implementing, maintaining and improving an Information Security management System (ISMS)

Question 40

what does ISO/IEC 27002 accomplish

Answer 40

it is to be used as a reference for determining and implementing controls for information security risk treatment in a information security management system (ISMS) based on ISO/IEC 27001

Question 41

what does ISO/IEC 27004 accomplish

Answer 41

intended to assist organizations to evaluate the performance and effectiveness of and ISMS (information, security management system).
* monitor
* measurement
* analysis
* evaluation
based from ISO 27001

Question 42

what does ISO/IEC 27005 provide

Answer 42

guidelines for information security risk management in an organization.
• its just guidelines, it is up to the organization to define their approach to risk management

Question 43

what does IS/IEC 27799 provid

Answer 43

standard that provides guidance to healthcare organizations and other custodians of protected health information (PHI) on how to best protect confidentiality, integrity and availability of that information

Question 44

a couple of facts about criminal law

Answer 44

• society is the victim
• proof must be beyond a reasonable doubt
• incarceration, death, financial fines

Question 45

facts about civil law

Answer 45

• another name is tort law
• individuals, groups and organizations are the victims
• proof must be “the majority of proof”
• financial fines to compensate the victim(s)

Question 46

facts about administrative law

Answer 46

• regulatory law

* enacted by government agencies (FDA laws, HIPAA, FAA laws etc.)

Question 47

facts about private regulations

Answer 47

• compliance is required by contract (example: PCI-DSS)

Question 48

facts about customary laws

Answer 48

• mostly handles personal conduct and patterns of behavior

* traditions and customs of the area or region

Question 49

facts about religious law

Answer 49

• pretty much what it sounds like
• religious beliefs in that area or country
• often include their code of ethics and morality

Question 50

who is ultimately liable?

Answer 50

• senior leadership

* this does not mean you are not liable if you did something wrong (depends on due care)

Question 51

what is due care

Answer 51

• actions/behaviors
• prudent person rule
• what would a prudent(reasonable) person would do in this/that situation
• implementing/applying proper policies, procedures, processes etc.
• examples: changing systems settings (crypt algorithms, key size, protocols), employee training and awareness about security and their responsibility, disabling employee access when needed.

Question 52

what is due diligence

Answer 52

• researching
• preparation
• leg work
• knowledge and understanding
• making sure the right things are done correctly (research, investigation)
• anything done before decisions are made
• example: knowledge of laws, regulations, industry standards, knowledge of best practices

Question 53

explain negligence

Answer 53

• opposite of due care

* if your systems are compromised and you did nothing to prevent it, you are likely negligent or gross negligent

Question 54

explain real evidence

Answer 54

• tangible and physical objects (hard disks, usb drives) (but not the data))

Question 55

what does evidence have to be in order to be considered in court

Answer 55

• relevant
• material
• complete

Question 56

direct evidence is

Answer 56

• testimony from first hand witness

* what they experiences with their 5 senses

Question 57

what is circumstantial evidence

Answer 57

• evidence to support circumstances or other evidence

Question 58

explain hearsay evidence

Answer 58

• mostly what it sounds like - not first hand knowledge

* computer generated records

Question 59

what type of evidence are logs and documents from the system

Answer 59

secondary evidence

Question 60

the integrity of evidence is mandatory, what are a few things done during forensics

Answer 60

• disks are hashed (cd, hard drive, sd card, blue ray etc.)
• make a copy using a write blocker to prevent changes to drive - hash again to make sure there was no change
• all investigation is done on the copy
• hash the copy when done to prove no changes were made

Question 61

evidence chain of custody

Answer 61

• who obtained the evidence and secured it
• where and when it was obtained
• who had control or possession of the evidence
• secure storage in a monitored vault is common

Question 62

reasonable searches - a few details

Answer 62

• the fourth amendment protects citizens from unreasonable search and seizure by the government
• in all cases the court will decide if the evidence was obtained legally
• exigent circumstances

Question 63

when does exigent circumstances apply

Answer 63

• if there is an immediate threat to human life

* or if evidence is about to be destroyed

Question 64

define entrapement

Answer 64

• illegal and unethical

* when someone is persuaded to commit a crime that they did not intend to and charged for that crime

Question 65

define enticement

Answer 65

• legal and ethical
• making committing a crime more enticing - the person has broken the law or at least decided to do so
• an example would be honeypots
• check with legal before department before using honeypots - they pose both legal and practical risks

Question 66

what does copyright cover

Answer 66

books, art, music, software

Question 67

how long does a copyright last

Answer 67

• 70 years after creator’s death

* 95 years after creation by a corporation

Question 68

what is the exceptions to copyright law

Answer 68

• first sale

* fair use

Question 69

what do trademarks cover

Answer 69

• brand names, logos, slogans(must be registered)

Question 70

how long do trademarks last

Answer 70

• valid for 10 years

* can be renewed indefinitely

Question 71

what do patents cover

Answer 71

• inventions

* cryptographic algorithms can be patented

Question 72

how long do patents last

Answer 72

• 20 years

Question 73

what is the criteria for a patent

1. profitable
2. novel
3. previously unknown
4. nonobvious
5. music\books\art
6. useful

Answer 73

2. novel (new idea no one has had before)
3. useful (can be used and is useful to others)
4. nonobvious (inventive work involved)

Question 74

trade secret attributes

Answer 74

• you keep your secret recipe secret (KFC)
• if discovered, anyone can use it
• there is no protection

Question 75

what are some attacks on a copyright

Answer 75

• piracy (software piracy is the most common)

* copyright infringement (use of someone else’s copyrighted material, often songs and images)

Question 76

what are some attacks on trademarks

Answer 76

• counterfeiting (fake Rolexes, Prada, Nike) either using the real name or something similar

Question 77

what are some attacks on patents

Answer 77

• patent infringement - using someone else’s patent in your product without permission

Question 78

what are some attacks on tradesecrets

Answer 78

• there is no law that protect trade secrets but you also cant break the law to discover it.

Question 79

what is cybersquating

Answer 79

• buying a URL that you know someone else will need for the soul purpose of selling at a profit

Question 80

what is typo squatting

Answer 80

• buying URL that are very close the the real thing (this can be illegal in some circumstances)

Question 81

what does HIPAA stand for

Answer 81

• Health Insurance Portability and Accountability Act

Question 82

what is the core protection of HIPAA

Answer 82

• Strict privacy and security rules on handling PHI (protected health information)

Question 83

what does PHI stand for

Answer 83

• protected health information

Question 84

what does SOX stand for, what was it and when was it created

Answer 84

• Sarbanes-Oxley Act
• created 2002
• created to prevent a repeat of accounting scandals in the 1990s

Question 85

what sector is Gramm-Leach-Briley act (GLBA) aimed at

Answer 85

• applies to financial institutions

* drive by the federal financial instutution

Question 86

what did the patriot act do

when was it

Answer 86

• expand law enforcement electronic monitoring capabilities
• allows search and seizure without immediate disclosure
• 2001

Question 87

what does PCI-DSS stand for

Answer 87

• Payment Card Industry Data Security Standard

Question 88

is PCI-DSS a law

Answer 88

• no, its a standard enforced by the payment card industry

Question 89

what do PCI-DSS standards apply to and what is its purpose

Answer 89

• credit cards
• debit cards
• requires merchants and anyone dealing with credit cards and debit cards to meet a minimum set of security requirements

Question 90

what does GDPR stand for and when was it enacted

Answer 90

• General data protection regulations
• enacted in 2016
° enforced in 2018

Question 91

what region does GDPR apply to

Answer 91

• anyone living in the European Union

Question 92

1. does GDPR (general protection privacy act) apply to anyone outside the EU
2. how about EU citizens living outside the EU

Answer 92

• no

* it does not apply to EU citizens living outside the EU

Question 93

what are possible fines if you break GDPR rules

Answer 93

• 20 million euro or 4% of annual revenue

Question 94

list GDRP personal data types

Answer 94

name(even common), email address, living address, unsubscribe confirmation URLs that contain email and/or names, IP address etc.

Question 95

according to GDPR what is required to use personal data and what are the limitations

Answer 95

• the individual has to give expressed consent to user the personal data and only the person data that the consent was given for
• the individual has the right to opt out
• no other personal data is legal to process, unless there is a legal reason to do so
• even after consent is given, the identity has to be anonymized

Question 96

according to GDPR what are the only reasons that personal data would be allowed to be unmasked

Answer 96

• national security
• military
• police
• or the justice system

Question 97

In GDPR - - what is right to access

Answer 97

• article 15, you have the right to request a copy of your personal data or request a electronic copy and it must be provided

Question 98

GDPR what is right to erasure

Answer 98

• you have the right to request to be forgotten (all personal data about you must be destroyed), except for laws and regulatory reasons like credit cards etc.

Question 99

GDPR breach notification is what

Answer 99

• users and data controllers must be notified of data breaches within 72 hours

Question 100

in the US, are you required to report a data breach if your data was encrypted

Answer 100

• no

Question 101

from a company perspective, what are some thoughts when dealing with GDPR and personal data

Answer 101

• care must be taken to ensure personal data security
• only store personal data that is absolutely necessary - if its not needed, do not store it, you are not legally allowed to do so
• of you are data processing and monitoring information in the EU you must appoint a data protection officer

Question 102

what are some legacy laws between the EU and US

Answer 102

• EU data protection directive (predecessor to GDPR)
• EU-US safe harbor
• Privacy Shield

Question 103

is it legal to transport data outside the EU

Answer 103

• only if the county has equal to or greater privacy protection as GDPR
• the US does not
Note: there are agreements/ requirements to allow data to and from the US (safe harbor act is an example)

Question 104

what laws dealing with privacy did the European court of justice declare invalid

Answer 104

• EU-US safe harbor in 2015

* Privacy shield in 2020

Question 105

Wassenaar Arrangement attributes

Answer 105

• 41 members
• was originally for conventional arms
• “dual-use” good and technologies was added (cryptography is part of that)
• import and export restriction on cryptographic algorithms
• Iran, Iraq, China, Russia have restrictions on how strong the encryption is allowed in their country (they don’t want it to be too hard to spy on their citizens)

Question 106

which is not mandatory

1. policies
2. standards
3. guidelines
4. procedures
5. baselines (benchmarks)

Answer 106

3. guidelines

Question 107

which are mandatory

1. policies
2. standards
3. guidelines
4. procedures
5. baselines (benchmarks)

Answer 107

1. policies
2. standards
3. procedures
4. baselines

Question 108

define policies

Answer 108

• mandatory
• high level - none specific (broad umbrella)
• strategic
• why and what we are doing (not how)
• can contain “patches, updates, strong encryption”
• not specific to OS, encryption type or vendor technology

Question 109

define standards

Answer 109

• standards set a describes a specific use of technology ( all laptops will be windows 10 64bit , 8 gigs of memory 1TB hard drive etc.)
• tactical
• formalization of regulatory or compliance
• laws and regulations from outside the organization
• mandatory
• A perfect example is when a standard sets a mandatory requirement, such as that encryptions must be applied to all email communications.

Question 110

define guidelines

Answer 110

• recommendations, discretionary
—- suggestions on how you would do things
• non-mandatory
• do not confuse guidelines with best practices. they are not the same

Question 111

define procedures

Answer 111

• mandatory
• very detailed step by step approach on how to implement a security practice
• most specific
• they will contain “ OS type, encryption type, vendor technology”

Question 112

define baseline

Answer 112

• mandatory
• benchmarks for server hardening, apps, network
• minimum requirements
• stronger can be implemented if needed but these are minimum requirements

Question 113

users often pose the largest security risk. what are some ways to minimize

Answer 113

• awareness training - change users behavior
• training - provide users with a skillsets
• hiring practices - background checks, check references, degrees, employment, criminal and maybe credit history.
• employee termination practices - coach and train employees before firing them (they get warnings)
• •• proper termination process, all access is properly shut down at the right time

Question 114

what should you do to ensure you are protected when dealing with vendors, consultants etc.

Answer 114

• vendors, consultants and contractor security should be trained on processes for handling data.
• their systems need to secure enough for our policies and procedures

Question 115

what are the 3 access control categories

Answer 115

• administrative
• technical
• physical

Question 116

what are the 6 access control categories

Answer 116

1. preventative
2. detective
3. corrective
4. recover
5. deterrent
6. compensating

Question 117

define administrative access controls

Answer 117

• policies and procedures defined by organization security policy to implement and enforce overall access control.
• (personnel and business practices)
• •• examples: policies and procedures, background checks, hiring practices, data classification, vacation history, reviews, security training awareness

Question 118

define technical access control

Answer 118

• hardware/software/ that manages access control to systems and resources
• firewalls, routers, encryption, protocols, smart cards, ACLs, passwords, constrained interfaces

Question 119

define physical access control

Answer 119

• barriers deployed to prevent direct contact with systems or facilities.
• •• examples: locks, fences, guards, dogs, gates, bollards,

Question 120

define preventive access control

Answer 120

• stops unwanted or unauthorized activity from happening, prevents actions from happening
• ••• examples: fences, least privilege, security policies, security awareness training, drug testing, IPS, firewalls, encryption, data classification, strong authentication, biometric access, mantraps

Question 121

define detective access control

Answer 121

• controls that detect during or after unauthorized activities
• •• examples: IDS, CCTV, alarms, anti-virus, security guards, mandatory vacations, honey pots, audit trails, incident investigation, security guards

Question 122

define corrective controls

Answer 122

• any measures taken to repair damage or restore resources and capabilities to prior state
• •• examples: patching a system, updating an outdated antivirus, quarantine a virus, terminating a process, rebooting a system, business continuity plan, applying a fix, restoring from backup

Question 123

define recovery access control

Answer 123

• deployed to repair or restore resources. can repair damage as well as stop further damage
• •• examples: DR environment, backups, HA environment, fault tolerant drive systems, server clustering, database shadowing.

Question 124

define deterrent access controls

Answer 124

• deployed to discourage the violation of security policies - deter an attack
• •• examples: locks, fences, security badges, security guards, mantraps, cameras, trespass or intrusion alarms, separation of duties, encryption, auditing, firewalls, awareness training, dogs

Question 125

define compensating access controls

Answer 125

• provide various options to other existing controls, to aid the enforcement and support of a security policy.
• •• examples: security policies, personnel supervision, monitoring, work task procedures

Question 126

what is the formula for risk

Answer 126

• risk = threat X vulnerability
• impact can be added
• risk = threat X vulnerability X impact (how bad is it)

Question 127

what are the 4 steps to risk management lifecycle that Thor teaches

Answer 127

• Risk identification 
• risk assessment (analysis)
• risk response/mitigation
• risk and control monitoring 
       its an iterative process

Question 128

what is an asset

Answer 128

• anything of value to the company

Question 129

what is a vulnerability

Answer 129

• a weakness, the absence of a safeguard

Question 130

what is a threat

Answer 130

• an incident that could negatively effect the organization

* Any natural or man-made circumstance that could harm an organizational asset

Question 131

what is a threat agent

Answer 131

• the entity which carries out the attack

Question 132

what is an exploit

Answer 132

• an instance of compromise

Question 133

what is a risk

Answer 133

• the probability of a threat materializing

* the probability of exposure or loss resulting from a cyber attack or data breach on your organization

Question 134

what are controls

Answer 134

• physical, administrative, technical protections (including safeguards and countermeasures)

Question 135

two types of risk assessments

Answer 135

• qualitative

* quantitative

Question 136

what is qualitative risk assessment

Answer 136

• how likely is it to happen
• how bad is it if it happens
• some guess work, estimations based off feel - very subjective
• a pretty quick process

Question 137

what is quantitative risk analysis

Answer 137

• this is dealing with dollars. what is the actual cost
• dealing with actual value of the asset
• based on facts
• labor intensive
• objective

Question 138

what is asset value

Answer 138

• the value of the asset

Question 139

what does EF stand for and what is it

Answer 139

• exposure factor

* percentage of asset lost due to an incident

Question 140

what is SLE and how do you figure it

Answer 140

• single loss expectancy
• SLE = (AV X EF)
single loss expectancy = asset value X exposure factor

Question 141

what is ARO and how do you figure it

Answer 141

• annual rate of occurrence

* how often will this loss happen per year (usually shown as a percentage)

Question 142

what is ALE and how to figure it

Answer 142

• Annualized loss expectancy
• yearly cost due to a risk
• ALE = SLE X ARO
annualized loss expectancy = single loss expectancy X annual rate of occurrence

Question 143

what is TCO and how is it figured

Answer 143

• total cost of ownership
• the total cost of a mitigating safeguard. (upfront cost plus the annual cost of maintenance) this includes staff hours, vendor maintenance fees, software subscriptions, etc.

Question 144

what are the 4 types of risk response and some details if needed

Answer 144

• accept risk - we know the risk but the cost to mitigate is more costly than the risk
• mitigate the risk (reduction)
• avoid - decide to no longer do that activity because mitigation is too expensive
• transfer - insurance or 3rd party support (msp etc.)

Question 145

• can you mitigate all risk?

* what is residual?

Answer 145

• no

* residual risk is what is left after you mitigate the risk to an acceptable level

Question 146

what is risk avoidance

Answer 146

• we choose not to do the action to avoid the risk

* ••• example: maybe there is a risk to loss of data on stolen laptops. to avoid that risk, you don’t deploy laptops.

Question 147

what is risk rejection

Answer 147

• you know the risk is there and you do nothing

* we never do this, its not an acceptable answer

Question 148

what is transfer of risk

Answer 148

• handing the risk off to a willing 3rd party
• think insurance
• possibly any 3rd party vendor if you are choosing them to transfer risk (order fulfillment, payroll services, customer service, managed service provider)

Question 149

what is secondary risk

Answer 149

• mitigating one risk, may open up another risk

Question 150

according to nist 800-39 what does the risk management process include

Answer 150

• Framing risk
• assessing risk
• responding to risk
• monitoring risk

Question 151

according to nist 800-39 what are the 3 tiers that risk assessments can be conducted

Answer 151

• organization
• missions/business processes
• information systems
• ••• process should start at the top, go down the stack then the inter tier and and intra tier feedback loop goes back to the top.

Question 152

according to nist 800-39 why should all 3 tiers in the risk assessment be considered

Answer 152

• traditionally risk assessment is focused at the information system tier. many risks can be missed by not looking at organization and mission tiers.

Question 153

what is nist 800-30

Answer 153

• guide to conducting risk assessments

Question 154

what is nist 800-37

Answer 154

• RMF (risk management framework for Information Systems and Organizations)

Question 155

according to NIST 800-37 what are the 7 risk management framework steps

Answer 155

• Prepare - to execute RMF
• Categorize - the systems and information
• select - initial set of controls
• implement - the controls and document
• assess - are controls implemented correctly and working
• authorize - sign off by senior management or data owner
• monitor - continue to monitor controls, conduct risk assessments and impact analysis

Question 156

what are the NIST cybersecurity framework core funcitons

Answer 156

• Identify
• protect
• detect
• respond
• monitor

Question 157

what falls in the Identify function in the NIST cybersecurity framework

Answer 157

• asset management
• governance
• risk assessment
• supply chain risk management

Question 158

what falls in the protect function in the NIST cybersecurity framework

Answer 158

• awareness training
• data security
• Identity management and access control
• maintenance

Question 159

what falls in the detect function in the NIST cybersecurity framework

Answer 159

• anomalies and events
• security monitoring
• detection process

Question 160

what falls in the respond function in the NIST cybersecurity framework

Answer 160

• response planning
• communications
• mitigation
• improvements
• analysis

Question 161

what falls in the recover function of the NIST cybersecurity framework

Answer 161

• recovery planning
• improvements
• communications

Question 162

what is KGI

Answer 162

• key goal indicators

* KGI are lagging indicators, the function is to confirm whether or not a business goal has been reached.

Question 163

what is KPI

Answer 163

• key performance indicators

* are used to show how the organization is performing based on the goals set by leadership.

Question 164

what is KRI

Answer 164

• key risk indicators
• measures the organizations risk and how its risk profile changes
• metrics that demonstrate the risks that an organization is facing or how risky and activity is
• metrics used by organizations to provide an early signal of increasing risk exposures in various areas

Question 165

what is a risk register

Answer 165

• an information repository an organization creates to document the risks they face and the responses the are taking to address the risks.
• at a minimum each risk documented should contain a description of each risk, the likelihood and impact from a cost standpoint.
• each risk should be ranked in priority relevant to other risks, the response for each risk and how owns it.

Question 166

what is C&C

Answer 166

• command and control, when talking about botnets and malware

Question 167

what protocols do botnets often use

Answer 167

• IRC, HTTP, HTTPS

Question 168

what are the 4 types of fishing and the media/target they us

Answer 168

• phishing - social engineering, small attacks or mass emails, not specific target
• spear phishing - targeted phishing at a specific person. still using social engineering but there has been information gathered on a person or group
• whale phishing - spear phishing targeted at senior leadership
• vishing - attacks over voice. automated calls “your taxes are due” “your account is locked, enter your PII to prevent this”

Question 169

what is the purpose of the business continuity plan

Answer 169

• to respond to disruptions, activate recovery teams, handle tactical disaster status communication, assess damage caused by disruption

Question 170

what does BCP stand for

Answer 170

• business continuity plan

Question 171

define BCP

Answer 171

• a document that outlines how a business will continue to operate during an unplanned disruption in service
• isthe process of ensuring the continuous operation of your business before, during, and after a disaster event

Question 172

what are the important NIST publications for security and risk management

Answer 172

• NIST 800-30 - guide for conducting risk assessments
• NIST 800- 39 Managing Information Security Risk
• NIST 800-34 Contingency Planning Guide for Federal Information Systems
• NIST 800-53

Question 173

what is the focus of continuity planning and what section of the company does it normally apply to

Answer 173

• Continuity Planning normally applies to the mission/business itself; it concerns the ability to continue critical functions and process during and after an emergency event.

Question 174

what is the focus of contingency planning and what section of the company does it normally apply to

Answer 174

• contingency planning applies to information systems, and provides the steps needed to recover the operations for all or part of designated information systems

Question 175

define cyber incident response planning

Answer 175

• a plan that normally focuses on detection, response and recovery to a computer security incident or event

Question 176

define (BCP)

Answer 176

• business continuity plan focuses on sustaining the organizations mission/business processes during and after a disruption
• BCP can be scoped for a single business unit or the entire organization
• BCP may be used as a long-term recovery in conjunction with the COOP
• ••• an example: how do deal with payroll processes during a disruption

Question 177

what does COOP stand for

Answer 177

• continuity of operations

Question 178

what is the function of COOP

Answer 178

• focuses on restoring an organizations missions essential functions (MEF) at an alternate site and performing those functions for 30 days before returning to normal operations
• may also be activated with BCP, ISCP or DRP

Question 179

what is the function of the crisis communication plan

Answer 179

• documents standard procedures for internal and external communications in the event of a disruption
• provides various formats
• often defines specific people as the “only” authority to answer questions from or providing information to the public
• should be communicated to COOP and BCP planners

Question 180

what does CIPP stand for

Answer 180

• critical infrastructure protection plan (CIPP)

Question 181

what is the function of CIP (critical infrastructure protection plan)

Answer 181

• critical infrastructure and key resources (CIKR)
• components of the national infrastructure that are deemed so vital that their loss would have debilitation effect of the safety, security, economy, and/or health of the Unites States.

Question 182

what is Cyber Incident Response plan

Answer 182

• establishes procedures to address cyber attack’s against an organization’s information system.
• this plan may be an appendix in the BCP
• this may activate a ISCP or DRP

Question 183

what does DRP stand for

Answer 183

• disaster recovery plan

Question 184

what is the function of the DRP

Answer 184

• DRP is a information system-focused plan designed to restore operability of the target system, applications, or computer facility infrastructure at an alternate site after an emergency
• DRP only address information system disruptions the require relocation
• DRP may support BCP or COOP

Question 185

what does ISCP stand for

Answer 185

• information system contingency plan
• provides procedures for the assessment and recovery of a system following a system disruption
• differs from the DRP in the fact that the plan focuses on recovery and is not specific to site (primary or failover site)
• can work in conjunction with coop, drp and bcp

Question 186

what does OEP stand for

Answer 186

• occupant emergency plan

Question 187

what is the OPE (occupancy emergency plan) focus on

Answer 187

• people are most important
• first response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property.
• physical threat
• fire, bomb threat, chemical release, domestic violence in the work place, or medical emergency
• initiated preceding a COOP or DRP activation

Question 188

what is the BIA pupose

Answer 188

• to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption.

Question 189

what plans should the BIA be incorporated into

Answer 189

• BCP
• DRP
• COOP

Question 190

3 stages typically involved with BIA

Answer 190

1. determine mission/business process and recovery criticality
2. Identify resource requirements - what resources are needed to resume mission critical processes
3. Identify recovery priorities for system recourses - prioritize the mission critical processes

Question 191

what is MTD

Answer 191

• Maximum Tolerable Downtime
• the total amount of time the system owner/authorizing official is willing to accept for a mission process outage or disruption.

Question 192

what is RTO

Answer 192

• Recovery time Objective
• the amount of time to restore the system (hardware)
• RTO and WRT must not exceed MTD

Question 193

what two formulas should be equal to or less than MTD

Answer 193

• RTO and WRT

Question 194

what is WRT

Answer 194

• Work Recovery Time (software)

Question 195

what is MTBF

Answer 195

• Mean Time Between Failures

* •••• example: average time that drives fails is 5 years. MTBF is 5 years

Question 196

what is MTTR

Answer 196

• Mean Time To Repair – how long it takes to recovery the failed system

Question 197

what is MOR

Answer 197

• Minimum Operating Requirements - the minimum requirements for critical systems to function

Question 198

what will suffer if you have too much confidentiality

Answer 198

• availability

Question 199

what will suffer if you have too much integrity

Answer 199

• availability

Question 200

what will suffer if you have to much availability

Answer 200

• confidentiality and integrity

Question 201

what is IT security’s main purposes

Answer 201

• to support the business mission statement
• support business goals
• we are not the most important department but we span all departments
• we are security leaders and business leaders

Question 202

should senior management be part of the BCP and DROP process

Answer 202

• yes, they need to be involved and committed
• ultimately they are liable
• they must show due care and due diligence
• be careful during the process, most departments feel they are the most important therefore their systems should be take priority

Question 203

what is the ISC2 ethics mnemonic

Answer 203

• PAPA
• Protect
• Act
• Provide
• Advance

Question 204

what is type 1 authentication

Answer 204

• something you know — password, pass, phrase, PIN, etc.

Question 205

what is type 2 authentication

Answer 205

• something you have – ID, passport, smart card, token, cookies on PC, one time password(OTP) etc.

Question 206

what is type 3 authentication

Answer 206

• something you are – (biometrics) fingerprint, iris scan, facial geometry, your gait (walking pattern)

Question 207

what is the subject of ISO 27799

Answer 207

• Directives on how to protect PHI

Question 208

what is the subject of ISO 27005

Answer 208

• standards based approach to risk management

Question 209

explain Sabsa

Answer 209

• layers and framework create and define a top down architecture for every requirement, control and process available in COBIT
• model and methodology for developing a risk-driven enterprise information security architecture and service management, to support critical business processes

Question 210

explain TOGAF framework

Answer 210

• TOGAF is useful for defining the architecture goals, benefits and vision, and setting up and implementing projects to reach those goals.

Question 211

types of evidence

Answer 211

• Demonstrative evidence
• Documentary evidence
• Real evidence
• Testimonial evidence

Question 212

what is corroborative evidence

Answer 212

is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary
piece of evidence.

Question 213

what is secondary evidence

Answer 213

• is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases). Oral evidence, such as a witness’s testimony, and copies of original documents are placed in this category.
• Logs and documents from the systems are considered secondary
evidence.

Question 214

corrective access control is what

Answer 214

Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system

Question 215

Which of these is automatically granted, you do NOT have to apply for it?

1. patent
2. trademark
3. copyright
4. legal immunity

Answer 215

3. copyright

Question 216

We are considering how we should protect our intellectual property. Which of these do you need to apply for to be protected? (Select all that apply).

1. patent
2. trademark
3. trade secret
4. copyright

Answer 216

1. patent

2. trademarks

Question 217

Which of these would be a type of corrective access control?

1. encryption
2. backups
3. patches
4. IDS

Answer 217

3. patches

Question 218

Jane is working on strengthening our preventative controls. What could she look at to do that?

1. patches
2. IDS
3. drug tests
4. backup

Answer 218

3. drug test

Question 219

Healthcare insurers, providers and clearing house agencies must comply with HIPAA (Health Insurance Portability and Accountability Act) if they operate in the United States. Which of these are rules they MUST follow? (Select all that apply).

1. privacy
2. disclosure rule
3. encryption rule
4. breach notification
5. security rule

Answer 219

1. privacy rule
2. breach notification rule
3. security rule

Explanation
Puts strict privacy and security rules on how Protected Health Information (PHI) is handled by health insurers, providers and clearing house agencies (Claims). Health Insurance Portability and Accountability Act (HIPAA) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate Administrative, Physical and Technical safeguards. Security Breach Notification Laws. NOT Federal, 48 states have individual laws, know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many have an encryption clause. Lost encrypted data may not require disclosure.

Question 220

If we are wanting to implement a governance standard and control framework focused on IT service management, which of these should we implement?

coso
frap
cobit
ITIL

Answer 220

ITIL

Explanation
ITIL (Information Technology Infrastructure Library) focuses on ITSM (IT Service Management).

Question 221

One of our senior VPs calls you up to explain a term he heard at a conference. He heard about cybersquatting and wants to know more. Which of these is TRUE about it?

never profitable
potentially illegal
always illegal
legal

Answer 221

legal

Explanation
Cybersquatting – Buying an URL you know someone else will need (To sell at huge profit – not illegal).

Question 222

Which type of companies are subject to the Sarbanes-Oxley act (SOX)?

1. startup companies
2. healthcare companies
3. private companies
4. publicly traded companies

Answer 222

4. publicly traded companies

Explanation
Sarbanes-Oxley Act of 2002 (SOX): Directly related to the accounting scandals in the late 90’s. Regulatory compliance mandated standards for financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.

Question 223

Jane is looking at the CIA triad and working on mitigating our availability vulnerabilities. Select all the threats against our availability:
software coding errors  
code injections
keyloggers
hardware failure
ddos

Answer 223

software coding errors (meaning fault error. something failing to a halt) “I did not read this correctly the first time”
hardware failure
DDOS

Explanation
Common attacks on our availability includes Distributed Denial Of Service (DDOS) attacks, hardware failures, software failures. Keyloggers are normally attacks on our confidentiality and code injections are attacks on our integrity.

Question 224

The US HIPAA (Health Insurance Portability and Accountability Act) laws have 3 core rules. Which of these is NOT one of them?

encryption rule
breach notification rule
security rule
privacy rule

Answer 224

encryption rule

Explanation
HIPAA (Health Insurance Portability and Accountability Act) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate administrative, physical and technical safeguards. Risk Analysis is required.

Question 225

What could be a security concern we would need to address in a procurement situation?

1. who gets the IT infrastructure
2. all of these
3. how do we ensure their security stands are high enough
4. security is part of the SLA

Answer 225

4. security is part of the SLA (read this question wrong. this is buying from a 3rd party not buying a business)

Explanation
Procurement: When we buy products or services from a 3rd party, security part of the SLA.

Question 226

You hear that senior management is looking at the ISO 27005 standard, and a colleague asks you, “What is that focused on?”

1. PHI
2. risk management
3. HIPAA
4. ITSM

Answer 226

2. risk management

Explanation
ISO 27005: Standards based approach to Risk Management.

Question 227

What would be one of the security concerns we would need to address in a divestiture?

1. who gets the IT infrastructure
2. all of these
3. security is part of the SLA
4. how do we ensure their security standards are high enough

Answer 227

1. who gets the IT infrastructure

Explanation
Divestitures: Your organization is being split up. How do you ensure no data crosses boundaries it shouldn’t? Who gets the IT Infrastructure?

Question 228

With the CIA triad in mind, if we have too much confidentiality which other control will suffer the MOST?

1. authentication
2. integrity
3. availability
4. accountability

Answer 228

3. availability

Explanation
Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for your organization. Too much Confidentiality and the Availability can suffer.