Domain 1 - Security and Risk Managment

Question 1

What is CIA?

Answer 1

Confidentiality
Integrity
Availability

Question 2

Opposite of CIA

Answer 2

DAD

Disclosure
Alteration
Destruction

Question 3

Confidentiality

Answer 3

Prevent unauthorized disclosure, need to know, and least privilege.

Assurance that information is not disclosed to unauthorized programs, users, processes, encryption, logical and physical access control,

Question 4

Integrity

Answer 4

• No unauthorized modifications,

- consistent data, protecting data or a resource from being altered in an unauthorized fashion

Question 5

Availability

Think of…

FART

Answer 5

FART

• Fault tolerance
• Accessible
• Reliable
• Timely

Recovery procedures WHEN NEEDED

Question 6

What is required for Accountability?

Answer 6

IAAA

Identification
Authentication
Accountability
Authorization

Question 7

Privacy

Answer 7

level of confidentiality and privacy protections

Question 8

What is the goal of risk management?

Answer 8

Get risk to acceptable /tolerable level.

Not possible to get rid of all risk`

Question 9

What are Baselines?

Answer 9

Minimum standards

Question 10

What is ISO 27005?

Answer 10

Risk Management Framework

Question 11

What are the responsibilities of the Information Security Officer (ISO) ?

Answer 11

Written Products – ensure they are done

CIRT – implement and operate Security

Awareness – provide leadership

Communicate – risk to higher management

Report to as high a level as possible Security is everyone’s responsibility

Question 12

What are the characteristics of a Control Frameworks?

Answer 12

Consistent – approach & application

Measurable – way to determine progress

Standardized – all the same Comprehension – examine everything

Modular – to help in review and adaptive. Layered, abstraction

Question 13

What is Due Care?

Answer 13

Taking action and doing what is reasonable that a Prudent man would do in the same situation.

Taking the necessary steps required as countermeasures, Controls (safeguards).

Question 14

What is Due Diligence?

Answer 14

Doing the necessary research. Means that the company properly investigated all of its possibly weaknesses and vulnerabilities.

AKA understanding the threats

Question 15

Intellectual Property Laws

Think of a computer, a PC
PCTT

Answer 15

Patent
Copyright
Trade Secret
Trademarks

Question 16

Define Patent

Answer 16

Grants ownership of an invention and provides enforcement for owner to exclude others from practicing the invention. After 20 years the idea is open source of application

Question 17

Define Copyright

Answer 17

Protects the expression of ideas but not necessarily the idea itself ex. Poem, song @70 years after author dies

Question 18

Define Trade Secret

Answer 18

Something that is propriety to a company and important for its survival and profitability (like formula of Coke or Pepsi)

DON’T REGISTER – no application

Question 19

Define Trademarks

Answer 19

Words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M) @10 years

Question 20

Sarbanes Oxley, Section 302

Answer 20

The essence of Section 302 of the Sarbanes-Oxley Act states that the CEO and CFO are directly reponsible for the accuracy, documentation and submission of all financial reports as well as the internal control structure to the SEC.

Question 21

Sarbanes Oxley, Section 404

Picture a big Ox in front of a bank vault protecting the money (financial reporting)

Answer 21

Mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.

The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting.

logical controls over accounting files; good auditing and information security

Question 22

What are the Corporate Officers’ liability under Sarbanes Oxley (SOX)?

Answer 22

Executives are now held liable if the organization they represent is not compliant with the law. Negligence occurs if there is a failure to implement

Negligence occurs if there is a failure to implement recommended precautions, if there is no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, failure to follow policy or local laws and regulations.

Question 23

What is COSO?

“CRC IM”

Answer 23

Framework to work with Sarbanes-Oxley 404 compliance (internal controls to financial reporting).

European laws: TREADWAY COMMISSION

Need for information security to protect the individual. Privacy is the keyword here! Only use information of individuals for what it was gathered for

COSO helps a company define organizational risks at a business level.

CRC IM

Control environment— Management’s philosophy and operating style; the company culture as it pertains to ethics and fraud

Risk assessment— Establishment of risk objectives; the ability to manage internal and external change

Control activities—Policies, procedures, and practices put in place to mitigate risk

Information and communication—A structure that ensures that the right people get the right information at the right time

Monitoring—Detecting and responding to control deficiencies

Question 24

ITSEC

Answer 24

The Information Technology Security Evaluation Criteria

The European version of TCSEC

Question 25

COBIT

Answer 25

Control Objectives for Information and Related Technologies Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high level control objectives. Having controls, GRC heavy auditing, metrics, regulated industry

Question 26

Incident

Answer 26

An event that has potential to do harm

Question 27

Breach

Answer 27

Incident that results in disclosure or potential disclosure of data

Question 28

Data Disclosure

Answer 28

Unauthorized acquisition of personal information

Question 29

Event

Answer 29

Threat events are accidental and intentional exploitations of Vulnerabilities.

Question 30

ITAR

Answer 30

International Traffic in Arms Regulations Defense goods, arms export control act

Question 31

FERPA

Answer 31

Family Educational Rights and Privacy Act

Question 32

Graham, Leach, Bliley (GLBA) Think of a leach sucking on a credit card

Answer 32

Credit related Personally identifiable information (PII)

Question 33

ECS

Answer 33

Electronic Communication Service (Europe) Notice of breaches

Question 34

Fourth Amendment

Answer 34

The basis for privacy rights is the Fourth Amendment to the Constitution. Prevents unauthorized search and seizure

Question 35

1974 US Privacy Act Think of... Privacy=Protect -->Personal

Answer 35

Protection of PII on federal databases

Question 36

1980 Organization for Economic Cooperation and Development (OECD)

Answer 36

Provides for data collection, specifications, safeguards A global organization that provides guidelines to various countries on collecting, handling, and protecting personal data

Question 37

US Computer Fraud and Abuse Act

Answer 37

Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment. A Federal crime to access a protected computer without proper authorization

Question 38

Electronic Communications Privacy Act

Answer 38

Prohibits eavesdropping or interception w/o distinguishing private/public

Question 39

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Answer 39

Amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

Question 40

1987 US Computer Security Act

Answer 40

Security training, develop a security plan, and identify sensitive systems on govt. agencies To improve the security and privacy of sensitive information in federal computer systems and to establish a minimum acceptable security practices for such systems

Question 41

US Economic and Protection of Propriety Information Act

Answer 41

Industrial and corporate espionage

Question 42

Health Insurance and Portability Accountability Act (HIPPA)

Answer 42

Provides data privacy and security provisions for safeguarding medical information

Question 43

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

Answer 43

Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements

Question 44

ISC2 Code of Ethics

Answer 44

Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.

Question 45

Internet Advisory Board (IAB) Ethics and Internet (RFC 1087)

Answer 45

Don’t compromise the privacy of users. Access to and use of Internet is a privilege and should be treated as such It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.

Question 46

Business Continuity plans development (BCP)

Answer 46

BCP Steps: 1. Project Initiation (Develop policy and management approval) 2. BIA 3. Recovery Strategy 4. Plan design and development 5. Implementation 6. Testing 7. Continual maintenance Defining the continuity strategy Computing strategy to preserve the elements of HW/SW/ communication lines/data/application - Facilities: use of main buildings or any remote facilities People: operators, management, technical support persons Supplies and equipment: paper, forms HVAC Documenting the continuity strategy

Question 47

What is the Goal of a Business Impact Assessment (BIA)?

Answer 47

Goal: to create a document to be used to help understand what impact a disruptive event would have on the business.

Question 48

What are the key steps in a BIA? "My Science Resume is Wonderful''! SCI | CV | RAD ``` SCI = Science CV = Curriculum Vitae = Resume RAD = is slang for Wonderful ``` Think of a teenager with long hair from California who is in school in a Science classroom looking at a microscope and holding in his hand is his CV (Resume) and he is shouting "Dude! My Science Resume is RAD, it's Wonderful"!

Answer 48

Select individuals to interview for Data-gathering Create Data-gathering techniques (qualitative and quantitative analysis) Identify Company's Critical Business Functions and Resources Calculate how long these functions can survive without these resources ( Maximum Tolerable Downtime - MTD) Vulnerability Assessment Risk Assessment Analyze the compiled information Documentation and Recommendation

Question 49

BIA Step 1 - Gathering assessment material

Answer 49

Org charts to determine functional relationships Examine business success factors

Question 50

BIA Step 2 - Vulnerability assessment

Answer 50

Identify Critical IT resources out of critical processes, Identify disruption impacts and Maximum, Tolerable Downtime (MTD) Loss Quantitative (revenue, expenses for repair) or Qualitative (competitive edge, public embarrassment). Presented as low, high, medium. Develop recovery procedures

Question 51

BIA Step 3 - Analyze the compiled information

Answer 51

Document the process Identify interdependabilit Determine acceptable interruption periods

Question 52

BIA Step 4 - Documentation and Recommendation

Answer 52

Provide Documentation and Recommendation to managment

Question 53

In a BIA, the RTO

Answer 53

The Recovery Time Objective (RTO) must be less than the Maximum Tolerable Downtime

Question 54

What are some Administrative Management Controls?

Answer 54

``` M of N Control Least privilege Two-man control Dual control Rotation of duties Mandatory vacations Need to know Employee Agreements - NDA, no compete, acceptable use ```

Question 55

Who are the greatest threat to security?

Answer 55

Employees, staff members pose more threat than external actors, loss of money stolen equipment, loss of time work hours, loss of reputation declining trusts and loss of resources, bandwidth theft, due diligence Voluntary & involuntary ------------------Exit interview!!!

Question 56

Who are Third Party Controls geared towards?

Answer 56

- Vendors - Consultants - Contractors Properly supervised, rights based on policy

Question 57

Threat

Answer 57

Damage

Question 58

Vulnerability

Answer 58

Weakness, flaw or lack of a countermeasure Weakness to a threat vector (never does anything)

Question 59

Likelihood

Answer 59

chance it will happen

Question 60

Residual Risk

Answer 60

amount of risk left over after countermeasures have been put in place You can never completely eliminate risk

Question 61

How is Risk determined?

Answer 61

Risk is determined as a byproduct of likelihood and impact . Organizations own the risk

Question 62

What is ITIL?

Answer 62

Best practices for IT core operational processes, not for audit - Service - Change - Release - Configuration Strong end to end customer focus/expertise About services and service strategy Risk

Question 63

What is the goal of Risk Management?

Answer 63

Determine impact of the threat and risk of threat occurring. The primary goal of risk management is to reduce risk to an acceptable level.

Question 64

What are the steps in conducting a Risk Management Analysis?

Answer 64

Step 1 – Prepare for Assessment (purpose, scope, etc.) Step 2 – Conduct Assessment - ID threat sources and events - ID vulnerabilities and predisposing conditions - Determine likelihood of occurrence - Determine magnitude of impact - Determine risk Step 3 – Communicate Risk/results Step 4 – Maintain Assessment/regularly

Question 65

What are the different types of Risk?

Answer 65

``` Inherent Control Detection Residual Business Overall ```

Question 66

Inherent Risk

Answer 66

chance of making an error with no controls in place

Question 67

Control Risk

Answer 67

chance that controls in place will prevent, detect or control errors

Question 68

Detection Risk

Answer 68

chance that auditors won’t find an error

Question 69

Residual Risk

Answer 69

risk remaining after control in place

Question 70

Business Risk

Answer 70

concerns about effects of unforeseen circumstances

Question 71

Overall Risk

Answer 71

combination of all risks aka Audit risk

Question 72

Preliminary Security Examination (PSE)

Answer 72

Helps to gather the elements that you will need when the actual Risk Analysis takes place.

Question 73

Risk Analysis steps?

Answer 73

Identify assets, identify threats, and calculate risk.

Question 74

ISO 27005

Answer 74

deals with risk

Question 75

Four Major Risk Assessment Steps

Answer 75

Prepare, Perform, Communicate, Maintain

Question 76

What are the steps in a Qualitative Risk Assessment?

Answer 76

Approval – Form Team – Analyze Data – Calculate Risk – Countermeasure Recommendations Note: Remember Hybrid Risk Assessment which is a combination of a Qualitative and Quantitative Risk Assessment

Question 77

Hybrid Risk Assessment

Answer 77

A combination of a Qualitative and Quantitative Risk Assessment

Question 78

Quantitative Risk Analysis

Answer 78

Deals with numbers and values which is conducted after a Qualitative Risk Analysis.

Question 79

SLE (single Loss Expectancy)

Answer 79

= Asset Value * Exposure factor (% loss of asset)

Question 80

ALE (Annual loss expectancy)

Answer 80

= SLE * ARO (Annualized Rate of occurrence)

Question 81

What are some Risk responses after a Quantitative Risk Analysis has been performed?

Answer 81

Accept Mitigate (Reduce) Assign or Transfer Avoid

Question 82

Risk: Mitigation

Answer 82

Reduce by implementing controls calculate costs

Question 83

Risk: Assign/Transfer

Answer 83

Insure the risk to transfer it

Question 84

Risk: Avoidance

Answer 84

Stop the business activity that is causing the risk because you don't want to accept the risk

Question 85

Risk: Loss

Answer 85

Probability x Cost

Question 86

Residual Risk

Answer 86

Where cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Legally the remaining residual risk is not counted when deciding whether a company is liable.

Question 87

Controls Gap

Answer 87

The amount of risk that is reduced by implementing safeguards

Question 88

How to calculate Residual Risk?

Answer 88

Total risk – controls gap = residual risk

Question 89

RTO (Recovery Time Objective) Time=Quickly Objective=Target

Answer 89

How quickly you need to have that application’s information available after downtime has occurred The recovery time objective (RTO) is the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs. RTO, or Recovery Time Objective, is the target time you set for the recovery of your IT and business activities after a disaster has struck. The goal here is to calculate how quickly you need to recover, which can then dictate the type or preparations you need to implement and the overall budget you should assign to business continuity.

Question 90

RPO (Recovery Point Objective)

Answer 90

Point in time that application data must be recovered to resume business functions; AMOUNT OF DATA YOUR WILLING TO LOSE

Question 91

MTD (Maximum Tolerable Downtime)

Answer 91

Maximum delay a business can be down and still remain viable MTD minutes to hours: critical MTD 24 hours: urgent MTD 72 hours: important MTD 7 days: normal MTD 30 days non-essential PLAN Accept Build Risk Team Review Once in 100 years = ARO of 0.01

Question 92

Define SLE

Answer 92

The dollar value lost when an asset is successfully attacked

Question 93

What are consequences of an Impact?

Answer 93

Life, dollars, prestige, market share

Question 94

Risk: Acceptance

Answer 94

live with it and pay the cost Accept the consequences of the risk

Question 95

Risk Framework Countermeasures

Answer 95

- Accountability - Auditability - Source trusted and known - Cost-effectiveness - Security - Protection for CIA of assets - Other issues created? If it leaves residual data from its function

Question 96

How do you determine if a company shall proceed with a Control for Risk mitigation?

Answer 96

Primary Controls (Types) – (control cost should be less than the value of the asset being protected)

Question 97

Administrative/Managerial Policy Controls

Answer 97

Preventive | Detective

Question 98

Administrative: Preventive Control

Answer 98

hiring policies, screening security awareness (also called soft-measures!)

Question 99

Administrative: Detective

Answer 99

screening behavior, job rotation, review of audit records

Question 100

Technical (aka Logical) :Preventive

Answer 100

protocols, encryption, biometrics smartcards, routers, firewalls

Question 101

Technical (Logical): Detective

Answer 101

IDS and automatic generated violation reports, audit logs, CCTV(never preventative)

Question 102

Physical: Preventive

Answer 102

fences, guards, locks

Question 103

Physical: Detective

Answer 103

motion detectors, thermal detectors video cameras

Question 104

What is the primary objective of implementing Controls?

Answer 104

To reduce the effects of security threats and vulnerabilities to a tolerable level

Question 105

Another definition of Risk Analysis

Answer 105

Process that analyses threat scenarios and produces a representation of the estimated Potential loss

Question 106

Access Control: Directive

Answer 106

Specify rules of behavio

Question 107

Access Control: Deterrent

Answer 107

Discourage people, change my mind

Question 108

Access Control: Preventative

Answer 108

Prevent incident or breach

Question 109

Access Control: Compensating

Answer 109

Sub for loss of primary control

Question 110

Access Control: Detective

Answer 110

Signal warning, investigate

Question 111

Access Control: Corrective

Answer 111

Mitigate damage, restore control

Question 112

Access Control: Recovery

Answer 112

Restore to normal after incident

Question 113

Preventive: Accuracy

Answer 113

Data checks, validity checks

Question 114

Preventive: Security

Answer 114

Labels, traffic padding, encryption

Question 115

Preventive: Consistency

Answer 115

DBMS, Data dictionary

Question 116

Detective: Accuracy

Answer 116

Cyclic Redundancy

Question 117

Detective: Security

Answer 117

IDS, audit trails

Question 118

Detective: Consistency

Answer 118

Comparison tools

Question 119

Corrective: Accuracy

Answer 119

Checkpoint, backups

Question 120

Corrective: Security

Answer 120

Emergency response

Question 121

Corrective:Consistency

Answer 121

Database controls

Question 122

What is Penetration Testing?

Answer 122

Testing a networks defenses by using the same techniques as external intruders

Question 123

Penetration Testing: Scanning and Probing

Answer 123

Scanning - port scanners Demon Dialing - war dialing for modems Sniffing – capture data packets Dumpster Diving – searching paper disposal areas Social Engineering – most common, get information by asking

Question 124

Blue team

Answer 124

Had knowledge of the organization, can be done frequent and least expensive

Question 125

Red team

Answer 125

Is external and stealthy

Question 126

White box

Answer 126

Ethical hacker knows what to look for, see code as a developer

Question 127

Grey Box

Answer 127

Partial knowledge of the system, see code, act as a user

Question 128

Black box

Answer 128

Ethical hacker not knowing what to find No prior knowledge

Question 129

What are the 4 Stages of Penetration Testing?

Answer 129

Panning, discovery, attack, reporting

Question 130

In Penetration Testing, what are some examples of vulnerabilities exploited?

Answer 130

Kernel flaws, Buffer overflows, Symbolic links, File descriptor attack

Question 131

Footprinting

Answer 131

External information gathering information gathering - port scans, vulnerability mapping, exploitation, report scanning tools are used in penetration tests

Question 132

Fingerprinting

Answer 132

Information gathering on the operating systems and web applications that are running on a target host.

Question 133

Penetration Testing strategies

Answer 133

External, internal, blind, double-blind

Question 134

Penetration Testing Strategies

Answer 134

Zero, partial, full knowledge tests

Question 135

Pen Test Methodology

Answer 135

- Recon/discover - Enumeration - vulnerability analysis - execution/exploitation - Document Findings/reporting - SPELL OUT AND DEFINE!!!!

Question 136

What is the Deming Cycle?

Answer 136

Plan – ID opportunity & plan for change Do – implement change on small scale Check – use data to analyze results of change Act – if change successful, implement wider scale, if fails begin cycle again

Question 137

Employee Administrative Controls

Answer 137

Individuals must be qualified with the appropriate level of training. - Develop job descriptions - Contact references - Screen/investigate background - Develop confidentiality agreements - Determine policy on vendor, contractor, consultant, and temporary staff access DUE DILIGENCE

Question 138

Software Licenses: Public domain

Answer 138

Available for anyone to use

Question 139

Software Licenses: Open source

Answer 139

Source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone

Question 140

Software Licenses: Freeware

Answer 140

Proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author's permission

Question 141

What is Assurance as it relates to Security?

Answer 141

Degree of confidence in satisfaction of security requirements Assurance = other word for security THINK OUTSIDE AUDIT

Question 142

What is Security Awareness?

Answer 142

Technical training to react to situations, best practices for Security and network personnel; Employees, need to understand policies then use presentations and posters etc. to get them aware Formal security awareness training – exact prep on how to do things

Question 143

What is Wire Tapping?

Answer 143

Eavesdropping on communication -only legal with prior consent or warrant

Question 144

What is Data Diddling?

Answer 144

Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data

Question 145

What does Privacy Laws stipulate?

Answer 145

Data collected must be collected fairly and lawfully and used only for the purpose it was collected

Question 146

Water holing

Answer 146

Create a bunch of websites with similar names

Question 147

Work Function (factor)

Answer 147

The difficulty of obtaining the clear text from the cipher text as measured by cost/time

Question 148

Fair Cryptosystems

Answer 148

In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.

Question 149

What is an SLA

Answer 149

Agreement between IT service provider and customer, document service levels, divorce; how to dissolve relationship

Question 150

SLR (requirements)

Answer 150

Requirements for a service from client viewpoint

Question 151

Service level report

Answer 151

Insight into a service providers ability to deliver the agreed upon service quality Legislative

Question 152

What is FISMA?

Answer 152

Regarding Federal Agencies Phase 1 categorizing, selecting minimum controls, assessment Phase 2: create national network of secures services to assess