First CBK Domain Flashcards

1
Q

What is the CIA Triad (sometimes referred to as AIC)?

A

Confidentiality
Integrity
Availability

2
Q

What is Confidentiality in the CIA Triad?

A

What most people think IT security is. Beyond that, it is the measures taken to keep our data and secrets secret, and to ensure that no unauthorized person can access the data.

3
Q

What is Integrity in the CIA Triad?

A

How we protect data and systems against unauthorized modification, and how we ensure the data has not been altered (for example, by comparing cryptographic hashes).

4
Q

What is Availability in the CIA Triad?

A

How we ensure authorized people can access the data they need, when they need to.

5
Q

What are some threats that target Confidentiality in the CIA Triad?

A

Attacks on your encryption (cryptanalysis).
Social engineering.
Key loggers (software or hardware), cameras, steganography (hiding exfiltrated data inside innocuous files).
IoT (Internet of Things): the growing number of connected devices poses a new threat; they can be a back door into other systems.

6
Q

What are things we do to ensure Confidentiality regarding the CIA Triad?

A

Encryption for data at rest (for instance AES-256), full-disk encryption.

Secure transport protocols for data in motion (TLS or IPsec; SSL is the deprecated predecessor of TLS and should no longer be used).

Best practices for data in use: clean desk, no shoulder surfing, screen privacy filter, PC locking (automatic and when leaving).

Strong passwords, multi-factor authentication, masking, access control, need-to-know, least privilege.

7
Q

What are some threats that target Integrity regarding the CIA Triad?

A

Alterations of our data (unauthorized or accidental).

Code injection (for example SQL injection or command injection altering data or behaviour).

Attacks on your encryption and hashing (cryptanalysis), which undermine the mechanisms used to detect alteration.

8
Q

What are some threats that target Availability regarding the CIA Triad?

A

Malicious attacks (DDoS, physical attacks, system compromise, malicious or careless staff).

Application failures (errors in the code).

Component failure (hardware).

9
Q

What are some things we do to ensure Availability regarding the CIA Triad?

A

IPS/IDS.

Patch management.

Redundancy: power (multiple power supplies, UPSs, generators), disks (RAID), traffic paths (network design), HVAC, staff, HA (high availability) clustering, and much more.

SLAs: how much uptime do we want (99.9%?), weighed against what it costs to deliver (ROI).

10
Q

What is the opposite of the CIA Triad?

A

DAD: Disclosure, Alteration, and Destruction.

11
Q

What is “Disclosure” regarding the DAD?

A

Someone not authorized getting access to your information.

12
Q

What is “Alteration” regarding DAD?

A

Your data has been changed.

13
Q

What is “Destruction” regarding DAD?

A

Your data or systems have been destroyed or rendered inaccessible.

14
Q

What is IAAA?

A

Identification, Authentication, Authorization and Accountability.

15
Q

Regarding the “I” Identification in IAAA, what is it?

A

A claim of who you are: your name, username, ID number, employee number, SSN, etc. Identification alone proves nothing; it is only the claim that authentication then verifies.

16
Q

What is the “A” Authentication, in IAAA?

A

It is the step where you prove you are who you say you are, and it should always be done with multi-factor authentication (factors drawn from at least two different types; two passwords are still single-factor).

The different types of authentication are:

Something you know – Type 1 Authentication (passwords, passphrases, PINs, etc.).
Something you have – Type 2 Authentication (ID, passport, smart card, hardware or software token, cookie on a PC, etc.).
Something you are – Type 3 Authentication (biometrics: fingerprint, iris scan, facial geometry, etc.).
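The two-factor check described above, as an added example (not code from the course or the flashcards): a Type 1 factor (a salted PBKDF2 password hash, something you know) combined with a Type 2 factor (a TOTP code from a token or authenticator app, something you have). HOTP/TOTP are implemented per RFC 4226 / RFC 6238 with the standard library only; the in-memory user store, the user names and the password are constructed for the example, and the TOTP secret is the RFC 6238 test secret, so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256. Only the salt and the derived key are stored;
    the plaintext password never is."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Assumption: an in-memory dict stands in for a real directory or database.
USERS = {}


def register(username, password, totp_secret):
    salt, pw_hash = hash_password(password)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(username, password, code, now):
    """True only when BOTH factors verify.

    The username is the identification step (a claim); the password is the
    Type 1 factor and the TOTP code the Type 2 factor. Both checks always run
    and use constant-time comparison so timing does not reveal which one failed."""
    user = USERS.get(username)
    if user is None:
        return False
    _, candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Accept the current 30-second step and one step either side to tolerate
    # small clock drift between the token and the server.
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + drift * 30), code)
        for drift in (-1, 0, 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo data; the secret is the RFC 6238 test-vector secret.
    rfc_secret = b"12345678901234567890"
    register("alice", "correct horse battery staple", rfc_secret)
    print("TOTP at t=59:", totp(rfc_secret, 59))            # RFC vector: 287082
    print("both factors:", authenticate("alice", "correct horse battery staple", "287082", 59))
    print("password only:", authenticate("alice", "correct horse battery staple", "000000", 59))
```

Note that a correct password with a wrong code fails just like a wrong password with a correct code: neither factor on its own is enough, which is the point of the "always multi-factor" rule on the card.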

17
Q

What is the Second “A” Authorization in IAAA?

A

What you are allowed to access once authenticated.

▪ We use access control models. What we implement, and how, depends on the organization and what our security goals are.

▪ More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC).

18
Q

What is the third “A” accountability in the IAAA?

A

(Also often referred to as auditing.)
Trace an action to a subject's identity: prove who or what performed a given action (non-repudiation). This depends on identification and authentication being reliable and on logs whose integrity is protected.

19
Q

What are the Security Governance Principles?

A

Least Privilege and Need to Know.

▪ Least Privilege (minimum necessary access): give users and systems exactly the access they need to do their job, no more and no less.

▪ Need to Know: even if you have the clearance or technical access, if you do not need the data for your job, you should not access it.

20
Q

What is Non-Repudiation?

A

A user cannot deny having performed a certain action. This relies on both authentication (proving who acted) and integrity (proving what they did was not altered afterwards).

21
Q

Define Subject.

A

Something or someone that is active. Most often a user, but it can also be a program or process. A subject manipulates an object.

22
Q

Define Object.

A

Something that is passive: any passive data (both physical paper and electronic data). An object is manipulated by a subject.

23
Q

Can someone/something be both a “Subject” and an “Object”?

A

Yes, but at different times: a running program is a subject; when it is not running, the program's data (its file on disk) can be an object.

24
Q

Define “Governance”

A

Setting direction: this is the C-level executives (not you).

25
Q

In the Realm of “Governance”, Stakeholder’s needs, conditions and options are evaluated to define what?

A

Balanced, agreed-upon enterprise objectives to be achieved.

Setting direction through prioritization and decision making.

Monitoring performance and compliance against the agreed-upon direction and objectives.

Level of risk appetite: aggressive, neutral or averse.

26
Q

Define “Management”

A

How we get to the destination set by governance (this is you).

27
Q

In the realm of “management”, what does this entail?

A

Plans, builds, runs and monitors activities in alignment with the direction set by governance, in order to achieve the objectives.

Risk tolerance: how we practically work with our risk appetite in our environment.

28
Q

For security purposes, what are the two types of Organizational structures?

A

Bottom up and Top down

29
Q

For a “Bottom-Up” Organization, how is IT Security viewed?

A

IT Security is seen as a nuisance rather than a helper; this often only changes when breaches happen.

30
Q

For a “Top Down” organizational structure, how is IT Security viewed?

A

Senior leadership is on board with IT Security; they lead and set the direction. (This is the model the exam assumes.)

31
Q

What are C-Level Executives (Senior Leadership) referred to as?

A

Ultimately liable (for the organization's security).

32
Q

What are some C-Level Executives (Senior Leadership) you will need to know?

A

▪ CEO: Chief Executive Officer.
▪ CIO: Chief Information Officer.
▪ CTO: Chief Technology Officer.
▪ CSO: Chief Security Officer.
▪ CISO: Chief Information Security Officer.
▪ CFO: Chief Financial Officer.
▪ Real organizations obviously have more C-level executives; the ones listed here are the ones you need to know.

33
Q

What are Governance standards and control frameworks?

A

▪ PCI-DSS – Payment Card Industry Data Security Standard.
Technically a standard, not a law, but contractually required if we want to handle or issue credit and debit cards.
▪ OCTAVE® – Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Self-directed risk management.
▪ COBIT – Control Objectives for Information and related Technology.
Goals for IT: stakeholder needs are mapped down to IT-related goals.
▪ COSO – Committee of Sponsoring Organizations.
Goals for the entire organization (internal control and enterprise risk management).
▪ ITIL – Information Technology Infrastructure Library.
IT Service Management (ITSM).
▪ FRAP – Facilitated Risk Analysis Process.
Analyzes one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact is analyzed; threats and risks are prioritized.
▪ ISO 27000 series (see the next card).

34
Q

what is the various ISO 27000 series?

A
ISO 27001: Requirements for establishing, implementing, maintaining and continually improving the ISMS (Information Security Management System); this is the standard an organization is certified against. The 2005 edition was structured around PDCA (Plan, Do, Check, Act).

ISO 27002: (From BS 7799 Part 1 / ISO 17799.) Provides practical advice on how to implement the security controls of an ISMS. The original ISO 17799 text was organized into 10 domains; later editions regrouped the controls (14 domains in the 2013 edition, four themes in the 2022 edition), so the number quoted depends on which edition is meant.

ISO 27004: Provides metrics for measuring the effectiveness of your ISMS.

ISO 27005: Standards-based approach to information security risk management.

ISO 27799: Guidance on how to protect PHI (Protected Health Information) in healthcare organizations, applying ISO 27002.

35
Q

What is “Defense in Depth”? (Also called Layered Defense or Onion Defense.)

A

Implementing multiple overlapping security controls to protect an asset.

▪ This applies both to physical and logical controls.

Example: to get to a server, you may have to go through multiple locked doors, security guards and mantraps.

Example: to get to the data, you may need to get past firewalls, routers, switches, the servers and the application's own security. Each step may have multiple security controls.

▪ No single security control secures an asset.

▪ By implementing Defense in Depth, you improve your organization's Confidentiality, Integrity, and Availability.

36
Q

What are the various types of Laws one should be familiar with?

A

Criminal Law, Civil Law, Administrative Law, Private Regulation, Customary Law, and Religious Law. For testing purposes focus on the first four, but be familiar with the last two.

37
Q

Define “Criminal Law”

A

“Society” is the victim, and the standard of proof is “beyond a reasonable doubt”.

Penalties are incarceration, death, or financial fines, intended to “punish and deter”.

38
Q

Define “Civil Law” (Tort Law)

A

Individuals, groups or organizations are the victims, and the standard of proof is “preponderance of the evidence” (more likely than not), a lower bar than in criminal law.

Results in financial damages intended to “compensate the victim(s)”.

39
Q

Define “Administrative Law” (Regulatory Law)

A

Regulations enacted by government agencies under authority delegated by the legislature (FDA regulations, the HIPAA rules, FAA regulations, etc.).

40
Q

Define “Private Regulations”

A

Compliance is required by contract (For instance PCI-DSS).

41
Q

Define “Customary Law”

A

Mostly handles personal conduct and patterns of behavior; it is founded in the traditions and customs of the area or region.

42
Q

Define “Religious Law”

A

Based on the religious beliefs of that area or country; it often includes a code of ethics and morality that must be upheld.

43
Q

Who could “Liability” fall on?

A

If the question is who is ULTIMATELY liable, the answer is Senior Leadership.

This does not mean you are not liable; you may be, depending on whether you exercised Due Care.
The questions asked are: who is held accountable? Who is to blame? Who should pay?

44
Q

What is “Due Diligence” and “Due Care” and what is the difference between the two?

A

Due Diligence (“Do Detect”): the research, preparation and practical groundwork done before implementing something. Researching how to build the organization's IT security architecture, best practices and common protection mechanisms, and evaluating new systems before implementing them.

Due Care (“Do Correct”, i.e. fixing things): the implementation, the monitoring, and confirming that everything is working as it should. Prudent person rule: what would a prudent person do in this situation?

45
Q

What is Negligence (and gross negligence)?

A

The opposite of Due Care. If a system under your control is compromised and you can prove you exercised Due Care, you are most likely not liable.

If a system under your control is compromised and you did NOT exercise Due Care, you are most likely liable.

Gross negligence is the more serious form: a reckless or conscious disregard of the care a prudent person would take, rather than a mere careless lapse.

46
Q

What are the difference types of “Evidence” and their definitions?

A

Real Evidence: tangible, physical objects. In IT security: hard disks, USB drives; NOT the data on them.

Direct Evidence: testimony from a firsthand witness about what they experienced with their five senses.

Circumstantial Evidence: evidence that supports an inference about a fact, rather than proving the fact directly.

Corroborative Evidence: supports facts or elements of the case; not a fact on its own, but it backs up other evidence.

47
Q

Define “Hearsay”

A

Not first-hand knowledge; normally inadmissible in a case.

Computer-generated records: for us, that means log files were historically treated as hearsay, but case law and the Federal Rules of Evidence (the business-records exception) have changed that.

48
Q

What exception to the “hearsay” rule allows computer-generated records to be admitted in a court of law?

A

Federal Rule of Evidence 803(6), the business-records exception, provides for the admissibility of a record or report that was:

“made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation.”

For logs, this means you must be able to show they were produced routinely by a normal business process, not assembled for the case.

49
Q

Define “Best Evidence Rule”

A

The courts prefer the best evidence possible: the original document or object rather than a copy, where the original is available.

In practice this means the evidence should be accurate, complete, relevant, authentic, and convincing.

50
Q

What is “Secondary Evidence”?

A

This is common in cases involving IT.

Copies of logs and documents from the systems are considered secondary evidence (as opposed to the original medium, which is real evidence).

51
Q

Define “Evidence Integrity”

A

It is vital that the evidence's integrity cannot be questioned.

We do this with cryptographic hashes (for example SHA-256). Any forensic analysis is done on copies, never on the originals.

We hash both the original and the copy before and after the analysis; all four values must match, and any mismatch means the evidence has been altered.

52
Q

Explain “chain of custody”

A

This is the documented record of every person who handled the evidence, kept to prove that no tampering occurred between collection and court:

Who handled it?
When did they handle it?
What did they do with it?
Where did they handle it?
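The evidence-integrity and chain-of-custody procedure from the two cards above, as an added example (not code from the course or the flashcards): every handling step is logged with who, when, what and where, and a SHA-256 hash of the item is recorded at each step so that the original and the working copy can be shown to be identical before and after analysis. The "disk image" is a constructed byte string written to a temporary directory, and the analyst name and locations are placeholders.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class ChainOfCustody:
    """Append-only log of who handled an item, when, what they did, where,
    and the item's hash at that moment."""

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, who, what, where, path):
        entry = {
            "evidence_id": self.evidence_id,
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": what,
            "where": where,
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every recorded hash equals the acquisition hash, i.e. neither
        the original nor any copy changed at any logged step."""
        acquisition_hash = self.entries[0]["sha256"]
        return all(e["sha256"] == acquisition_hash for e in self.entries)


def acquire_and_examine(original, workdir, analyst):
    """Hash the original, copy it, examine only the copy, then re-hash both."""
    coc = ChainOfCustody(os.path.basename(original))
    coc.record(analyst, "acquired original", "evidence locker", original)
    working_copy = os.path.join(workdir, "working_copy.img")
    shutil.copyfile(original, working_copy)
    coc.record(analyst, "created working copy", "forensic workstation", working_copy)
    # The examination itself is read-only (here just a full read of the copy).
    with open(working_copy, "rb") as fh:
        while fh.read(1 << 20):
            pass
    coc.record(analyst, "examination complete", "forensic workstation", working_copy)
    coc.record(analyst, "re-verified original after examination", "evidence locker", original)
    return coc


def demo():
    """Run the procedure on constructed data; returns (clean_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "disk.img")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample image, not real evidence\x00" * 1024)
        coc = acquire_and_examine(original, workdir, "analyst-1")
        clean_ok = coc.verify()
        # Simulate a single-byte modification of the working copy; the next
        # logged hash no longer matches the acquisition hash.
        working_copy = os.path.join(workdir, "working_copy.img")
        with open(working_copy, "r+b") as fh:
            fh.write(b"X")
        coc.record("analyst-1", "re-hashed copy", "forensic workstation", working_copy)
        return clean_ok, coc.verify()


if __name__ == "__main__":
    print("untampered chain verifies, tampered chain fails:", demo())
```

In a real engagement the original would sit behind a hardware write blocker and the log entries would be signed or stored somewhere the analyst cannot edit; the hash-at-every-step pattern is what lets the court check that each handler passed on exactly what they received.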

53
Q

What Amendment of the United states constitution protects the citizens from unreasonable search and seizure by the government?

A

The 4th Amendment.

54
Q

Evidence must be obtained legally (normally under a search warrant), and a court will decide whether it was. Under what circumstances can evidence be obtained without a warrant?

A

Under exigent circumstances: these apply if there is an immediate threat to human life or of evidence destruction.

55
Q

Entrapment VS Enticement, Define each.

A

Entrapment (illegal and unethical): when someone is persuaded to commit a crime they had no intention of committing, and is then charged with it.

Enticement (legal and ethical): making the crime more attractive, but the person has already broken the law or at least has already decided to do so.

Honeypots can be a good way to use enticement: the attacker has already chosen to intrude, and the honeypot simply gives them a target.

Where there is a gray area between entrapment and enticement, it is ultimately up to the jury to decide which one it was.

Check with your legal department before deploying honeypots. They pose both legal and practical risks.

56
Q

Different types of Intellectual Property:

A

Copyright © (exceptions: first sale, fair use). Books, art, music, software. Granted automatically on creation; in the US it lasts for the creator's life plus 70 years, or for works made for hire 95 years from publication (or 120 years from creation, whichever is shorter).

Trademarks ™ and ® (registered trademark). Brand names, logos, slogans. ™ can be claimed on an unregistered mark, but ® may only be used on a registered one; a registration is valid for 10 years at a time and can be renewed indefinitely.

Patents: protect inventions for 20 years from the filing date (normally). Cryptographic algorithms can be patented. Inventions must be: Novel (a new idea no one has had before), Useful (it can actually be used and is useful to someone), and Nonobvious (inventive work was involved).

Trade Secrets: you tell no one about your formula, your secret sauce. Protection lasts only as long as it stays secret; if it is discovered by legitimate means, anyone can use it.

57
Q

How are attacks on Intellectual Property conducted?

A

Copyright: Piracy. Software piracy is by far the most common attack on intellectual property. Copyright infringement is the use of someone else's copyrighted material, often songs and images.

Trademarks: Counterfeiting. Fake Rolexes, Prada, Nike, Apple products, either using the real name or a very similar one.

Patents: Patent infringement. Using someone else's patented invention in your product without permission.

Trade Secrets: while an organization can do nothing if its trade secret is legitimately discovered, the way it was obtained (theft, breach of NDA, industrial espionage) can be illegal.

Cybersquatting: registering a domain name you know someone else will need (a legal gray area).

Typosquatting: registering a domain name that is VERY close to a real website's name, to catch mistyped visits (can be illegal in certain circumstances).

58
Q

What are some Rules, Regulations and Laws you should know for the exam (US)?

A

HIPAA (not HIPPA) – Health Insurance Portability and Accountability Act. Strict privacy and security rules on the handling of PHI (Protected Health Information).

Security Breach Notification Laws: NOT federal; all 50 states have individual laws, so know your state's.

Electronic Communications Privacy Act (ECPA): Protection of electronic communications against warrantless wiretapping. The Act was weakened by the Patriot Act.

PATRIOT Act of 2001: Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.

Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030: Most commonly used law to prosecute computer crimes.

Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions; driven by the Federal Financial Institutions

Sarbanes-Oxley Act of 2002 (SOX): a direct response to the accounting scandals of the early 2000s (Enron, WorldCom); imposes financial-reporting controls and executive accountability on public companies.

Payment Card Industry Data Security Standard (PCI-DSS): technically not a law; created by the payment card industry and enforced by contract. The standard applies to cardholder data for both credit and debit cards. Requires merchants and others to meet a minimum set of security requirements, and mandates security policy, devices, control techniques, and monitoring.

General Data Protection Regulation (GDPR) (EU):

Exemptions: lawful interception, national security, military, police and justice.

Personal data covers a variety of data types, including names, email addresses, postal addresses, unsubscribe confirmation URLs that contain an email address and/or name, and IP addresses.

Right to access: data controllers must be able to provide a free copy of an individual's data on request.

Right to erasure: all users have a “right to be forgotten”.

Data portability: all users can request access to their data “in an electronic format”.

Data breach notification: the controller must notify the supervisory authority within 72 hours of becoming aware of a breach, and must notify the affected individuals without undue delay when the breach is likely to pose a high risk to them.

Privacy by design: when designing data processes, care must be taken to ensure personal data is secure, and only the data “absolutely necessary for the completion of duties” may be collected (data minimization).

Data protection officers: organizations whose core activities involve large-scale data processing and monitoring must appoint a data protection officer.