Infosec Bootcamp Day 1

Question 1

Identification, Authentication, Authorization

Answer 1

• Identification - identifying factors of user
• Authentication - confirming identification of user
• Authorization - once I&A is completed, system will authorize user based on permissions

Question 2

Protecting Integrity

Answer 2

• Least privilege - only giving access based on need to know
• Separation of duties - different parts of process is done by different personnel to ensure integrity of process
• Rotation of Duties - determines if primary user is doing something wrong

Question 3

Protecting Availability

Answer 3

• Redundancy - multiple instances of critical components
• **Fault Tolerance **- systems can suffer disruption and continue to run
• Contingency Planning - i.e. Back up plans

Question 4

Non-repudiation

Answer 4

Sender cannot deny having sent a message to recipient

Question 5

Bulk Data is typically sent with what kind of algorithm?

Answer 5

Symmetric!! i.e. AES, private key cryptography

Question 6

• Data owner
• Data custodian

Answer 6

* data owner - classifies data and determines who needs access
* data custoadian - day to day activities; administer, maintain, protect data, back up data

Question 7

Deming Model

Answer 7

PDCA
* Plan
* Do
* Check
* Act

Question 8

GDPR drivers

Answer 8

Question 9

OECD Fair Information Practices

Answer 9

Question 10

Privacy Law

Answer 10

Question 11

• Criminal Law
• Common Law
• Civil (Tort) Law
• Administrative Law

Answer 11

Question 12

Code of Ethics

Answer 12

Question 13

Calculation of ALE

Tonardo is estimated to damage 50% of a facility if it hits. The value of the facility is $1,000,000. What is the probability of one tornado in ten years?

Answer 13

AV x EF = SLE
1,000,000 x .5 = 500,000
SLE x ARO = ALE
500k x 1/10 = 50k

Question 14

STRIDE

Answer 14

• Spoofing - false identity
• Tampering - unauthorized changes
• Repudiation - attacker deny having performed action
• Information disclosure
• Denial of service
• Elevation of privilege

Question 15

BIS
CFAA
ECPA
COPPA

Answer 15

Bureau of Industry and Security - sets regultaions on export of encryption products outside of U.S.

CFAA - computer fraud

ECPA - governemnt wiretap restrictions

COPPA - children’s online privacy protection act

Question 16

Due Diligence vs Due Care

Answer 16

Due diligence is establishing a plan, policy, and process to protect the interests of an organization.

Due care is practicing the individual activities that maintain the security effort.

Question 17

During the annual review of the company’s deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated

Answer 17

ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard

Question 18

Governance

Answer 18

compares the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

Question 19

Gamification

Answer 19

Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change.

Question 20

Renee’s organization is establishing a partnership with a firm located in France that will involve the exchange of personal information. Her partners in France want to ensure that the transfer will be compliant with the GDPR. What mechanism would be most appropriate?

Answer 20

The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/US Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but that is no longer valid. Privacy Lock is a made-up term.

Question 21

• GLBA
• SOX

Answer 21

GLBA - regulations on how financial institutions handle private information belonging to their customers

SOX - mandates certain practices in financial record keeping and reporting for corporations

Question 22

Delphi Technique

Answer 22

qualitative risk assessment that seeks to rech an anonymous consensus

Question 23

• Copyright
• Patent

Answer 23

• Copyright - i.e. Coding, music, 70 years after death of last author
• Patent - i.e. invention, 20 year from time of submission to USPTO

Question 24

BCP vs DRP

Answer 24

BCP - continues operations during the disaster
DRP - recovery efforts to normalcy after disaster

Question 25

CIA

Answer 25

• **Confidentiality **- most important in government agencies like FedRAMP, DOD; prevents unauthorized disclosure of sensitive information; encryption
• **Integrity **- most important in banking/financial; prevent unauthorized modification to information - password security, hashing
• Availability - most important in health industry and infrastructure (pipeline criss); prevent disruption in services and ensures information is available when needed; BC/DR

Question 26

Ignore Risk vs Accept Risk

Answer 26

In both scenarios, no action is done on the risk that is presented however when accepting risk, that means management has reviewed a control to determine the risk will be accepted whereas if a risk is ignored, there is no review of the risk, it is simply ignored and no action is done on the risk