Matching And Brain Dump Flashcards

1
Q

Approves audit budget and resource allocation.

A

Executive mgmt

2
Q

Provide audit oversight

A

Audit committee

3
Q

Ensure the achievement & maintenance of org requirements with applicable certifications

A

Compliance officer

4
Q

Develop and maintain knowledge and subject matter expertise relevant to the type of audit

A

External auditor

5
Q

What is the correct order of steps in an information security assessment?

A
  1. Define the perimeter
  2. Identify the vulnerability
  3. Assess the risk
  4. Determine the actions
6
Q

A physical or electronic token stores a set of secrets between the claimant and the credential service provider.

  1. Out of band token
  2. Memorized secret token
  3. Pre-registered Knowledge Token
  4. Look up Secret Token
A

Pre-registered Knowledge Token

7
Q

A physical token that is uniquely addressable and can receive a verifier-selected secret for one-time use.

  1. Out of band token
  2. Memorized secret token
  3. Pre-registered Knowledge Token
  4. Look up Secret Token
A

Out of band token

8
Q

A series of responses to a set of prompts or challenges established by the subscriber and credential service provider during the registration process.

  1. Out of band token
  2. Memorized secret token
  3. Pre-registered Knowledge Token
  4. Look up Secret Token
A

Look up secret token

9
Q

A secret shared between the subscriber and credential service provider that is typically a character string.

  1. Out of band token
  2. Memorized secret token
  3. Pre-registered Knowledge Token
  4. Look up Secret Token
A

Memorized secret token

10
Q

Name the type of control: labeling of sensitive data
1. Logical
2. Technical
3. Physical
4. Administrative

A

Administrative

11
Q

Name the type of control: Biometrics for authentication
1. Logical
2. Technical
3. Physical
4. Administrative

A

Technical

12
Q

Name the type of control: Constrained user interface
1. Logical
2. Technical
3. Physical
4. Administrative

A

Logical

13
Q

Name the type of control: Radio frequency identification (RFID) badge
1. Logical
2. Technical
3. Physical
4. Administrative

A

Physical

14
Q

Match the name of access control model with the restriction: End user cannot set controls
1. Role based
2. Discretionary
3. Mandatory
4. Rule based

A

Mandatory

15
Q

Match the name of access control model with the restriction: Subject has total control over objects
1. Role based
2. Discretionary
3. Mandatory
4. Rule based

A

Discretionary

16
Q

Match the name of access control model with the restriction: Dynamically assigns permissions to particular duties based on job function
1. Role based
2. Discretionary
3. Mandatory
4. Rule based

A

Role based

17
Q

Match the name of access control model with the restriction: dynamically assigns roles to subjects based on criteria assigned by a custodian
1. Role based
2. Discretionary
3. Mandatory
4. Rule based

A

Rule based

18
Q

A software security engineer is developing a black box-based plan that will measure the system’s reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the input parameter with the functional testing technique:

Select one input that doesn’t belong to any of the identified partitions.

  1. Equivalence class
  2. State-based
  3. Boundary value
  4. Decision table
A

State-based

19
Q

A software security engineer is developing a black box-based plan that will measure the system’s reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the input parameter with the functional testing technique:

Select inputs that are at the external limits of the domain of valid values

  1. Equivalence class
  2. State-based
  3. Boundary value
  4. Decision table
A

Equivalence class

20
Q

A software security engineer is developing a black box-based plan that will measure the system’s reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the input parameter with the functional testing technique:

Select invalid combinations of input values.

  1. Equivalence class
  2. State-based
  3. Boundary value
  4. Decision table
A

Decision table

21
Q

A software security engineer is developing a black box-based plan that will measure the system’s reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the input parameter with the functional testing technique:

Select unexpected inputs corresponding to each known condition.

  1. Equivalence class
  2. State-based
  3. Boundary value
  4. Decision table
A

boundary value

22
Q

Below are the common phases of creating a Business Continuity/Disaster Recovery (BC/DR) plan, starting with the Risk Assessment. Put the remaining BC/DR phases in the correct order.

BC/DR Plan Development
Plan Maintenance
Business Impact Analysis
Training, Testing, & Auditing
Mitigation Strategy Development

A

Risk Assessment

BIA
Mitigation Strategy Development
BC/DR Plan Development
TTA
Maintenance

23
Q

Match the objectives to the assessment question in the governance domain of Software Assurance Maturity Model (SAMM).

Do you advertise shared security services with guidance for project teams?

  1. Education & Guidance
  2. Secure Architecture
  3. Strategy & Metrics
  4. Vulnerability Management
A

Secure Architecture

24
Q

Match the objectives to the assessment question in the governance domain of Software Assurance Maturity Model (SAMM).

Are most people tested to ensure a baseline skill set for secure development practices?

  1. Education & Guidance
  2. Secure Architecture
  3. Strategy & Metrics
  4. Vulnerability Management
A

Education & guidance

25
Q

Match the objectives to the assessment question in the governance domain of Software Assurance Maturity Model (SAMM).

Does most of the org know about what’s required based on risk ratings?
1. Education & Guidance
2. Secure Architecture
3. Strategy & Metrics
4. Vulnerability Management

A

Strategy & metrics

26
Q

Match the objectives to the assessment question in the governance domain of Software Assurance Maturity Model (SAMM).

Are most project teams aware of their security point(s) of contact and response team(s)?

  1. Education & Guidance
  2. Secure Architecture
  3. Strategy & Metrics
  4. Vulnerability Management
A

Vulnerability mgmt

27
Q

In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?

A

LAN 4

28
Q

Given the various means to protect physical and logical assets, match the access management area to the technology.

TECHNOLOGY
1. Authentication
2. Firewall
3. Window
4. Encryption

MANAGEMENT AREA
A. Information
B. Devices
C. Systems
D. Facilities

A
  1. Authentication ==> C. Systems
  2. Firewall ==> B. Devices
  3. Window ==> D. Facilities
  4. Encryption ==> A. Information
29
Q

Order the below steps to create an effective vulnerability management process.

Implement Patch Deployment
Implement Change Management
Implement recurring scanning schedule
Identify Risks
Identify assets

A
  1. Identify assets
  2. Identify Risks
  3. Implement Change Management
  4. Implement Patch Deployment
  5. Implement recurring scanning schedule
30
Q

What is the correct term for:

A measure of the extent to which an entity is threatened by a potential circumstance or event, the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence.

  1. Threat Assessment
  2. Risk
  3. Protection Needs
  4. Security Treatment
A

Risk

31
Q

What is the correct term for:

The method used to identify the confidentiality, integrity, and availability requirements for organizational and system assets and to characterize the adverse impact or consequences should the asset be lost, modified, degraded, disrupted, compromised, or become unavailable.

  1. Threat Assessment
  2. Risk
  3. Protection Needs
  4. Security Risk Treatment
A

Protection needs

32
Q

What is the correct term for:

The method used to identify and characterize the dangers anticipated throughout the life cycle of the system.

  1. Threat Assessment
  2. Risk
  3. Protection Needs
  4. Security Risk Treatment
A

Threat assessment

33
Q

What is the correct term for:

the method used to identify feasible security risk mitigation options and plans.

  1. Threat Assessment
  2. Risk
  3. Protection Needs
  4. Security Risk Treatment
A

Security Risk Treatment

34
Q

Identify the component that MOST likely lacks digital accountability related to information access.

A

Backup Media
In the given components of an IT infrastructure – Backup Media, Backup Server, Database Server, Web Server, and Storage Area Network (SAN) – the one that most likely lacks digital accountability is typically Backup Media. This is because backup media (like tapes, disks, or other physical media) often do not have the capability to independently log who accessed them or what was done, especially when they are removed from the backup server or storage area network.

35
Q

Place in order, from BEST (1) to WORST (4), the following methods to reduce the risk of data remanence on magnetic media.

  1. Overwriting
  2. Degaussing
  3. Destruction
  4. Deleting
A
  1. Destruction
  2. Degaussing
  3. Overwriting
  4. Deleting
36
Q

Place the following information classification steps in sequential order.

Declassify information when appropriate
Apply the appropriate security markings
Conduct periodic classification reviews
Assign a classification level
Document the information assets

A
  1. Document the information assets: Before you can protect information, you need to know what exists. This step involves identifying and recording all information assets that an organization possesses. Understanding what information you have is crucial to determining how it should be classified.
  2. Assign a classification level: Once information assets are documented, each item needs to be assessed for its sensitivity, value, and the impact of its disclosure or loss. Based on this assessment, an appropriate classification level is assigned (e.g., Public, Confidential, Secret, Top Secret) that reflects the level of protection needed.
  3. Apply the appropriate security markings: After classification levels are assigned, the next step is to physically or digitally mark the information. These markings indicate the classification level and handling requirements, ensuring that anyone who comes into contact with the information understands how it must be protected.
  4. Conduct periodic classification reviews: Over time, the sensitivity of information can change. Regular reviews of the classification levels are necessary to determine if the current classifications are still appropriate or if they need to be adjusted up or down. This ensures that the protection measures remain aligned with the value and sensitivity of the information.
  5. Declassify information when appropriate: As part of the review process or when certain conditions are met (such as time-sensitive information reaching a certain date), information may be declassified. Declassification must be done deliberately, following a process that ensures information is not prematurely released.
37
Q

In which order from MOST to LEAST impacted does user awareness training reduce the occurrence of the events below?

Disloyal Employees
User-instigated
Targeted Infiltration
Virus Infiltrations

A

User-instigated
Virus Infiltrations
Targeted Infiltration
Disloyal Employees

  1. User-instigated: Incidents that are user-instigated, such as clicking on phishing links, using weak passwords, or inappropriate handling of data, are often the most impacted by user awareness training. Training can significantly reduce these incidents by educating users on recognizing and properly responding to security threats.
  2. Virus Infiltrations: Viruses often infiltrate systems through actions taken by users, such as downloading infected files or visiting malicious websites. Awareness training helps users identify potentially dangerous files and websites, thus reducing the occurrence of such events.
  3. Targeted Infiltration: While targeted attacks by sophisticated threat actors can be more challenging to prevent, user awareness can still play a role. Educated users are more likely to notice and report suspicious activities, which can be early indicators of a targeted attack.
  4. Disloyal Employees: The impact of awareness training on disloyal or malicious insiders is generally the least because such individuals intentionally bypass security controls. However, training can still have an indirect effect by fostering a security-conscious culture and educating bystanders on how to recognize and report suspicious insider behavior.

User awareness training might not prevent all malicious actions by disloyal employees, but it can reduce the risk of accidental insider threats and make it more difficult for malicious insiders to operate without detection.

38
Q

Which Web Services Security (WS-Security) specification maintains a single authenticated identity across multiple dissimilar environments?

A

“WS-Federation”

The Web Services Security (WS-Security) specification that maintains a single authenticated identity across multiple dissimilar environments is “WS-Federation”. WS-Federation is a part of the larger WS-Security framework and is specifically designed to allow different security realms to federate, enabling users to authenticate across different systems or organizations using a common set of credentials.

WS-Federation works in conjunction with WS-Trust, which provides the mechanisms to issue, renew, and validate security tokens, and enables the implementation of various identity models including federation. However, WS-Federation extends this to provide the way those security tokens can be used to allow systems to interoperate and share the identity of the authenticated user in a secure manner across different security domains.

39
Q

Which Web Services Security (WS-Security) specification negotiates how security tokens will be issued, renewed and validated?

A

“WS-Trust”

The WS-Security specification that negotiates how security tokens will be issued, renewed, and validated is “WS-Trust”. WS-Trust is an extension of the WS-Security specification which provides extensions for issuing, renewing, and validating security tokens. It defines the protocols for request and issuance of security tokens and also outlines how clients can obtain access to secure resources using those tokens.

The Web Services Security (WS-Security) specification that handles the management of security tokens and the underlying policies for granting access is “WS-Trust”. WS-Trust provides extensions to WS-Security for issuing, renewing, and validating security tokens, and establishes the relationship between a security token service and the requester. It also defines how policies for access to resources are applied and enforced using these tokens.

In conjunction with WS-Policy, which outlines the capabilities and constraints of the security policies, WS-Trust plays a crucial role in managing the lifecycle of security tokens and controlling access to resources based on those policies.

40
Q

Rank the Hypertext Transfer Protocol (HTTP) authentication types shown below in order of relative strength. Drag each authentication type to the correct position on the right, from weakest to strongest.

A

“Basic” as the weakest
“Digest” as weak
“Integrated Windows Authentication” as strong
“Client Certificate” as the strongest

The image seems to depict various HTTP authentication methods ranked by their relative strength. Based on standard security practices, the correct order from weakest to strongest should be:

Basic: This is considered weak because it sends credentials in clear text (base64 encoded, which can be easily decoded), and is only secure over HTTPS.
Digest: Stronger than Basic as it uses a challenge-response mechanism for password transmission, which does not send the password in clear text.
Integrated Windows Authentication (IWA): This can be stronger than Digest as it can use more secure methods like NTLM or Kerberos, which don’t send passwords over the network and can provide mutual authentication.
Client Certificate: This is the strongest as it uses certificates rather than passwords. It establishes a mutual authentication where both the server and the client authenticate each other, and it relies on public key infrastructure (PKI) which is significantly more secure against various attack vectors.

41
Q

Match the level of evaluation to the correct common criteria (CC) assurance level.

A

FT, ST, MT, MD, SD, SV, FV
Fun time, sometime, mountain time, my day, shannon day, shannon vag, finger vag

EAL1 – Functionally Tested: This level is the most basic form of testing and is used for assurance that the product functions in a manner consistent with its documentation, but without any in-depth testing or independent verification.
EAL2 – Structurally Tested: Provides assurance that security features have been implemented correctly and includes a combination of security-enforcing functional tests and structural tests.
EAL3 – Methodically Tested and Checked: Adds more in-depth testing and checking to EAL2, including a review of the security-related documentation and an analysis of the product structure and its security features.
EAL4 – Methodically Designed, Tested, and Reviewed: At this level, the product undergoes a thorough and methodical review and testing process. This includes both functional and penetration tests and is considered to be the highest level that is normally achievable for commercially developed products.
EAL5 – Semiformally Designed and Tested: Involves a semi-formal design process with testing that goes beyond EAL4. This level applies to products that require a high level of independently assured security in a planned and systematic manner.
EAL6 – Semiformally Verified Design and Tested: Provides a higher and more comprehensive level of assurance than EAL5 by using a semiformal verification process. It is generally applicable to security-critical components and can be used in situations where the risk of attack is high.
EAL7 – Formally Verified Design and Tested: Represents the highest level of assurance, which is achievable with rigorous testing and formal verification methods. This level is appropriate for the most secure, safety-critical, and high-risk environments where the cost of failure is considered extremely high.

42
Q

RAID ____ is known for mirroring without striping. It would duplicate the data exactly on another disk, so “123456789” would be on two separate disks in its entirety.

A

1

Known for mirroring data across two or more disks. While it provides redundancy, it does not offer the same level of performance enhancement as RAID 0

43
Q

RAID ___ is known for striping without parity or mirroring. It would split “123456789” across two or more disks without any redundancy. For instance, “12345” on one disk and “6789” on another.

A

0

RAID-0 is primarily configured for high-performance data reads and writes. In RAID-0, data is split across multiple disks in a process known as striping. This configuration allows multiple disks to read and write data simultaneously, significantly increasing performance. However, it’s important to note that RAID-0 does not provide redundancy, which means if one disk fails, all data in the array is lost. Despite this drawback, RAID-0 is preferred when performance is the primary concern over data redundancy.

44
Q

RAID ___ uses both striping and parity. The file “123456789” would be distributed across three or more disks with parity data such that any single drive’s data can be recovered in the event of a disk failure. For example, “123” on one disk, “456” on the next, and “789” on another, with parity data distributed across them.

A

5

Uses both striping and parity for data storage, providing a balance of improved performance and data redundancy, but not as performant as RAID-0 for pure read/write speed.

45
Q

RAID ___ uses an additional parity block. It provides higher redundancy at the cost of write performance, and it’s not primarily configured for high-performance reads and writes

A

6

46
Q

RAID ____ requires at least four disks and creates a mirrored set out of two striped sets. So, “123” and “456” might be striped across the first two disks and then mirrored onto two more disks.

A

10 which is a combination of RAID 1 and RAID 0

47
Q

Identify the generic software testing methods with their major focus and objective.

  • “Tests functionality related to changes in software or the environment”
  1. Structural Testing
  2. Regression Testing
  3. Nonfunctional Testing
  4. Functional Testing.
A

Regression Testing:

This method of testing is used to ensure that new code changes do not adversely affect the existing functionality of the product. It’s focused on finding bugs that may have been introduced during changes such as enhancements, patches, or configuration changes.

48
Q

Identify the generic software testing methods with their major focus and objective.

  • “Tests suitability, accuracy, interoperability, and security characteristics”
  1. Structural Testing
  2. Regression Testing
  3. Nonfunctional Testing
  4. Functional Testing.
A

Functional Testing

This type of testing is concerned with checking the functional requirements of software; it tests the software functions by feeding them input and examining the output. It includes checking user interfaces, APIs, databases, security, client/server applications, and functionality of the software.

49
Q

Identify the generic software testing methods with their major focus and objective.

  • “Tests control flow, call hierarchies, menu, component, and integration characteristics”
  1. Structural Testing
  2. Regression Testing
  3. Nonfunctional Testing
  4. Functional Testing.
A

Structural Testing

Also known as white-box testing, structural testing is concerned with the internal structure of the software. It involves testing the internal logic, code structure, and software architecture; it’s generally done at the unit level.

50
Q

Identify the generic software testing methods with their major focus and objective.

  • performance, reliability, or other non-functional characteristics
  1. Structural Testing
  2. Regression Testing
  3. Nonfunctional Testing
  4. Functional Testing.
A

Nonfunctional Testing

This testing method focuses on the nonfunctional aspects of the software, such as performance, scalability, and reliability. It does not test specific software functions but rather how the software behaves and performs under certain conditions.

51
Q

What are the private IP address ranges?

A

10.X.X.X – Class A

172.16.X.X to 172.31.X.X – Class B

192.168.X.X – Class C

52
Q

What are the port ranges?

A

Well Known 1 to 1023
Registered 1024 to 49151
Dynamic/Private/Ephemeral 49152 to 65535

53
Q

Compare the OSI model to the TCP/IP model

A
54
Q

Describe the biometric error chart.

A
55
Q

What are examples of hash algorithms?

A

SHAs & MDs
NOTE: one-way and creates a unique message digest with no way to reverse
REMEMBER: hash for integrity

56
Q

What are examples of symmetric key algos?

A

AES, fishes (Blow, Two, & Skip), DESs, & RCs

57
Q

What are examples of Asymmetric algos?

A

RSA, DSA, ECC, & DH (Diffie-Hellman) which was replaced by El Gamal
NOTE: key management is easier than with symmetric & speed is slower
Use for non-repudiation

58
Q

How are asymmetric keys used for data encryption?

A

To encrypt a message, use the recipient’s public key. To decrypt, use your own private key.

59
Q

How are asymmetric keys used for digital signature?

A

To sign a message, use your own private key.

To validate a signed message, use the sender’s public key.

60
Q

Calculate Exposure Factor (EF)

A

Exposure Factor (EF): the percentage of an asset’s value lost due to an incident, represented as a decimal.

Expressed as a percentage or decimal. Ex: if a hurricane will cause 50% damage to a building per occurrence, the EF is:
50% or .5

61
Q

Single Loss Expectancy (SLE)

A

How much would it cost you
if it happened just ONE time?
SLE = Asset Value x Exposure Factor (SLE=AV*EF)

If a hurricane happens one time to a
$1,000,000 building, with a 50% EF:
SLE = $1,000,000 x .5 = $500,000

62
Q

Assess the Annualized Rate of Occurrence (ARO)

A

Annualized Rate of Occurrence (ARO). How many times does it happen in one year? Watch for AROs longer than 1 year!

If a hurricane will occur once every 10 years, the annual rate of occurrence (ARO) is:
1 time in / 10 years = .10

If a hurricane will occur twice every year, the annual rate of occurrence (ARO) (*greater than 1 year example!!!) is:
2 times in / 1 year = 2

63
Q

Derive the Annualized Loss Expectancy (ALE)

A

Annualized Loss Expectancy (ALE). How much will you lose per year? ALE = SLE x ARO

Since we have already calculated
the SLE, our solution is:
$500,000 * .10 = $50,000

64
Q

What is the controls gap?

What is residual risk?

What is the value of a safeguard?

A

Controls gap: the amount of risk reduced by implementing safeguards.

Residual Risk. The risk that remains even with all conceivable safeguards in place. ==> total risk - controls gap = RR

So, if the company buys a $500,000 insurance policy to cover the risk of loss and the policy has a $75,000 deductible, then $500,000 – $425,000 = residual risk = $75,000. Note: the $425K is the “controls gap.”

Annualized cost (based on .10 ARO) $7,500

(ALE1 - ALE2) - ACS = value of safeguard

$50,000 – $7,500 – $10,000 = value of safeguard = $32,500 *a value > 0 indicates that it is a good financial choice

65
Q

What is the memorization for incident management framework?

A

DRMRRRL

Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons Learned

66
Q

Software Capability Maturity Model

A
  1. I — Initial
  2. Read — Repeatable
  3. Data — Defined
  4. Maps — Managed
  5. Online — Optimized
67
Q

What are the 4 types of cryptography?

A

Asymmetric keys
Symmetric keys
Hashes
Block ciphers

68
Q

What are the 2 key types of security models?

A
  1. Integrity & 2. Confidentiality