Misc. CISSP Tables/Equations (Secondary)

Question 1

Total Risk (TR)

Answer 1

TR=(AV)(threats)(vulnerabilities)
TR=AV*R
TR=CG+RR

AV -Asset Value
R -Risk
CG -Controls Gap
RR -Residual Risk

Question 2

Risk (R)

Answer 2

R=Threat*vulnerability

Question 3

Single Loss Expectancy (SLE)

Answer 3

Describes how much it would cost you if it happened just ONE time

SLE=AV*EF
AV -Asset Value
EF -Exposure Factor

Question 4

Annualized Loss Expectancy (ALE)

Answer 4

How much will you lost per year

ALE=AVEFARO
AV -Asset Value
EF -Exposure factor
ARO -Annualized rate of Occurance

Question 5

Annualized Rate of Occurrence (ARO)

Answer 5

Expected frequency with which a specific threat or risk will occur

Question 6

Seven steps of NIST Risk Management Framework

Answer 6

1) Prepare
2) Categorize
3) Select
4) Implement
5) Assess
6) Authorize
7) Monitor

*People Can See I am Always Monitoring

Question 7

OSI Model

Answer 7

1) Application
2) Presentation
3) Session
4) Transport
5) Network
6) Data Link
7) Physical

Forwards: All People Seem To Need Data Processing

Backwards: Please Do Not Toss Security Processes Asside

Question 8

Steps of the data lifecycle

Answer 8

1) Create
2) Classify
3) Store
4) Use
5) Share
6) Archive
7) Destroy

Consultants Can Send Use Some Attack Data

Question 9

Five Steps of “Common Criteria” Validation

Answer 9

1) Describe Assets
2) Identify Threats
3) Analysis & Rating of Threats
4) Determination of Security Objectives
5) Selection of Functional Security Requirements

Don’t Insult Any Data Scientists

Question 10

The incident Response Process

Answer 10

1) Detection
2) Response
3) Mitigation
4) Reporting
5) Recovery
6) Remediation
7) Lessons Learned

DRMRRRL (Drum Roll)

Question 11

Process for Quantitative Risk Analysis

Answer 11

1) Inventory the Assets (use asset value)
2) Identify the Threats (use exposure factor)
3) Analyze the Threats (use single loss expectancy)
4) Estimate the potential loss (use annualized loss expectancy)
5) Research Countermeasures for each threat
6) Cost-Benefit Analysis

I Imagined An Enormous Rosiere Chicken

Question 12

Exposure factor (EF)

Answer 12

The percentage (%) of value an asset lost due to an incident, represented in a decimal

Question 13

Safegaurd Evaluation

Answer 13

The process of determining whether a safeguard is cost effective

Question 14

Controls Gap (CG)

Answer 14

The amount of risk reduced by implementing safeguards

CG=TR-RR

This is subtracted from the total risk to calculate the residual risk…

And vice versa (This can be added to the residual risk to calculate the total risk)

Question 15

Residual Risk (RR)

Answer 15

The risk that remains even with all conceivable safeguards in place. Often the deducible on an insurance policy)

RR=TR-CG

Question 16

Value a safeguard

Answer 16

(ALE-ALE_SG)-ACS

ALE -Annualized Loss Expectancy (with no safegaurds/controls)
ALE_SG -Annualized Loss Expectancy with the safegaurd in place
ACS -Annual Cost of Safeguard

Question 17

Class A Fires

Answer 17

Caused by combustibles

Recommended suppression material: Water, soda acid (dry powder)

Question 18

Class B Fires

Answer 18

Caused by Liquids

Recommended suppression material: CO2, halon, soda acid

Question 19

Class C Fires

Answer 19

“Electrical Fires”

Recommended suppression material: CO2, halon

Question 20

Class D Fires

Answer 20

Burning Metals

Recommended suppression material: Dry Powder

Question 21

Class K fires

Answer 21

“Kitchen Fires”

Recommended suppression material: Wet Chemicals (not water)

Question 22

CO2 as fire suppression material

Answer 22

Does not require clean up after use

Puts out fires by removing oxygen, not heat

Recommended for Class B fires “Burning Liquids” and for Class C fires “Electrical fires”

Question 23

Halon as fire suppression material

Answer 23

any of a number of unreactive gaseous compounds of carbon with bromine and other halogens, used in fire extinguishers

Recommended for Class B fires “Burning Liquids” and for Class C fires “Electrical fires”

Question 24

Dangers of using water as a fire suppressant

Answer 24

In Kitchen fires (Class K) it can allow grease to splash, allowing the fire to spread

In metal fires (Class D) it can separate into hydrogen and hydroxide. The hydrogen gas is combustible

In liquid fires (Class B) it can allow the burning liquid to splash, allowing the fire to spread

Question 25

Static voltage required to destroy sensitive circuits and components

Answer 25

40 Volts

Question 26

Static voltage required to scramble monitor displays

Answer 26

1 kV

Question 27

Static voltage required to destroy harddrive data

Answer 27

1.5 kV

Question 28

Static voltage required to cause an abrupt system shutdown

Answer 28

2 kV

Question 29

Static voltage required to cause permanent damage to a circuit

Answer 29

17 kV

Question 30

The only wiring type the is impervious to EMI

Answer 30

Fiber Optic

Question 31

Wiring types in order of their susceptibility to EMI

Answer 31

MOST effected to LEAST effected

10BaseT (UTP)
100BaseT
1000BaseT
10Base2
STP
10Base5
Fiber Optic

*As a general rule, the easier the cables are to install, the more effected they are going to be by EMI
*UTP is unshielded twisted pair

Question 32

Wiring types in order of their cost/difficulty to install

Answer 32

LEAST difficult/expensive to MOST difficult/expensive

10BaseT (UTP)
100BaseT
1000BaseT
10Base2
STP
10Base5
Fiber Optic

*As a general rule, the easier the cables are to install, the more effected they are going to be by EMI
*UTP is unshielded twisted pair

Question 33

Wiring types in order of the length you can use

Answer 33

Fiber-optic (2 km)
10Base5 (500 m)
10Base2 (185 m)
10BaseT (100 m)
STP (100 m)
100BaseT (100 m)
1000Base (100 m)

Question 34

Wiring types in order of the max speed you can get

Answer 34

Fiber-optic (2 Gbps)
1000BaseT (1 Gbps)
STP (155 Mbps)
100BaseT (100 Mbps)
10Base2 (10 Mbps)
10Base5 (10 Mbps)
10BaseT (10 Mbps)

*The names are based on how many Mbps you get from that cable

Question 35

File Transfer Protocol Details

Answer 35

TCP
Ports 20/21

Question 36

Secure Shell

Answer 36

TCP
Port 22

Question 37

Examples of Logical Controls in Physical security

Answer 37

These are technical controls
-Intrusion Detection
-Alarms
-CCTV
HVAC
-Fire Detection and Supression

Question 38

Examples of Administrative controls in physical security

Answer 38

Facility construction
Facility Selection
Site Management
Personnel Controls
Awareness Training
Emergency Response

Question 39

Physical Controls in physical security

Answer 39

-fencing
-lighting
-locks
-construction matrtials
-mantraps
-dogs
-gaurds

Question 40

The importance of physical security

Answer 40

*there is no security without physical security

The technology is not enough

If you don’t control the physical environment, then an attacker can walk in and place a wire tap, destroy your hardware, or cut the power to your systems

Question 41

Importance of Humidity controls

Answer 41

Should be between 40% and 60%

Too much humidity can cause corrosion. Too little humidity causes static electricity.