Module 1: Security and Risk Management Flashcards

1
Q

What are the primary goals and objectives of a security infrastructure?

A

CIA Triad
Confidentiality: measures used to ensure protection of secrecy of data, objects, resources.
Integrity: protecting reliability and correctness of data
Availability: authorized subjects are granted timely and uninterrupted access to objects.

2
Q

What is the goal of Confidentiality protection?

A

The goal of Confidentiality is to prevent or minimize unauthorized access to data.

3
Q

Give examples of countermeasures that can be used to protect Confidentiality against possible threats.

A
  • encryption
  • strict access control
  • rigorous authentication procedures
  • data classification
  • extensive personnel training
  • network traffic padding
4
Q

List the concepts of Criticality

A
  • Sensitivity: quality of information
  • Discretion: act of decision by an operator
  • Criticality: level of mission criticality
  • Concealment: hiding to prevent disclosure
  • Secrecy: keeping something secret
  • Privacy: personally identifiable information
  • Seclusion: storing out of the way
  • Isolation: keeping separate from others
5
Q

What is the primary goal of Integrity in the CIA triad?

A
  • Protecting reliability and correctness of data
  • Allowing authorized changes while protecting against unintended and malicious changes
6
Q

List and describe the main concepts related to Integrity.

A
  • Accuracy: is the data correct and precise?
  • Accountability: a person is responsible for the data, action, or result
  • Truthfulness: a true reflection of reality
  • Validity: being factual and logically sound
  • Completeness: having everything needed for the result
  • Responsibility: control of the data as defined
  • Comprehensiveness: is all the data included, and does it have all the necessary parts for the scope?
7
Q

What is the primary goal of Availability in the CIA triad?

A

Authorized subjects are granted timely and uninterrupted access (objects are available when needed).

8
Q

List and describe the main concepts of Availability.

A
  • Usability: how easy it is for a person to use, learn, and understand
  • Accessibility: how easy or hard it is to manage
  • Timeliness: prompt, on time, or within a reasonable time for recovery
9
Q

Provide examples of threats to Integrity.

A
  • Viruses and logic bombs
  • Errors in coding and applications
  • Intentional replacement
  • System backdoors
10
Q

Provide some examples of threats to Availability.

A
  • Device failure
  • Software errors
  • Environmental issues
  • DoS attacks
  • Communication interruptions
11
Q

Provide some examples of threats to Confidentiality.

A
  • Human error, oversight, ineptitude
  • Intentional attacks (e.g. man-in-the-middle)
  • Misconfiguration
12
Q

List some Countermeasures to ensure confidentiality against possible threats.

A
  • Encryption
  • Network traffic padding
  • Strict access control
  • Rigorous authentication procedures
  • Data classification
  • Extensive user training
13
Q

List some countermeasures that ensure integrity against possible threats.

A
  • Strict access control
  • Rigorous authentication procedures
  • Intrusion detection systems (IDS)
  • Data encryption
  • Hash verification
  • Input function checks
  • Extensive personnel training
14
Q

List some countermeasures that can ensure availability against possible threats.

A
  • Designing intermediary delivery systems properly
  • Using access controls effectively
  • Monitoring performance and network traffic
  • Using firewalls and routers to prevent DoS attacks
  • Implementing redundancy for critical systems
  • Maintaining testing and backup systems
15
Q

What are the failures of security protections in the CIA Triad (the DAD triad)?

A
  • Disclosure (Confidentiality)
  • Alteration (Integrity)
  • Destruction (Availability)
16
Q

What are the 5 concepts tied to AAA services?

A

AAA = Authentication, Authorization, Accounting
* Identification: claiming to be an entity when attempting to access a secure area
* Authentication: proving you are the claimed entity
* Authorization: defines the permissions (Allow/Grant/Deny)
* Auditing: recording a log of events and activities related to the system
* Accounting: reviewing the log files, looking for compliance and violations

17
Q

What is the first step in the AAA security mechanism for all security environments?

A

Identification

Identification starts the process of authentication, authorization, and accountability. Without an identity the system has no way to correlate an authentication factor with the subject.

18
Q

What is the second step in the AAA security mechanism for all security environments? What does it do?

A

Authentication

  • Proving that you are the claimed entity
  • Requires the person to provide additional information that matches the claimed identity
  • Identification and authentication are commonly used together
  • Without both you cannot access the system/device
19
Q

If a user has been verified as an authenticated user, they still need to pass another gate in the AAA security mechanism. What is it? Why?

A

Authorization

  • Defining the permissions (Allow/Grant/Deny)
  • Once authenticated, authorization must follow
  • Ensures the requested activity or access is granted only if permitted
  • An individual may have identity and authentication but no authorization
20
Q

What are the last two elements of the AAA services? Why are they important?

A

Auditing
* Recording a log of events and activities related to the systems
* A program by which a subject's actions are tracked/recorded
* Holding a person accountable for actions
* Additionally, it is the process of looking for unauthorized/abnormal activity

Accounting
* Reviewing the log files, looking for compliance and violations
* Accountability must be maintained
* Linking an individual to online activities

21
Q

Many controls offer their protection through the use of Protection Mechanisms. What are they?

(4 protection mechanisms)

A
  • Network / system layering: commonly called defense in depth. Example: industrial control systems
  • Abstraction: used when classifying objects or assigning roles to subjects. Simplifies security by enabling assignment of security controls to a group of people or objects
  • Obfuscation (hiding) of the data: preventing data/information from being discovered and/or accessible. Example: labeling "Secret Sauce" as file 1234
  • Encryption: the science of hiding the meaning or intent of a communication from unintended recipients. Should be applied to every type of electronic communication or storage
22
Q

Recite the ISC2 Code of Ethics.

A
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession
23
Q

It is important to act ethically at all times. What are some examples of unethical behavior?

RFC 1087: Internet Activities Board (IAB)

A
  • Do not seek to gain unauthorized access
  • Do not disrupt the intended use of the Internet
  • Do not waste resources through such actions
  • Do not destroy the integrity of computer-based information
  • Do not compromise the privacy of users
24
Q

What is Security Governance?

A
  • The set of rules, policies, and processes that protect the organization.
  • "Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."
25
Q

List some of the frameworks that are available to help establish a solid security control program.

A
  • ISO 27001/27002: provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
  • NIST SP 800-53: a comprehensive set of security and privacy controls for government offices.
  • NIST CSF (Cybersecurity Framework): provides additional coverage of comprehensive data security.
  • CIS Critical Security Controls: a prescriptive, prioritized, and simplified set of best practices that you can use to strengthen your cybersecurity posture.
  • AICPA Trust Services Criteria: criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (SOC for Cybersecurity).