Other stuff

Question 1

Identification -> Assessment -> Treatment -> Tracking -> Review. What’s this?

Answer 1

Risk management phases

Question 2

What’s the annual loss expectancy?

Answer 2

Single loss expectancy x annual rate of occurrence

Question 3

Name the 6 types of security controls.

Answer 3

Physical, technical, administrative. Preventive, detective, corrective

Question 4

What’s MAC?

Answer 4

Mandatory access control - set by administrator

Question 5

What’s DAC?

Answer 5

Discretionary access control - set by the user

Question 6

What’s RBAC?

Answer 6

Role-based access control

Question 7

What’s a standard?

Answer 7

Mandatory rules that must be followed

Question 8

What’s a baseline?

Answer 8

Provides the minimum necessary security

Question 9

What’s a guideline?

Answer 9

Flexible, but recommended

Question 10

What’s a procedure?

Answer 10

Step-by-step guides

Question 11

Promiscuous, Permissive, Prudent, Paranoid. Explain?

Answer 11

Promiscuous - wide open. Permissive - only block “known bad”. Prudent - block all “known bad”, but allow based on business needs. Paranoid - no bad at all!

Question 12

Name 6 of the 9 vulnerability types.

Answer 12

Misconfiguration, Buffer overflow, Default installation, Unpatched, Open services, Default passwords, Design flaws, OS flaws, App flaws

Question 13

What’s the CC?

Answer 13

Common Criteria for Information Technology Security Evaluation - an itnernational standard (SIO/IEC 15408)

Question 14

What’s the EAL and how can it be ranked?

Answer 14

Evaluation Assurance Level - from 1 to 7

Question 15

What’s the TOE?

Answer 15

Target of evaluation - what’s being tested

Question 16

What’s the ST?

Answer 16

Security target - a document that identifies the security properties of the TOE

Question 17

What’s the PP?

Answer 17

Protection profile - a document that identifies the security requirements for the service or product

Question 18

Name 5 relevant laws or standards and what they’re relevant to.

Answer 18

HIPAA - medical
SOX - corporate disclosure
PCI-DSS - cards, ATMs, PoS
COBIT - IT governance framework
ISO/IEC 27001 - standards for secure IS
FISMA - US legislation to protect government information

Question 19

What’s HIPAA for?

Answer 19

Medical

Question 20

What’s SOX for?

Answer 20

Corporate disclosure

Question 21

What’s PCI-DSS for?

Answer 21

Cards, ATMs, PoS

Question 22

What’s COBIT?

Answer 22

IT governance framework created by ISACA and ITGI

Question 23

What’s ISO/IEC 27001?

Answer 23

International standards for secure IS

Question 24

What’s FISMA?

Answer 24

US legislation to protect government information

Question 25

Name the standards that govern medical systems.

Answer 25

HIPAA

Question 26

Name the standards that govern corporate disclosure.

Answer 26

SOX

Question 27

Name the standards that govern cards, ATMs, point of sale.

Answer 27

PCI-DSS

Question 28

Name the IT governance framework created by ISACA and ITGI.

Answer 28

COBIT

Question 29

Name the international standards for secure IS.

Answer 29

ISO/IEC 27001

Question 30

Name the US legislation to protect government information.

Answer 30

FISMA

Question 31

Name the four attack types.

Answer 31

OS attacks, Application attacks, Shrink-wrap code, Misconfiguration.

Question 32

What’s an OS attack?

Answer 32

Default settings, default passwords, admin panels

Question 33

What’s an application attack?

Answer 33

Programming code, software logic

Question 34

What’s shrinkwrap code?

Answer 34

Build-in code and scripts (eg jQuery)

Question 35

What’s misconfiguration?

Answer 35

Easier for users = less secure

Question 36

Name the 3 phases of the pen-test.

Answer 36

Preparation (scope, ROE), assessment, reporting

Question 37

What’s GBLA?

Answer 37

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to protect customer information. It also forces them to provide their privacy practices to the public.