Practice tests Flashcards
Who in our organization would be the BEST person to set the RPO (Recovery Point Objective) for our business applications? InfoSec Manager COO Internal Audit Manager Business continuity coordinator
COO
Of the people listed the COO would be the person BEST suited to set the RPO. We would ideally want the data owner to set it, but if they are not available the COO would be the person who would be most suited. The Information Security manager, audit manager or the business continuity coordinator should not determine the RPOs for business applications.
Which of these would be an indicator that we need to take a look at our change request procedures? A lot of emergency change requests A lot of postponed change requests A lot of similar change requests A lot of canceled change requests
A lot of emergency change requests
If we get a lot of emergency change request, we should take another look at our change procedures and processes. Emergency change request will happen, but they should be the exception, not the rule. With emergency change requests we rarely have the required time to test the change properly. Changes being postponed, canceled, or many of them being similar is what we would want to see. They are all indicators of a well-functioning change management process.
Who in our organization is responsible for us being in compliance with the legal and regulatory requirements for our line of business? CISO Chief Legal Counsel (CLC) Infosec steering committee Board of directors and senior mgmt
Board of directors and senior mgmt
The board of directors and senior management are always ultimately responsible (and liable). The steering committee would be the ones who chose which Information Security measures we implement, the CISO and CLC may also responsible, but the board/senior management is MORE correct.
With how rapidly Information Security is evolving we often need to update our documentation, standards, and procedures. Which of these would we update MOST often?
Server hardening procedures
Standards for password complexity
Standards for data retention and destruction
Policies for Infosec governance
Server hardening procedures
We would update our server hardening procedures MOST often, they need to be constantly updated to reflect the latest patches and updates. We would still update our standards, and policies, but not very often, and definitely not as often as our specific procedures.
Why is it important to classify and determine the sensitivity of our assets?
Ensure very sensitive assets are protected
Ensure the cost of controls are minimized
Cost of protections should be proportionate with the sensitivity of the asset
Ensure countermeasures are appropriate to the risk
X Ensure countermeasures are appropriate to the risk
We always implement countermeasures that are appropriate for the risk, that is why we clearly classify and determine the sensitivity of our assets. Protection cost being appropriate for sensitivity makes no sense, we base the appropriate cost on the risk. Naturally we want risks to be minimized and sensitive assets are protected, but that is not why we do the classification.
What would be BEST protection against data loss from a stolen laptop? Strong passwords Multifactor authentication Encrypted hard drives Real time network backups
X Encrypted hard drives
The best protection against data loss on a stolen laptop would be if we had the drives encrypted. Strong passwords can be bypassed if a skilled hacker, and multifactor authentication can often be bypassed if we remove the drives and add them to another computer. Backups would do nothing to protect the data, it would just give us a copy of it.
We are deploying VPN (Virtual Private Network) access for our remote employees. As part of the project requirements we need to ensure we have strong authentication. Which of these is the STRONGEST authentication method available? Biometric readers SSL (Secure Socket Layer) authentication Symmetric encryption 2FA (2-factor authentication)
X 2FA (2-factor authentication) 2FA (2-factor authentication) is considered more secure than any of the other answers. That means 2 types of authentication (something you know (type 1), something you have (type 2), or something you are (type 3 or biometrics). Symmetric encryption is normally not used for authentication, neither is SSL normally. Biometrics is an authentication type, but it is not as strong as 2FA (2-factor authentication) by itself.
We use both IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) in our environment. What is the MAIN purpose of the IDSs?
To alert on true negatives
To identify potential attacks on our internal network
To block traffic seen as malicious
To identify network misconfigurations
To identify potential attacks on our internal network
IDSs (Intrusion Detection Systems) are detection systems, they do not act, and their MAIN purpose is to identify potential attacks on our internal network. They do not block malicious traffic, that would be an IPSs (Intrusion Prevention Systems). We could discover potential misconfigurations with vulnerability scanners, not IDSs. Finally, an IDS would alert on “True Positives” (which is good); an attack is happening, and the system detected it, and “False Positives” the system sees normal traffic as malicious (which is bad). The system would not alert on “True Negatives”; that is normal traffic and the system seeing it as such.
Which type of access control is the MOST efficient? Centralized Decentralized Discretionary Role-based
Role-based
Role based access control would be the most efficient type of access control based on the answer options. Access is assigned to job roles reducing administrative overhead and making it more efficient. Decentralized would require more administrative overhead, so would discretionary access control, where the data owner would assign access at their discretion. Centralized access control is more efficient than decentralized, but in this example, we do not have enough information for it to the be the right answer.
Bassam is using GAP analysis to prepare for a board meeting presentation. Which of these MOST accurately describes a GAP analysis?
Analysis of current state versus desired state
analysis on the control objects we have to ensure they align with business goals
evaluating the BIA (business impact analysis) to make sure it is aligned with our business goals
Analysis on what we as an org is good at and see if we can use that to our advantage
Analysis of current state versus desired state
A GAP analysis is used for mapping our current state versus our desired state. We would use the GAP analysis to plan out the actionable steps we need to take to get from our current to desired state. The BIA is us analyzing the impact of a certain incident. The analysis where we look at what we are good at is SWOT analysis, and obviously control objects should align with business objectives, but that was not the question here.
Which of these could be MOST effective against internal threats to our confidential information? Defense in depth A privacy policy Role-based access control Monitoring of our audit trails
Role-based access control
Of the options available here, role-based access control would protect our information from internal threats the BEST. A privacy policy is not related to risk, defense in depth is mostly focused on outsider threats and audit trails is detective controls we use after the fact.
Out credit card database has been compromised; what should we do FIRST?
Verify there was an incident
Notify the data owner
Notify the Infosec steering committee
Start containment and network segmentation
Verify there was an incident
Our first step should be to confirm the incident actually happened. After we confirm the incident, then we would contain, segment and notify the data owner and leadership. The sequence is very important, it is possible the incident was a false positive (normal traffic seen as malicious).
We are a large multinational organization with offices in Europe, the US, Asia, Australia, Russia and Africa. Which type of information would we expect to have the LOWEST level of security protection? Previous financial results Strategic plan Upcoming financial results Customer PII
Previous financial results
Our previous financial results would have the LOWEST level of protection, they are already public. Exposing our strategic plan, our upcoming financial results or customer PII would have adverse effects.
A new regulatory requirement has been published for our industry. It looks like the implementation cost will be very high. What should you as the Information Security manager do FIRST? Implement immediate countermeasures Implement compensating controls Start and Infosec steering committee Do a gap analysis
Do a gap analysis
We would start with a GAP analysis, what is our current state, and what is our desired state? Then we would plan how to get from current to desired state. The steering committee would choose which initiatives we move forward with and would not be a FIRST step. Compensating controls, we may implement later, after we know more. We can’t implement immediate countermeasures; we need to do the analysis first.
Who would be responsible in our organization for classifying our information? Data owner CISO DB administrator Data custodian
Data owner
The owner of the data is always responsible for classifying the data, they know the best how sensitive (or not) their data is. The data custodian would do the practical things (patches, security, updates), but never classify anything. The CISO or the DBA are not appropriate for assigning sensitivity, they may have no clue what the data is or how sensitive the data is.
In order to mitigate newly discovered security vulnerabilities in an operating system, we would use which of these processes to address the vulnerability in a timely manner? Patch mgmt Security vulnerability mgmt Change mgmt Server mgmt
Patch mgmt
We would use patch management to address new operating system security vulnerabilities. Change management is the control process we have in place to ensure changes to our environment are planned, tested, and implemented properly; patch management would be part of our change management process. Server management is the management of everything regarding the server, and security vulnerability management is managing vulnerabilities on a server, including patch management, but patch management is a MORE right answer.
Which of these would be the MOST important for our security policies to do?
Be in clear and easily understood language
Be tailored to each business unit
Have verbiage about our network vulnerabilities
Address the process for communication internally and externally during a security incident.
Be in clear and easily understood language
Our security policies should be clear and easy to understand, they should be available to our entire staff. We would not have network vulnerabilities in our policies, and we do not want our entire organization to know about them. The process for communication would be in our DRP (Disaster Recovery Plan) or CCP (Crisis Communication Plan). The security policies are high level and vague, we would never want to have tailored versions for each business unit. The security policies are built from the vision and mission of the business, they should be consistent across the organization.
Our organization is spread across many smaller offices across the country. Which of these would present the LARGEST security risk?
System operations are not being followed
System capacity mgmt process are not being followed
Software dev is outsources
Change mgmt process are not being followed
X Change mgmt process are not being followed
If our branches do not follow proper change management, it is a cause for concern. Implementing fixes and solutions without proper change control can introduce a lot of security risks. System operating procedures and capacity management procedures should always be followed, but they are not as severe as lack of proper change management. We often outsource our software development, it in itself poses no security risk, as long as security is designed into the software and we do proper change control and management.
If we want to protect our organization against internal security threats, which of these would be the BEST to use? User training Server hardening Background checks Static IP addresses
Background checks
Background checks is the best way to protect against internal security threats of the options, their past behavior and actions are good indicators how and what they will do in the future. Server hardening may help, but we have no clue which type of internal threat we are dealing with. Static IPs really do nothing to protect us against internal security threats. User training is us giving them the training, in itself it does nothing. What we want is to raise their awareness, which is them acting on the knowledge and doing the right thing.
We want to ensure non-repudiation. Which of these would be the BEST for that? Collisions resistant hashes Digital signatures Strong complex passwords Symmetric encryption
Digital signatures Digital signatures (or PKI (Public Key Infrastructure) would be the BEST to ensure non-repudiation. You should be the only person with your private key; if a file was signed with your private key, you would have a very hard time proving you didn't. Strong passwords would possibly make us more secure, hashes would ensure integrity, and symmetric encryption can possibly ensure confidentiality, but none of them would give us non-repudiation.
One of our critical systems has an administrator account, the account prevents account locking, privileges and name changes. What could we implement that would protect us BEST against brute force password attacks?
Make a strong random password for the account
Don’t allow the system to be accessed from outside our org
Log all account usage
Request a patch from the vendor
Make a strong random password for the account
Since we are unable to lock the account, our best option is to create a very strong random password. It may not be an option to only allow internal access, and even if we do, attackers could get onto our network and brute force from there. We can request a patch, but we have no way making them provide it, and logging usage is a detective control and does not prevent attacks.
We are doing audits on our firewalls. What would be the best metric for measuring their effectiveness?
How many firewall rules we have configured on each firewall
The number of attacks they have blocked
The average throughput
The number of packets they have dropped
X The number of attacks they have blocked
Of the options available the best metric to evaluate the effectiveness of our firewalls would be how many attacks they have blocked. How many packets they dropped, the throughput, and how many rules we have configured are not indicators of the effectiveness of the firewall.
Bob has been tasked with integrating our new risk management processes into our existing production systems. What would be the BEST way to do that? Process monitoring Update our policies Change management User training
X Change management
We would use our change management to integrate new processes into exciting production systems. We would also as part of the integration do user training, update our policies and possibly monitor the processes, but they are not the BEST way to integrate.
As the Information Security Director, you are assisting the Information Security steering committee and the application owners in assigning RTO's (Recovery Time Objectives) for the applications we use in our organization. Which of these should have the SHORTEST RTO? Our intranet Our change mgmt system Our VPN access for remote contractors Our e-commerce website
Our e-commerce website
Of the systems listed here, the e-commerce system would have the SHORTEST RTO. We would want it to be back to at least limited capacity within less than an hour. In most cases we should have a true redundant solution in place with no downtime. Our change management system would have procedures in place in case of a change management outage, it is non-critical. Our intranet is possibly important depending on our work process flow, but it is not as important as our e-commerce. The same with our VPN access for contractors, it is important, but not as important as e-commerce.
Jane needs to determine an assets value. What would be the BEST source for her to use? Business mgr. for the asset Infosec mgr. Business analyst for the asset Average industry cost
Business mgr. for the asset
The business manager for the asset (also often the system owner) would be the person who would be best at assigning the real asset value. They have the in-depth knowledge of what the system does and how critical it is. We may need to assist them with quantifying the value, but they are the best resource. The business analyst knows how the system works, but not the value, and average industry costs is never something we should use for asset value. Our systems are unique, our organization is unique, we would at best use the industry average as a benchmark.
What is our Information Security governance PRIMARILY driven by? The potential of lawsuits Our business strategy Regulatory requirements in our industry Technology constraints we face today
Our business strategy
Governance is directly tied back to the organization’s strategy, vision and mission. Our technological constraints, the legal requirements, and the potential for lawsuits is important, but the primary driver is our strategy.
The relationship between different security technologies would BEST be defined in which of these? The process improvement models we use Our security architecture Our network topology Our security metrics
Our security architecture
Our security architecture would define how we use and the relationships of different security mechanisms. The security metrics would show improvement in our security practices. The process improvement models are focused on us improve our processes but does nothing to explain the relationship between our security mechanisms. Our network topology would show us our network layout, but not how our security mechanisms relate.
We are making an entirely new set of user awareness training materials. Which of these is the MOST important element?
The materials are easy to read and understand
Detailed info about social engineering
Buy-in from the infosec steering committee
Detailed info about our security policies and consequences for not following them
The materials are easy to read and understand
It is critical that the information is easy to read and understand. If it is too confusing or use too many technical words, many employees will either not read it at all or forget it almost right away. We would want senior managements buy-in, but for the materials to be effective, it is more important they are easy to understand. Staff should learn about social engineering and our policies, but in a simplified language they can understand and relate to.
Our organizations risk appetite is represented by which of these? Audit risk Control risk Residual risk Inherent risk
Residual risk
Senior management sets our risk appetite and residual risk is what is what is left after we have implemented the countermeasures and senior management has decided it is not worth mitigating the risk anymore. Inherent risk is the unmitigated risk, control risk is when control fail, and audit risk is how auditors approach their work.
What should the retention of our business records PRIMARILY be based on?
A business case and value analysis
Our storage capacity and how long we are keeping the data for
Our business strategy
The regulatory and legal requirements we need to adhere to
X Our business strategy
Our retention is dictated by our business strategy. We can chose not to comply with regulations if the cost of compliance is higher than the penalties for instance. Just like anything else we do a cost-benefit analysis. Business case and value analysis would be based on our strategy, making strategy a MORE right answer. How easy it is to use or the capacity on our data stores should never be a deciding factor.
Which group of people would be the BEST for performing risk analysis on our organization?
The process owners
External auditors
An external mgmt. consultant specialized on our line of business
A group of peers from our competitors
The process owners
Our process owners would be the group best suited for performing the risk analysis, they have the most accurate overview of the risks to their areas. Management consultants, our peers, or external auditors may be able to help in other aspects, but they would not be the BEST risk analysis for our organization.
Jane is working on risk analysis for all of our systems, facilities, and applications. Where would it be BEST to use quantitative risk analysis?
A power outage
To deal with stolen customer data
Half of our marketing department leaving our or to work for a competing business
When our ecommerce website is defaced by hackers
X A power outage
We would be able to quantify the financial loss we would see after a power outage. The loss of customer data and confidence, our website being defaced or how it would impact us if we lose half of your marketing team would be hard to quantify, for those we would probably use qualitative risk analysis.
Jane is building a business case for adding IDSs (Intrusion Detection Systems) to our network. Where would it be BEST to place those? On a screened subnet Outside of our firewalls On an external router On the firewall
X On a screened subnet
We would place our IDSs on our screened subnet (our DMZ (demilitarized zone)). Placing them outside our firewalls would leave them vulnerable to attacks, the same if we placed them on external routers. Placing them on the firewall would not be appropriate since the firewall is a hardened device and adding non-firewall services to it would weaken its security posture.
Bob is making a risk mitigation report; the report would include recommendations for which of these? Risk evaluation Risk acceptance Risk quantification Risk assessment
Risk acceptance
Part of the risk mitigation report would be risk acceptance, either as an alternative to the mitigation or after the mitigation, we would consider accepting the residual risk. Risk assessments, evaluations and quantifications would be part of the risk analysis we did to make the risk mitigation report, but not part of the report itself.
When a security standard conflicts with a business objective, the situation should be resolved by:
Do a risk analysis
Make updates to the security standard to match the business objective
Accept the risk
Make updates to the business objective to match the security standard
Do a risk analysis
Any discrepancy between our objectives and policies should be resolved by a risk analysis. What is the potential gain and loss from changing the policy or the objective? As part of our due diligence we would never just let policy or objective be updated without doing the proper analysis. We may choose to accept the risk, but that would be after the analysis.
The server team is building an intranet server. As the Information Security member of the project team, where should Bob recommend the server is placed? On our internal network Behind an external router Attached to a firewall In the DMZ
On our internal network
We would want the intranet server on our internal network, where it would be accessible for our employees and inaccessible to external sources. It would not be appropriate to place the intranet server attached to a firewall, behind an external router, or in the DMZ, we would want in further inside our internal network and not so close to the external network.
Bassam is finishing up this iteration of our risk management program. What is the BIGGEST benefit of the program?
It can align our risk with the cost of countermeasures
It can identify and remove all threats posed by people
It can bring our losses in alignment with what we have budgeted for
In can eliminate or transfer all organizational risks
It can align our risk with the cost of countermeasures
When our risk management process is successful, we are able to align our risk reduction with the cost of the countermeasure. We can never eliminate or transfer all organizational risks or man-made risks. We can also not budget with risk losses with any degree of certainty.
Bassam has just been hired as our new CISO (Chief Information Security Officer). Which of these options should Bassam focus on FIRST?
He should develop a new security architecture
He should hire a highly skilled staff
He should establish good communication with the steering committee
He should do a risk analysis on the entire enterprise and present that to senior management
He should establish good communication with the steering committee
Bassam should establish good communication with the steering committee first. They make most of the Information Security decisions and prioritization. While he may at some point need to develop the security architecture, do an enterprise wide risk analysis or hire more staff, we have no information about the need for any of those in the question and regardless we would always want to build report and communication channels with the steering committee and senior management.
We want to reduce risk to an acceptable level, what is that determined by the requirements of: International standards Our org Our IT systems Information Security
Our org
When a risk is reduced to an acceptable level is determined by our organizational requirements. We would never base it on the requirements of our IT systems, Information Security or international standards. Those factors may guide us, but they would never be the determining factor.
In any organization the PRIMARY goal of the risk management program is to ensure that:
Critical IT assets are protected
Business risks we face are acted on with preventative controls
Objectives are achievable
IT systems are always available
X Objectives are achievable
The PRIMARY goal of our risk management program is to ensure the business objectives are achievable. We are there to make sure the business is successful and reaches its objectives, by having an efficient and effective risk management program. Part of that could be protecting our critical IT assets, having IT systems always available and us having preventative controls for the business risks we face. They are however not the PRIMARY goal.
What would the data owner be responsible for?
Deploying security controls
Moving updated application changes from dev to prod
Determining the required levels of security for the data
Applying emergency patches
Determining the required levels of security for the data
The data owner would be responsible for determining the level of security required, the classification of the data, and who has access to it. The patches, deploying security controls, and moving updated applications from development to production would be performed by different data custodians.
As the CISO of our organization, it is one of Jane's responsibilities to get senior management's commitment and support for Information Security. Which of these would be the MOST effective for Jane to do? Explain the need for Infosec User enterprise wide metrics Explain the needs of the operation units Explain the organizational risk
Explain the organizational risk
For senior leadership it is important to understand Information Security in relations to organizational risk, and we would often use a cost benefit analysis for this. We may use enterprise metrics, but it would be possibly be part of the organizational risk. The needs of organizational units or Information Security would have to tie back to the organizational risk and the cost benefit analysis.
We are a financial institution and changes are being made to some of the security aspects of the PCI-DSS standard. What should our Information Security manager do FIRST?
Assess if existing controls fulfill the new requirements
Meet with the financial and legal leadership teams and decide how to comply
Update our current security and privacy policies
Analyze the key risks in the compliance
Assess if existing controls fulfill the new requirements
The first thing we should assess is if our current controls are sufficient. If they are there is no need to meet with the financial or legal teams, nor update any policies or procedures. Risk analysis of the compliance would come much later, if we decide our current countermeasures are not sufficient.
Which of these is the MOST important ability we should look for when we are interviewing candidates for a new CISO (Chief Information Security Officer) for our organization?
A clear understanding of how to map Infosec tech to the needs of the org
A clear understanding of the regulatory and legal requirements that are relevant to our industry and our org
Knowledge about he latest IT technology platforms, trends and development methodologies
The ability to lead a diverse group of employees efficiently and effectively
A clear understanding of how to map Infosec tech to the needs of the org
Information Security should always be aligned to the organizational needs, a clear understanding of what those needs are is critical for a new CISO. They should also know the technologies, the regulatory requirements and be able to effective lead their team, but MOST important is understanding our mission, vision and goals.
Which of these is MOST important to ensure is in place before we have outside contractors do a penetration test on our organization?
Everyone including senior mgmt. is unaware of the penetration test to ensure the pen test is as close to a real attack as possible
The goals and objectives are clearly defined
Out IT staff has been inform about the pen test
The pen testers show us what the plan to do on a test system
The goals and objectives are clearly defined
It is MOST important to have very clearly defined goals and objectives for the penetration test. We would also possibly have certain timeframes the attackers are allowed to use, certain IP ranges, and also clear guidance on what they are not allowed to do. We may have them try to access a test system, but that is after the clear goals and objectives. On top of that test systems often do not have the same posture as production systems, being able to get access to a test system may not mean they can access our production systems. We may inform the IT staff, but not always. Senior management HAS to know about the penetration test, they sign off on it, and they are ultimately liable.
We have had a year with a lot of security incidences, we have experienced all of these. Which of them would have the MOST negative impact? A power outage at our data center Internal fraud with monetary loss The loss of customer confidence Stolen software
The loss of customer confidence
One of the most valuable assets to any business is the confidence our customers have in us. If we lose it, it can be very hard to repair. Internal fraud, a power outage and stolen software are all problems, but ones we can most likely fix without a lot of problems.
When we are implementing a security control, the cost should NOT exceed what?
The financial benefit gained from the implementation
Annual loss expectancy (ALE)
The asset value
The cost of an incident
X The asset value
The cost of the security control should not exceed the asset value. If the cost of a countermeasure is greater than the asset value, we would not implement. We always base our security controls on a cost-benefit analysis. We would use the ALE and the cost of an incident in the analysis, but we would not base the decision on just those. The cost of the security control not exceeding the benefit from the implementation doesn’t even make sense.
We are implementing wireless networks at our new corporate office. Which of these would be the MOST secure way of doing so? Use WPA-2 (Wi-Fi Protected Access-2) Filter traffic based on MAC addresses Hide our SSIDs Use WEP (Wired Equivalent Privacy)
Use WPA-2 (Wi-Fi Protected Access-2)
Of the options here WPA-2 (Wi-Fi Protected Access-2) is the most secure protocol to implement on our new wireless network. Hiding our SSID does very little, since it still broadcasts, it takes a few seconds to find it regardless of it being hidden. Adding MAC filtering on our switch ports is also easy to bypass, the attacker would just have to spoof the MAC address of a trusted divide on a specific port and they would have network access. Finally, WEP is very easy break today, there are weaknesses in the algorithm, even very long complex passwords can be broken in less than 10 minutes.
We are considering implementing a risk reduction control. Which of these would BEST determine if the control should be implemented? Qualitative risk analysis Cost benefit analysis Penetration testing Quantitative risk analysis
Cost benefit analysis
Any risk reduction control should be based on a cost benefit analysis. We would probably use quantitative and qualitative risk analysis as input to the cost benefit analysis, but they are not the BEST at determining if we should implement the control. Penetration testing could also assist but would be part of a bigger analysis and auditing.
What would be the BEST way to treat a natural disaster risk with a low probability and high impact? Transfer the risk Implement countermeasures Eliminate the risk Accept the risk
Transfer the risk
We would most often transfer risks with low probability and high impact. This could be flooding of our data center. If we chose to implement countermeasures it is often cost prohibitive. We may not be able to eliminate the risk and accepting the risk could have a catastrophic impact if it actualized.
What should we do FIRST when we are implementing Information Security governance in our organization?
Make our security policies
Adopt security best practices for our industry
Determine our security baselines
Define our security strategy
Define our security strategy
The FIRST step would be for us to define our security strategy, we would then use that to make our security policies, and baselines, we may use best practices for our industry as well.
What is the MAIN focus of security audits?
To ensure our security controls operate as they should
The ensure our security controls are based on the latest technology
To ensure our security controls are cost-effective
To ensure our security controls focus on preventative measures
To ensure our security controls operate as they should
The main focus of our security audits is to ensure our security controls operate as they should. We would want cost-effective controls, but that is not the purpose of the security audit. It is possible we would want to use the latest technology, but again not something the security audit would look at. Security reviews should look at all controls, not just preventative ones.
We are wanting to build new software for our organization, at what stage of the software development lifecycle should we involve Information Security?
When they start programming the software
When the sw dev team starts testing the sw
When they start to define the detailed requirements for the sw
When requested by the sw dev team
When they start to define the detailed requirements for the sw
Information Security should be involved from the very beginning and security should be a requirement just like the functionality of the software. If we wait for the software developers to contact us, we will wait forever, software testing is at the very end of the development process and when they start programming is also too late, at this point they already have all the requirements and changes will be duct-tape solutions.
Bassam is the Information Security manager of our organization. With us having offices across the globe, Bassam has to ensure that our local security program is in compliance with what?
The data privacy directives that are applicable across the world
The data privacy policies where our headquarters are located
Our corporate data privacy policy
The data privacy policies where we collect the data
X The data privacy policies where we collect the data
Our local offices have to comply with the local law, where the data is collected. Our corporate data privacy policy, the policy where our headquarters are located, or the global data directives never supersede the local laws and regulations.
Which of these would be the BEST option if we wanted to prevent employees from copying files from their workstation to a USB drive?
Disable all USB ports on all workstations
Limit the number of available mappable drives to one
Implement Mandatory Access Control
Do frequent user training
X Limit the number of available mappable drives to one
The BEST option would be to limit the number of drives on the workstations. Users can insert the USB drives, but they would not be registered as a drive. We would not want to disable all USB ports; they are also used for mice and keyboards. Training should be conducted, but it is more efficient to lock down the workstations. Mandatory Access Control would do nothing in this scenario.
Which of these would be BEST to ensure the data in a file has not been altered?
Look at the file size
Encrypt the file using symmetric encryption
Use strong access control to ensure the file can’t be accessed by anyone with out the proper permissions
Hash the original file and compare the hashes
Hash the original file and compare the hashes
If we want to ensure the data has not been altered, the best way to do that is to compare a hash of the original file and a hash of the current file. The 2 hashes should be identical, if they are not the data was altered. We would not be able to tell what was changed, just that something was. The file size can easily be made to look the same as the original even if the data was altered. Using symmetric encryption can give us confidentiality, but not an integrity check. If the file is important, we would most likely use strong access control, but again it would not tell us if the file was altered, only that it would be difficult to access.
In order to evaluate the effectiveness our IDSs (Intrusion Detection Systems), which of these would be the BEST metric to use?
The number of attacks we detect
The ration of successful attacks to unsuccessful attacks
The number of successful attacks
The ratio of false positives to false negatives
X The ratio of false positives to false negatives
Looking at the ratio of false positives to false negatives would be the BEST metric to determine how effective our IDSs are. If it is configured to be as effective as possible, we would have minimal false positives (alert on allowed traffic), and minimal false negatives (no alert on malicious traffic). The number of attacks we detect, and number of successful attacks, or the ratio of successful to unsuccessful attacks in themselves are not enough to determine if our IDS is effective
Which of these would help us the MOST to ensure our risk management program to be as effective as possible? A solid risk baseline A flexible Infosec budget Accurate risk reporting New risk detection
X New risk detection
We would want all of these for our risk management program, but us being able to detect new risks would be the MOST helpful.
What would be MOST useful for Jane, when she is working on RTOs (Recovery time objectives) for some of our critical system?
A risk analysis
A gap analysis
A business impact analysis
A SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis
A business impact analysis
We get the RTO from our business impact analysis, and it is part of our MTD (Maximum tolerable downtime). What is the maximum amount we can have a system or function down before we are severely impacted? A GAP analysis we use to map a path from our current state to our desired state. A SWOT analysis is analyzing the Strengths, Weaknesses, Opportunities and Threats of our organization. The risk analysis would be part of the business impact analysis, but not what we use for the RTO.
As the CISO (Chief Information Security Officer) Bob is overseeing risk analysis. Which of these BEST describes what is in scope?
All critical systems and infrastructure
Anything subject to regulatory compliance
All our critical financial systems
All organizational activities
X All organizational activities
We do risk analysis on ALL our organizational activities; we would never limit it to specific systems or infrastructure. We need that holistic approach and protection profile.
When we make investments in Information Security technologies, what should those investments be based on? The business climate Vulnerability assessments Recommendations from our audits A value analysis
A value analysis
We do all our Information Security investments on value analysis. How will this benefit the organization? In most cases it is not revenue gained, but it is loss minimized to an acceptable level. We might look at the audits, the business climate and the vulnerability assessments, but we would still do a value analysis to justify the cost. We want that positive ROI.
What would we use to determine the amount of resources we use to mitigate risks? How much is left in the infosec budget Pen test results Audit reports Risk analysis results
Risk analysis results
The amount of resources we would use on a mitigation would be based on our risk analysis. Everything we do is based on a positive ROI (return on investment). We may use audit reports and penetration testing in our risk analysis, but they are by themselves to incomplete to determine the amount of resources we should use on mitigation. How much is left of the Information Security budget is something we need to consider but should not be how we determine how much we spend on mitigation.
We use risk analysis to determine how to protect our assets the best and mitigate risks as much as it makes sense. We have already rated incidences on likelihood and impact, now we want to get more precise numbers assigned to our assets that got a "High Risk" score. Which of these risk analysis approaches would be the BEST to use? Quantitative Qualitative Iterative Adaptive
Quantitative
When we want to put actual numbers and dollar amounts on both the risks and the mitigations; we would use Quantitative risk analysis (think quantity - it is a specific number). Qualitative risk analysis is where we rate risks on likelihood and impact, we then use that to determine which assets are high enough risk to move to quantitative risk analysis. Our risk analysis is iterative, but there is no risk analysis approach that is named iterative risk analysis. There is also no adaptive risk analysis.
Bob is scanning our internal network for security vulnerabilities. What is the MOST important thing Bob should ensure?
To not interrupt production environments
To not use open sources vulnerability scanners
To follow the normal attack cycle
To only scan production environments
To not interrupt production environments
It is MOST important that Bob does not disrupt any production environments or processes. If we have to run intrusive tests, they would be done off-hours and in a service window. There is not good reason to not use open source scanners, some of the better ones are open source. We would want to scan all environments, not just production. We would not follow the normal attack cycle; this is just scanning.
What is the MAIN reason for our Information Security objectives being clearly defined?
To measure the effectiveness
To ensure our objectives are consistent with the standards
To clearly understand the objectives
To get the staff’s buy-in
X To measure the effectiveness
We need our Information Security objectives to be clearly defined, so we can measure how effective they are. If our objectives are vague, we will have no clue how good or bad we are doing. We do need to clearly understand the objectives but measuring the effectiveness of them is more important. The objectives being clearly defined will help with getting the buy-in from our staff, but again those are secondary objectives.
We have chosen to implement decentralized information security management, because we have a geographically dispersed organization. What would the BEST reason to do so?
To lower the cost of ownership
To be able to follow our policies better
To be in better alignment with business unit needs
To be able to provide a more uniform quality of service
To be in better alignment with business unit needs
Decentralized information security management would normally give us better alignment with business unit needs. It would also often give us less uniform quality of service, deviate more from our policies and cost us more.
Who would be the BEST person in our organization to sponsor the creation of an information security steering group? Chief Operating Officer (COO) Lead internal auditor Legal Counsel Infosec mgr.
Chief Operating Officer (COO)
The chief operating officer (COO) is ideally whom you should report to. They are high enough in the organization and they have the 30,000ft view of both business operations and objectives. If not the COO, it should be the CEO, but that is not an answer option here, even if it was the COO would still be first choice. Legal counsel, auditors, and the Information Security manager would be key members of the steering committee, but none of them should sponsor the committee.
Our leadership has decided for 2 of our critical applications it is impossible to minimize the residual risk to an acceptable level. Even with all our countermeasures the residual risk is always too high. What can we do to mitigate that?
Buy insurance
Build a SOC and implement live monitoring
Update to state-of-the-art firewalls
Get professional pen testers to test the 2 apps
Buy insurance
With the residual risk ALWAYS being too high, the only option is to buy insurance and transfer the risk. The SOC, Pen testing and firewalls may minimize the incidences, but all those are irrelevant in this question, since senior management has determined it is never enough.
After a security incident the incident management team does a post-incident review. They do the review to produce what? Determine the areas affected Determine the hacker's identity A lessons learned document Relevant electronic
A lessons learned document
The result of the post-incident review would be our lessons learned report. What went well, what went wrong, and what can we do next time to improve our incident response. The electronic evidence, the areas effected and possibly who attacked us would already be covered reporting and possibly in response.
What would be the BEST reason to get help from external resources to work on our Information Security program?
They can be more cost effective and have expertise we do not internally
They can give us more redundancy for internal employees
They would be responsible for our Infosec program meeting the requirements
They can deliver the product faster because of their external knowledge
They can be more cost effective and have expertise we do not internally
The BEST reason would be for us to get cost effective assistance who has skills we do not have within the organization. We still need internal key stakeholders who have the detailed knowledge of our organization but getting outside help can help us deliver a better product sooner. Even if we contract external people, they might be responsible for producing a result, but as the Information Security manager or director it is your responsibility to deliver the program. In this case getting outside help would not help with employee redundancy, they are there to help us in areas where we lack the skilled employees. They may, or may not, be able to deliver the program with their knowledge, we simply do not have enough information to see determine if this is a viable option. Even if they could, the questions said, “Best reason”, which is the cost effective and knowledge we do not have internally.
One of our servers has been compromised and our incident response team is now examining it. The system is segmented from our network; what should they do FIRST?
Make a bit-level copy of all the hard drives
Make a bit-level copy of the memory
Reboot the server
Get a full set of logs to determine which parts of the system were compromised
Make a bit-level copy of the memory
When we do forensics, we always work from MOST volatile to LEAST volatile, meaning we would start with the memory. We would never reboot the server, that would clear volatile memory and possibly any evidence. We would later do the bit-level copy of the hard drives and look at the logs, but we would examine the memory FIRST.
Bassam is our Information Security manager, what can he use to BEST prepare for our annual regulatory reviews?
Assign someone from his team to be a liaison with the auditors
Do a self-assessment using the guidelines for that type of audit
Review the previous audit reports and talk them over with our process owners’ input
Make sure all inquiries are approved by our legal dept.
Do a self-assessment using the guidelines for that type of audit
Doing a self-assessment would be the best way to prepare for the annual audit/review. We would also assign someone as liaison, look at the previous reports, and involve our legal department, but the question was BEST way.
Jane is implementing a new heuristic IDS (Intrusion Detection System) solution. For that implementation what should be the MOST important consideration? Tuning it Encrypting it Set up packet filtering Patching it
Tuning it
The most important thing when implementing a heuristic IDS is tuning it. If it is not tuned right, we would get a lot of false positives (permitted traffic is denied), and false negatives (malicious traffic is not detected). We would apply patches when they are released, but they are not the MOST important thing. Encryption and packet filtering in this case are distractors, they would not be appropriate.
At a change control meeting, a system owner requests a change to their system that would conflict with our security standards. What would be the BEST way to resolve this conflict?
Add mitigating controls to the system
Make changes to the proposed system change to match the security standard
Enforce the security standard
Calculate the risk
Calculate the risk
We should always base decisions on a risk analysis, even when we consider deviating from our security standards. After we do the risk analysis and the risk is calculated, we may choose to enforce the security standard, make changes to the proposed system change, or add mitigating controls, but we would need the risk analysis to determine if any of those are suitable. We would never just do any of them without the proper analysis.
We are considering moving our BCP (Business Continuity Plan) to an automated solution to ensure specific users have access to only what they need from the plan to do their job. Which of these should be our primary concern?
Making sure the plans are accessible during a disaster
Ensuring the content of all weblinks in the plan are available through alternative means
Ensure that the plan automatically updates users when personnel join or leave the org.
Correct versioning of the BCP and its sub-plans
Making sure the plans are accessible during a disaster
If we move our BCP to an automated solution it is critical we are able to access it during a disaster. If we place it on our intranet it may not be available during a disaster. The other options are important, but not as critical as the availability of the plans during a disaster. We would want the correct versioning, if we do not have correct versioning staff may use old information making the disaster even worse. If the plan has web links, they should be accessible through alternative means, but again if we can’t access the plan at all the web links are less important. Integrating the plan with an user authentication system with content-based access control is smart, users gets access to exactly what they need and no more, and we would want the system to give user access when new users join and remove access when employees leave our organization; all this is still secondary to the availability of the plan.
We keep our backup data for as long as the information is usable or if we are required to by law, standards, or regulations. What is this an example of? Data handling Data storage Data retention Data encryption
Data retention
Data Retention: Data should not be kept beyond the period of usefulness or beyond the legal requirements (whichever is greater).
During a Distributed Denial of Service (DDoS) attack, we log into a system where we see the notifications. The system does not act on the notification other than sending us an alert. Which system are we logged in to? NIDS NPS HIPS HIDS
NIDS Only alert (intrusion detection) and DDOS would be network based, so NIDS.
What would an IT Security professional’s role be when we talk about patching systems? Apply them Nothing Review them Everything
X Review them
The security team would review the patches and approve them before the server team applies them.
There are many risks in today’s increasing complex IT world, how we deal with them should be part of an overarching strategy. We could for instance be risk neutral or averse. Who would decide our organization's risk appetite? IT leadership team IT security team Rules and regulations Senior mgmt.
Senior mgmt.
Governance, This is C-level Executives. Stakeholder needs, conditions and options are evaluated to define: Balanced agreed-upon enterprise objectives to be achieved. Setting direction through prioritization and decision making. Monitoring performance and compliance against agreed-upon direction and objectives. Risk appetite – Aggressive, neutral, adverse.
We have acquired a competing organization and your team is working on the risk analysis for the applications they use internally. You would use which of these as PART of your Qualitative Risk Analysis? A risk analysis matrix Risk = threat x vulnerability ALE, SLE and ARO Fact-based analysis
A risk analysis matrix
Qualitative Risk Analysis: This is vague, guessing, based on a feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on “how likely is it to happen and how bad is it if it happens?” It is often done to know where to focus the Quantitative Risk Analysis.
What is one of the MAIN benefits of using VPN (Virtual Private Network) tunneling, to allow our remote users to access our internal network? Reduces the need for complex passwords Makes the traffic secure Decreases the administrative overhead Removed the need for 2FA
Makes the traffic secure
VPNs allow our staff to connect securely, because the traffic is encrypted in the VPN tunnel. We would want 2FA with the VPN, and we definitely do not want to remove it. We would not want to have less complex passwords, and VPN’s may or may not reduce administrative overhead, for this question it is irrelevant.
Where in our application development would we initially address encryption key management? System deployment Beginning of programming Requirements development Code debugging
Requirements development
We need to start looking at encryption key management in the initiation or planning phase of the project, when we develop our project requirements. If we do not do it until programming, deployment or debugging, we are doing it after the fact, and it will be bolt-on security. It will never be as secure as security designed in as a functional requirement.
At which phase of our systems or software development lifecycle should risk assessments be built in, to ensure risks are addressed in the project development? Programming Feasibility Specifications User testing
Feasibility
We should address risk as early on in the project as possible, of the phases listed here that would be feasibility. In the programming or the user testing phase is way too late, if the feasibility phase was not an option, then we would do it in specifications, but feasibility is much better.
If we want to protect our organization against external security threats, which of these would be the BEST to use?
Writing server logs to an external WORM (Write Once Read Many) media
Background checks
NAT (Network Address Translation)
Static IP addresses
NAT (Network Address Translation)
NAT is the only option that may help us against external security threats. Local IP addresses are not routable. Using static Is would really do nothing, background checks would be for our internal employees, and the WORM media may prevent the attacker from deleting the logs, it will do nothing to protect us against attackers.
Which project management tool would be the BEST to determine how long a security project should take to implement? Gantt chart Ideal path SWOT chart Critical path
X Critical path
We would look at the critical path to determine how long a project would take to complete. The critical path is the longest distance between the start and the finish of your project, including all the tasks, their duration, which gives you a clear picture of the project’s actual schedule. We would use SWOT analysis to determine our strengths, weaknesses, opportunities, and threats. The Gannt chart is used to estimate required resources and resource allocation, as well as task sequencing. Ideal path is not a project management term.
You are the CISO (Chief Information Security Officer) of our organization, who should you ideally report to? CTO COO Head of internal audit Head of legal counsel
COO
As the CISO of our organization, you should ideally report as high up in the organization as possible. That would at best be the CEO but given the options in the question the COO (Chief Operations Officer) would be the best choice.
We want our employees to be able to access our internal network over the internet from an external connection. For this implementation we also want to make sure attackers are not able to gain access pretending to be authorized users. Which of these technologies would make it the MOST secure? 2FA (Two-factor authentication) IDS SSO Challenge response
2FA (Two-factor authentication)
2FA would make it the MOST secure, the user would most likely use Type 1 and Type 2 authentication (something you know and something you have). The IDS would detect attacks, but not attackers pretending to be authorized users. Challenge response would make the connection more secure, but 2FA is much more secure. SSO makes it easier for users but does nothing for user authentication.
You are working on our Information Security risk analysis, what would be your MOST important deliverable from that process?
List of assignable risk to process owners
List of actionable items on how to mitigate risks
BIA report
Clear quantification of organizational risk
X List of actionable items on how to mitigate risks
All of these are important deliverables of our risk analysis, but the MOST important is the actionable items we can do to mitigate our risk to an acceptable level. We use the BIA to determine mitigations, the process owners need to know they are responsible for their risks, and we want the clear quantification of organizational risks, but they are all secondary to the actionable items we need to minimize our risks to acceptable levels.
What would be the BEST way for us to send a message securely? Send the message with a hash Send the message using PKI Password protected portable media Send the message using steganography
Send the message using PKI
The MOST secure way to send messages today based on the answer options would be using (PKI) Public Key Infrastructure. Hashing would not make it secure, that would just provide integrity checks. Password protected portable media would be secure, but nowhere near as secure as using PKI. Steganography is hiding a message in an image or audio file; it is mostly security through obscurity.
What would be the BEST security measure we could use to prevent data disclosure and data exfiltration? Very strong key storage Very strong encryption Very complex firewall rules User authentication in all apps
X Very strong key storage
We would want a very strong key storage, if the attackers can get to our encryption keys, most of the other security measures are irrelevant. Most encryption today is strong enough to not be breakable with current technologies, making it stronger does often not make it significantly more secure. Complex firewall rules do not mean more secure, and in this example is a distractor. We would want user authentication in all applications, but not relevant for this question.
What is the primary objective of our risk management program? Eliminate business risk Implement effective controls Minimize residual risk Minimize inherent risk
X Minimize residual risk
Of the answer options the PRIMARY goal of our risk management program is to minimize our residual risk. We can never eliminate business risk completely. We may not be able to minimize inherent risk. We want to implement effective controls, but we do that to minimize residual risk.
An incident response policy HAS to contain which of these?
An inventory of our critical backup files
Up-to-date call trees
Criteria for escalation
Templates for press releases
Criteria for escalation
Our incident response policy is like any other policies high-level and vague. It would have the criteria for escalation; who can do it and when can they do it, what has to have happened? It would not contain call trees, press releases or specific backup information.
The requirements of which of these would have the lowest level priority in Information Security? Business Regulatory Technical Privacy
Technical
The technical requirements are the lowest priority, technology is there to enable the business requirements, and often we adhere to regulations and privacy requirements and make them part of our business requirements.
To protect against SQL (Structured Query Language) injection attacks. Which of these would be the BEST to implement? Input field restrictions Proper change control Referential integrity checks An IPS
Input field restrictions
Adding input field restrictions would be the best way to protect against SQL injections. We would only allow the needed amount of characters for names, phone numbers, social security numbers and drop-down menus for country and state. Only certain characters would be allowed. We want proper change control, but it does not directly help with SQL injections. The IPS for protecting against other types of attacks. We would have referential integrity checks on our SQL, but that is a backend check we perform to optimize and remove data errors from the SQL database.
What is the PRIMARY reason we would implement a risk management program?
It allows us to satisfy regulatory requirements
It will allow our org to eliminate risk
It is part of our management’s due diligence
It helps provide a positive ROI
It is part of our management’s due diligence
The primary reason for implementing a risk management program is for our management to do their due diligence. Being in compliance with regulatory requirements is important, but not the primary reason. The program may provide a positive ROI, but that is not the purpose. It is impossible to eliminate risks completely; we can however manage them to an acceptable level.
We are wanting to promote Information Security awareness within our organization. Which of these tactics would be the MOST efficient and positive way to do so?
Locking user accounts if they mistype their password 3 times or clicked on a phishing email
Strict rules around phishing emails and reprimands and written warning when employees clock on phishing emails
Rewards and competitions for users and business units who are able to act on the infosec awareness training
Weekly reports sent to managers o how their staff performed the previous week in regard to phishing and other awareness topics
X Rewards and competitions for users and business units who are able to act on the infosec awareness training
Rewarding employees for good behavior is much more effective than punishing them for bad behavior. Highlighting the competitions and getting different business units to compete with each other is a great way for employees to keep each other accountable for good Information Security practices. Warnings, locking accounts, and reports sent to the managers may be needed, but it should never be the first or second course of action.
Senior management has asked us to build a new data center in a county where flooding is common. They are aware of the risk and has asked you to suggest mitigation strategies since they do not want to accept the risk. Which of these would be the BEST to recommend to senior management? Acceptance Rejection Transference Avoidance
Transference
The BEST mitigation to recommend senior management would be risk transference (We buy flooding insurance). Senior management were clear, they did not want risk acceptance, they wanted to mitigate. Risk rejection is knowing the risk is there but ignoring it (never OK). Senior management did also not want risk avoidance, we could have done that by not building the data center in the area that is prone to flooding.
What is the PRIMARY purpose of the change control process? Document changes Apply changes Test changes Authorize changes
Authorize changes
The PRIMARY reason for the change control process is for us to approve and authorize changes to our environment. It is secondary that the changes are applied, documented and tested. Those 3 are still important, but they are not the primary reason for change control.
We want our mobile users to be able to access sensitive intranet data. Which type of access control would be BEST for this? Strong passwords Data encryption Multifactor auth Digital signatures
Multifactor auth
Multifactor authentication would be the BEST type of access control to implement for mobile users. In this case we would most likely use Type 1 (Something you know), and Type 2 (something you have) authentication here. That could be username/password and a security token. Data encryption, digital signature, and strong passwords would help with the security posture, but multifactor authentication would be BEST.
What should be the PRIMARY goal when we develop a new Information Security strategy?
Define security metrics, goals and performance monitoring
Train business process owners and raise their awareness
Support the business objectives
Ensure we meet all legal and regulatory requirements
Support the business objectives
The business objectives of our organization are always the most important consideration, that is what everything else is there to enable. The security metrics, goals, performance monitoring, and training and awareness are all there to support the business objectives. Legal and regulatory requirement are important and often part policies and procedures, but they are still not the primary goal of our Information Security strategy.
What does encrypting a message with the sender's private key and then encrypting it again with the receiver's public key give us? Authentication and non-repudiation Confidentiality and integrity Confidentiality and non-repudiation Authentication and authorization
Confidentiality and non-repudiation
Encrypting with the receiver’s public key gives us confidentiality, because only they can decrypt the message. Encrypting with the sender’s private key gives us non-repudiation. Remember the public key can decrypt the private key for either user or vice versa. Since the receiver has their own private key and the sender’s public key, they can decrypt the entire message.
Which type of authorization policy would be BEST suited if we want regular staff rotation, cross training, and minimalize the risk of fraud? Rule-based access control Role-based access control Multi-tiered access control Discretionary access control
Role-based access control
If we want staff rotation, cross training and minimize the risk of fraud, the type of access control that is best for that would be role-based access control. Here rights are assigned based on job role, and as part of that we can use job rotation and mandatory vacations to cross train and lower the risk of fraud. Discretionary access control is based on the data owner’s discretion and does nothing for what we are trying to do here. The same goes for rule-based access control, that is what our older firewalls use, IF this, THEN that.
Which of these events would normally have the LARGEST impact on Information Security? Moving a data center Upgrading firewalls Acquisition of a competing org Opening a new office
Acquisition of a competing org
Acquiring a competing organization would have the largest impact on Information Security impact. We would need to integrate their staff, hardware, software, and everything else they have into our organization. We need to ensure everything in their organization is at the same high level of security standards as we have. This can often take months or years to ensure they are as secure as we are, and first then would we possibly connect the networks. Building a new office, moving a data center or upgrading our firewalls would still have Information Security impacts, but we already have procedures and policies in place to deal with events such as these.
What do we use to ensure our password policies are MOST effective?
Regular password audits
Security awareness
Single sign-on
Penalize employees for not complying with policies
Security awareness
For us to implement our password policies in the MOST effective way, we would need to raise user awareness about Information Security and proper password complexity and why we do it. Audits and penalizing employees can help, but them understanding how to do it right and why we do it is much more efficient. Single sign on (SSO) would make access to systems easier for users, but it also comes with some inherent security issues.
We have hired an external company to perform penetration testing on a new application we just finished building. They have a clear SOW (Statement Of Work) and we give them an internal user account with regular user privileges to use in their penetration testing. Which type of penetration testing are they performing? Gray box Blue box Black box White box
Gray box
If the penetration tester has an internal regular user account/knowledge, they are conducting a gray box penetration test. Black box would be no knowledge or access. White box would be administrator access and detailed knowledge of our network. There is no blue box penetration testing, we do however use red and blue team in testing. Red team are the attackers and blue team the defenders.
What would be the BEST protection against phishing attacks?
User awareness training
Firewall filtering
Complex email filters
Restrict email usage to only the internal network
User awareness training
The best protection against any type of phishing (normal, spear, whale, vishing) is user awareness training. We would also implement the email filtering, and it would help, but it is less effective than user awareness. Limiting emails to the internal network would not do anything to prevent phishing, neither would firewall filtering.
What would be the BEST metric we could use to evaluate how effective our security awareness training is? Number of failed login attempts Number of password resets Number of resolved security incidents Number of security incidents reported
Number of security incidents reported
If our staff is trained sufficiently, and we have raised their awareness, we would see an increase of reported security incidents. While this may at first seem counter intuitive, we see the increase because our staff understands what to report to us. Before we raised their awareness, we would have less reports because they did not know what to report to us. Password resets and failed login attempts would not be an effective metric in measuring our awareness training, users still forget passwords or enter credentials incorrectly. The number of resolved security incidences does not have to correlate to the raised awareness.
Bob has finished a risk assessment for a critical application. The cost of mitigation would be much higher than the benefit. What should he recommend we do with the risk? Mitigate Accept Transfer Reject
Accept
When the cost of mitigation is higher than the benefit, we should recommend risk acceptance. We want exactly enough Information Security, no more, no less, and the decision is based on cost vs. benefit. We would never reject a risk, that is us knowing it is there and doing nothing, in this case we already did the analysis, so we are past that point. Risk transference and mitigation makes little sense here, we already determined it was not cost effective to do any other risk responses.
Jane is doing risk analysis throughout our large international organization, she should:
Focus on the number of incidents over the potential size of the loss
Compare us with the benchmarks of other similar orgs
Consider the size and likelihood of the loss
Give he same protection profile to all assets
Consider the size and likelihood of the loss
In our risk analysis, we would look at the size and likelihood of a loss, we need to quantify it to design appropriate countermeasures. What similar organizations do is to us unimportant, every environment is unique. We would never give the same protection profile to all our assets, they are not created equally, we need to give them the protection profile that matches what we discovered in the risk analysis. The potential size of the loss is always more important than how likely the incident is to happen. Us losing $1,000,000 in one incident is much worse than us having 100 incidences costing us $10.
At what point do we reach our RTO (Recovery time objective)? The system is back in production The system sw is restored The system hw is restored The system is completely offline
X The system hw is restored The RTO (Recovery time objective) is when we have restored the system hardware. Us getting the system back into production is the MTD (Maximum Tolerable Downtime). When the system is completely offline is a distractor, and when the system software is restored is the WRT (Work Recovery Time). The maximum amount of time we can be down, must not exceed the time it takes us to rebuild the hardware, install the software and test the system (MTD ≥ RTO + WRT).
Which of these would be the BEST proof that our risk management practices are successful? Residual risk is minimized Inherent risk is eliminated Risk is maximized Overall risk is quantified
Residual risk is minimized
Successful risk management is when our residual risk is minimized to an acceptable level. We would our overall risk quantified, but only so we can minimize it. We can’t eliminate inherent risk and we never want to maximize our risk.
As part of our forensics after a security incident, we are looking at the slack space on the compromised servers’ hard drives. Why do we do that?
It can contain hidden data
It can contain system log files
Is can contain the login info the attackers used
It can contain unused data sectors
It can contain hidden data
Slack space is leftover space from when a file does not need the entire cluster for the data it is storing. The slack space is whatever is left over of the cluster, it may contain old data, or can be used intentionally by attackers to hide information. The slack space could technically contain login information or log files, but hidden data is MORE correct. Sectors can contain slack space, not the other way around.
In an internal security audit, we notice an entire department all has super user access to a critical application. What should the Information Security manager do FIRST?
Reviews our procedures for granting access to the critical app
Change the access rights policies
Meet with the data owner to understand the business need
Restrict the access until it is confirmed all member of the department have a need for the access
Meet with the data owner to understand the business need
The Information Security manager should meet with the data owner to understand the business needs, and why an entire department has access. There may be a good reason for it, we just need to ensure it is there. We would never restrict access without investigation. We may later want to change the access right policies, but we would advise, and senior management would decide. If we find access is being granted incorrectly or without proper security, we may review the procedures, but not at this stage.
Bob is making a presentation to senior management about Information Security. What would be BEST to include in the presentation to get their support?
In-depth illustrations that show successful attacks
Refer security risks back to the key business objectives
A full breakdown of the org against best security practices
Explanations of the technical risks the org is facing
Refer security risks back to the key business objectives
It is always important to speak to senior management in a language they understand, we need to tie what we do back to the goals, the vision and mission of the business. We can also use cost/benefit analysis, ROI or other big picture terms they are used to. As Information Security managers/CISOs we need to be the translating link between Senior management and the techies. If we start talking about successful attacks, technical risks, or security best practices, that is not information they can relate to. We need to talk their language.
We have implemented a new antivirus solution in our organization. If we automatically push the new signatures to all workstations every Friday at 19:00 (7PM); which of these would be the WORST security exposure in regard to the automatically updating signatures?
We don’t know if the update was successful until Monday morning
Helpdesk not being available during the weekend
Systems are vulnerable to any new viruses found between updates
Users not being able tot test during the weekend
Systems are vulnerable to any new viruses found between updates
Signatures should not be updated only once a week; the update schedule should be much more aggressive. If we only update once a week, we would be vulnerable to new viruses for up to 7 days. Even if we do minor or major changes over the weekend, we would still have users, testers, and helpdesk if needed available after the change, in the case of antivirus however it is critical we push updates either as soon as they are released or shortly after we test them in our test environment.
Bob needs to find our minimum standards for securing our IT infrastructure, where should he look? Security guidelines Security architecture Security publications Security strategy documentation
X Security architecture
Our minimum standards for securing our IT infrastructure would be defined in our security architecture document. Our strategy would be our high-level plans and visions, the security guidelines are suggestions, and we would use publications to educate ourselves or others.
Which of these would make us update our Information Security governance and it would NOT require any further justification?
It is required by regulatory compliance
It would benefit our org financially
We are aligning our org’s governance with the best practices for our industry
It will improve our BCP and give us full redundancy
X It is required by regulatory compliance
Regulatory can be something that would force us to update our Information Security governance without any further justification. Being aligned with best practices is nice but would need further justification. BCP and it benefitting us financially would be drivers, but they would on their own not make us update governance without further justification.
When we do risk assessments, they should be done:
Every quarter for critical processes
Annually or whenever we have significant change
By external auditors
Annually for each business unit
Annually or whenever we have significant change
The risks to our organization change all the time, we should at least do risk assessments every year or whenever there is a significant change, that can be to both our organization and outside influences. External auditors would not do risk assessments, they would do audits. Doing assessments every quarter may be too aggressive, we do not have enough information in the question to justify it, and annually for each business unit may not be enough if there are significant changes.
Our organization is a large online reseller. We realize a network attack, what should we do FIRST?
Shut off external access from all servers and devices
Enable logging on all affected devices
Write all the logs to WORM media
Isolate the affected network segments
X Isolate the affected network segments
We would isolate the affected networking segments FIRST, we need to contain the attack and ensure it does not spread. The rest of our network can keep functioning, but with heightened monitoring. We would never just shut off all external access, we would segment FIRST, and only as a very last resort shut external access. Logging should already be enabled, and it should write to a centralized logging server as well as WORM media. During an attack we have more important things to worry about than enabling logging, it should have been done when we moved the system into our production environment.
Jane is developing an information security plan, what should she do FIRST?
Assess our current business strategy
Perform a BIA
Assess our technical vulnerabilities
Asses the current levels of security awareness in the org
Assess our current business strategy
Everything we do in Information Security refers back to the business goals and strategy. Since the question was what we do FIRST when developing an IS plan, we need to know the business strategy, goals and vision. The BIA, vulnerabilities and awareness is something we would look at much later.
Which of these would we do FIRST after a successful DDOS (Distributed Denial-Of-Service) attack?
An impact analysis of the DDOS attack
An assessment of our system to determine their status
Restore servers using backup media from our offsite storage facility
Isolate the affected subnets
X An assessment of our system to determine their status
We would FIRST do an assessment to determine the status of our systems. We would not isolate the subnets, that would be done during the attack and not after as the question asked. Restoring systems would make no sense, this was a DDOS attack, no servers should have been compromised other than their availability. We would do an impact analysis of the attack, but it is definitely not what we would do FIRST.
Jane is the Information Security Manager in our organization. She has been tasked with developing a strategic plan for Information Security. The timeline of the plan she makes should be:
Agile to keep up with the changes in tech
Based on 3-4 year tech refresh cycle to ensure we are aligned with the trends and developments withing infosec
Aligned with the strategic plan for all of IT
Aligned with business strategy
Aligned with business strategy
Any planning for information security should be properly aligned with the needs of the business. We would possibly update it when significant changes happen, but not make it agile, it should align with the plan for all of IT, because it should be aligned with the business plan. It is also normal to use tech refresh cycles for all of IT, but it is not the most thing in our strategic Information Security plan.
Bassam is the lead of our incident response team; they have proof hackers have gained access to some of our systems and they have successfully altered some of our customer information. Bassam reports this to John, the Information Security Manager. Who should John notify FIRST?
Data owner
Customers who were compromised
Regulatory agencies that govern our sector
Infosec steering committee
Data owner
John should notify the data owner FIRST. They can with our help determine how bad the damage is, and with the incident response team determine the appropriate corrective actions. We will later inform the steering committee, the customers and the regulatory agencies, if it is appropriate based on our internal policies and the regulations and laws we need to adhere to.
What is the MOST important component of our privacy policy? How we deal with liabilities How we handle notifications The geographic area the policy covers The warranties we issue
X How we handle notifications
Our privacy policies have to have notifications and opt-out provisions. Policies are high level directions, they would most often not address warranties, the area they cover or our liabilities. Also, keyword MOST.
Changes to technology would very rarely make us change which of these? Standards Policies Guidelines Procedures
Policies
We would very rarely change our policies due to technology changes; they are the very high-level documents that we use to build the more specific, and at times technical procedures, standards and guidelines. We would update our procedures, standards, and guidelines to reflect technology changes.
What is the MOST important reason we have Information Security reviews our contracts throughout the enterprise?
Ensure appropriate controls are included
Ensure no confidential information is included in the contract
Ensure the right to audit is a requirement
Ensure that both parties can perform their contractual promises
Ensure appropriate controls are included
When our organization signs contracts with other entities, we need to ensure that the proper security controls are in place. Some contracts would have confidential information included, we can’t eliminate it completely, but we should limit it to what is strictly needed. We would possibly also reserve the right to audit, but not always, and it is less important than the security controls. If both parties can fulfil their obligations is important, but it is rarely a security concern.
When we are developing a business case for buying new security software which of these would help us the MOST?
Quantifying the cost of control failures
Calculating the ROI
Assessing how often the sw could help us mitigate specific security risks
Comparing the spending to what is normal in orgs similar to ours
Calculating the ROI
Our business cases and ultimately our Information Security decisions and purchasing should be based on the ROI (Return on investment). We would use how it could help us mitigate, and the cost of the control failures as part of the ROI calculation, but they in themselves is not what we base our decisions on. What other similar organizations spend is a benchmark, but also not something we would make decisions on, every organization is unique.
Which of these would be the MOST important information we would need to implement data classification in our organization? Identify data owners Do an initial risk assessment Determine our data retention policy Define job roles within the org
Identify data owners
It is MOST important that we know who all the data owners are, they would know how to classify their information. We would classify the data and do a risk assessment, but we need the data owners for that. Job roles is a distractor and has nothing to do with the question.
To protect against malicious activity by former employees; which of these is MOST important? User activity monitoring Good termination procedures Non-compete clauses Pre-employment background checks
Good termination procedures
The only one of these that would possibly protect us against former employees would be the good termination procedures. We would obviously still do the background checks, monitoring of activity, and possibly the non-compete clause, but all those are done before or during employment, not after.
Jane is conducting a network vulnerability assessment; what would the vulnerability assessment be able to identify? Missing patches Zero-day vulnerabilities Malware Security design flaws
Missing patches
We do vulnerability assessments to find known vulnerabilities on our network, that could often be missing patches, misconfigurations, open default ports or user accounts and passwords. 0-day are unknown, malware would be found with antivirus and antimalware and security design flaws would be found it we did an architectural audit.
One of our business units is planning to implement a new technology that would be in violation of our security standards. What is the FIRST thing you should do as an Information Security manager?
Do research and propose they use better technology
Make them follow the security standard
Change the standard
Do a risk analysis
Do a risk analysis
We would not just change standards or refuse the new technology without proper risk analysis. We do that first and depending on the risk analysis we may recommend to senior management that we change the standard, or we enforce the standard. Research better technology may also be a compromise, but it would happen after the risk analysis.
Our organization has just finished a companywide Information Security user awareness training effort and we are going to try to social engineer our employees to gauge how effective the training was. Which of these is NOT a type of social engineering attack? Scarcity Authority Vishing Reconnaissance
Reconnaissance
Reconnaissance is one of the phases of an attack or penetration testing, it is not a form of social engineering. Vishing (voice phishing), authority, and scarcity are all types of social engineering.
What is the PRIMARY reason we do Security awareness training in our organization?
Reduce human risk
Train staff to react in security incidents
Explain our security strategy to staff
Prove we are compliant with the laws and regs in our sector
Reduce human risk
The primary purpose of security training is to raise staff awareness and reduce the risk that staff poses. Most often the biggest security risk is our employees, and training and awareness can help with that. We do also need to be in compliance with training and we need our staff to know how to react in a security incidence, but for this it is a secondary objective.
We do risk assessments every so often. What is the MOST important reason for us doing that?
Risk assessments are not always accurate
Infosec risks often change
Prove to senior mgmt. that infosec is needed
Frequent reviews can help us optimize and save on costs
Infosec risks often change
The threat landscape is constantly changing and with that the risk we have to protect against. While previous risk assessments may not be accurate it is not the MOST important reason to do it, neither would optimizing, that is an added bonus. We would never do a risk assessment just to prove we are needed, we do that by giving valuable information that senior management can act on.
We just recovered from a security incident on a server. The systems administrator tried to stop the attack and did not notify the Information Security team right away. What could we have done to avoid this mistake?
Regular reviews of the incident response procedures
Regular testing of the incident response plan
Regular testing of our IDS and IPS
Creating mandatory infosec training for al employees
X Regular testing of the incident response plan
The best way to improve on incident performance and consistent employee responses would be to test the plan. Testing the IDS/IPS is good to do but would have done nothing in this situation. A review of the incident procedures may have helped, but the testing is much more efficient. Us making mandatory Information Security training is also good but would not have done anything in this case.
Which of these devices would we want to place in our DMZ (demilitarized zone)? Routers Mail relays Authentication servers Firewalls
Mail relays
We would place our mail relay in the DMZ, it is a simple mail server that accepts emails, and filter them based on a pre-defined set of criteria, then delivers the emails to another server. Our routers and firewalls would not be in the DMZ, but they may be on the edge of it. Authentication servers would keep behind the DMZ in our internal network.
During an attack what should be our FIRST priority? Containment Monitoring Restoration Documentation
Containment
Our first priority should always be containment, we need to stop the attack from propagating through our network. Monitoring should already be in place. Documentation is done in our lessons learned after the attack. Restoration is done when the attack is contained, and we have determined how and what was compromised. We fix the flaws and then restore systems and system access.
Our control objectives relate to our business objectives, making then the best metric. Everything we do should tie back to our business vision, mission and objectives. How many controls we have implemented, the percentage of our policy compliance and reduction in incidences are all indicators, but control objectives achieved is the better answer.Jane is our Information Security manager, which of these metrics would be the BEST for her to use to evaluate the results of an Information Security program?
What percent we are compliant with security policies
How many controls we have implemented
How large a reduction in security incidents we see
What percent of our control objectives we have achieved
Our control objectives relate to our business objectives, making then the best metric. Everything we do should tie back to our business vision, mission and objectives. How many controls we have implemented, the percentage of our policy compliance and reduction in incidences are all indicators, but control objectives achieved is the better answer.
Our Information Security manager Bob has been asked “What is of GREATEST importance when we decide if we should accept residual risk?”. What should he answer?
Potential business impact
Cost of additional mitigation compared to the benefit
TCO (Total cost of ownership)
Cost of the asset
Cost of additional mitigation compared to the benefit
We should always choose to reduce risk by implementing new countermeasures all the way until the cost of the mitigation is higher than mitigation benefit. We would use the TCO, the asset value and the business impact in our analysis, but they would not be of the GREATEST importance, they would be contributing factors.
For our information security program to be successful, which of these is the MOST important?
Security awareness training
Senior management buy-in
Sufficient initial budget and staff
The that goals and objectives are achievable
Senior management buy-in
The MOST important thing in the success of our information security program is senior managements buy-in. The other answer options are secondary to senior management. We would need the awareness training, the achievable goals and objectives, and initial budget and staff, but they are less important. If we do not have the buy-in from senior management, we are less likely to succeed.
Our company uses a lot of contractors and temporary employees. What would be the BEST way to ensure their access is removed when they no longer need it?
Request the overseeing manager emails infosec when the contractor has completed their work
Send an audit of their account activity to the manager overseeing them
Set automatic expiration dates
Have all contractors and temp employees sign an NDA
Set automatic expiration dates
Before the contractor or temporary employee starts, we would know how long their contract is set for. We would use that and set automatic expiration dates on their access. If the contract is extended, the overseeing manager would request an extension (with a new automatic expiration). Requesting the overseeing manager to send an email when the contractor is done, will often not happen, automation is always better than remembering. We may send the audit and have the contractors sign and NDA, but neither of those would help with access removal, once the contract is completed.
We have received a critical emergency security patch for our storage array via email from the company that made the array and its software. What is the FIRST thing we should do?
Do an extensive code review to ensure the patch addresses the issue
Validate the patch to ensure it is authentic
Deploy the patch in our production environment
Deploy the patch in our test environment
Validate the patch to ensure it is authentic
We FIRST need to confirm it is a real patch from the actual company that made the software. We do this before anything else. If we confirm it is from the company that made the software and it is critical, we would do proper change management, and if the patch was approved, we would deploy to our test environment first. If no issues we would either do another change management or deploy to production. It is very unlikely we would do (or be able to) do any code review of a patch.
Which of these would most often be something the Information Security steering committee would do?
Develop security awareness program content
Approve user access to mission critical financial servers
Interview new people for very technical infosec positions
Pick which order we would work on security initiatives
Pick which order we would work on security initiatives
The steering committee would prioritize our security efforts. They are the high-level governance over Information Security. It would be the IT manager and team that would interview technical Information Security personnel, they would also develop the awareness program. The approval for user access to any system would be approved by the data owner.
If we want to prevent our users from sharing files with unauthorized users; which type of access control would be BEST to implement? Mandatory access control Attribute-based access control Role-based access control Discretionary access control
X Mandatory access control
If we want to ensure no file sharing with unauthorized users, we would use MAC (Mandatory Access Control). Users without proper access would not be able to access the files, and other users with the proper access can’t share them. File sharing with unauthorized users is possible with DAC (Discretionary access control), RBAC (Role-based access control), ABAC (Attribute-based access control).
We are deploying biometric access readers for areas in our organization that are labeled as critical security. For those areas we should set the readers sensitivity to which of these? Low CER (Crossover error rate) High FRR (False rejection rate) High FAR (False acceptance rate) Exactly at the CER
X High FRR (False rejection rate)
For areas that are considered critical or high security, we would want a higher than normal FRR (False rejection rate). This means that we may reject slightly more authorized employees, but it is worth it because we also get a lot less FAR (False accept rate) errors. Lower or exactly at the CER (Crossover Error Rate), we would want for normal security areas, but for not for areas that are high or critical security.
As the Information Security manager, you are looking at antivirus software for our organization. What is the MOST important consideration before choosing a product?
How well it works with our IDSs, IPSs and firewalls
How large the market share the product has and the TCO
How easy it is to maintain and how often signature updates are released
How often the vendor releases major updates and their feature road map
How easy it is to maintain and how often signature updates are released
It is MOST important that the antivirus software’s signatures are updated frequently, and it is easy to use. How often the software vendor releases major updates is irrelevant, so is their feature roadmap. The antivirus solution should work with our other security hardware and software, but in most places, they would report back to our SIEM, and their interrelationship is secondary to the signature release frequency. The TCO is important, but again not as important as how often they update their signatures. Market share could be an indicator but is never a deciding factor.
Bob as the Information Security manager has been tasked with implementing more restrictive preventative controls. By implementing the controls, they will PRIMARILY help to reduce what? Threats Loss Likelihood Vulnerabilities
X Vulnerabilities
When we implement more restrictive preventative controls, that would reduce our vulnerabilities. The threats would still be there, we would just not be susceptible to those specific threats. Our loss or the likelihood of an incident may or may not be reduced, but it is not what PRIMARILY would be affected.
Rovana is looking at our administrative security controls, which of these would be discretionary? Guidelines Policies Standards Procedures
Guidelines
Our policies, procedures and standards are mandatory, making them non-discretionary. The guidelines are recommendations on how to do a certain task and we would use those in making our practices, they are discretionary. A way to remember it, is if it has “line” in it, it is discretionary (baseline, guideline)
Rovana is suggesting we use a centralized information security management system over a decentralized system. What is a characteristic a centralized system?
They are more aligned with business unit needs
Its adherence to our policies
It is more expensive
They can implement new requests faster
X Its adherence to our policies
Having a centralized information security management system will give us more predictable results and it will allow us to follow our policies much easier. Centralized systems are often cheaper than decentralized, but they are often less aligned with business unit’s needs, since we apply the same posture across the entire enterprise.
Rovana is the Information Security manager of an organization that spans the globe, meaning we need to follow the regulations of many different governments, to ensure we follow all these regulations Rovana should:
Establish baseline standards for all locations and then add additional standards for locations that require more security
Find the common requirement that all locations have and implement those
Incorporate all of the regulations into one overarching policy that covers all the requirements of all the locations and ensure all locations follow it
Find industry best practices and ensure all locations are in compliance with those.
Establish baseline standards for all locations and then add additional standards for locations that require more security
It is most efficient to make a standard baseline and add additional standards to locations that need higher security. It could be an issue if we implemented the maximum standards in every location, best practices are nice, but we have no clue if they would be enough, and just implementing what every location has in common is never enough.
Of these options; when is the BEST time to have penetration test conducted?
After an audit has found weaknesses in security controls
After an attempted intrusion
After significant system changes
After a high staff turnover
After significant system changes
If we have significant changes to our environment, we would most likely want to do a penetration test. The changes could easily have introduced new vulnerabilities. After an audit, we would fix the vulnerabilities they found and then maybe do a penetration test, but not right after. The same with the intrusion, we would fix any issues and then maybe do a penetration test. High staff turnover in itself is not a reason for a penetration test.
We can BEST ensure message integrity, sender authentication, and non-repudiation using which of these? Symmetric cryptography Hashing PKI Linear cryptanalysis
PKI
When we use PKI (Public Key Infrastructure), we can get message integrity, sender authentication, and non-repudiation. If we used symmetric encryption, we would get confidentiality, hashing can provide integrity and confidentiality, and linear crypt analysis is a form of breaking the encryption, not applying it.
We are wanting to protect certain servers against SQL (Structured Query Language) injection attacks. Which of the following would do that the BEST? Add IPSs Add HIDSs Add IDSs Add host-based firewalls
Add IPSs
Of the options here the IPS (Intrusion Prevention System) would have the greatest chance of stopping an SQL injection attack. The IDS and HIDS both detect and possibly alert, they do not prevent anything. SQL injection attacks happen on OSI layer 7, meaning a host-based firewall would not check the packets on the application layer.
As part of our BIA (Business Impact Analysis) we need to determine the recovery times and cost estimates for all our systems. Who would be responsible for those values? Business process owner BCP coordinator Infosec manager Infosec steering committee
Business process owner
The business process owner should assign the recovery times and cost estimates, they have the most in-depth knowledge about the system or application and the impacts of an outage. The BCP coordinator would coordinate our efforts in an incident or disaster. The Information Security manager is there to make sure we follow the plans and the steering committee would prioritize the systems and applications, but neither the Information Security manager or the steering committee has the in-depth knowledge needed to assign the recovery times and cost estimates.
Rovana is our Information Security Director; her team is going to do information risk analysis. Which of these options should be their FIRST step? Classify all assets Evaluate thee risks to all assets Determine the ownership of all assets Make an asset inventory
Make an asset inventory
We first need to have a complete asset inventory before we can do any of the other options. If we don’t know what all our assets are, how can we classify, evaluate risks or determine ownership of them?
As part of a security audit, we have found some security flaws. The IT Security team has been asked to suggest mitigation strategies using the OSI model. Which of these would address layer 7 issues? Installing UPSes in the data center Start using application firewalls Shut down open unused ports Access lists
Start using application firewalls
Application layer firewalls are on the 7th OSI Layer. The key benefit of application layer firewalls is that they can understand certain applications and protocols. They see the entire packet; the packet isn’t decrypted until layer 6; any other firewall can only inspect the packet, but not the payload. They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used any malicious way.
We are implementing some new standards and framework in our organization. We chose to use scoping on one of the standards we are implementing. What does scoping mean?
To pick and choose which parts of the standard or framework we went to implement
To see if the standard is a good fit for our org
To implement the full standard or framework but implement higher standards in some areas
To find out how much the implementation will cost us
To pick and choose which parts of the standard or framework we went to implement
Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.
We have hired a team of penetration testers to audit our network for vulnerabilities. During a test, one of the testers discovers a real attack underway. What should the tester do?
Nothing. He was hired to test, nothing else
Shut the system down to prevent further damage
Stop the attacker by cutting off access
Notify the org immediately
Notify the org immediately
The tester should never act or fix anything on our network, if they notice an attack they need to let us know right away so we can act on it.
As part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication? Fingerprint and PIN Password and username PIN and credit card Username and smartcard
Password and username
Multifactor authentication uses authentication from more than one factor (something you know, are or have). Passwords and usernames are not multifactor, they are both knowledge factors.
Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?
Low-level step-by-step guides
Recommendations
Non-specific but can contain patches, updates, strong encryption
Specific: all laptops are W10, 64 bit, 8 GB memory etc.
X Non-specific but can contain patches, updates, strong encryption
Policies – Mandatory: High level, non-specific. They can contain “Patches, Updates, strong encryption”, they will not be specific to “OS, Encryption type, Vendor Technology”
