Security and Risk Management

Question 1

What is a Threat

Answer 1

Potential Danger associated with exploitation of a vulnerability

-A Tornado COULD happen.

Question 2

What is a Threat Agent

Answer 2

Entity taking advantage of vulnerability - the person, or actor

Example: The Wind of a tornado, or flying objects caused BY the tornado. If there was an actual tornado

Question 3

What is Risk

Answer 3

Likelihood a threat source exploits a vulnerability and the business impact involved

Question 4

What is Exposure

Answer 4

Instance of being exposed to losses. For instance a vulnerability exposing possible damage.

Question 5

What is a Control

Answer 5

Also known as a countermeasure or safeguard. Put into place to mitigate, or reduce, potential risk

Question 6

Types of Security Controls

Answer 6

Physical, Administrative, Technical

Question 7

Administrative Controls

Answer 7

“Soft Controls” ie security documentation, risk management, personnel security, and training

Question 8

Technical Controls

Answer 8

AKA Logical Controls. Software OR hardware such as Firewalls, IDS, IPS, HIPS, encryption, and identification and authentication methods

Question 9

Physical Controls

Answer 9

Protection of facility, personnel, and resources. IE Door Locks, Alarms, Security Guards, Lighting, fences, CCTV, Turn-styles

Question 10

Defense-In-Depth meaning

Answer 10

Mixture of admin, technical, and physical controls to help minimize exposure to risk of exploitation. Page 9 Shon Harris

Question 11

The more sensitive and asset the more____controls should be used

Answer 11

security

Question 12

What are the different functionalities of security controls?

Answer 12

Preventative, Detective, Corrective, Deterrent, Recover, and Compensating

Question 13

Preventative Function of Control

Answer 13

avoid an incident from occurring

Question 14

Detective Function of a Control

Answer 14

Assist in the detection of incident activities and potentially an intruder

Question 15

Corrective Function of a Control

Answer 15

Fixes components or systems AFTER an incident occurs

Question 16

Deterrent Function of a Control

Answer 16

Discourages potential hackers

Question 17

Recovery Function of a Control

Answer 17

Intended to bring environment back to regular ops

Question 18

Compensating Function of a Control

Answer 18

Provides an alternate measure of control that provides similar protection, but is often times cheaper or allows specific business functions to operate. Example: After evaluating cost of security guards, you use a fence instead since it is cheaper.

Question 19

Examples of Preventative Admin Controls

Answer 19

Policies, procedures, testing, effective hiring practices, pre-employment background checks, controlled termination processes, data classification, labeling, security awareness training

Question 20

Examples of Preventative Physical Controls

Answer 20

Badges, swipe cards, Guards, dogs, Fences, locks, mantraps, NOT A CAC OR SMART CARD

Question 21

Examples of Technical Controls

Answer 21

Passwords, biometrics, smart cards, CAC, Encryption, security protocols, call-back systems, database views, IPS, Antivirus Software, ACLs, Firewalls, IDS

Question 22

Corrective functions only apply to what type of control? How?

Answer 22

Technical via Server Images

Question 23

Recovery functions only apply to what type of controls? How?

Answer 23

Physical and Technical. Physical: Offsite facility Technical: Data backups

Question 24

Deterrent functions only apply to what type of control? How?

Answer 24

Physical: Fences, Lighting, Dogs

Question 25

Security through obscurity should be avoided? True or False? Why?

Answer 25

True! Like hiding a key under a doormat. Burglers know these tricks so try to avoid shortcuts to security.

Question 26

Ways to find vulnerabilities in code?

Answer 26

Fuzzing, input validation,

Question 27

Security Programs are also called?

Answer 27

Security Framework

Question 28

Security Framework

Answer 28

different types of technologies, methods, and procedures to accomplish the right protection level required to secure environment.

Question 29

ISO/IEX 27000

Answer 29

How to Develop and maintain an ISMS developed by ISO and IEC. AKA Security Program Development

Question 30

Zachman Framework

Answer 30

Model for development of enterprise architectures

Question 31

TOGAF

Answer 31

Model for development of enterprise architecture developed by THE OPEN GROUP.

Arhictecture Development Method (ADM)

Question 32

DoDAF

Answer 32

US DoD architecture framework that ensures interoperability of systems to meet military mission goals.

Question 33

MODAF

Answer 33

Framework used by British Ministry of Defense. Based on DoDAF

Question 34

SABSA Model

Answer 34

Framework for development of enterprise security architecture

Question 35

COBIT 5

Answer 35

business framework developed by ISACA “Information Systems Audit and Control Association”

Question 36

NIST 800-53

Answer 36

Security controls to protect US Fed Systems

Question 37

COSO Internal Control - Integrated Framework

Answer 37

Created to reduce risk of financial fraud by the Committee of Sponsoring Organization of the Treadway Commission

Question 38

ITIL

Answer 38

Developed by the UK office of Gov’t Commerce

Question 39

Six Sigma

Answer 39

Business management strategy used to carry out process improvement

Question 40

Capability Maturity Model Integration

Answer 40

AKA CMMI , process development created by Carnegie Mellon University

Question 41

ISO/27001

Answer 41

Remember this one most - Requirements for organizations- ISMS Requirements

Question 42

What is Enterprise Architecture?

Answer 42

Enterprise Structure (form) and behavior (function) embodies enterprise components and relationship to one another

Question 43

Framework

Answer 43

Like a blueprint. Blueprints can be modified to meet needs (enterprise) but all starts with blueprint

Question 44

Clinger-Cohen Act

Answer 44

Passed to reduce federal agency IT expenditure waste (spending) “Cling to the money”

Question 45

Zachman Architecture Framework

Answer 45

2-dimenstional chart that uses 6 comms interrogativeds (What, How, Where, Who, When, Why) vs. role prespectives (Executive, business Mans, sys ads, engineers…)

Question 46

What is Enterprise Security Architecture?

Answer 46

Subset of Enterprise Architecture,

Question 47

Governace Analogy

Answer 47

Policy: Employees will nail boards together using a company-issued hammer

Standard: Company-issued hammers will be 11 inches long, and made of fiberglass

Guideline: To avoid splitting wood, a pilot hole will be drilled before hammering

Prodedure: 1. Position nail on board. 2. Strike nail head with hammer. 3. repeat until nail is flush with board and board is secure. 4. If catch finger between hammer and nail, see “First-Aid Procedure”.

Question 48

ISC Code of Ethic Canons (1-4). Which one is the most important?

Answer 48

1. Protect society, the commonwealth, and the infrastructure. MOST IMPORTANT
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals
4. Advance and protect the profession LEAST IMPORTANT

Question 49

ISC2 Ethical Basis. Where were ethics derived?

Answer 49

• Golden Rule - reciprocity
• Kants Categorical Imperative - uniformity - No exceptions without extreme consideration
• Descartes Rule of change - Slippery slope - when you DO make exceptions opens the door to issues
• Utilitarian Principle - What does the most good. Subjective because it can be opinionated
• Risk Aversion Principle - least harm - also subjective
• Avoid Harm - Do No Harm.
• No Free Lunch Rule - assumes ownership
• Legalism - is it against the law?
• Professionalism - is it contrary to the code of ethics?
• Demonstrate due care/diligence?
• Evidentiary guidance - can you prove it?
• Client/customer choice - affected people make decisions “informed consent
• Equity - equal distribution of costs/benefits
• Competition - Market sets prices/quality
• Compassion - Most vulnerable parties protected - Elderly/Children
• Impartiality/Objectivity - biases?
• Impartiality/Full Disclosure - affected persons informed?
• Confidentiality - individual security
• Trustworthiness - is IT staff/technology accountable?

Question 50

Ways to obtain leadership support (3)

Answer 50

1. Financially - Probability * Magnitude (Value of items) = Cost (of plan to implement)
2. Reputation
3. Regulatory - Prudent Person Rule

Question 51

Data Retention Policies - Business Docs

Answer 51

7 yrs

Question 52

Data Retention Policies - Invoices

Answer 52

5 years

Question 53

Data Retention Policies - Accounts Payable/Receivable

Answer 53

7 Years

Question 54

Data Retention Policies - Human Resources

Answer 54

7 years for employees who leave

3 years for candidates who did not get hired

Question 55

Data Retention Policies - Tax Records

Answer 55

4 years AFTER tax has been paid

Question 56

Data Retention Policies - Legal Docs

Answer 56

FOREVER

Question 57

What are the information life cycle phases

Answer 57

Acquisition, Use, Archival, Disposal (AUAD)

Question 58

Recovery Point Objective

Answer 58

Amount of time an org can function until the function will cause irreversable damage, if not restored. ex 5 Days of lost customer revenue

Question 59

Recovery Time Obective

Answer 59

Amount of time that an org will start to lose data. Ex. 1 days worth of data.

Question 60

Differential Backup

Answer 60

All changes since last full backup

Question 61

Incremental Backup

Answer 61

All changes since last increment

Question 62

Mirrored Site

Answer 62

Full functioning backup with all data

Question 63

Hot site

Answer 63

Full network infrastructure, however data may not be loaded. RTO = 4 hours

Question 64

Warm Site

Answer 64

Partially equipped. More set up required than Hot site. RTO = a few days

Question 65

Cold Site

Answer 65

Site not equipped. Empty warehouse, long setup time.

Question 66

Service Level Agreement (SLA)

Answer 66

Agreement between 2 parties where a level of service is defined

Question 67

Business Partner Agreement (BPA)

Answer 67

Contract between 2 entities dictating their business relationship. Defining expectations and obligations of each party

Question 68

Memorandum of Understanding (MOU)

Answer 68

Letter of intent (not legally binding) with a means to document the specifics of an agreement or arrangement between 2 parties.

Question 69

Interconnection Security Agreement (ISA)

Answer 69

Formal declaration of the security stance, risks, and technical requirements of a link between 2 orgs

Question 70

5 Phases of SDLC

Answer 70

1. Initiation
2. Acquisition/Development
3. Implementation
4. Operation/Maintenance
5. Disposition

Question 71

Difference between trademark and copyright?

Answer 71

Trademark is something like a logo. Copyright is literary or artistic such as a book, drawing, or other written documentation.

Question 72

Which symmetric cipher is a Feistal-type block cipher with 64-128 bit blocks?

Answer 72

CAST

Question 73

What is a tangible asset?

Answer 73

Physical - Can be owned. If you can drop it on your head or bump your foot AND HAS VALUE, it is tangible

-Servers, Hard disks, Data Centers, Optical Disks, Facilities, workforce

Question 74

What is a intangible asset?

Answer 74

• Software, soft data, intellectual property.

- Software, databases, source code, data files, PII

Question 75

______ implies the absence of a countermeasure

Answer 75

Vulnerability

Question 76

Types of confidentiality threats

Answer 76

Eavesdropping, shoulder surfing, sniffing, dumpster diving

- an ACTIVE attack

Question 77

Types of Integrity threats

Answer 77

• Errors and omissions
• Insider Threats
• Man in the middle - NOT a sniffer because sniffer is passive. man in the middle is not passive. A person could intercept, modify, then deliver
• Falsified invoices.
• A PASSIVE attack

Question 78

Is a man in the middle attack effect confidentiality or integrity?

Answer 78

Integrity because it is not passive. They could intercept and alter network traffic, then redeliver.

Question 79

Threat to Availability examples

Answer 79

Hard disk crash

Server Failure

Corruption

DoS, DDoS

Question 80

Non-repudiation relates to C. I. or A.

Answer 80

Integrity

Question 81

What is nonrepudiation?

Answer 81

Proving validity of an action or task – being able to identify the origin of an event. Cannot be disproven

Question 82

Order of reliance for the C.I.A.

Answer 82

It all starts with confidentiality, then integrity, then accessibility. In that order.

Question 83

Authentication, Authorization, and Accounting (AAA) actually have 5 components – what are they

Answer 83

1. Identification
2. Authentication
3. Authorization
4. Auditing
5. Accountability

IN THAT ORDER – user (subject) must identify themselves, then authenticate themselves, then they are authorized based on permissions. Objects are auditing subject activity, logs, etc, and then are accounted for by reviewing logs

Question 84

3 types of organizational plans

Answer 84

Strategic - Long term ~5 year plan - includes risk assessment

Tactical - ~1 year plans - project plans, aquisitions plans, hiring plans, budget plans, system development plans

Operational - VERY short term plan. highly detailed. Staffing assignments, close-range schedule, budget requirements, training plans, system deployment plans, product design plans.

Question 85

Business Classifications NOT DoD

Answer 85

Confidential, Private, Sensitive, Public

Confidential - High Security relating to BUSINESS only – Propriatary business functions could be an example

Private - High Security relating to PERSONNEL data such as PII, or medical data.

Sensitive - causes a negative business impact if disclosed

Public - No impact

Question 86

What is a Security Manager

Answer 86

Ultimate responsibility for protection of assets. SIGNS off all security policies. All activities approved and signed by SM. Also held organizationally responsible for due care. due diligence. RARELY implements solutions and leaves this up to Security Professional

Question 87

What is a Security Professional

Answer 87

Information Security Officer, CIRT, or other experienced IT. IS/IT function role where responsible for writing the security policy and implementing it. NOT decision makers. ARE implementers.

Question 88

Data Owner

Answer 88

high-level manager whos sole responsibility is data protection. Usually delegates actual data management responsibilities to Data Custodian.

Question 89

Data Custodian

Answer 89

Assigned to user by Data Owner. Responsible for implementing protection defined by senior management. Performs all activities to provide CIA protection – backups, validating data, deploying security solutions, etc

Question 90

COBIT

Answer 90

Control Objectives for Information and Related Technology

ISACA framework

Question 91

COBIT 5

Answer 91

5 Principles:

1. Meeting Stakeholder needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management

Question 92

OSSTMM

Answer 92

Open Source Security Testing Methodology Manual - Testing and analysis of a security infrastricture

Question 93

ISO/IEC 27002

Answer 93

Replaced ISO 17799 - International standard used for implementing org security practices

Question 94

ITIL

Answer 94

Information Technology Infrastructure Library

Developed by British - recommended security practices

Question 95

Due Care is Dependent on Due Diligence?

Answer 95

False - Due Diligence is dependent on Due Care

Due Care - reasonable care to protect assets of an org

Due Diligence - activities that maintain the Due Care effort.

Question 96

What is a Security Policy

Answer 96

defines scope of security needed at org/discusses org assets

used as proof by senior management to show due care

Question 97

How many different types of security policies?

Answer 97

3 - Organizational, Issue-Specific, and System-Specific

Question 98

Organizational Security Policy

Answer 98

issues relevant to every aspect of the organization

Question 99

Issue Specific Security Policy

Answer 99

Focuses on specific organizational procedures – network services, departments, functions…

Question 100

System Specific Security Policy

Answer 100

focuses on individual systems or types of systems and appliance related security controls – Firewalls, base-lining, approved hardware and software use

Question 101

Security Policy Categories (3)

Answer 101

Regulatory, Advisory, Informative

Regulatory - Required by industry or legal standards
Advisory - Provide behaviors and activities that are acceptable (MOST POLICIES ARE ADVISORY)
Informative - Informational in nature, provides information about specific subjects

Question 102

Security Policies should address specific individual responsibilities? T or F

Answer 102

False – Policy should define tasks and responsibilities to FIT a role.

Question 103

Confidentiality Controls

Answer 103

Encryption
Least Privilege
Access Control (MAC, DAC, Physical…)
Need to Know

Question 104

Integrity Controls

Answer 104

Hashing
Separation of Duties
Dual Control

Question 105

Availability Controls

Answer 105

Backups
Remote site hosting / recovery
High Availability
Fault Tolerance