Security Architecture Domain 4 Flashcards
Three risk analysis methods
OCTAVE
NIST 800-30
ISO/IEC 27005
Quantitative Risk Analysis
This approach employs two fundamental elements: the probability of an event occurring and a value or measure for the loss should it occur.
Quantitative risk analysis makes use of a single figure produced from these elements. This is called the _____________________ or the ______________
‘Annual Loss Expectancy (ALE)’
‘Estimated Annual Cost (EAC)’.
Quantitative risk is calculated by multiplying
Single loss event (SLE) x annual rate of occurrence (ARO)
Most qualitative risk analysis methodologies make use of a number of interrelated elements:
THREATS
Things that can go wrong or attack the system
VULNERABILITIES
These weaknesses make a system more prone to attack by a threat or make an attack more likely to have some success or impact.
CONTROLS
These are the countermeasures for vulnerabilities.
Where is the attack vector in emails
There are potentially two: the email itself and the attachment to the email.
What are the key differences between a worm and a virus
Worms can generally spread without needing human interaction.
A virus needs a host file; it attaches to an executable file, document or program.
Most European countries' data protection laws follow principles detailed in two EU directives, whether or not these countries are part of the European Union. These directives are
- Directive 95/46/EC of the European Parliament on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (commonly called the Data Protection Directive), and
- Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.
The first directive applies to the collection, storage, disclosure, and other uses of personal data. The second directive
The __________________ was born out of the necessity to expand product security assurance programs in the United States, Canada, United Kingdom, France, and Germany.
Common Criteria (CC)
Product evaluations began in the United States with the ___________________, which was the criterion for evaluating secure systems and vendor products.
Orange Book (TCSEC)
The Orange Book had an assurance range from
D2 up to A-3. The D class had the least amount of rigorous testing, and the A class consisted of more formal evaluation methods.
The Orange Book only addressed
Confidentiality
The next evaluation criteria, _____________, was created by Canada, the United Kingdom, France, Spain, and Germany.
the ITSEC
ITSEC addressed
Confidentiality and Integrity
The Common Criteria is useful as a guide for the development, evaluation, or procurement of IT products with security functionality. It addresses
Confidentiality, Integrity, and Availability
The Common Criteria consists of three parts
Introduction and general model
Security functional requirements
Security Assurance requirements
Common Criteria
Part 2 - Security Functional Requirements establish a set of functional components as a standard way of expressing the functional requirements for the Target of Evaluation (TOE).
Common Criteria
Part 3 - Security Assurance Requirements establish a set of assurance components as a standard way of expressing the assurance requirements for the TOE.
The purpose of this arrangement is to advance those objectives by bringing about a situation in which IT products and protection profiles that earn a Common Criteria certificate can be procured or used without
the need for further evaluation.
When did Australia and New Zealand join the mutual recognition arrangement
October 1999
Common Criteria evaluated products begin the process by being
evaluated in a certified laboratory
The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation to
testing and calibration laboratories
Part 2 of the Common Criteria defines the
Security functional components.
What does TOE mean
Target of Evaluation
Is a TOE a product
It could be but it does not have to be. It might be an IT product, a part of an IT product, a set of IT products, a unique technology that may never be made into a product, or a combination of these.
How many Evaluation Assurance Levels are there?
Seven
When is EAL1 Applicable
EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information.
When is EAL2 Applicable
EAL2 is, therefore, applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record.
EAL1 means what kind of testing
Functional
EAL2 means what kind of testing
Structural
EAL3 means what kind of testing
Methodically tested and checked
EAL4 means what kind of testing
Methodically Designed, Tested, and Reviewed
EAL5 means what kind of testing
Semiformally Designed and Tested
EAL6 means what kind of testing
Semiformally verified design and testing
EAL7 means what kind of testing
Formally verified design and testing
When is EAL3 applicable
It is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial reengineering.
When is EAL4 applicable
It is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is, therefore, applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.
When is an EAL5 applicable
When users require a high level of independently assured security in a planned development
When is an EAL6 applicable
Applicable to the development of security TOEs for application in high-risk situations where the value of the protected assets justifies the additional costs.
When is an EAL7 applicable
EAL7 is applicable to the development of security TOEs for application in extremely high-risk situations or where the high value of the assets justifies the higher costs.
The Common Criteria Part 3 begins with
a philosophy of the approach to assurance that will permit the reader to understand the rationale behind the assurance requirements.
IT security breaches come from the intentional exploitation or _______________ of vulnerabilities in the application of IT within business concerns.
unintentional triggering
To the extent feasible, vulnerabilities should be
- Eliminated, by taking steps to expose, remove, or neutralize all exercisable vulnerabilities.
- Minimized, by taking steps to reduce to an acceptable level the residual potential impact of any risks or vulnerability.
- Monitored, by taking steps to ensure that any attempt to exercise a residual vulnerability will be detected so that steps can be taken to limit the damage.
____________ is the traditional way of gaining assurance. It serves as the basis of the Common Criteria approach.
Evaluation
In the Common Criteria, what is penetration testing
One method of evaluation
The Common Criteria philosophy asserts that greater assurance results from
the application of greater evaluation effort
What is the Common Criteria Evaluation Assurance Scale
Scope - That is, the effort is greater because a larger portion of the IT product is included.
Depth - That is, the effort is greater because it is deployed to a finer level of design and implementation detail.
Rigor - That is, the effort is greater because it is applied in a more structured, formal manner.
The CMMI-DEV model provides guidance for
applying Capability Maturity Model best practices in a development organization.
Sources of the Capability Maturity Model (CMM)
The Software Engineering Institute (SEI) developed an initial version of a maturity model with the assistance of the MITRE corporation
The CMMI for Development may be put to the following uses:
- Software process improvement
- Software process assessments
- Software capability evaluations
In CMMI-DEV (Capability Maturity Model Integration for Development), the terms continuous representation and staged representation refer to
two different ways of assessing and improving process maturity within an organization.
What are the two different ways of assessing and improving process maturity within an organization?
Continuous representation
Staged representation
The staged representation organizes process improvement into
five maturity levels, where each level builds on the previous one.
The continuous representation focuses on
improving specific process areas independently, rather than requiring an organization-wide maturity level.
What are the continuous representation maturity levels
Level 0 Incomplete
Level 1 Performed
Level 2 Managed
Level 3 Defined
Level 4 (N/A)
Level 5 (N/A)
What are the staged representation maturity levels
Level 0 (N/A)
Level 1 Initial
Level 2 Managed
Level 3 Defined
Level 4 Quantitatively Managed
Level 5 Optimizing
A capability level 2 process is characterised as a managed process. What is a managed capability or process
A managed process is a performed process that is planned and executed in accordance with policy
A capability level 3 process is characterised as a defined process. A defined process is
A managed process that is tailored from the organisation’s set of standard processes according to the organisation’s tailoring guidelines
The process discipline reflected by capability level 2 helps to ensure that
existing practices are retained during times of stress.
A critical distinction between maturity levels 3 and 4
is the predictability of process performance.
At maturity level 5, an organization continually
improves its processes based on a quantitative understanding of its business objectives and performance needs.
At maturity level ____, the organisation and projects focus on understanding and controlling performance at the subprocess level and using the results to manage projects. At maturity level __________, the organisation is concerned with overall organisational performance using data collected from multiple projects.
4
5
Organizations wanting to understand and improve their capability to develop software effectively and professionals wanting to understand the key practices that are part of effective processes for developing or maintaining software could consider using which CMM
The Software Engineering Institute’s CMMI for Development
The CMMI for Development Level 2 says that processes must be repeatable in the areas of
Project planning, tracking and oversight
The CMMI for Development Level 2 says that processes must be repeatable in all level 2 task areas and
have defined processes for organisational process focus, process definition, training, integrated software management, intergroup coordination, and peer reviews
What is the purpose of ISO 7498
To provide a common basis for the coordination of standards development for the purpose of systems interconnection
The term Open Systems Interconnection (OSI) qualifies standards for the exchange of information among systems that are
"open" to one another for this purpose by virtue of their mutual use of the applicable standards.
Three primary elements of defense in depth include the following
People
Technology
Operations
ISSE
Information System Security Engineering
What is ISSE
The art and science of discovering users' information protection needs and designing information systems to protect them
What is the first step of an ISSE process
Discovering the protection needs
What is the last step of an ISSE process
Assessing the effectiveness
What is the basis for creating an Information Protection Plan
An information management model and a threat analysis
The results of these two activities should be documented in the information management plan
The threat analysis and the Information Protection Plan
What comes first the systems security requirements, or the information protection needs
Information protection needs
Where do you find the systems security requirements
In the Statements of Work, Statements of Requirement or Statements of Objective, or SLAs
Design validation requires the development of a
test and evaluation plan
Design validation is done during which phase of the systems development life cycle
Phase 2
- The approach in which policies, procedures, technology, and personnel
are considered in the system security development process is called
A. defense in depth.
B. requirements analysis.
C. risk assessment.
D. attack vectors.
The correct option is A
Best security practices should include an architecture that provides defense in depth where layers of technology are designed and implemented to provide data protection. These layers include people, technology, and operations (including processes and procedures).
- Software that adds hidden components to a system without end user knowledge is
A. Virus.
B. Spyware.
C. Adware.
D. Malware.
The correct option is B
Spyware is software that adds hidden components to your system on the sly.
- Risk is assessed by which of the following formulas?
A. Risk = Vulnerability × Threat × Impact Divided by Countermeasure
B. Risk = Annual Loss Opportunity ÷ Single Loss Expectancy
C. Risk = Exposure Factor divided by Asset Value
D. Risk = Vulnerability × Annual Loss Expectancy
The correct option is A
Option a is correct; the others are mixed-up derivatives of risk management.
- Requirements definition is a process that should be completed in the following order:
A. Document, identify, verify, and validate.
B. Identify, verify, validate, and document.
C. Characterize, analyze, validate, and verify.
D. Analyze, verify, validate, and characterize.
The correct option is B
- A path by which a malicious actor gains access to a computer or network in order to deliver a malicious payload is a
A. penetration test.
B. attack vector.
C. vulnerability assessment.
D. risk assessment.
The correct option is B
Option b is the definition of an attack vector. Risk and vulnerability assessments and penetration testing deal with ways of analyzing and protecting the system.
- Which of the following is BEST as a guide for the development, evaluation, and/or procurement of IT products with security functionality?
A. ISO/IEC 27001
B. FIPS 140-2
C. Common Criteria
D. SEI-CMM
The correct option is C
- Which of the following BEST defines evaluation criteria for Protection Profile (PP) and Security Target (ST) and presents evaluation assurance levels rating assurance for the TOE?
A. Part 3 - Security assurance requirements
B. Part 2 - Security functional requirements
C. Part 1 - Introduction and general model
D. Part 4 - History and previous versions
The correct option is A
Parts 2 and 1 deal with other security requirements and the general CC model, and part 4 does not exist.
- The National Voluntary Laboratory Accreditation Program (NVLAP) must be in full conformance with which of the following standards?
A. ISO/IEC 27001 and 27002
B. ISO/IEC 17025 and Guide 58
C. NIST SP 800-53A
D. ANSI/ISO/IEC Standard 17024
The correct option is B
Option a deals with best practice implementation on the system. Option c provides IA controls for federal government systems, and Option d is the standard for certifications such as the CISSP.
- A software application in combination with an operating system, a workstation, smart card integrated circuit, or cryptographic processor would be considered examples of a
A. Functional Communications (FCO)
B. Functional Trusted Path (FTP)
C. Target of Evaluation (TOE)
D. Security Target (ST)
The correct option is C
Options a and b refer to families of security functions, and Option d refers to the evaluation criteria that the TOE (Option c) will be assessed by.
- A security architect requires a device with a moderate level of independently assured security, and a thorough investigation of the TOE and its development without substantial reengineering. It should be evaluated at which CC EAL?
A. EAL6
B. EAL5
C. EAL4
D. EAL3
The correct option is D
Option d refers to the criteria for EAL3 evaluation by definition. EAL6 is semiformally verified design and tested, EAL5 is semiformally designed but not verified, and EAL4 is methodically designed, tested, and reviewed.
- At which Common Criteria EAL would a security architect select a device appropriate for application in extremely high-risk situations or where the high value of the assets justifies the higher costs?
A. EAL4
B. EAL5
C. EAL6
D. EAL7
The correct option is D
Again, Option d refers to the criteria for EAL7 evaluation by definition. EAL6 is semi-formally verified design and tested, EAL5 is semi-formally designed but not verified, and EAL4 is methodically designed, tested, and reviewed. Options a, b, or c would not be appropriate for extremely high-risk situations.
Which EAL is semi-formally designed but not verified
EAL5
- A list of Common Criteria-evaluated products can be found on the Internet on the site at the
A. NIAP
B. CCEVS
C. IASE
D. CERIS
The correct option is B
NIAP is the partnership between NIST and NSA for the evaluation of products, and IASE is the site run by DISA to promote best security practices. CERIS is a consortium run by the University of Notre Dame Computer Science and Information Security department. CCEVS is the site that lists all evaluated products, those in the evaluation process, and those that have been removed or superseded.
- Which of the following describes the purpose of the Capability Maturity Model?
A. Determine business practices to ensure creditability for the company's commitment to quality and excellence.
B. Provide assurance through active investigation and evaluation of the IT product in order to determine its security properties.
C. Establish a metric to judge in a repeatable way the maturity of an organization's software process as compared to the state of the industry practice.
D. Provide an overview of standards related to the Information Security Management family for uniformity and consistency of fundamental terms and definitions.
The correct option is C
Options a and d are from ISO/IEC 27001, and Option b is from the Common Criteria.
- Which one of the following describes the key practices that correspond to a range of maturity levels 1-5?
A. Common Criteria
B. SEI-CMM
C. ISO/IEC 27002
D. IATF v3
The correct option is B
- Which of the following CMMI levels include quantitative process management and software quality management as the capstone activity?
A. CMMI Level 5
B. CMMI Level 4
C. CMMI Level 3
D. CMMI Level 2
The correct option is B
CMMI Level 4 includes quantitative process management and software quality management as the capstone activity.
- Where can the general principles of the OSI Reference Model architecture be found that describe the OSI layers and what layering means?
A. Clause 3
B. Clause 5
C. Clause 7
D. Clause 9
The correct option is B
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basis reference model. Clause 7 provides the description of the specific layers, and Clause 9 specifies compliance and consistency with the OSI reference model.
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basis reference model. Clause 7 provides the description of
the specific layers
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basis reference model. Clause 9 specifies
compliance and consistency with the OSI reference model.
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basis reference model. Clause 5 describes
the OSI layers and what layering means
- A privately held toy company processing, storing, or transmitting payment card data must be compliant with which of the following?
A. Gramm-Leach-Bliley Act (GLBA)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. Sarbanes-Oxley Act of 2002
D. PCI-DSS
The correct option is D
Options a, b and c do not have anything to do with card payment or credit card data.
- In which phase of the IATF does formal risk assessment begin?
A. Assess effectiveness
B. Design system security architecture
C. Define system security requirements
D. Discover information protection needs
The correct option is B
Although risk assessment occurs during the assess effectiveness process after each stage, a formal risk assessment is conducted at the end of the Design System Security Architecture phase.