Security Governance

Question 1

What are the three parts of the CIA triad ?

Answer 1

Confidentiality, Integrity and Availability

Question 2

What is the Confidentiality part of the CIA Triad ?

Answer 2

Ensures sensitive information is only seen by authorised users.

Question 3

What are the three controls that ensure confidentiality ?

Answer 3

Encryption, Access Controls, Steganography

Question 4

What are the eight most common attacks that breech Confidentiality ?

Answer 4

Sniffing, Shoulder Surfing, Stealing Password files, Capturing Network Traffic, Social Engineering, Port Scanning, Eavesdropping and Escalation of Privileges

Question 5

What are the six countermeasures to ensure confidentiality ?

Answer 5

Encryption, Network Traffic Padding, Strong Access Control, Strict authentication procedures, Data classification, Personnel Training

Question 6

What are the four components of Confidentiality ?

Answer 6

Sensitivity, Discretion, Criticality, Concealment, Secrecy, Privacy, Seclusion, Isolation

Question 7

What is the Integrity part of the CIA triad ?

Answer 7

Refers to the prevention of unauthorised alterations to the data.

Question 8

Integrity ensures that data is _ _ _

Answer 8

Unaltered, Preserved Correct

Question 9

Besides encryption what other counter measures can be used to preserve integrity ?

Answer 9

Hashing

Question 10

What is the availability part of the CIA triad ?

Answer 10

Ensuring that resources are available to access whenever those authorised to do so need to.

Question 11

What are the three most common threats to availability ?

Answer 11

DOS, Human Error, Natural Disaster

Question 12

Name three common countermeasures for availability attacks

Answer 12

DOS mitigation and load balancers, backups and high fault tolerance

Question 13

What is identification ?

Answer 13

The process by which an individual submits proof of their identity to the system.

Question 14

What is authentication ?

Answer 14

The process by which the system checks and verifies the provided identity.

Question 15

What is authorisation ?

Answer 15

The set of permissions given to a user of the system

Question 16

What is auditing ?

Answer 16

Tracking and recording user activity to find out any anomalies in behaviour.

Question 17

What is the difference between monitoring and auditing ?

Answer 17

Monitoring doesnt record unlike auditing

Question 18

What is accounting ?

Answer 18

Linking user activity to identity

Question 19

What is threat modelling ?

Answer 19

Identifying all possible threats to a system so that they can be categorized and analyzed

Question 20

What does the phrase threat modelling is proactive mean ?

Answer 20

You are attempting to find and fix issue before they arise.

Question 21

What are the two categories of threats in threat modelling ?

Answer 21

Internal and External

Question 22

Where is the highest risks within threat modelling ?

Answer 22

Internal

Question 23

What are the seven stages of threat analysis ?

Answer 23

Definition of Objectives (DO), Definition of Technical Scope (DTS), Application Decomposition and Analysis (ADA), Threat Analysis (TA), Weakness and Vulnerability Analysis (WVA), Attack Modelling and Simulation (AMS), Risk Analysis and Management (RAM)

Question 24

What is the main threat modelling scheme for application threats ?

Answer 24

STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, DOS and Elevation of Privelege

Question 25

What is spoofing ?

Answer 25

The misrepresentation of identity - MAC Addresses, Wireless Access Points, IP addresses can be spoofed

Question 26

What is tampering ?

Answer 26

The altering of data at rest or in transit

Question 27

What is repudiation ?

Answer 27

The denying or shifting of blame for the attack

Question 28

What are the eight areas that a security policy should cover?

Answer 28

Encryption, Access Control, Authentication, Firewalls, Antivirus, Websites, Routers and switches.

Question 29

What are the four categories of security policy

Answer 29

promiscous, prudent, permissive and paranoid

Question 30

Workplace privacy policies should cover ?

Answer 30

Informing you employees, collecting only the information that is required, allow employees access to their own information, keeping information in a secure area.

Question 31

Who is responsible for enforcing policies ?

Answer 31

HR

Question 32

What is risk management ?

Answer 32

Ongoing process of identifying and addressing security risks that could damage or disclose data

Question 33

What is risk analysis ?

Answer 33

First step of Risk Management which identifies the risks the likelihood of occurrence and impact and determines the cost/benefit ratio for settting up safeguards

Question 34

What is an Asset ?

Answer 34

Any physical, intellectual property item that belongs to a business and must be protected.

Question 35

What is asset valuation ?

Answer 35

attributing a monetary and non monetary cost to an asset

Question 36

What is a threat ?

Answer 36

Anything that could cause damage to an organizations assets

Question 37

What is a vulnerability

Answer 37

A weakness that can be exploited to cause damage to an organizations assets

Question 38

What is exposure ?

Answer 38

An assets susceptibility to damage or loss to threat

Question 39

What is a risk ?

Answer 39

The likelihood that an asset can be exploited

Question 40

What are safeguards ?

Answer 40

Measures that are intended to reduce the likelihood of an asset being exploited

Question 41

What is an atttack ?

Answer 41

A concentrated effort to take advantage of a vulnerability

Question 42

What is a breach ?

Answer 42

Term used to describe a successfull attack on an asset

Question 43

What is quantitative risk analysis

Answer 43

Calculates the total monetary loss associated with damage or loss to an asset

Question 44

What is exposure factor (EF) ?

Answer 44

The percentage loss to the organisation if an asset were to be damaged or lost.

Question 45

What is single loss expectancy (SLE) ?

Answer 45

The expected loss to the organisation if a single risk was realised against the asset. Asset_Value(AV) * EF

Question 46

What is the annualised rate of occurrence (ARO) ?

Answer 46

The frequency with which a particular risk is to occur each year

Question 47

What is annualised loss expectancy ?

Answer 47

Expected yearly cost for all threats against each asset ARO * SLE

Question 48

What are safeguard cost calculations ?

Answer 48

The cost benefit ration of implementing safeguards

ALE (Before) - ALE (After) - Annual Cost of Safeguard

Question 49

What is Qualitative Risk Analysis ?

Answer 49

Determination of intangible cost of damage or loss to an asset

Question 50

What are six risk responses coming out of Qualitative Risk Analysis /

Answer 50

Reduce, Assign, Transfer, Deter, Reject, Avoid

Question 51

What is risk rejection ?

Answer 51

Ignoring the risk

Question 52

What is risk assignment ?

Answer 52

Transferring the risk to another entity or assignment