Sybex Chps 1-7

Question 1

Integrity is dependent on what?

Confidentiality
Availability

Answer 1

Confidentiality

Without confidentiality then integrity cannot be maintained.

Question 2

Availability depends on what?

Confidentiality
Integrity

Answer 2

Both.

Without Integrity and Confidentiality, Availability cannot be maintained.

Question 3

True / False

Identification and authentication are always used together as a single two-step process

Answer 3

True

Question 4

Should layers be used in serial or in parallel?

Answer 4

Serial - these are very narrow but deep configurations

Question 5

__________ simplifies security by enabling you to assign controls to a group of objects collected by type or function.

Answer 5

Abstraction

Question 6

True or False

Security governance is the implementation of a security solution and a management method that are loosely connected.

Answer 6

False

Security governance is the implementation of a security solution and a management method that are TIGHTLY connected.

Question 7

It is the responsibility of __________ to flesh out the security policy into standards, baselines, guidelines, and procedures.

Answer 7

Middle Management

Question 8

Security management is a responsibility of

Answer 8

Upper Management

Question 9

Developing and implementing a security plan is evidence of __________ on the part of senior management.

Due Care
Due Diligence

Answer 9

Both Due Care and Due Diligence

Question 10

Long term plan that is fairly stable (5 years of so)

Strategic Plan
Tactical Plan
Operational Plan

Answer 10

Strategic Plan

Question 11

Short-term plan, highly detailed

Strategic Plan
Tactical Plan
Operational Plan

Answer 11

Operational Plan

Question 12

midterm plan (about a year)

Strategic Plan
Tactical Plan
Operational Plan

Answer 12

Tactical Plan

Question 13

Change Management is a requirement for systems complying with what classifications of ITSEC?

Answer 13

B2, B3, A1

Question 14

True of False

Change Management requires:

1) Detailed inventory of every component and configuration
2) collection and maintenance of complete documentation for every system component

Answer 14

True

Question 15

True or False

Data Classification is used to determine how much effort, money, and resources are allocated to protect data and control access to it.

Answer 15

True

Question 16

What are the seven major steps to implement a classification scheme?

Answer 16

1. Identify the custodian
2. Specify the evaluation material
3. Classify and label each resource
4. Document any exceptions
5. Select the security controls
6. Specify procedures for declassifying resources / transferring custody
7. Create an enterprise-wide awareness program

Question 17

Will cause significant effects / critical damage

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

Answer 17

Secret

Question 18

Will cause drastic effects / grave damage

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

Answer 18

Top Secret

Question 19

Will cause noticeable effects / serious damage

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

Answer 19

Confidential

Question 20

Does not compromise or cause any noticeable effects

Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified

Answer 20

Unclassified

Question 21

In the private sector classification levels, which level is used for private or personal nature?

Confidential
Private
Sensitive
Public

Answer 21

Private

Question 22

In the private sector classification levels, which level is sometimes labeled proprietary?

Confidential
Private
Sensitive
Public

Answer 22

Confidential

Question 23

In the private sector classification levels, which level may contain medical information or PHI?

Confidential
Private
Sensitive
Public

Answer 23

Private

Question 24

Responsible for understanding and upholding the security policy by following the prescribed operational procedures and operating within defined security parameters.

Security Professional
Data Owner
Data Custodian
User
Auditor

Answer 24

User

Question 25

Ultimately responsible for data protection

Security Professional
Data Owner
Data Custodian
User
Auditor

Answer 25

Data Owner

Question 26

Performs all activities necessary to provide adequate protection to CIA of data to fulfill requirements

Security Professional
Data Owner
Data Custodian
User
Auditor

Answer 26

Data Custodian

Question 27

Responsible for implementing security policy

Answer 27

Security Professional

Question 28

True / False

COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors.

Answer 28

True

Question 29

What is STRIDE used for?

Answer 29

Assessing threats against applications or operating systems.

Question 30

What does STRIDE stand for?

Answer 30

Used in Threat Modeling

Spoofing
Tampering
Repudiation
Information disclosure
DoS
Elevation of privledge

Question 31

What three things do company’s face threats from?

Answer 31

Nature
Technology
People

Question 32

What are the basics of Threat Modeling?

Answer 32

Threat Modeling is the security process where potential threats are identified, categorized, and analyzed.

Key concepts include:

• -assets / attackers / software
• -STRIDE
• -Diagramming
• -Reduction analysis
• -Rate threats (DREAD)

Question 33

What is DREAD stand for?

Answer 33

Used in Threat Modeling

Damage Potential
Reproducibility
Exploitability
Affected Users (% number)
Discoverability

Question 34

What needs to happen before actual security training can take place?

Answer 34

Security awareness needs to be created first.

Question 35

What is the primary purpose of the exit interview?

Answer 35

to review the liabilities and restrictions placed on the former employee based on the employment agreement, NDA, and other security documents.

Question 36

What is the primary goal of risk management?

Answer 36

To reduce risk to an acceptable level

Question 37

How is risk management achieved?

Answer 37

Primarily achieved through risk analysis (qualitative and quantitative)

Question 38

The absence or the weakness of a safeguard or countermeasure

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 38

Vulnerability

Question 39

The possibility that a vulnerability can or will be exploited by a threat agent or event

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 39

Exposure

Question 40

Threat * Vulnerability =

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 40

Risk

Question 41

Anything that removes or reduces a vulnerability

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 41

Safeguard

Question 42

The exploitation of a vulnerability by a threat agent

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 42

Attack

Question 43

The occurrence of a safety mechanism being bypassed by a threat agent

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 43

Breach

Question 44

When a breach is combined with an attack this can result

Vulnerability
Risk
Safeguard
Exposure
Attack
Breach
Penetration

Answer 44

penetration or intrusion

Question 45

AV * EF =

Answer 45

SLE

Question 46

SLE * ARO =

Answer 46

ALE

Question 47

What is the whole point of a safeguard?

Answer 47

The whole point of a safeguard is to reduce the Annualized Rate of Occurrence (ARO).

Even if the EF stays the same, a safeguard should change the ARO

Question 48

Should you accept the risk if:

The cost of the countermeasure is greater than the value of the asset?

Answer 48

Yes, accept the risk if the cost of the countermeasure is greater than the value of the asset

Question 49

How do you calculate the safeguard cost / benefit?

Answer 49

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

OR

(ALE1 - ALE2) - ACS

Question 50

This provides anonymous feedback and response to gain a consensus.

Answer 50

Delphi Technique

Question 51

True or False

If a security control’s benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security.

Answer 51

True

Question 52

True or False

If an asset has no value - you do not need to protect it.

Answer 52

True

Question 53

True or False

Annual cost of safeguards should not exceed the annual cost of asset loss.

Answer 53

True

Question 54

What are the six steps of the NIST Risk Management Framework?

Answer 54

Categorize
Select
Implement
Assess
Authorize
Monitor

Question 55

True or False

Training established a minimum standard common denominator or foundation of security understanding.

Answer 55

False

Awareness established a minimum standard common denominator or foundation of security understanding.

Question 56

__________ is the amount of risk an organization would face if no safeguards were implemented.

Residual Risk
Total Risk
Controls Gap
Vulnerability

Answer 56

Total Risk

threats * vulnerabilities * asset value = total risk

Question 57

What is the difference between total risk and residual risk?

Residual Risk
Total Risk
Controls Gap
Vulnerability

Answer 57

The controls gap (the amount of risk that is reduced by implementing safeguards)

Question 58

Risk that remains after implementing a safeguard

Residual Risk
Total Risk
Controls Gap
Vulnerability

Answer 58

Residual Risk

total risk - controls gap = residual risk

Question 59

Copyright law protects works by one or more authors for __________ years

Answer 59

70 years after the last surviving author

Question 60

Copyright law protects works for hire for __________ years

Answer 60

95 years from the first date of publication or 120 years from the date of creation, whichever is shorter.

Question 61

Protects words, slogans, and logos

Copyright
Trademark
Patent
Trade Secret

Answer 61

Trademark

Question 62

Protects intellectual property rights of inventors

Copyright
Trademark
Patent
Trade Secret

Answer 62

Patent

Question 63

Patent law protects inventions for __________ years

Answer 63

20 beginning at the time of the patent application

Question 64

One of the best ways to protect computer software

Copyright
Trademark
Patent
Trade Secret

Answer 64

Trade Secret

Question 65

The best way to sanitize an SSD is:

Answer 65

The best way to sanitize a solid state drive is to destroy it.

Question 66

Oftentimes IPSec is combined with __________ for VPNs

Answer 66

L2TP

Question 67

What are the seven EU Data Protection Safe Harbor Principals?

Answer 67

Notice
Choice
Onward transfer
Security
Data integrity
Access
Enforcement

Question 68

ROT3 is another name for:

Answer 68

Caesar cipher

Question 69

Caesar Cipher is vulnerable to:

Answer 69

frequency analysis

Question 70

This type of cryptosystem does not guarantee non-repudiation

Answer 70

Secret key (symmetric key)

Public key or asymmetric key provides this

Question 71

What is the Kerchoff Principal?

Answer 71

a concept that algorithms known and made public are more secure (the enemy knows the system)

Question 72

AND (^) truth table:

Answer 72

0 ^ 0 = 0
0 ^ 1 = 0
1 ^ 0 = 0
1 ^ 1 = 1

Question 73

OR (˅) truth table

Answer 73

0 ˅ 0 = 0
0 ˅ 1 = 1
1 ˅ 0 = 1
1 ˅ 1 = 1

Question 74

NOT (~) truth table

Answer 74

~0 = 1
~1 = 0

Question 75

XOR truth table (circle with a plus inside it)

Answer 75

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

Question 76

modulo (mod) is remainder math.

8 mod 6 =

Answer 76

2

6 will go into 8 only 1 time with a remainder of 2

Question 77

modulo (mod) is remainder math.

10 mod 3 =

Answer 77

1

3 will go into 10 3 times with a remainder of 1

Question 78

modulo (mod) is remainder math.

10 mod 2 =

Answer 78

0

2 will go into 10 5 times with a remainder of 0

Question 79

True or False

A nonce is used in an IV as a random bit string that is the same length as the block size and is XORed with the message

Answer 79

True

Question 80

An example of Split knowledge is

Answer 80

M of N Control

Question 81

What is the difference between a code and a cipher?

Answer 81

A code are symbols that represent words or phrases that may or may not be secret.

Ciphers are always meant to be secret

Question 82

Rearrange letters of plaintext message

Transposition Cipher
Substitution Cipher

Answer 82

Transposition Cipher

Question 83

Replace each character or bit of the plaintext message with a different character.

Transposition Cipher
Substitution Cipher

Answer 83

Substitution Cipher

Question 84

What are the four rules of a one-time pad?

Answer 84

1. One-time pad must be randomly generated
2. physically protected against disclosure
3. Only used once
4. Key must be at least as long as the message

Question 85

What is another name for a running key cipher?

Answer 85

Book Cipher

Question 86

Major strength of symmetric key cryptography:

Answer 86

great speed that it can operate (1,000 to 10,000 times faster that asymmetric)

Question 87

Major weaknesses of symmetric key cryptography:

Answer 87

1. Key distribution (out of band)
2. no non-repudiation
3. not scaleable (number of keys needed for large implementations)
4. Keys must be regenerated often (each time a participant needs to leave the group)
5. Provides confidentiality only

Question 88

Major strengths of asymmetric key cryptography:

Answer 88

1. New users only require two new keys (public and private)
2. Users can be removed from the system very easily (key revocation)
3. Key regeneration is only required when a private key is compromised
4. Provides confidentiality plus integrity, authentication, and non-repudiation
5. Key distribution is simple process
6. No preexisting communication links need to exist

Question 89

Major weakness of asymmetric key cryptography:

Answer 89

Slow speed

Question 90

DES (Data Encryption Standard)

Answer 90

Symmetric Block Cipher
64-bit blocks of text
Key is 56 bits long

Electronic Codebook Mode (ECB)

• -vulnerable to creating a code book of all possible values (block)
• -do not use except for short transmissions

Cipher Block Chaining Mode (CBC)

• -IV must be sent to recipient
• • chaining (errors propagate)

Cipher Feedback Mode (CFB)

• -Streaming version of CBC
• -uses an IV and chaining (errors propagate)

Output Feedback Mode (OFB)

• -IV is a seed value (stream)
• -no chaining, errors do not propagate

Counter Mode (CTR)

• -stream, errors do not propagate
• -allows encrypt or decrypt to be broken into multiple independent steps - good for parallel computing

Question 91

Electronic Codebook Mode (ECB)

Answer 91

• -block
• -vulnerable to creating a code book of all possible values
• -do not use except for short transmissions

Question 92

Cipher Block Chaining Mode (CBC)

Answer 92

• -chaining
• -IV must be sent to recipient
• -errors propagate

Question 93

Cipher Feedback Mode (CFB)

Answer 93

• -Streaming version of CBC
• -uses an IV and chaining
• -errors propagate

Question 94

Output Feedback Mode (OFB)

Answer 94

• -stream
• -IV is a seed value
• -no chaining
• -errors do not propagate

Question 95

Counter Mode (CTR)

Answer 95

• -stream
• -errors do not propagate
• -allows encrypt or decrypt to be broken into multiple independent steps - good for parallel computing

Question 96

3DES

Answer 96

Do not use DES (Replacement for DES)

Uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits respectively.

Question 97

IDEA (International Data Encryption Algorithm)

Answer 97

Symmetric Block Cipher
64-bit blocks of text
Key is 128 bits long

Capable of the same five modes as DES
(ECB, CBC, CFB, OFB, CTR)

Question 98

Blowfish

Answer 98

Symmetric Block Cipher
64-bit blocks of text
Key is 32 to 448 bits long

Faster than DES and IDEA
Available for public use

Question 99

Skipjack

Answer 99

Symmetric Block Cipher
64-bit blocks of text
Key is 80 bits long

Supports the escrow of encryption keys (NIST and US Treasury)

Capable of the same five modes as DES
(ECB, CBC, CFB, OFB, CTR)

Question 100

AES (Advanced Encryption Standard)

Answer 100

Symmetric Block Cipher
128-bit blocks of text
Key is:
128-bit requires 10 rounds of encryption
192-bit requires 12 rounds of encryption
256-bit requires 14 rounds of encryption

Question 101

RC-4 (Rivest Cipher)

Answer 101

Symmetric Stream Cipher
Streaming (no block size)
Key is 128 bits long

Question 102

Three main ways to exchange symmetric keys

Answer 102

1. offline distribution
2. public key encryption
3. Diffie-Hellman (uses large integers and modular arithmetic to facilitate the secret exchange of keys over insecure channels)

Question 103

Modern keys should be at least what size to provide adequate protection?

Answer 103

128 bits long

Question 104

RSA

Answer 104

Asymmetric Cipher

Depends on the computational difficulty inherent in factoring large prime numbers

Question 105

El Gamal

Answer 105

Asymmetric Cipher

An extension of the Diffie-Hellman key exchange algorithm that depends on modular (remainder) math.

Question 106

Elliptical Curve

Answer 106

Asymmetric Cipher

Depends on the elliptic curve discrete logarithm problem

Provides more security than other algorithms when using the same key length (1088-bit RSA key is equal to a 160-bit Elliptical curve key)

Question 107

What are the five basic requirements for a hash function?

Answer 107

1. The input can be any length
2. The output has to be a fixed length
3. The hash function is relatively easy to compute for any input
4. The hash function is one-way
5. The hash function is collision free

Question 108

SHA

Answer 108

SHA-2 or SHA-256
512-bit blocks of text produces
256-bit message digest

SHA-1 is broken

Question 109

Two goals of Digital Signatures

Answer 109

1. create non-repudiation

2. assure integrity of message (has not changed in transit)

Question 110

In email, if you need confidentiality, what do you do?

Answer 110

Encrypt the message

Sender always encrypts the message

Question 111

In email, if you need integrity, what do you do?

Answer 111

Hash the message

Sender always hashes the message

Question 112

In email if you need authentication, integrity, or non-repudiation, what do you do?

Answer 112

Digitally sign the message

Sender always digitally signs the message

Question 113

In email, if you need confidentiality, authentication, integrity, or non-repudiation, what do you do?

Answer 113

Encrypt and digitally sign the message

Sender ALWAYS is responsible for using proper mechanisms to ensure the CIA of the email message

Question 114

PGP commercial version uses what?

Answer 114

RSA for key exchange
IDEA for encryption
MD5 for message digest

Question 115

PGP free version uses what?

Answer 115

Diffie-Hellman for key exchange
CAST 128-bit for encryption
SHA-1 for message digest

Question 116

MD5

Answer 116

MD5
512-bit blocks of text produces
128-bit message digest

Uses four distinct rounds
Padding: message length must be 64-bits less than 512-bits

Question 117

S/MIME

Answer 117

Secure Multipurpose Internet Mail Extensions

Supported by Outlook, Mozilla Thunderbird, MAC OS X Mail

Uses:

• -RSA encryption (public key)
• -AES encryption (symmetric key)
• -3DES encryption (symmetric key)

Question 118

True or False

SSL relies on the exchange of server digital certificates to negotiate encryption

Answer 118

True

1. User accesses a website, browser retrieves web server’s certificate and extracts server’s public key
2. Browser creates random symmetric key, uses server’s public key to encrypt it, and sends it back to the server.
3. Server decrypts the symmetric key using it’s own private key, and the two systems exchange all future messages via symmetric key encryption

Question 119

Protects the entire communications circuit by creating a secure tunnel between two points (using hardware or software that encrypts all traffic entering one end of the tunnel and decrypts all traffic exiting the other end)

End-to-end encryption
Link encryption

Answer 119

Link encryption

All data, including the header , trailer, address, and routing data is encrypted.

This slows down traffic routing as each packet has to be decrypted and encrypted at each hop to understand routing information.

When encryption happens at lower OSI layers, it is usually link encryption

Question 120

Protects communications between two parties (for example, a client and a server) and is performed independently of link encryption. Example: TLS between a user and a web server

End-to-end encryption
Link encryption

Answer 120

End-to-end encryption

Does not encrypt header, trailer, address, and routing data so it moves faster from point to point but is more susceptible to sniffers and ease-droppers.

When encryption happens at higher OSI layers, it is usually end-to-end encryption (TLS, SSH)

Question 121

True or False

IPSec relies on public key cryptography

Answer 121

True

IPSec uses public key cryptography to provide encryption, access control, non-repudiation, and message authentication using all IP-based protocols

Primary use of IPSec is VPNs and is commonly paired with L2TP

Question 122

True of False

WPA provides end-to-end encryption

Answer 122

False

WPA only encrypts traffic between the wireless computer and the AP. After the AP, the traffic is in the clear again.