1 Security Principles

Question 1

5 Domains

Answer 1

1 Security Principles 2 Business Continuity, Disaster Recovery, and Incident Response (10%) 3 Access Control Concepts 4 Network Security 5 Security Operations

Question 2

ISC2 Canon 1

Answer 2

Protect society, the common good, necessary public trust and confidence, and the infrastructure

Question 3

ISC2 Canon 2

Answer 3

Act honorably, honestly, justly, responsibly, and legally

Question 4

ISC2 Canon 3

Answer 4

Provide diligent and competent service to principals (employer or client)

Question 5

ISC2 Canon 4

Answer 5

Advance and protect the profession

Question 6

3 main goals/concerns of information security

Answer 6

CIA

Question 7

Confidentiality:

Answer 7

ensuring only authorized individuals have access to information and resources

Question 8

Integrity:

Answer 8

protecting information from unauthorized changes

Question 9

Availability:

Answer 9

ensures authorized access to systems and data whenever needed

Question 10

Confidentiality concerns/attacks (5):

Answer 10

1 Snooping, 2 dumpster diving, 3 eavesdropping, 4 wiretapping (electronic eavesdropping) 5 social engineering

Question 11

Integrity attacks (4)

Answer 11

1 unauthorized modification 2 impersonation (social engineering) 3 MITM 4 replay

Question 12

Availability disruptions (5)

Answer 12

1 DoS 2 power outages 3 hardware failure 4 destruction of equipment 5 service outages

Question 13

Access Control - 3 steps

Answer 13

1 Identification (“i’m Dave” , username) 2 authentication (ID, password) 3 Authorization (permissions)

Question 14

AAAs

Answer 14

Authentication, Authorization, Accounting

Question 15

An SSO ______

Answer 15

shares authenticated sessions across systems

Question 16

Privacy concerns/responsibilities (3)

Answer 16

1- we are concerned about our own private information
2 - we have a responsibility to educate users in our own organization
3 - we have a responsibility to assist privacy officials

Question 17

2 common forms of private information

Answer 17

1 PII 2 PHI

Question 18

A legal principle that privacy programs are based on

Answer 18

Reasonable Expectation of Privacy

Question 19

The main responsibility of a cybersecurity professional is to

Answer 19

Manage Risk

Question 20

Main Risk categories (2)

Answer 20

1 Internal
2 External

Question 21

Risk shared among different organizations

Answer 21

Multiparty Risk (SaaS attack)

Question 22

Risk assessment =

Answer 22

• the process of identifying and triaging risks (prioritize) based on the likelihood of occurrence and the expected impact

Question 23

Threat =

Answer 23

• external forces that jeopardizes the security of your information and systems

Question 24

Threat vector

Answer 24

the method that an attacker uses to get to your target

Question 25

Vulnerabilities

Answer 25

- weaknesses in your security controls that a threat might exploit to undermine the CIA of your information or systems

Question 26

Risk =

Answer 26

Threat * vulnerability (exists when both a vulnerability and a corresponding threat that might exploit that vulnerability are present)

Question 27

Likelihood =

Answer 27

the probability that the event (risk) will actually occur. (low, medium, high)

Question 28

Risk (definition):

Answer 28

- the possibility that the occurrence of an event will adversely affect the achievement of the organization’s objectives

Question 29

Impact =

Answer 29

- the amount of damage that will occur if the risk (event) materializes

Question 30

2 techniques to assess the likelihood and impact of a risk for risk assessment

Answer 30

1 Qualitative 2 Quantitative

Question 31

Risk Treatment/Risk Management =

Answer 31

The process of analyzing potential responses to risks (on your list) and implementing those responses to control each risk appropriately

Question 32

4 basic Risk Treatment Options

Answer 32

1 Risk Avoidance 2 Risk Transference 3 Risk Mitigation 4 Risk Acceptance

Question 33

Risk Profile =

Answer 33

the combination of risks that affect an organization

Question 34

Inherent Risk/Raw Risk =

Answer 34

- the level of risk an organization faces before any internal controls are applied

Question 35

Residual Risk/Net Risk =

Answer 35

- the level of risk an organization faces after internal controls have been applied

Question 36

Control Risk =

Answer 36

new risks introduced by the implementation of controls

Question 37

Risk Tolerance

Answer 37

- the level of risk an organization is willing to accept (before action is required)

Question 38

The goal of risk management is

Answer 38

to make sure that the combination of the residual risk and the control risk is below the organization’s risk tolerance

Question 39

Control objective =

Answer 39

the purpose of a security control

Question 40

Defense in Depth =

Answer 40

- applying multiple overlapping controls to achieve the same (control) objective

Question 41

Security Control categories by purpose (3)

Answer 41

1 Preventative (stops a security issue from occurring) - firewall 2 Detective - IDS 3 Corrective/Recovery (remediates security issues that have already occurred) - backup tapes

Question 42

Security Control categories by mechanism of action (3)

Answer 42

1 Technical/Logical (uses technology to achieve security objectives) 2 Administrative 3 Physical

Question 43

Configuration management purpose =

Answer 43

ensures change occurs when desired and in a controlled manner (ensures a stable operating environment)

Question 44

Baseline purpose =

Answer 44

a configuration snapshot used to assess whether a system has changed

Question 45

2 critical components of change management

Answer 45

Versioning and Version Control (major version of the software.major update.minor update)

Question 46

Security Governance =

Answer 46

- a framework of policies, practices and strategies (from senior management) with the goal of providing direction and ascertaining that risks are managed appropriately to achieve security goals

Question 47

GDPR =

Answer 47

(General Data Protection Regulation) - applies to all EU residents, regardless of where they are located

Question 48

PCI-DSS

Answer 48

Payment Card Industry Data Security Standard

Question 49

Security Policy Framework (4 different types of documents)

Answer 49

1 Policies 2 Standards 3 Guidelines 4 Procedures

Question 50

Policies are

Answer 50

Rules - mandatory bedrock documents from the top level of the organization. “sensitive information must be encrypted using approved technology” (allows for change)

Question 51

Standards are

Answer 51

mandatory (derive their authority from policy) and prescribe the specific details of security controls that the organization must follow (approved encryption algorithms)

Question 52

Guidelines are

Answer 52

Advice. Not mandatory - best practices. “employees should use encrypted wireless networks whenever they are available”

Question 53

Procedures are

Answer 53

step-by-step instructions to perform a specific task. May be mandatory or optional.

Question 54

AUP =

Answer 54

(Acceptable Use Policy) describes authorized uses of technology and what is prohibited

Question 55

Data Handling Policies =

Answer 55

defines what is considered sensitive information and how to protect that sensitive information

Question 56

Password Policies =

Answer 56

documentation of requirements

Question 57

BYOD (Bring Your Own Device) Policies =

Answer 57

the security controls that must be in place and the types of information that may be accessed

Question 58

Privacy Policies =

Answer 58

what PII is retained, and how it will be used (stored, transmitted, etc)

Question 59

Change Management Policies =

Answer 59

describe how changes are made to the organization’s technology infrastructure (approval, rollout and rollback)

Question 60

2 ways to protect for service outages:

Answer 60

1 Resilient systems (backup hard drives, power supplies, etc) and 2 Redundant systems with failover (back up servers, cloud, etc)

Question 61

AAA in IT (3 steps example)

Answer 61

1 username, 2 password (MFA), 3 access control list

Question 62

2 factors used to evaluate (rank/triage) risks:

Answer 62

1 likelihood, 2 impact

Question 63

Common Security Policies Content (6)

Answer 63

AUP, Data Handling, Password, BYOD, Privacy, Change Management