CBK1 - terms Flashcards

(35 cards)

1
Q

what is steganography

A

A way of hiding information in plain sight: a message is embedded inside an innocuous carrier (an image, audio file, or other document) so that the existence of the message, not just its content, is concealed. It is a technique supporting the confidentiality tenet of the CIA triad.
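The classic implementation is least-significant-bit (LSB) hiding. The following is an added example, not code from the original flashcards: it hides a message in the low bit of each byte of a carrier and recovers it. The carrier is a constructed 8-bit buffer standing in for grayscale pixel data (no image file is read), and the 4-byte length header is an assumption of this demo.

```python
"""LSB steganography over a constructed 8-bit carrier (added example).
A real carrier would be the pixel bytes of a lossless image (PNG, BMP)."""

HEADER_LEN = 4  # bytes of length prefix stored ahead of the message (assumption)


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, message: bytes) -> bytes:
    """Return a copy of carrier whose LSBs carry [4-byte length][message]."""
    payload = len(message).to_bytes(HEADER_LEN, "big") + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small: need %d bytes" % (len(payload) * 8))
    stego = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # overwrite only the low bit
    return bytes(stego)


def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of stego, starting at bit index start_bit."""
    out = bytearray()
    for k in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start_bit + k * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message; the length prefix says where to stop reading."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_LEN), "big")
    return _read_bytes(stego, HEADER_LEN * 8, length)


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between carrier and stego; LSB hiding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a smooth 4096-byte gradient-like "image".
CARRIER = bytes((i * 37 + 11) % 256 for i in range(4096))

if __name__ == "__main__":
    hidden = embed(CARRIER, b"meet at the usual place")
    print(extract(hidden), "max change per byte:", max_pixel_change(CARRIER, hidden))
```

Each carrier byte changes by at most 1, which is invisible to the eye; steganalysis instead looks at the statistics of the LSB plane, and any lossy recompression (e.g. saving as JPEG) destroys the hidden bits.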

2
Q

what is traffic padding (in network security)

A

Adding dummy data to network traffic (extra bytes inside each message, or dummy messages when the link would otherwise be idle) so that message sizes and timing no longer reveal what is being sent. It is a countermeasure against traffic analysis and supports confidentiality.
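A minimal form of message padding, as an added example that is not part of the original flashcards: every message is expanded to a fixed frame size before it would be encrypted, so the lengths an eavesdropper sees are all identical. The frame size, the 4-byte length header and the sample messages are constructed for this demo.

```python
"""Traffic padding: expand every message to a fixed frame before encryption (added example)."""
import os
import struct

FRAME_SIZE = 256               # bytes per frame on the wire (assumption for this demo)
HEADER = struct.Struct(">I")   # real message length, big-endian uint32 (assumption)


def pad(message: bytes, frame_size: int = FRAME_SIZE) -> bytes:
    """[length][message][random filler], totalling frame_size bytes."""
    room = frame_size - HEADER.size
    if len(message) > room:
        raise ValueError("message of %d bytes exceeds frame payload of %d" % (len(message), room))
    # Random filler so that, once encrypted, padding is indistinguishable from data.
    filler = os.urandom(room - len(message))
    return HEADER.pack(len(message)) + message + filler


def unpad(frame: bytes) -> bytes:
    """Strip the filler using the length header; reject a header that overruns the frame."""
    (length,) = HEADER.unpack_from(frame, 0)
    if length > len(frame) - HEADER.size:
        raise ValueError("corrupt frame: declared length exceeds frame")
    return frame[HEADER.size:HEADER.size + length]


def wire_lengths(messages, padder=None):
    """Lengths an eavesdropper observes: raw, or after the padder is applied."""
    return [len(padder(m) if padder else m) for m in messages]


# Constructed sample traffic: unpadded, length alone distinguishes the three replies.
MESSAGES = [b"yes", b"no", b"transfer 1,000,000 to account 12345"]

if __name__ == "__main__":
    print("unpadded:", wire_lengths(MESSAGES))
    print("padded:  ", wire_lengths(MESSAGES, pad))
```

Two caveats a practitioner would add: the length header must sit inside the encrypted payload (otherwise it leaks exactly what the padding was meant to hide), and fixed-size frames hide message length but not the number or timing of frames, which is what link padding with dummy frames during idle periods addresses.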

3
Q

what is a logic bomb

A

A set of instructions secretly incorporated into a program so that they are carried out only when a particular condition is satisfied (a date, a user being removed from payroll, a counter reaching a value), usually with harmful effects. In CIA terms it is typically classed as an attack on INTEGRITY.

4
Q

how many elements comprise an AAA system

A

Five: identification, authentication, authorization, auditing, accounting

5
Q

what does AAA stand for

A

Authentication, Authorization, Accounting (the last A is sometimes expanded as Auditing). Identification is the implicit first step that precedes authentication.

6
Q

What is the purpose of DATA CLASSIFICATION

A

To determine how much effort, and which controls, should go into protecting the data in question. It is part of SECURITY GOVERNANCE; CHANGE CONTROL is another SECURITY GOVERNANCE activity.

7
Q

What are the steps/phases for implementing a DATA CLASSIFICATION SCHEME, and how many are there

A
  1. Identify the custodian/identify their responsibilities
  2. Specify the evaluation criteria (how the info will be classified and labeled)
  3. Classify and label each resource
  4. Document exceptions to the classification policy
  5. Select the security controls to be applied to each classification level
  6. Specify procedures for declassification and transfer of custody
  7. Create an enterprise-wide awareness program/training on the classification system
8
Q

Name the classification of data for use by GOV/MIL

A
TOP SECRET (CLASSIFIED), 
SECRET (CLASSIFIED), 
CONFIDENTIAL (CLASSIFIED), 
SENSITIVE BUT UNCLASSIFIED [SBU], 
UNCLASSIFIED
9
Q

Name the commercial/business/private sector CLASSIFICATION LEVELS (as used in the CISSP exam)

A

CONFIDENTIAL (HIGH), sometimes labeled PROPRIETARY when disclosure would critically affect the company's competitive edge
PRIVATE (HIGH),
SENSITIVE (LOW),
PUBLIC (LOW)

10
Q

List the 6 organizational roles and responsibilities in security

A

Senior manager: organizational owner of the security policy; signs off on all measures and carries ultimate responsibility for security.
Security professional: functional responsibility for security; writes procedures for approval by the senior manager and implements them in alignment with the mandated security policy. Not a decision-maker.
Data owner: responsible for classifying the data and for its protection within the security solution.
Data custodian: implements the prescribed procedures (backups, access controls, integrity checks) to protect the data according to the CIA triad.
User: any person with access to the data, granted according to the principle of least privilege.
Auditor: responsible for reviewing and verifying that the security policy is properly implemented; produces compliance reports.

11
Q

What is COBIT

A

A documented set of IT security best practices published by ISACA: a framework for the governance and management of enterprise IT, designed to map a set of IT security ideals to business objectives. COBIT 5 is based on 5 principles:

  1. Meeting stakeholder needs
  2. Covering the enterprise end-to-end
  3. Applying a single, integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management
12
Q

what is a baseline (as part of a formal security policy structure), and what references can be used to derive security standards and baselines

A

A baseline is a minimum level of security that every system must meet. Common references: NIST publications (e.g., SP 800-53), TCSEC (the DoD "Orange Book") and ITSEC (its European counterpart); note that the latter two are standards, not organizations.

13
Q

what elements comprise a formal security policy structure

A

Policies, Standards & Baselines, Guidelines, and Procedures

14
Q

What is Threat Modeling

A

A process in which potential threats to a system are identified, categorized, and analyzed, so that countermeasures can be prioritized and (ideally) designed in before the system is built.

15
Q

Identify 2 approaches to Threat Modeling

A

Proactive (defensive): performed during design and development, e.g. Microsoft's SD3+C (Secure by Design, Secure by Default, Secure in Deployment and Communication)

Reactive (adversarial): performed after the product exists, e.g. ethical hacking, penetration testing, fuzz testing

16
Q

What is FUZZ testing

A

A specialized dynamic testing technique that feeds a program many generated or mutated inputs in order to exercise its limits and find previously undetected flaws (crashes, hangs, unhandled exceptions) that code review and ordinary test cases missed.
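A small mutation fuzzer, as an added example that is not part of the original flashcards. Both the deliberately fragile parser and its hardened counterpart are constructed for this demo, as is the record format ([1-byte length][payload][1-byte checksum]); the point is that the same fuzz loop finds the unvalidated length in one and nothing in the other.

```python
"""Mutation fuzzing of a constructed length-prefixed record parser (added example)."""
import random


def parse_record(data: bytes) -> bytes:
    """Fragile target: trusts the length byte, so a large length reads past the end."""
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                 # IndexError when n overruns the buffer
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")   # documented rejection of garbage input
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    """Same format, but every length is validated before it is used as an index."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length byte does not match record size")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def valid_record(payload: bytes) -> bytes:
    """Build a well-formed record to seed the fuzzer."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random byte-level mutations: bit flip, boundary value, truncate, extend."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "boundary", "truncate", "extend"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "boundary" and buf:
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
        elif op == "extend":
            buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run target on mutated inputs; return {exception name: first input that caused it}.
    ValueError is the parser's documented rejection, so it is not counted as a finding."""
    rng = random.Random(rng_seed)          # seeded so every finding is reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings


SEED = valid_record(b"hello")   # one well-formed record is enough to seed the fuzzer

if __name__ == "__main__":
    print("fragile: ", fuzz(parse_record, SEED))
    print("hardened:", fuzz(parse_record_hardened, SEED))
```

Real fuzzers (AFL++, libFuzzer) add coverage feedback so that inputs reaching new code paths are kept as further seeds; the mutation strategies above are the same ones they start from.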

17
Q

what is STRIDE

A

A threat categorization model created by Microsoft (used within its Security Development Lifecycle); each category names a class of threat and maps to the security property it violates.

18
Q

What acronyms comprise STRIDE

A

Spoofing (violates authentication), Tampering (integrity), Repudiation (non-repudiation), Information disclosure (confidentiality), Denial of service (availability), Elevation of privilege (authorization)

19
Q

What is PASTA

A

A 7-stage threat modeling methodology. It is risk-centric: it starts from business objectives and ends with risk analysis and management, rather than producing only a list of threats.

20
Q

What does PASTA stand for

A

Process for Attack Simulation and Threat Analysis

21
Q

What are the 7 stages of PASTA

A
  1. Definition of Objectives for the analysis of risks (DO)
  2. Definition of the technical scope (DTS)
  3. Application Decomposition and analysis (ADA)
  4. Threat Analysis (TA)
  5. Weakness and vulnerability analysis (WVA)
  6. Attack modeling and simulation (AMS)
  7. Risk analysis and management (RAM)
22
Q

What are the main phases of Threat Modeling

A
  1. Determine and diagram potential attacks (data flow diagrams showing components, trust boundaries and attack paths)
  2. Perform reduction analysis (decompose the system to understand where it is exposed)
  3. Define/document prioritization and response (e.g., rank threats with DREAD and assign a countermeasure to each)
23
Q

What are the key concepts found/broken down in a reduction analysis

A
Trust boundaries (any point where the level of trust or security changes)
Data flow paths (the movement of data between components)
Input points (locations where external input is received)
Privileged operations (activities that require elevated privileges)
Details about the security stance and approach (the security policy, assumptions and built-in protections)
24
Q

What is DREAD

A

A threat ranking/rating technique: each threat is scored on five factors and the scores are averaged to prioritize which threats to address first.

25
Q

what does DREAD stand for

A

Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
26
Q

What is SOC

A

Service Organization Control (renamed System and Organization Controls by the AICPA in 2017): an audit reporting framework. SOC 1 and SOC 2 reports give a customer insight into the controls a service provider has in place.
27
Q

What is SSAE, and what is the latest version of the SSAE standard

A

Statement on Standards for Attestation Engagements, the AICPA standard under which SOC reports are produced. The latest version is SSAE 18, effective May 1, 2017.
28
Q

What is the scope of a SOC 1 audit

A

Controls at the service organization that are relevant to its customers' internal control over financial reporting. A Type I report describes the controls and assesses whether their design is suitable at a point in time; a Type II report also tests their operating effectiveness over a period of time.
29
Q

What is the scope of a SOC 2 audit

A

Implemented controls assessed against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. As with SOC 1, a Type I report covers design at a point in time and a Type II report covers operating effectiveness over a period.
30
Q

List risk-related terminology

A

Asset, Asset valuation, Threat, Threat agent, Vulnerability, Exposure, Risk, Safeguard, Attack, Breach
31
Q

What is the formula that defines Risk

A

RISK = THREAT * VULNERABILITY (conceptually: no risk exists without both a threat and a vulnerability it can exploit; in quantitative terms this becomes ALE = SLE * ARO)
32
Q

What are the 2 possible risk assessment/analysis methods

A

Quantitative and Qualitative
33
Q

List the 6 steps in a Quantitative risk analysis

A
  1. Inventory assets and assign each a value (AV)
  2. Produce a list of threats for each asset; calculate the exposure factor (EF) and single loss expectancy (SLE = AV * EF)
  3. Perform threat analysis to estimate the likelihood of each threat occurring in a year, the annualized rate of occurrence (ARO)
  4. Derive the overall loss potential per threat per year, the annualized loss expectancy (ALE = SLE * ARO)
  5. Research countermeasures for each threat and how each changes the ARO and ALE
  6. Perform a cost/benefit analysis of each countermeasure for each threat and asset, and select the most appropriate response to each threat
34
Q

Name the 5 elements used in a quantitative risk analysis

A

AV: Asset Value
EF: Exposure Factor (percentage of the asset's value lost in a single occurrence)
SLE: Single Loss Expectancy (SLE = AV * EF)
ARO: Annualized Rate of Occurrence
ALE: Annualized Loss Expectancy (ALE = SLE * ARO)
35
Q

What are the common steps of APT activity

A

Initial attack (zero-day exploit or spear phishing)
Back door (persistent access into the environment)
Lateral movement (elevation of privilege, access to higher-value services and accounts)
Data harvesting
Exfiltration