Domain 1 Flashcards

(53 cards)

1
Q

3 components of security education

A

Policy - what to do
Training - skills for doing it
Awareness - changes behavior

2
Q

CIA Triad vs DAD

A

CIA: Confidentiality, Integrity, Availability

DAD (logical opposite of CIA): Disclosure, Alteration, Destruction

3
Q

Controls are implemented across what three levels? Give examples for each

A

Administrative (aka directive): background checks, policies/procedures
Technical: encryption, smart cards
Physical: locks, securing laptops/magnetic media, protection of cable

4
Q

Criminal vs Civil

A

Criminal: possible to get jail time; burden of proof is beyond a reasonable doubt (99.9%)
Civil: tip of the scale (50.1%)

5
Q

CVSS

A

Common Vulnerability Scoring System

6
Q

Draw chart of 5 types of documentation

A

refer to “Types of Documentation - Drawing 1B”

7
Q

Draw the qualitative RA matrix

A

Qualitative Risk Analysis Matrix helps identify the most significant risks to the organization
Likelihood on the left (vertical axis), Impact across the top (horizontal axis), each rated high/med/low
Refer to “Qualitative RA Matrix - Domain 1 pg 67”

8
Q

Excessive risk

A

means above the acceptable level of risk for the executive / data owner; excessive does NOT mean a lot of risk

9
Q

Fork bomb

A

attack that loops while 1=1 (which is always true), forking (starting a new process) on every iteration until all memory is used and the system crashes

10
Q

Formula for Risk

A

risk = threat x vulnerability
threat drives calculation, vulnerability reduces the risk
threat: potential for harm, can be internal/external/competitor/govt (hurricanes, snowstorms, viruses, worms)
vulnerability: weakness (unpatched system, default install)

11
Q

variation of smurf involving spoofed UDP datagrams sent to UDP port 7

A

fraggle

12
Q

IAAA

A

Identification: means by which users claim their identities to a system
Authentication: establishes, tests or reconciles a user’s identity
Authorization: rights/permissions granted to an individual (or process) that enable access to a computer
Accountability: system’s ability to determine actions of single individual within a system, shows that a particular individual performed a particular action e.g. audit trails and logs

13
Q

LAND attack

A

packet whose spoofed source address and port match the destination address and port, e.g. from 192.168.1.1 to 192.168.1.1 on port 8080; creates a recursive loop which crashes the system

14
Q

List all quantitative formulas

A

SLE (Single Loss Expectancy) = EF (exposure factor) x AV (asset value)
ARO (Annualized Rate of Occurrence)
ALE (Annualized Loss Expectancy) = SLE x ARO
TCO (Total Cost of Ownership)
ROI (Return on Investment)
Cost/Benefit Analysis

15
Q

List all types of controls and examples of each

A

Preventative: locks on doors, firewalls
Detective: goes off during attack (alarm systems, IDS), means preventative failed
Corrective: short-term fix to prevent future attacks (police guards)
Compensating: alternative control (one-way firewall in hospital if MRI system could never be connected to network but doctors need info from it)
Recovery: long-term fix
Suppressive: where you detect and respond to deal with a problem

16
Q

Name a directive control that is a strategic user-focused document?

A

Policy

17
Q

Name the 5 types of documentation

A

Policy, Procedure, Standard, Baseline, Guideline (optional)

18
Q

Name different types of DoS attacks

A

DoS attacks:

  • Crafted Packets
    • Ping of Death
    • LAND attack
    • Teardrop
  • Flooding
    • SYN flood
    • Smurf
    • Fraggle

DDoS - compromising multiple machines to attack the victim
  • Fork bomb

19
Q

OCTAVE

A

Operationally Critical Threat, Asset and Vulnerability Evaluation

20
Q

password guessing vs password cracking

A

Guessing: online, where you try to guess at the website login prompt but are subject to account lockout
Cracking: offline, no account lockout but you need the raw encrypted (hashed) passwords

21
Q

PCI DSS requirements

A

Payment Card Industry Data Security Standard - aka the dirty dozen (12 requirements); know the 12 goals in general (don’t need to know the order):

  • Install/maintain firewalls
  • No vendor default passwords/parameters
  • Protect stored data
  • Encrypt transmission of data across public networks
  • Use/update antivirus
  • Develop/maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems/processes
  • Maintain a policy that addresses information security for all personnel

22
Q

buffer overflow attack in which you send a ping packet larger than the maximum permitted packet size

A

ping of death

23
Q

Info about individuals will be kept private and if it needs to be disclosed the person will be notified; regulated at state level

A

Privacy Act of 1974

24
Q

RFI, RFP, RFQ

A

Request for Information - helps you tailor the RFP
Request for Proposal - stage of procurement to determine which providers will bid for project and what their proposal looks like, more detailed than RFQ
Request for Quote - can sometimes ask for RFQ to make sure we have enough budget before doing a full RFP

25
Q

SLA, OLA, ELA

A

Service Level Agreement: delivering a certain level of service, with penalties if you don't, e.g. an ISP delivers a certain level of bandwidth with a certain reliability
Operating Level Agreement: internal agreement that supports the SLA, e.g. you need to make sure you have enough staff to meet the SLA
Enterprise License Agreement: site licensing for software, e.g. Microsoft licensing agreement for Windows software

26
Q

type of attack that spoofs the victim's IP and sends an ICMP Echo Request (ping) to a directed broadcast address

A

smurf attack. The adversary sends one request to the broadcast address telling, say, 1 million computers to reply to "me", where "me" is the spoofed source address of the victim you want to bring down (think of smurfs singing down the street with hundreds joining in, like many packets growing together)

27
Q

the system has a table that keeps track of connections; if you fill it up, no new connections can come in

A

SYN flood

28
Q

Attack that involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine

A

teardrop. In other words, sending a bunch of different puzzle pieces that could never be put together

29
Q

Third party governance

A

Before purchasing third party products, assess exposures/risks, validate software, etc.
COTS (Commercial Off the Shelf software), e.g. Windows/Office
30
Q

Types of IP

A

Intellectual Property
Formal methods of protection:
  • Patent: public; can't just be an idea, needs to be reduced to practice and show how it actually works. Govt does it to encourage people to share the best way to do something with society; in exchange you get a 20-year monopoly
  • Copyright: creator of the work is the implied owner of the copyright, e.g. the monkey who took selfies had the copyright, not the photographer
  • Trademark: "Ultimate driving machine", "Just do it"
Informal means of protection:
  • Trade secret: formula for Coca-Cola (if it were patented it would be public)

31
Q

What is an internal SLA?

A

OLA (Operating Level Agreement)

32
Q

What is OECD?

A

Organization for Economic Co-operation and Development, 34 countries in Europe, strict controls for information held on your behalf
  • Working Party on Information Security and Privacy develops non-binding guidance (member countries do not have to implement recommendations)
  • EUDPD (European Union's Data Protection Directive) - binding requirement for EU member states, considered more stringent than US privacy laws

33
Q

What is the ultimate output of threat mapping or attack services?

A

Security dashboard: visual representation that shows you where the high exposures are and what systems they are on

34
Q

What is TOC/TOU?

A

Time of Check / Time of Use; the difference should always be zero, e.g. if you put a system online for two hours before it's fully patched and secured there's a good chance it will be compromised
35
Q

What methodology is most common for scoring vulnerabilities? Name a second system as well.

A

CVSSv2 (Common Vulnerability Scoring System) is most common. Another is OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)

36
Q

Which country does not have one set of privacy laws?

A

The US, since privacy laws are at a state level, not federal. All of Europe has one set of laws.

37
Q

Your company has decided to perform a major technology overhaul. Which would best describe the impact to the organization?
  a) policies and procedures will need major revisions
  b) policies and procedures will need minor revisions
  c) minor revisions to policy and major revisions to procedures
  d) minor revisions to procedures and major revisions to policy

A

c

38
Q

good for addressing ownership, profit & loss; clearly lays out who makes what decision, who owns what part of the company

A

BPA (Business Partnership Agreement)

39
Q

when two organizations connect their networks together: who owns what info, who is responsible for what actions, who has liabilities for particular exposures

A

MOU/A: Memorandum of Understanding/Agreement

40
Q

typically part of an MOU; covers who is allowed to keep info if the partners separate and dictates the technical security requirements associated with two organizations connecting their networks

A

Interconnection Security Agreement
41
Q

preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary data

A

Confidentiality

42
Q

guarding against improper data modification; includes ensuring information non-repudiation and authenticity

A

Integrity

43
Q

ensuring timely and reliable access to and use of information

A

Availability

44
Q

high level statement of what to do; should be specific, measurable, achievable, e.g. All servers must be properly hardened by patching and turning off services

A

Policy

45
Q

details of how to do something, e.g. all the steps to apply the security configuration when a system is built

A

Procedure

46
Q

specifies a certain way something should be done or a certain brand/type of equipment to be used, e.g. Admins must use Windows Server 2012 R2 as the base operating system

A

Standard

47
Q

more specific implementation, the specific technical details of how a system's hardware/software should be configured, e.g. the specific settings for Win Server 2012 R2 should match those in the CIS Security Benchmark

A

Baseline. Usually a baseline starts off as a guideline until it has been properly modified to meet the needs of the org
48
Q

recommended way of doing something, e.g. to ease the config, local GPOs can be used to roll out the changes

A

Guideline. A best practice might start off as a guideline and, if analysis shows there is great benefit, it may become a standard (mandatory)

49
Q

Due __ is the prudent management and execution of due care, e.g. maintaining the proper environment

A

due diligence

50
Q

Due __ is the minimum and customary practice of responsible protection of assets, aka the "Prudent Man Rule": are you doing what a reasonable organization would do when implementing security? This is an important concept in the legal matter of negligence and therein potential liability.

A

due care

51
Q

__ is performing reasonable examination and research before committing to a course of action. Basically 'look before you leap'. In law, you would perform this by researching the terms of a contract before signing it, e.g. doing your homework. The opposite would be haphazard.

A

due diligence

52
Q

__ is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if this situation exists because of a contract, regulation, or law. The opposite of this is negligence.

A

due care

53
Q

Due __ is identifying threats and risks while Due __ is acting upon findings to mitigate risks.

A

due diligence (do detect), due care (do correct)