Domain 1 - Security and Risk Management Flashcards

(59 cards)

1
Q

Confidentiality

A

Access controls help ensure that only authorized subjects can access objects.

2
Q

Integrity

A

Ensures that data or system configurations are not modified without authorization

3
Q

Availability

A

Authorized requests for objects must be granted to subjects within a reasonable amount of time.

4
Q

Code of Ethics

A

PAPA
Protect society, the commonwealth, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.

5
Q

Security Policy development

A

Acceptable Use Policy
Assigns roles and responsibilities

Security Baselines
Define “minimum levels”

Security Guidelines
Offer recommendations

Security Procedures
Detailed step-by-step

6
Q

Risk Categories

A

Group of potential causes of risk.

Damage - Results in the physical loss of an asset or the inability to access the asset.

Disclosure - Disclose critical information regardless of how or where it was disclosed.

Losses - Might be permanent or temporary including altered data or inaccessible data.

7
Q

Risk Factors

A

Something that increases risk or susceptibility.

Physical damage - Natural disaster, power loss, or vandalism.

Malfunctions - Failure of systems, networks, or peripherals.

Attacks - Purposeful acts whether from the inside or outside, such as unauthorized disclosure.

Human errors - Usually considered accidental incidents, whereas attacks are purposeful incidents.

Application errors - Failures of the application including the operating system.

8
Q

Security Planning

A

Strategic - long term, ~5 years

Tactical - midterm plan, ~1 year

Operations - shorter (highly detailed), month to month or quarterly.

9
Q

Response to risk

A

Risk acceptance - Do nothing, accept the risk and potential loss if threat occurs.

Risk mitigation - You do this by implementing a countermeasure and accepting the residual risk.

Risk Assignment - Transfer risk to 3rd party.

Risk Avoidance - When costs of mitigating or accepting are higher than benefits of service

Risk Deterrence - Implementing deterrents to would-be violators of security behavior.

Risk rejection - UNACCEPTABLE: a possible response to risk is to reject or ignore the risk.

10
Q

Risk management Frameworks

A

Primary risk management framework

NIST 800-37 rev 2

11
Q

7 Steps of NIST 800-37 rev 2

A

PCSIAAM
People Can See I am Always Monitoring

  1. Prepare - to execute the RMF
  2. Categorize - information systems
  3. Select - security controls
  4. Implement - security controls
  5. Assess - the security controls
  6. Authorize - the system (ATO)
  7. Monitor - security controls
12
Q

When legal issues are involved.

A

contact an attorney

13
Q

Types of Risks

A

Residual - risk that remains after all safeguards - After

Inherent - risk that exists without controls (newly identified) - Before

Total - amount of risk an organization would face if no safeguards were implemented - Without

14
Q

Total Risk Formula

A

threats * vulnerabilities * asset value = total risk

15
Q

Risk formula

A

threat * vulnerability = risk

16
Q

Risk analysis - Quantitative

A

Quantitative - dollar value to evaluate effectiveness of countermeasures. OBJECTIVE

  • Assign asset value (AV)
  • Calculate exposure factor (EF)
  • Calculate single loss expectancy (SLE)
  • Assess the annualized rate of occurrence (ARO)
  • Derive the annualized loss expectancy (ALE)
  • Perform cost/benefit analysis of countermeasures
  1. Inventory assets and assign a value (AV)
  2. Identify threats. Research each asset and produce a list of all possible threats to each asset. (EF and SLE)
  3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year. (ARO)
  4. Estimate the potential loss by calculating the annualized loss expectancy (ALE).
  5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
  6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset.
17
Q

Risk analysis - Qualitative

A

Uses a scoring system to rank threats and effectiveness of countermeasures. SUBJECTIVE

18
Q

Delphi Technique

A

An anonymous feedback and response process used to arrive at a consensus.

19
Q

Loss potential

A

What would be lost if the threat agent is successful in exploiting a vulnerability.

20
Q

Delayed loss

A

This is the amount of loss that can occur over time.

21
Q

Threat agent

A

What causes the threat by exploiting vulnerabilities.

22
Q

Formula terms

A

Exposure factor (EF) - The % of loss that an organization would experience if a specific asset were violated by a realized risk.

Single loss expectancy (SLE) - Represents the cost associated with a single realized risk against a specific asset.

Annualized rate of occurrence (ARO) - The expected frequency with which a specific threat or risk will occur within a single year.

Annualized loss expectancy (ALE)

Safeguard evaluation -

23
Q

SLE Formula

A

AV * EF = SLE

24
Q

ALE

A

SLE * ARO = ALE

25
Q

Safeguard Evaluation formula

A

ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard

ALE1 - ALE2 - ACS = value of safeguard

26
Q

Controls gap

A

The amount of risk reduced by implementing safeguards.

total risk - controls gap = residual risk

27
Q

Threat Modeling

A

Security process where potential threats are identified, categorized, and analyzed.

28
Q

Threat Model | STRIDE

A

STRIDE (Microsoft)

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

29
Q

Threat Model | PASTA

A

Risk-centric approach

Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management

30
Q

Threat Model | VAST

A

Based on Agile project management

Visual, Agile, Simple Threat

31
Q

Threat Model | Trike

A

Risk-based approach

32
Q

Threat Model | DREAD

A

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

33
Q

Reduction Analysis - Threat Modeling

A

Trust boundary - any location where the level of trust or security changes

Data flow paths

Input points - locations where external inputs are received

Privileged operations - any activity that requires greater privileges than those of a standard user account

Details about security stance and approach

34
Q

Security controls

A

Measures for countering and minimizing loss or unavailability.

35
Q

Control categories

A

Technical (logical) - hardware/software mechanisms used to manage access

Administrative - policies and procedures defined by the org's security policy, and other regulations and requirements.

Physical - items which you can touch - guards, gates, laptop locks

36
Q

Control types

A

Deterrent Controls - deployed to discourage violation of security policies

Preventative Controls - deployed to thwart or stop unwanted or unauthorized activity from occurring - (fences, locks, access control points, alarm systems, separation of duties, job rotation, antimalware software, firewalls, IPSs)

Detective Controls - deployed to discover or detect unwanted or unauthorized activity - (CCTV, honeynets/honeypots, IDSs, security cameras, guards, audit trails, incident investigators). Discover activity only AFTER it has occurred.

Compensating Controls - provide other options to existing controls to aid in the enforcement of security policies.

Corrective Controls - modify the environment to return the system to normal after an unwanted or unauthorized activity has occurred

Recovery Controls - an extension of corrective controls but with more advanced or complex abilities. Attempt to repair or restore resources, functions, and capabilities after a security policy violation.

Directive Controls - direct, confine, or control the actions of subjects to force or encourage compliance with security policies

37
Q

Laws

A

Computer Fraud and Abuse Act (CFAA) - The first major piece of US cybercrime-specific legislation.

Federal Sentencing Guidelines - Provided punishment guidelines to help federal judges interpret computer crime laws.

Federal Information Security Management Act (FISMA) - Required formal infosec operations for the federal gov’t.

Copyright and the Digital Millennium Copyright Act - Covers literary, musical, and dramatic works.

38
Q

IP Licensing

A

Trademarks - Cover words, slogans, and logos used to identify a company and its products or services.

Patents - Protect the intellectual property rights of inventors.

Trade Secrets - Intellectual property that is absolutely critical to a business and must not be disclosed.

Licensing - 4 types you should know are contractual, shrink-wrap, click-through, and cloud services.

39
Q

Encryption and Privacy

A

Computer Export Controls - US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.

Encryption Export Controls - Regulations on the export of encryption products outside the US.

Privacy (US) - The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution.

Privacy (EU) - General Data Protection Regulation (GDPR) is the most likely to be mentioned.

40
Q

U.S. Privacy Laws

A

HIPAA (Health Insurance Portability and Accountability Act)
HITECH (Health Information Technology for Economic and Clinical Health)
Gramm-Leach-Bliley Act (financial institutions)
Children’s Online Privacy Protection Act (COPPA)
Electronic Communications Privacy Act (ECPA)
Communications Assistance for Law Enforcement Act (CALEA)

41
Q

Domain 1

A

Chapter 1 - 4

42
Q

Integrity is dependent on

A

Confidentiality and access control

43
Q

Availability is dependent on

A

Integrity and confidentiality

44
Q

Protection Mechanisms

A

Defense in depth

Abstraction - used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Data Hiding

Encryption

45
Q

NIST Risk Management Framework (RMF)

A

Six phases: CSIAAM

Categorize
Select
Implement
Assess
Authorize
Monitor

46
Q

Elements of AAA

A

Identification
Authentication
Authorization
Auditing
Accountability

47
Q

COBIT

A

Control Objectives for Information and Related Technology (COBIT) - security concept infrastructure used to organize the complex security solutions of companies.

48
Q

UBA and UEBA

A

User behavior analytics

User and entity behavior analytics

Concept of analyzing the behavior of users, subjects, visitors, customers, etc. for a specific goal or purpose.

49
Q

RMM

A

Risk maturity model - a means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process.

50
Q

BCP

A

Business Continuity Plan - 4 steps

Project scope and planning
Business impact analysis
Continuity planning
Approval and implementation

51
Q

BIA

A

Business Impact Analysis - Identifies the business processes and tasks that are critical to an organization's ongoing viability and the threats posed to those resources.

52
Q

MTO | MTD

A

Maximum tolerable outage | Maximum tolerable downtime

The maximum length of time a business function can tolerate a disruption before suffering irreparable harm.

53
Q

RTO

A

Recovery time objective (RTO) for each business function is the amount of time in which you think you can feasibly recover the function in the event of a disruption.

54
Q

RPO

A

Recovery point objective - the data-loss equivalent to the time-focused RTO.

55
Q

Business impact analysis process

A

Five stages

Identification of priorities
Risk identification
Likelihood assessment
Impact analysis
Resource prioritization

56
Q

ITAR

A

International Traffic in Arms Regulations - controls the export of items that are specifically designated as military and defense items, including the technical information related to those items.

57
Q

EAR

A

Export Administration Regulations - Cover a broader set of items that are designed for commercial use but may have military applications.

58
Q

Canadian privacy law

A

PIPEDA - Personal Information Protection and Electronic Documents Act

59
Q

Credit card payment PCI DSS

A

12 main requirements