Domain 1 - Security and Risk Management

Question 1

ISC2 code of ethics

Answer 1

PROTECT - society, commonwealth, and infrastructure
ACT - honorably, honestly, justly, responsibly, and legally
PROVIDE - diligent and competent service to principals
ADVANCE - and protect the profession

Question 2

Risk categories

Answer 2

○ Damage - physical loss or inability to access an asset
○ Disclosure - disclosing critical information regardless of where or how it was disclosed
Losses - might be permanent or temporary including altered or inaccessible data

Question 3

Risk Factors

Answer 3

○ Increase risk or susceptibility
○ Physical damage - natural disaster, power loss, vandalism
○ Malfunctions - failure of systems, networks, peripherals
○ Attacks - purposeful acts from inside or outside such as unauthorized disclosure
○ Human errors - usually accidental
Application errors - failures of app or OS

Question 4

Risk Response

Answer 4

○ Acceptance - do nothing, risk is accepted
○ Mitigation - implement a countermeasure and accept residual risk
○ Assignment - transfer risk to 3rd party i.e. insurance against damage or outsourcing
○ Avoidance - when costs of mitigating or accepting are higher than benefits of service
○ Deterrence - implementing deterrents to would-be violators i.e. audit policy, cameras, sec guards, warning signs
Rejection - unacceptable response, ignore risk, pretend it doesn’t exist

Question 5

Risk Management Framework (RMF)

Answer 5

○ NIST 800-37 is the primary RMF referenced
§ 7 steps (know these well)
® Remember PCSIAAM - People can see I am always monitoring
□ Prepare - to execute
□ Categorize - information systems
□ Select - sec controls
□ Implement - sec controls
□ Asses - the sec controls
□ Authorize - the system to operate in a normal
environment
Monitor - the sec controls, periodically assessing

Question 6

Residual Risk

Answer 6

risk that remains with conceivable safeguards in place

Question 7

total risk

Answer 7

amount of risk if no safeguards were implemented
Threats * vulnerabilities * asset value = total risk

Question 8

inherent risk

Answer 8

newly identified risk not yet addressed with risk management strategies, amount of risk that exists in the absence of controls

Question 9

Quantitative risk analysis

Answer 9

assigns dollar value to evaluate effectiveness of countermeasures, more labor intensive, requires a lot of data that results in specific dollar values, OBJECTIVE, 6 steps
§ Inventory assets - and assign value (asset value or AV)
§ Identify threats - research each asset and produce list of possible threats (calculate EF and SLE)
§ Threat analysis - calculate likelihood of each threat being realized within single year (ARO)
§ Estimate potential loss - calculate the annualized loss expectancy (ALE)
§ Research countermeasures for each threat - calculate the changes to ARO and ALE based on countermeasures
Perform a cost/benefit analysis - of each countermeasure

Question 10

Qualitative risk analysis

Answer 10

§ Uses scoring system to rank threats and countermeasure effectiveness
§ Uses guesswork, opinions, and estimations - SUBJECTIVE
“low, medium, high”

Question 11

Delphi technique

Answer 11

Anonymous feedback and response process used to arrive at a consensus

Question 12

Loss potential

Answer 12

What would be lost if threat agent was successful in exploiting a vuln

Question 13

Delayed loss

Answer 13

§ Amount of loss that can occur over time
i.e. website down, money lost over time

Question 14

Threat agents

Answer 14

Cause threats by exploiting vulns

Question 15

Exposure factor (EF)

Answer 15

% of loss that an organization would experience if asset were violated by realized risk

Question 16

Single Loss Expectancy

Answer 16

§ Cost associated with single realized risk against specific asset
§ SLE = Asset value (AV) * Exposure factor (EF)
SLE = 100,000 * 30% = 30,000 30,000

Question 17

Annualized rate of occurrence (ARO)

Answer 17

Expected frequency a specific risk/ threat will occur in a year

Question 18

Annualized Loss Expectancy (ALE)

Answer 18

§ ALE = SLE * ARO
§ Example:
□ Office building = $200,000 (AV)
□ Hurricane damge estimate = 50% (EF)
□ Hurricane probability is every 10 years = 10% (ARO)
□ SLE = AV * EF
® SLE = 200,000 * 50%
® SLE = 100,000
□ ALE = SLE * ARO
® ALE = 100,000 * 10%
® ALE = 10,000
In this example, spending over 10,000/year on hurricane damage mitigation is a waste of money because it costs more than we expect to lose

Question 19

Safeguard evaluation

Answer 19

§ Good security controls mitigate risk, are transparent to users, difficult to bypass, and are cost effective
§ ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard
□ Value of safeguard = ALE1 - ALE2 - ACS
Is the safeguard cost effective?

Question 20

Controls gap

Answer 20

Total Risk - controls gap = residual risk

Question 21

Supply Chain

Answer 21

○ Most services are delivered through a chain of multiple entities
○ Secure supply chain includes vendors who are secure, reliable, trustworthy, reputable
○ On-site assessment - visit org, interview personnel, observe operations
○ Document exchange and review - investigate dataset and doc exchange, review processes
○ Process/ policy review - request copies of security policy
3rd party audit - involve independent auditor for security review

Question 22

Threat modeling

Answer 22

○ Proactive or Reactive
○ Focused on assets - uses asset valuation to identify threats to valuable assets
○ Focused on attackers - identify potential attackers and identify threats based on their goals
Focused on software - considers potential threats against software the org develops

Question 23

STRIDE (threat model)

Answer 23

§ Spoofing
§ Tampering
□ Data manipulation
§ Repudiation
□ Ability of user/ attacker to deny having
performed an activity
§ Information Disclosure
§ Denial of service
Elevation of privilege

Question 24

PASTA (threat model)

Answer 24

develop countermeasures based on asset value
§ Stage 1 - definition of objectives
§ Stage 2 - definition of technical scope
§ Stage 3 - app decomposition and analysis
§ Stage 4 - threat analysis
§ Stage 5 - weakness and vulnerability analysis
§ Stage 6 - attack modeling and simulation
Stage 7 - risk analysis and management

Question 25

VAST (threat model)

Answer 25

based on Agile PM princilples - integrate threat management into an agile development cycle
§ Visual
§ Agile
§ Simple
Threat

Question 26

DREAD (threat model)

Answer 26

§ Damage potential?
§ Reproducibility?
§ Exploitability?
§ Affected Users?
§ Discoverability?
How difficult to discover the weakness

Question 27

TRIKE (threat model)

Answer 27

-focuses on acceptable risk
§ Open source threat modeling that implements a requirements model
Ensures the assigned level of risk for each asset is acceptable to stakeholders

Question 28

COBIT

Answer 28

security control framework
§ IT management and governance framework
§ Principle 1 - meeting stakeholder needs
§ Principle 2 - cover enterprise end to end
§ Principle 3 - applying single, integrated framework
§ Principle 4 - enabling a holistic approach
Principle 5 - separating governance from management

Question 29

Trust boundaries

Answer 29

any location where the level of trust/ security changes

Question 30

technical controls

Answer 30

logical, involveshardware/ software mechanisms to manage access

Question 31

administrative controls

Answer 31

policies and procedures

Question 32

physical controls

Answer 32

anything you can touch

Question 33

deterrent controls

Answer 33

deployed to discourage violation of sec polices

Question 34

preventative controls

Answer 34

stop unwanted/ unauthorized activity from occurring

Question 35

detective controls

Answer 35

discover/ detect unwanted/ unauthorized activity

Question 36

compensating controls

Answer 36

options to other existing controls to aid in enforcement of sec policies

Question 37

corrective controls

Answer 37

modifies environment to return systems to normal after an unwanted or unauthorized activity has occurred
□ I.e. antivirus removing malware
Backup software restoring files

Question 38

recovery controls

Answer 38

extension of corrective controls but more advanced
i.e. vm shadowing, hot sites, warm sites

Question 39

directive controls

Answer 39

direct, confine, or control actions of subjects to force or encourage compliance with sec policies
Ie sec policy requirement, posted notifications

Question 40

criminal law

Answer 40

prohibitions against acts such as murder, assault, etc

Question 41

civil law

Answer 41

contract disputes, real estate, employment, estate

Question 42

administrative law

Answer 42

gov agencies have leeway to enact admin law

Question 43

Computer fraud and abuse act (CFAA)

Answer 43

first piece of cybercrime legislation, provides specific protections for systems operated by fed agencies

Question 44

Federal sentencing guidelines

Answer 44

provided punishment guidelines to help fed judges interpret computer crime laws

Question 45

Federal Information Security Management Act (FISMA)

Answer 45

required a formal infosec operations for federal government, regulates infosec for all federal agencies

Question 46

Copyright and digital millenium copyright act

Answer 46

covers literary, musical, and dramatic works. Includes written works like website content

Question 47

Trademarks

Answer 47

words, slogans, logos to identify company

Question 48

Patents

Answer 48

protect IP rights of inventors

Question 49

Trade secrets

Answer 49

IP that is critical to business and must not be disclosed

Question 50

Licensing

Answer 50

4 types - contractual, shrink-wrap, click-through, and cloud services

Question 51

Computer export controls

Answer 51

US cant export to Cuba, Iran, North Korea, Sudan, and Syria

Question 52

Encryption Export Controls

Answer 52

dept of commerce details limitations on export of encryption products outside the US

Question 53

Privacy (US)

Answer 53

basis for privacy rights is the 4th amendment to US constitution

Question 54

Privacy (EU)

Answer 54

General Data Protection Regulation (GDPR) applies to any company with customers in the EU, standard contractual clauses and binding corporate rules
-GDPR outlines fines of up to 4% of companies annual global revenue or 20 million euros (any company with a customer in the EU is subject to GDPR)

Question 55

HIPAA (Health Insurance Portability and Accountability Act)

Answer 55

health

Question 56

HITECH

Answer 56

(Health Information Technology for Economic and Clinical Health)

Question 57

Gramm-Leach-Bliley Act (GLBA)

Answer 57

Financial institutions

Question 58

COPPA

Answer 58

Children’s Online Privacy Protection Act, 13yo and under

Question 59

Electronic communications privacy act (ECPA)

Answer 59

crime to invade electronic privacy of an individual, prohibits unauthorized monitoring of email and voicemail

Question 60

Communications assistance for law enforcement act (CALEA)

Answer 60

enables the government to intercept wire and electronic communications and call-identifying information under certain circumstances – in particular, when it is necessary in order to protect national security.

Question 61

Business Continuity Plan (BCP)

Answer 61

overall organizational plan for “how-to” continue business
§ Focuses on whole business
§ Cover comms and process more broadly
Umbrella policy

Question 62

Disaster Recovery Plan (DRP)

Answer 62

• returning IT infrastructure to operation after disaster
  § Focuses on technical aspects of recovery
  Falls under the BCP umbrella

Question 63

Continuity of operations plan (COOP)

Answer 63

plan for continuing to do business until IT infrastructure can be restored

Question 64

Consequences of privacy and data breaches

Answer 64

○ Reputational damage - result in loss of customer trust and loss of revenue
○ Identity theft - using someones private info to impersonate them
○ IP Theft - costs customer, credit ratings, brand reputation, forfeiture of first to market advantage, loss of profitability, lines of business to competition
Fines - failing to report a breach can cost millions. GDPR outlines fines of up to 4% of companies annual global revenue or 20 million euros (any company with a customer in the EU is subject to GDPR)

Question 65

Breach notifications

Answer 65

○ Laws - failing to report a breach can result in fines that can reach into the millions
○ GDPR - breaches must be reported within 72 hours
○ Escalations - to external sources like law enforcement or outside experts to stop/ investigate breach
○ Other countries have their own reporting timescale
Delays - can sometime allow for criminal investigation

Question 66

FERPA

Answer 66

Family education rights and privacy act, ensures privacy of educational records

Question 67

Homeland Security Act (HSA)

Answer 67

created DHS and the cyber enhancement act of 2002 and the critical in

Question 68

Memorandum of understanding (MOU)

Answer 68

statement of intentions, NOT a legal contract

Question 69

Service Organization Control (SOC)

Answer 69

review of existing security
Type 1 = point in time
Type 2 = over a period of time

SOC1=financial
SOC2=security and CIA

Question 70

PCI DSS

Answer 70

Credit card compliance, BANK can pursue legal actions