Domain 1 Security & Risk Management

Question 1

What is a vulnerability

Answer 1

A weakness in a system that could be potentially be exploited.

Question 2

What is a Threat

Answer 2

Anything that can bring harm to a system

Question 3

What is Impact

Answer 3

attempts to determine what the outcome of a successful exploitation would be

Question 4

What is Likelihood

Answer 4

An additional input into the Risk equation outside of just threat and vulnerability

How likely successful exploitation of a vulnerability.

Question 5

Quantitative risk analysis

Answer 5

always numerically based and tied directly back to money

Question 6

Single Loss Expectancy

Answer 6

SLE = EF (Exposure Factor) X AV (Asset Value)

Question 7

Asset Value

Answer 7

The value of the asset

Question 8

Exposure Factor (EF)

Answer 8

% of the asset value (AV) due to a threat

Question 9

Annualized Rate of Occurrence (ARO)

Answer 9

Frequency of threat occurrence per year

Question 10

Annualized Loss Expectancy (ALE)

Answer 10

Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)

Question 11

Principle of least privileges

Answer 11

Aka Minimum Necessary Access

Individuals only be granted the access necessary to perform their required business functions

Applies to system configuration, firewall rule sets, etc…

Question 12

Rotation of duties

Answer 12

force other people to be in charge of carrying out key tasks normally performed by another employee.

Question 13

Separation of duties

Answer 13

limit risk associated with critical functions/transactions by requiring two parties to perform what one person could otherwise perform.

Question 14

Risk Transfer

Answer 14

Involve 3rd party to help address the risk

Most common type is breach insurance.

Question 15

Risk Avoidance

Answer 15

declining not to move forward with a project that introduces the unacceptable level of risk.

e.g. decommissioning of a deployed system.

Question 16

Risk Mitigation

Answer 16

Take actions that decreases the risk

Reduce the risk to an acceptable level

Question 17

Request for Information (RFI)

Answer 17

gather information about the available providers of the items or service being procured

Question 18

Request for Proposal (RFP)

Answer 18

determine which provider will bid for the project, what their proposal looks like, and what the cost will be

Question 19

Request for Quote (RFQ)

Answer 19

included as overall part of RFP

determining the cost a supplier/provider would charege

Question 20

Business Partnership Agreement (BPA)

Answer 20

typically used when business operates legally as partnership

address things like ownership, profit/losses, and contributions

Question 21

Memorandum of Understanding/Agreement (MOU/)

Answer 21

two organizations interconnect information systems/networks.

Question 22

Interconnection Security Agreement (ISA)

Answer 22

technical security requirements with two organization connect

Supports MOU/MOA

Question 23

Service Level Agreement (SLA)

Answer 23

force providers to agree to provide an acceptable level of security.

Question 24

Operating Level Agreement (OLA)

Answer 24

Internal agreement that supports SLA

determines level of service required of internal departments in order to be able to fully satisfy the details of the SLA

Question 25

Enterprise License Agreement (ELA)

Answer 25

govern how an organization that licenses large volume of software is allowed to use that software

Question 26

Acceptable Use Policy (AUP)

Answer 26

catch all policy that tried to define both expected user behavior and prohibited user behavior

Question 27

Risk

Answer 27

=Threat x Vulnerability

Question 28

Exploit

Answer 28

Process of threat taking advantage of a vulnerability

Question 29

Threat

Answer 29

anything that can cause harm to an information system

Question 30

Virus

Answer 30

malware that requires a carrier

Question 31

Worm

Answer 31

malware that self propagates

Question 32

Trojan

Answer 32

Benign-appearing function | Cover malicious function

Question 33

Non-Disclosure Agreement (NDA)

Answer 33

neither employer nor employee will divulge sensitive data

Question 34

Non-Compete Agreement

Answer 34

establishes employee who leaves the organization agrees not to work for a competitor

Question 35

Non-Solicitation Agreement

Answer 35

Prohibits an employee that leaves the company from soliciting other employees to also leave soliciting customers of the employer for business

Question 36

Opposite of Confidentiality Integrity Availability

Answer 36

Disclosure Alteration Destruction

Question 37

Confidentiality

Answer 37

prevents unauthorized disclosure of data

Question 38

Integrity

Answer 38

prevents unauthorized modification of assets

Question 39

Availability

Answer 39

ensure required access to resource remains possible

Question 40

Identification

Answer 40

weak unproven claim of identity

Question 41

Authentication

Answer 41

proof that user's identify claim was legitimate

Question 42

Authorization

Answer 42

proceeds after successful authentication and determines what authenticated users can do

Question 43

Accountability

Answer 43

logging - details the interaction performed by the individuals

Question 44

Compensatory Damages

Answer 44

Money awarded directly related to the actual losses/harm incurred (e.g. usb stick)

Question 45

Statutory Damages

Answer 45

Monetary damages designated by law

Question 46

Punitive Damages

Answer 46

Awards meant to punish the defendant (not tied to actual loss)

Question 47

Legal Fees

Answer 47

some but not all jurisdictions considered fees a form of compensatory damages that could be awarded.

Question 48

Civil Law

Answer 48

primary associated with torts, contracts, and property preponderance of evidence no jail time

Question 49

Criminal Law

Answer 49

Society itself has been harmed burden of proof beyond reasonable doubt Jail time

Question 50

Qualitative risk analysis

Answer 50

Not tied to dollar amount associated with potential lost Risk Rating Useful for prioritization of risk

Question 51

Types of Authentication

Answer 51

Something you know (password/phrases) Something you have (token) Something you are (biometrics) Someplace you are (GPS)

Question 52

Preventive Control

Answer 52

prevent attack from being successful

Question 53

Detective Control

Answer 53

Tries to detect problem after an attack occurs used after the fact Hiring procedures and human resources are detective controls Rotating users and PTO discover illegal activities

Question 54

Deterrent Control

Answer 54

discourages security violations

Question 55

Compensating Control

Answer 55

Adding another control/layer

Question 56

Corrective Control

Answer 56

reacts to an attack and takes corrective action for data recovery

Question 57

Recovery control

Answer 57

Restores the operating state to normal after an attack or system failure

Question 58

Due Care

Answer 58

base level of protection that a reasonable person takes to check piece of code Acting as any reasonable would

Question 59

Due Diligence

Answer 59

Practice or process that ensure the decided upon standard of care is maintained

Question 60

Patent

Answer 60

``` Protects invention for 20 years Must: Having utility Novelty non-obvious ```

Question 61

Copyright

Answer 61

Form of Expression (paper, vinyl etc..)

Question 62

Trademark

Answer 62

word, name, symbol, or device that is used in trade with goods to indicate the source of the goods Distinguish them from other goods

Question 63

Trade Secret

Answer 63

Project critical intellectual property that is not publicly available

Question 64

Risk Analysis

Answer 64

Determine where level of risk is unacceptable Two approaches: Qualitative and Quantitative.

Question 65

Threat Modeling

Answer 65

seeks to understand threats and consider how they might negatively impact security

Question 66

Attack Surface

Answer 66

represents all the ways in which an attacker could attempt to introduce data to exploit a vulnerability.

Question 67

Security Policy

Answer 67

High level guidance regarding expectation This is the Why

Question 68

Standards

Answer 68

Focused on how to achieve what security policies mandate This is they What

Question 69

What makes up a policy

Answer 69

``` Purpose Related documents Cancellation Background Scope Policy Statement Responsibility ```

Question 70

Standards

Answer 70

Provide the detailed guidance for carrying out tasks This is the How

Question 71

Baseline

Answer 71

more specific implementation of the standard

Question 72

Guidelines

Answer 72

Are not mandatory | Best practices