Domain 9 - Exam Feedback Flashcards

Question

Among the following choices, what kind of IDS is considered an expert system? Behavior based or Knowledge based?

Answer 1

Behavior based A behavior-based intrusion detection system (IDS) can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events.

Answer 2

Hijacking In a hijack attack, which is an offshoot of a man-in-the-middle attack, a malicious user is positioned between a client and server and then i**_nterrupts the session and takes it over._**

Answer 3

Lighting Lighting is by far the most pervasive and basic element of security because it illuminates areas and makes signs of hidden danger visible to all.

Answer 4

Outbound traffic with an address outside the range 10.8.6.0/24 Although it is true that John would probably want to filter out all of these types of traffic for various reasons, he would be specifically interested in filtering out outbound traffic with an address not belonging to his network to achieve his stated goal.

Answer 5

Each encapsulated protocol includes its own error detection, error handling, acknowledgment, and session management features. Tunneling is generally an inefficient means of communicating because all protocols include their own error detection, error handling, acknowledgment, and session management features, and using more than one protocol at a time just compounds the overhead required to communicate a single message.

Answer 6

Tunnel When IPsec is used in tunnel mode, entire packets, rather than just the payload, are encrypted. This mode is designed for use in gateway-to-gateway communications.

Answer 7

Yes Daily workstation change (i.e., when workers do not have a designated, assigned, or consistent workstation but operate any one that is available) is an effective means of preventing and detecting the presence of unapproved software.

Answer 8

A hash total is a checksum used to verify the integrity of a transmission.

Answer 9

No Providing for nonrepudiation is not a reason for data classification.

Answer 10

The Delphi technique is a form of qualitative risk analysis that uses an anonymous feedback-and-response process to arrive at a group consensus.

Answer 11

Integrity Without object integrity, confidentiality cannot be maintained. In fact, integrity and confidentiality depend on one another.

Answer 12

256 bits The strongest keys supported by the Advanced Encryption Standard are 256 bits. The valid AES key lengths are 128, 192, and 256 bits.

Answer 13

Accountability, not authorization Accountability is the ultimate goal of a process started by identification.

Answer 14

Hybrid environment Hybrid environments combine both hierarchical and compartmentalized environments so that security levels have subcompartments.

Answer 15

Technical physical security control (not just physical security controls) Technical physical security controls include access controls; intrusion detection; alarms; closed-circuit television (CCTV); monitoring; heating, ventilating, and air conditioning (HVAC); power supplies; and fire detection and suppression.

Answer 16

A. External connection attempts B. Execution of malicious code C. Access to controlled objects

Answer 17

0 to 1,023

Answer 18

A baseline NIST SP 800-53 discusses security control baselines as a list of security controls. CIS releases security baselines, and a baseline is a useful part of a threat management strategy and may contain a list of acceptable configuration items.

Answer 19

A forensic disk controller performs four functions. 1. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. 2. The other three functions include returning data requested by a read operation, 3. returning access-significant information from the device, and 4. reporting errors from the device back to the forensic host. The controller should not prevent read commands from being sent to the device because those commands may return crucial information.

Answer 20

TGS The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC. It’s worth noting that the client doesn’t communicate with the KDC directly. Instead, it will communicate with the TGT and the AS, which means KDC isn’t an appropriate answer here.

Answer 21

Wave pattern Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitor area, watching for changes in the returned signals bouncing off objects.

Answer 22

A stateful packet inspection firewall Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.

Answer 23

The DES modes of operation are : 1. Electronic Codebook (ECB), 2. Cipher Block Chaining (CBC), 3. Cipher Feedback (CFB), 4. Output Feedback (OFB), and 5. Counter (CTR).

Answer 24

RADIUS is not proprietary XTACACS and TACACS+ are both Cisco proprietary protocols.

Answer 25

A worm, because: * Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. * Viruses and Trojan horses typically require user interaction to spread. * Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

Answer 26

The built-in erase commands are not completely effective on some SSDs.

Answer 27

1. Notice, 2. Choice, 3. Accountability for onward transfer, 4. Security, 5. Data integrity and purpose limitation, 6. Access, 7. Recourse, Enforcement and Liability

Answer 28

Trusted foundry The U.S. Trusted Foundry program helps to protect the supply chain for components and devices by ensuring that the companies that produce and supply them are secure. TEMPEST is the name for a program aimed at capturing data from electronic emissions, GovBuy is not a government program or supplier, and MITRE conducts research and development for the U.S. government.

Answer 29

CER The crossover error rate (CER) is the point where both the false acceptance rate and the false rejection rate cross. CER and ERR, or equal error rate, mean the same thing and are used interchangeably.

Answer 30

Due Diligence The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Answer 31

Proactive Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.

Answer 32

Hand geometry scanners assess the physical dimensions of an individual’s hand but do not verify other unique factors about the individual, or even verify if they are alive. This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems.

Answer 33

Parol evidence rule The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

Answer 34

Directive Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls.

Answer 35

Workflow-based account provisioning Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning.

Answer 36

Cat 5e and Cat 6 Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is only rated to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.

Answer 37

* **Latency** is a delay in the delivery of packets from their source to their destination. * **Jitter** is a variation in the latency for different packets.

Answer 38

Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.

Answer 39

Trade secret Patents and trade secrets can both protect intellectual property in the form of a process. Patents require public disclosure and have expiration dates while trade secrets remain in force for as long as they remain secret. Therefore, trade secret protection most closely aligns with the company’s goals.

Answer 40

SCAP The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information. The National Vulnerability Database (NVD) provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML are industry terms.

Answer 41

A NAC system Network Access Control (NAC) systems can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address–based security feature that can only restrict which systems or devices can connect to a given port.

Answer 42

Whois During the information gathering and discovery phase of a penetration test, testers will gather information about the target. Whois can provide information about an organization, including IP ranges, physical addresses, and staff contacts. Nessus would be useful during a vulnerability detection phase, and Metasploit would be useful during exploitation. zzuf is a fuzzing tool and is less likely to be used during a penetration test.

Answer 43

Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the name and location of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing being turned on is typically either due to misconfiguration or design, or because the server was not properly configured at setup, rather than being a sign of attack.

Answer 44

Steal a user’s cookies. Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user’s cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.

Answer 45

APIPA addresses are assigned between 169.254.0.01 and 169.254.255.254, Automatic Private IP Addressing (APIPA) is Microsoft’s terminology for address autoconfiguration in the Windows 98, ME, 2000 and XP OSs. APIPA allows a local area network (LAN) computer to give itself a unique IP address when Dynamic Host Configuration Protocol (DHCP) is unavailable. APIPA is sometimes known as auto-IP.

Answer 46

Crystal box penetration testing, which is also sometimes called white box penetration testing

Answer 47

Discovery The discovery phase includes activities like gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided. **Banner grabbing is the act of capturing the information provided by banners, configurable text-based welcome screens from network hosts that generally display system information. Banners are intended for network administration.**

Answer 48

**Device fingerprinting via a web portal** can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.

Answer 49

DoS and OS attacks Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.

Answer 50

Type 1 error **Type 1 errors** occur when a valid subject is not authenticated. **Type 2 errors** occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.

Answer 51

The hearsay rule The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

Answer 52

Worm Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

Answer 53

In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS).

Answer 54

Integrity verification Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.

Answer 55

Data diddling is a type of cybercrime in which data is altered as it is entered into a computer system, most often by a data entry clerk or a computer virus. Computerized processing of the altered data results in a fraudulent benefit.

Answer 56

MAC Bell-LaPadula uses security labels on objects and clearances for subjects, and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.

Answer 57

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of _students in any educational institution_ that accepts any form of federal funding.

Answer 58

Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.

Answer 59

Application-level gateway firewall An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.

Answer 60

Multitasking Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.

Answer 61

Scoping Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.

Answer 62

Processing During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

Answer 63

Secret Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the U.S. government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.

Answer 64

Likelihood Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

Answer 65

Sanitization Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.

Answer 66

While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application based attacks and unwanted access to devices, but won’t keep the data secure if the device is lost. Remote wipe and GPS location is useful if the thief allows the device to connect to a cellular or wifi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for re-sale.

Answer 67

Open Relay SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.

Answer 68

Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPsec is a security protocol suite, software-defined networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol. Q - Ed’s organization has 5 IP addresses allocated to them by their ISP but needs to connect over 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use? A - PAT

Answer 69

L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPsec are all IP-only protocols.

Answer 70

**Remnant data** is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.

Answer 71

Maintain compentent records of all investigations and assessments. The four canons of the (ISC)2 code of ethics are 1. To protect society, the common good, necessary public trust and confidence, and the infrastructure; 2. Act honorably, honestly, justly, responsibly, and legally; 3. Provide diligent and competent service to principals; and 4. Advance and protect the profession.

Answer 72

Annually Individuals with specific business continuity roles should receive training on at least an annual basis.

Answer 73

2 Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.

Answer 74

APIPA addresses are assigned between 169.254.0.01 and 169.254.255.254, APIPA. (Automatic Private IP Addressing) The Windows function that provides DHCP autoconfiguration addressing. APIPA assigns a class B IP address from 169.254. 0.0 to 169.254. 255.255 to the client when a DHCP server is either permanently or temporarily unavailable.

Answer 75

Passive Since Lauren wants to monitor her production server, she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.

Answer 76

Set up a virtual span port and capture data using a VM IDS Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.

Answer 77

SPAN [Switch Port Analyzer] Port Mirroring also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.

Answer 78

Compensating A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

Answer 79

In a land attack, the **attacker sends a packet that has identical source and destination IP addresses** in an attempt to crash systems that are not able to handle this out-of-specification traffic.

Answer 80

QualysGuard: Network vulnerability scanning. Nikto: Web vulnerability scanning.

Answer 81

create rule The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.

Answer 82

Metasploit can only test vulnerabilities it has plug-ins for Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.

Answer 83

The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.

Answer 84

Extensible Authentication Protocol (EAP) was originally intended to be used on physically isolated network channels and did not include encryption. Fortunately, it was designed to be extensible, and PEAP (Protected Extensible Authentication Protocol) can provide TLS encryption. EAP isn’t limited to PEAP as an option as EAP-TLS also exists, providing an EAP TLS implementation, and the same extensibility allows a multitude of other authentication methods.

Answer 85

**Key Distribution Center** The key distribution center (KDC) is the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members. **Kerberos Authentication Server** The authentication server hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC. **Ticket-Granting Ticket** A ticket-granting ticket (TGT) provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. A TGT is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present the TGT when requesting tickets to access objects. **Ticket** A ticket is an encrypted message that provides proof that a subject is authorized to access an object. It is sometimes called a service ticket (ST). Subjects request tickets to access objects, and if they have authenticated and are authorized to access the object, Kerberos issues them a ticket. Kerberos tickets have specific lifetimes and usage parameters. Once a ticket expires, a client must request a renewal or a new ticket to continue communications with any server.

Answer 86

**Strengths -** Kerberos is a versatile authentication mechanism that works over local LANs, remote access, and client-server resource requests. **Weaknesses -** Kerberos presents a single point of failure—the KDC. If the KDC is compromised, the secret key for every system on the network is also compromised. Also, if a KDC goes offline, no subject authentication can occur. It also has strict time requirements and the default configuration requires that all systems be time-synchronized within five minutes of each other. If a system is not synchronized or the time is changed, a previously issued TGT will no longer be valid and the system will not be able receive any new tickets. In effect, the client will be denied access to any protected network resources.

Answer 87

Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.

Answer 88

**CGI** stands for Common Gateway Interface, which is a standard for a gateway, or interface, between clients and web servers. **CGI scripts** are potential security holes even though you run your server as "nobody". A subverted CGI script running as "nobody" still has enough privileges to mail out the system password file, examine the network information maps, or launch a log-in session on a high numbered port (it just needs to execute a few commands in Perl to accomplish this).

Answer 89

e-Discovery of electronically stored information (ESI) is the process of producing for a court or external attorney all ESI pertinent to a legal proceeding. The Electronic Discovery Reference Model identifies 8 steps: 1. Identification 2. Preservation 3. Collection 4. Processing 5. Review 6. Analysis 7. Production 8. Presentation

Answer 90

The formula for determining the number of encryption keys required by a symmetric algorithm is ((n\*(n-1))/2). With six users, you will need ((6\*5)/2), or 15 keys

Answer 91

TKIP Temporal Key Integrity Protocol (TKIP) was designed as the replacement for WEP without requiring replacement of legacy wireless hardware. TKIP was implemented into 802.11 wireless networking under the name WPA (Wi-Fi Protected Access). TKIP improvements include a key-mixing function that combines the initialization vector (IV) (i.e., a random number) with the secret root key before using that key with RC4 to perform encryption; a sequence counter is used to prevent packet replay attacks; and a strong integrity check named Michael is used. TKIP and WPA were officially replaced by WPA2 in 2004. Additionally, attacks specific to WPA and TKIP (i.e., coWPAtty and a GPU-based cracking tool) have rendered WPA’s security unreliable.

Answer 92

1. **Discovery** - Footprinting and gathering information about the target 2. **Enumeration** - Performaing port scans and resource identification methods 3. **Vulnerability mapping** -- Identifying vulnerabiliites in identified systems and resources 4. **Exploitation** - Attempting to gain unauthorized access by exploiting vulnerabilities 5. **Report to management** - Delivering to management documentation test findings along with suggested countermeasures

Answer 93

**The SOC1 audit** focuses on a description of security mechanisms to assess their suitability. **The SOC2 audit** focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality.

Answer 94

**With a SOC2 / Type 1 report**, your organization’s controls are assessed at a specific point in time. This report acts as a snapshot of your environment to determine and demonstrate if the controls are suitably designed and in place. For example, we will take an example terminated employee and confirm that their access was properly revoked and documented via a ticketing system. A Type 1 report has the following characteristics: Description of your organization’s system as a whole Assesses the design of your organization’s internal controls Tests a specific point in time

Answer 95

**Type 2 Report** For a Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. Unlike a Type 1 report, Type 2 acts as a historical review of your environment to determine and demonstrate if the controls are suitably designed and in place, as well as operating effectively over time. The audit process will include sample testing within the review period to determine if your organization’s controls are operating effectively. For instance, we will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via ticketing system during the agreed-upon review period. A Type 2 report has the following characteristics: Description of your organization’s system as a whole Assesses the design of your organization’s controls, as well as their operating effectiveness Focuses on a period of time in which the controls are operating Features detailed descriptions of the auditor’s tests and test results of the controls Since a Type 2 report is more granular and comprehensive than a Type 1 report, it often provides your clients with a higher level of assurance.

Answer 96

**ESP’s Transport mode** encrypts IP packet data but leaves the packet header unencrypted. **ESP Tunnel mode** encrypts the entire packet and adds a new header to support transmission through the tunnel.

Answer 97

It's part of level 2 - Repeatable

Answer 98

**Key risk indicators (KRIs)** are often used to monitor risk for organizations that establish an ongoing risk management program. Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information about how organizational risks are changing. **KPIs are key performance indicators**, which are used to assess how an organization is performing. Quantitative risk assessments are good for point-in-time views with detailed valuation and measurement-based risk assessments, whereas a penetration test would provide details of how well an organization’s security controls are working.

Answer 99

The commercial classification scheme discussed by (ISC)2 includes four primary classification levels: * confidential, * private, * sensitive, * public. Secret is a part of the military classification scheme.

Answer 100

Use Case Testing Testing for desired functionality is use case testing. Dynamic testing is used to determine how code handles variables that change over time. Misuse testing focuses on how code handles examples of misuse, and fuzzing feeds unexpected data as an input to see how the code responds.

Answer 101

* Class A: 10.0.0.0 to 10.255.255.255, * Class B: 172.16.0.0 to 172.31.255.255, * Class C: 192.168.0.0 to 196.168.255.255 These should never be routable on the public Internet. Microsoft APIPA address between 169.254.0.1 and 169.254.255.254

Answer 102

2 Organizations should train at least two individuals on every business continuity plan task. This provides a backup in the event the primary responder is not available.

Answer 103

Typically: * **Permissions** include both the access and actions that you can take on an object. * **Rights** usually refer to the ability to take action on an object, and don’t include the access to it. * **Privileges** combine rights and permissions, * **Roles** describe sets of privileges based on job tasks or other organizational artifacts.

Answer 104

* CWR and ECE Congestion Window Reduced (CWR) and ECN-Echo (ECE) are used to manage transmission over congested links, and are rarely seen in modern TCP networks.

Answer 105

* **Fault** is a momentary loss of power. * **Blackouts** are sustained complete losses of power. * **Sags** and **B****rownouts** are not complete power disruptions but rather periods of low voltage conditions.

Answer 106

Lauren’s team would benefit from a credential management system. Credential management systems offer features like password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. **Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher sensitivity systems.**

Answer 107

The business or mission owner’s role is responsible for making sure systems provide value. When controls decrease the value that an organization gets, the business owner bears responsibility for championing the issue to those involved. **There is not a business manager or information security analyst role in the list of NIST-defined data security roles.** A data processor is defined but acts as a third-party data handler and would not have to represent this issue in Olivia’s organization.

Answer 108

* Ring 0 The kernel lies within the central ring, Ring 0. * Ring 1 contains other operating system components. * Ring 2 is used for drivers and protocols. * Ring 3 - User-level programs and applications run at Ring 3. Rings 0–2 run in privileged mode whereas Ring 3 runs in user mode.

Answer 109

CVSS * CVSS - The Common Vulnerability Scoring System (CVSS) uses measures such as attack vector, complexity, exploit maturity, and how much user interaction is required as well as measures suited to local concerns. * CVE is the Common Vulnerabilities and Exposures dictionary, * CNA is the CVE Numbering Authority, and * NVD is the National Vulnerability Database.

Answer 110

An individual does not have a reasonable expectation of privacy when any communication takes place using employer-owned communications equipment or accounts.

Answer 111

* **Checklist review** - the checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. * **TableTop exercise** - During a tabletop exercise, _team members come together_ and walk through a scenario without making any changes to information systems. * **Parallel Test** During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. * **Full interruption test,** the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.

Answer 112

1Category 5e: B. 300 feet. Coaxial (RG-58): A. 500 feet. Fiber optic: C. 1+ Kilometers.

Answer 113

* **Unclassified** 1. **Sensitive, but unclassified** 2. **Confidential** data could be expected to cause damage. 3. **Secret** - The U.S. government classifies data that could reasonably be expected to cause damage to national security if disclosed, and for which the damage can be identified or described, as Secret. The U.S. government does not use Classified in its formal four levels of classification. 4. **Top Secret** - Top Secret data could cause exceptionally grave damage,

Answer 114

* Public * Sensitive * Private * Confidential

Answer 115

The purpose of a digital certificate is to provide the general public with an authenticated copy of the certificate subject’s public key.

Answer 116

CA’s private key The last step of the certificate creation process is the digital signature. During this step, the certificate authority signs the certificate using its own private key.

Answer 117

CA’s public key When an individual receives a copy of a digital certificate, he or she verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the certificate.

Answer 118

Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.

Answer 119

* **Remote journaling** transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly. * **Transaction logging** is not a recovery technique alone; it is a process for generating the logs used in remote journaling. * **Electronic valuting** - in an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily. * **Remote mirroring** maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.

Answer 120

* **SOC 1, Type 1** - A report that provides the auditor’s opinions of financial statements about controls at the service organization and that includes a report on the opinion on the presentation of the service organization’s system as well as suitability of the controls. * **SOC 1, Type 2** - A report that provides an assessment of the risk of material misstatement of financial statement assertions affected by the service organization’s processing and that includes a description of the service auditor’s tests of the controls and the results of the tests and their effectiveness. * **SOC 2** - A report that provides predefined, standard benchmarks for controls involving confidentiality, availability, integrity, and privacy of a system and the information it contains, generally for restricted use. * **SOC 3** - A general use report that reports on controls related to compliance and/or operations.

Answer 121

Jim must comply with the informatin in this document Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.

Answer 122

Purge The three categories of data destruction are clear (overwriting with nonsensitive data), purge (removing all data), and destroy (physical destruction of the media). **Degaussing is an example of a purging technique.**

Answer 123

PSH is a TCP flag used to clear the buffer, resulting in immediately sending data, and URG is the TCP urgent flag. These flags are not present in UDP headers.

Answer 124

Business Logic Errors How CISSP exam thinks: Business logic errors are most likely to be missed by automated functional testing. If a complete coverage code test was conducted, runtime, input validation, and error handling issues are likely to have been discovered by automated testing. Any automated system is more likely to miss business logic errors, because humans are typically necessary to understand business logic issues.

Answer 125

Warm Site - assume about a week after the disaster Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a very long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.

Answer 126

Test coverage is computed using the formula test coverage = number of use cases tested/total number of use cases. Code coverage is assessed by the other formulas, including function, conditional, and total code coverage.

Answer 127

Automated recovery **Automated recovery** - In an automated recovery, the system can recover itself against one or more failure types. **Manual Recovery** - In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. **In an automated recovery without undue loss**, the system can recover itself against one or more failure types and also preserve data against loss. **In function recovery**, the system can restore functional processes automatically.

Answer 128

California Online Privacy Protection Act (CalOPPA) requires a conspicuously posted privacy policy for any commercial websites or online services that collect personal information on California residents.

Answer 129

Irises don’t change as much as other factors. Iris scans have a longer useful life than many other types of biometric factors because they don’t change throughout a person’s lifespan (unless the eye itself is damaged). Iris scanners can be fooled in some cases by high-resolution images of an eye, and iris scanners are not significantly cheaper than other scanners.

Answer 130

This is an encrypted email message. The S/MIME secure email format uses the P7S format for encrypted email messages. If the recipient does not have a mail reader that supports S/MIME, the message will appear with an attachment named smime.p7s.

Answer 131

**Aggregation** - is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone. **An inference problem** occurs when an attacker can pull together pieces of less sensitive information _from multiple sources_ and use them to derive information of greater sensitivity. In cases where only a single source was used, it will be an aggregation issue.

Answer 132

**Candidate Key** - Super key is a set of one or multiple attributes which can uniquely identify a record in a table. _A candidate key is a key selected from the set of super keys._ Furthermore, the candidate key should not have any redundant attributes. **Primary Key** - A primary key is a candidate key. It is considered as the main key for any table. It helps to uniquely identify each row or a record of the table. Note - Any primary key is, by definition, also a candidate key.

Answer 133

A Specification * **Specifications** are document-based artifacts like policies or designs. * **Activities** are actions that support an information system that involves people. * **Mechanisms** are the hardware-, software-, or firmware-based controls or systems in an information system, and an * **Individual** is one or more people applying specifications, mechanisms, or activities.

Answer 134

Gray box **In a gray box test**, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.

Answer 135

Implement a SIEM A Security Information and Event Management (SIEM) tool is designed to centralize logs from many locations in many formats and to ensure that logs are read and analyzed despite differences between different systems and devices.

Answer 136

Watermarking Watermarking alters a digital object to embed information about the source, either in a visible or hidden form. Digital signatures may identify the source of a document but they are easily removed. Hashing would not provide any indication of the document source, since anyone could compute a hash value. Document staining is not a security control.

Answer 137

Second floor Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.

Answer 138

Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.

Answer 139

Link State OSPF is a link state protocol. Link state protocols maintain a topographical map of all connected networks and preferentially select the shortest path to remote networks for traffic. A distance vector protocol would map the direction and distance in hops to a remote network, whereas shortest path first and link mapping are not types of routing protocols.

Answer 140

Digital Signature Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.

Answer 141

Set the Secure attribute for the cookies, thus forcing TLS. Setting the Secure cookie will only allow cookies to be sent via HTTPS TLS or SSL sessions, preventing man-in-the-middle attacks that target cookies. The rest of the settings are problematic: Cookies are vulnerable to DNS spoofing. Domain cookies should usually have the narrowest possible scope, which is actually accomplished by not setting the Domain cookie. This allows only the originating server to access the cookie. Cookies without the Expires or Max-age attributes are ephemeral and will only be kept for the session, making them less vulnerable than stored cookies. Normally, the HTTPOnly attribute is a good idea, but it prevents scripting rather than requiring unencrypted HTTP sessions.

Answer 142

TCP; none—TACACS+ encrypts the full session TACACS+ uses TCP, and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.

Answer 143

The client workstation supplies it in the form of a client-to-server ticket and an authenticator. When a client connects to a service server (SS), it sends the following two messages: * The client-to-server ticket, encrypted using service’s secret key * A new authenticator, including the client ID and timestamp that is encrypted using the Client/Server session key. The server or service that is being accessed receives all of the data it needs in the service ticket. To do so, the client uses a client-to-server ticket received from the Ticket Granting Service.

Answer 144

2G * **2G Technologies** - CDMA, GSM, and IDEN are all 2G technologies. * **3G Technologies** - EDGE, DECT, and UTMS * **4G technologies** include WiMax, LTE, and IEE 802.20 mobile broadband.

Answer 145

Closed Head Dry pipe, deluge, and preaction systems all use pipes that remain empty until the system detects signs of a fire. Closed-head systems use pipes filled with water that may damage equipment if there is damage to a pipe.

Answer 146

She has to make sure that appropriate security controls are in place to protect the data. * **System owners** have to ensure that the systems they are responsible for are properly labeled based on the highest level of data that their system processes, and they have to ensure that appropriate security controls are in place on those systems. * **Data owners** own the classification process.

Answer 147

ST Vendors complete security targets (STs) to describe the controls that exist within their product. During the review process, reviewers compare those STs to the entity’s Protection Profile (PP) to determine whether the product meets the required security controls.

Answer 148

Automated recovery without undue data loss In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.

Answer 149

Antenna placement, antenna type, and antenna power levels Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.

Answer 150

RTO The recovery time objective (RTO) is the amount of time that it may take to restore a service after a disaster without unacceptable impact on the business. The RTO for each service is identified during a business impact assessment.

Answer 151

OCSP The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

Answer 152

It uses a handshake. TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections nor does the fact that it works via network connections make it connection-oriented.

Answer 153

The waterfall methodology is compatible with the SDLC. SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including the waterfall and spiral models. The SDLC does not mandate the use of an iterative or sequential approach; it allows for either approach.

Answer 154

TCP headers can be 20 to 60 bytes long depending on options that are set.

Answer 155

They should use the same requirements as data over any public network. Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks like hotels, conference Wi-Fi, and similar scenarios. Encrypting all data is difficult, and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.

Answer 156

Connect to his company’s encrypted VPN service.

Answer 157

Depth NIST Special Publication 800-53 describes depth and coverage. **Depth** is the level of detail, rigor, and formality of artifacts produced during design and development. Coverage is the breadth and scope of the assessment conducted. If you encounter a question like this and are not familiar with the details of a standard like NIST 800-53, or may not remember them, focus on the meanings of each word and the details of the question. We can easily rule out affirmation, which isn’t a measure. Suitability is a possibility, but depth fits better than suitability or coverage.

Answer 158

BAA HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).

Answer 159

When data reaches the Transport layer, it depends on whether it's TCP or UDP. * TCP sends segments * UDP sends datgrams Above the Transport layer, data becomes a data stream, while below the Transport layer they are converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

Answer 160

PGP stands for pretty good privacy Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. The PGP email system, invented by Phil Zimmerman, uses the “web of trust” approach to secure email. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) encryption/decryption, and SHA hashing.

Answer 161

Dynamic Host Configuration Protocol (DHCP) uses port 68 for client request broadcast and port 67 for server point-to-point response.

Answer 162

Internet email must comply with the X.400 standard.

Answer 163

Hosts and networks Tunnel mode VPNs are used to connect networks to networks or networks to hosts. Transport mode is used to connect hosts to hosts. Host, server, client, terminal, and domain controller are all synonyms.

Answer 164

IPSec IPsec is a VPN protocol that can be implemented as the payload encryption mechanism when L2TP is used to craft the VPN connection for an IP communication.

Answer 165

Permanent virtual circuit A PVC reestablishes a link using the same basic parameters or virtual pathway each time it connects. SVCs use unique settings each time. Bandwidth on demand links can be either PVCs or SVCs.

Answer 166

To allow management to review all changes The primary purpose of change management is to allow management to review all changes. However, it is true that the overall goal of change management is to prevent unwanted reductions to security.

Answer 167

Availability Availability has the most avenues or vectors of attack and compromise. Availability can be affected by damaging the resource, compromising the resource host, interfering with communications, or attacking the client.

Answer 168

The first step toward granting a user access is for them to claim an identity (identification). That is followed by verifying credentials (authentication), then by granting authority (authorization), and finally by monitoring activity (auditing).

Answer 169

Legal defense/support of authentication To effectively hold users accountable, your security must be legally defensible. Primarily, you must be able to prove in a court that your authentication process cannot be easily compromised. Thus, your audit trails of actions can then be tied to a human.

Answer 170

Integrity protection is not about stopping all change but preventing unwanted, unintended, and malicious change as well as ensuring the retention of correct information.

Answer 171

Policies, standards, baselines, guidelines, and procedures can be combined in a single document. Avoid combining policies, standards, baselines, guidelines, and procedures in a single document. Each of these structures must exist as a separate entity because each performs a different specialized function.

Answer 172

Complete and detailed valuation of all assets

Answer 173

Prescribe tasks to roles As a general rule of thumb, security policies (as well as standards, guidelines, and procedures) should not address specific individuals. Instead of assigning tasks and responsibilities to a person, they should be defined for a role. Then these defined roles are assigned to individuals as a job description or an assigned work task. The assignment of a role to a person is not part of the security policy documentation. Rather, that activity is a function of administrative control or personnel management. Thus, a security policy does not define who is to do what but rather what must be done by the various roles within the security infrastructure.

Answer 174

(ALE1 – ALE2) – CM cost

Answer 175

Job descriptions Job descriptions are essential to user and personnel security. Only when it’s based on a job description does a background check have true meaning. Without a job description, auditing and monitoring cannot determine when a user performs tasks outside of their assigned work. Without a job description, administrators do not know what level of access to assign via DAC.

Answer 176

Determining priority The risk analysis equations—specifically, the ALE and the cost/benefit equation—produce results that are primarily used to prioritize security efforts. The largest values should be addressed and resolved first. The values are not directly used to obtain insurance or assign responsibility, and they’re not realistic enough to be used as actual cost/loss expectations.

Answer 177

SELECT() SELECT() is not an aggregate function but an SQL command. MAX() is an aggregate function that selects the maximum value from a set. SUM() is an aggregate function that adds values together. AVG() is an aggregate function that determines the mathematical average of a series of values.

Answer 178

DNS uses a hierarchical model to organize data, with root name servers representing the top-level domains and authority distributed hierarchically to child servers.

Answer 179

Traverse mode noise Traverse mode noise is generated by the difference in power between the hot and neutral wires of a power source or operating electrical equipment.

Answer 180

There are two types of electromagnetic interference (EMI): common mode and traverse mode. **Common mode noise** is generated by a difference in power between the hot and ground wires of a power source or operating electrical equipment. **Traverse mode noise** is generated by a difference in power between the hot and neutral wires of a power source or operating electrical equipment.

Answer 181

.NET Framework The .NET Framework includes the Common Language Interface to support multiple programming languages.

Answer 182

The risk remaining after a countermeasure is installed

Answer 183

10 years Trademarks are protected for an initial 10-year period and may be renewed for unlimited successive 10-year periods.

Answer 184

Removal **Removal** removes the malicious code but does not repair the damage caused by it. **Cleaning** not only removes the code, but it also repairs any damage the code has caused.

Answer 185

Creating botnets Most malware is designed to add systems to botnets, where they are later used for other nefarious purposes, such as sending spam or participating in distributed denial-of-service attacks.

Answer 186

Receiver’s name The receiver’s name is not a necessary component of a digital certificate.

Answer 187

Secure Shell (SSH) provides secure replacements for a number of common Internet utilities, such as converting FTP to SFTP, and internal network utilities, such as converting rexec to sexec.

Answer 188

ISAKMP The Internet Security Association and Key Management Protocol (ISAKMP) provides background security support services for IPsec, including managing security associations.

Answer 189

AH The Authentication Header (AH) provides assurances of message integrity and nonrepudiation.

Answer 190

Goguen-Meseguer The Goguen-Meseguer model is based on predetermining the set or domain of objects that a subject can access. The set or domain is a list of those objects that a subject can access. This model is based on automation theory and domain separation. This means subjects are able to perform only predetermined actions against predetermined objects.

Answer 191

Trusted subject A trusted subject can violate the star property of “no write down” in the act of declassification, which is not an actual violation of security.

Answer 192

Bounds The bounds of a process consist of limits set on the memory addresses and resources it can access. The bounds state or define the area within which a process is confined.

Answer 193

XML exploitation XML exploitation is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization.

Answer 194

Quality of service management Failing to provide data flow control means failing to provide quality of service management as well.

Answer 195

Security target Security targets (STs) specify the claims of security from the vendor that are built into a TOE.

Answer 196

## Footnote Graham-Denning The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Ultimately, Graham-Denning is a collection of eight primary protection rules or actions (listed in the question) that define the boundaries of certain secure actions.

Answer 197

Source or origin The source or origin of a resource is rarely a serious criterion in the assignment of a classification label. The other options are just a few of the important criteria of classification assignment.

Answer 198

Data custodian The security role of data custodian is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Answer 199

AV - The asset value (AV) is a monetary measure of an asset’s worth to the organization.

Answer 200

Qualitative decision-making Qualitative decision-making takes non-numerical factors, such as emotional impact, into consideration.

Answer 201

Future events that might warrant reconsideration

Answer 202

Vital records program

Answer 203

**Electronic vaulting** automatically backs up data to a secure site where storage professionals at the vaulting company’s site handle the details.

Answer 204

Remote journaling Remote journaling data transfers are performed expeditiously on a frequent (usually hourly) basis through copies of the transaction logs.

Answer 205

**Transitive trust** is the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property—which works like it would in a mathematical equation: if a = b, and b = c, then a = c. In the previous example, when A requests data from B and then B requests data from C, the data that A receives is essentially from C. Transitive trust is a serious security concern because it may enable bypassing of restrictions or limitations between A and C, especially if A and C both support interaction with B

Answer 206

**A credential management system** provides a storage space for users to keep their credentials when SSO isn’t available. Users can store credentials for websites and network resources that require a different set of credentials. The management system secures the credentials with encryption to prevent unauthorized access. As an example, Windows systems include the Credential Manager tool. Users enter their credentials into the Credential Manager and when necessary, the operating system retrieves the user’s credentials and automatically submits them. When using this for a website, users enter the URL, username, and password. Later, when the user accesses the website, the Credential Manager automatically recognizes the URL and provides the credentials.

Answer 207

SLE stands for Single Loss Expectancy SLE = Asset Value x Exposure Factor (EF)

Answer 208

The Exposure Factor represents the percentage of loss a realized threat could have on a certain asset. If a data warehouse was valued at $150K and the EF was 25%, then the SLE would be ($150K x 25%) = $37.5K

Answer 209

ALE stands for Annual Loss Expectancy. ALE = SLE x Annualized Rate of Occurrence (ARO) ARO stands for Annual Rate of Occurence and it is the estimated frequency of a specific threat taking place within a 12-month timeframe Key point -- Never spend more per year than the ALE to protect something.

Answer 210

(ALE before implementing safeguard) - (ALE after implementing safeguard) - - _(Annual cost of safeguard)_ =Value of Safeguard to company

Answer 211

* Kerberos * Security Domains * Directory Services * Thin Clients

Answer 212

* A CA is a trusted organization (or server) that maintains and issues digital certificates. * Could be at a company * Could be something like Verisign * A CA is a component of PKI

Answer 213

A man in the middle attack

Answer 214

When two private CA's each trust the other in order for two separate organizations to be able to communicate securely

Answer 215

A CRL is a list of certs that have been revoked. The CRL is maintained by the CA.

Answer 216

* It's an improvement over the CRL approach * When OCSP is implemented, it checks the CRL in the background as part of the protocol * Thus, the CRL is checked every time and we are not risking trusting entities with certs that have been revoked for one reason or another

Answer 217

* A certificate is the mechanism used to associate a public key with a collection of components in a manner that is sufficient to uniquely identify the claimed owner. * The cert includes a serial number, version number, identity information, algorithm information, lifetime dates and the signature of the issuing authority.

Answer 218

The RA performs the certificate registration duties

Answer 219

* Certification Authority * Registration Authority * Certificate Repository * Certificate Revocation System * Key backup and recovery system * Automatic key update * Management of Key Histories * Timestamping * Client-side software

Answer 220

* Confidentiality * Access Control * Integrity * Authentication * Non-repudiation

Answer 221

100 meters.

Answer 222

Reflected Input Cross-site scripting attacks are successful only against web applications that include reflected input. Reflected Input Example - a simple web application that contains a single text box asking a user to enter their name. When the user clicks Submit, the web application loads a new page that says, “Hello, name.”

Answer 223

Input validation nput validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML tag in the input.

Answer 224

The tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.

Answer 225

* **Cross-site scripting** uses reflected input to trick a user’s browser into executing untrusted code from a trusted site. * **Cross-site request forgery (XSRF or CSRF)** attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites.

Answer 226

ISO/IEC 15408 These are Common Criteria for the evaluation of the security level of a system

Answer 227

* EAL1 - Functionally tested * EAL2 - Structurally tested * EAL3 - Methodically tested and checked * EAL4 - Methodically designed, tested and reviewed * EAL5 - Semiformally designed and tested * EAL6 - Semiformally verified design and tested * EAL7 - Formally verified design and tested

Answer 228

It means that it's based on a model that can be mathematically proven

Answer 229

Protection profiles (pp)

Answer 230

1. Security Problem Description 2. Security Objectives 3. Security Requirements

Answer 231

* It only means it has the potential of providing the specified level of protection. It must be properly configured to actually provide the desired level of protection * It is up to the customer to keep the software properly configured at all times. * The level of protection is a point in time snapshot. The next version of the software could have a lower level of protection

Answer 232

* ISO/IEC 15408-1 Introduction and General model * ISO/IEC 15408-2 Security Functional Components * ISO/IEC 15408-3 Security Assurance Components

Answer 233

* Certification is the comprehensive technical evaluation of the security components and their compliance for the purpose of accredition * The goal of the certification process is to ensure that a system, product, or network is right for the customer's purposes * Accreditation is the formal acceptance of the adequacy of a system's overall security and functionality by management. * Following examination of the certifaction information, Management makes a formal accreditation statement

Answer 234

* Users - active agents * Transformation procedures (TP's) * Constrained data items (CDI's) * Unconstrained data items (UDI's) * Integrity Verification Procedures (IVP's)

Answer 235

**Well formed transactions** - these are a series of operations that transform a data item from one consistent state to another.

Answer 236

* Data is separated into CDI (secure and worthy of protection) and UDI (less critical) * Users can't modify CDI directly. They must use Transformation Procedures to modify the data on behalf of the user * The IVP ensures that all critical data manipulation follows the application defined integrity rules * The Clark-Wilson model enforces the "access triple" 1. Subject (user) 2. Program (TP) 3. Object (CDI)

Answer 237

* A non-interference model ensures that any actions that take place at a higher level of security do not affect or interfere with actions that take place at a lower level * It is concerned about what a subject knows about the state of the system * It is designed to prevent data leakage. If an entity at a higher security level performs an action, it cannot change the state for an entity at a lower security level.

Answer 238

* The model allows for dynamically changing access controls that protect against conflicts of interest * The Brewer and Nash model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset * Its main goal is to protect against conflicts of interest by users' access attempts (example -- stock broker having access to earnings report) * It is also known as the Chinese Wall model

Answer 239

* How to securely create an object * How to securely create a subject * How to securely delete an object * How to securely delete a subject * How to securely provide the read access right * How to securely provide grant the access right * How to securely provide the delete access right * How to securely provide transfer access rights

Answer 240

The Harrison-Ruzzo-Ullman model deals with access rights of subjects and the integrity of those rights A subject can carry out only a finite set of operations on an object. Gist -- If there is a complex operation required (Steps A-F, for example) and one of those commands is not authorized, then the whole operation fails. Think transaction integrity

Answer 241

ICMP Type 3 SNMP is a UDP-based service. UDP does not have any means of sending back errors, because it is a simplex protocol. Thus, when UDP errors occur, the system will switch protocols and use ICMP to send back information. In the case of a non-existing service, the port is thus not available, so an ICMP Type 3 error will be returned.

Answer 242

* **Trike** -is a threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD. It provides a method of performing a security audit in a reliable and repeatable procedure. * **STRIDE** stands for * Spoofing * Tampering * Repudiation * Information Disclosure * Denial of Service * Elevation of Privilege * **DREAD** * Disaster, * Reproducibility, * Exploitability, * Affected Users * Discoverability * **VAST -** is a threat modeling concept based on Agile project management and programming principles. * Visual * Agile * Simple * Threat

Answer 243

Polymorphic viruses actually modify their own code as they travel from system to system. The virus’s propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system.

Answer 244

Audit trail Audit trails provide a comprehensive record of system activity and can help detect a wide variety of security violations, software flaws, and performance problems. An audit trail includes a variety of logs, including change logs, security logs, and system logs, but any one of these individual logs can’t detect all the issues mentioned in the question.

Answer 245

Hybrid The hybrid model includes a combination of two or more clouds or an on-site/cloud hybrid approach. The other answers refer to a single cloud-based structure. A community model is shared with two or more organizations but it can be a single cloud. A private cloud is private to an organization, and a public cloud is available to any organization.

Answer 246

TCP ACK scan The TCP ACK scan sends an ACK packet, simulating a packet from the middle of an already established connection.

Answer 247

Quarantine NAC often operates in a pre-admission philosophy in which a system must meet all current security requirements (such as patch application and antivirus updates) before it is allowed to communicate with the network. This often means systems that are not in compliance are quarantined or otherwise involved in a captive portal strategy in order to force compliance before network access is restored.

Answer 248

Asynchronous one-time passwords An asynchronous token generates and displays one-time passwords using a challenge-response process to generate the password. A synchronous token is synchronized with an authentication server and generates synchronous one-time passwords. Static passwords are not one-time passwords but instead stay the same for a period of time. A passphrase is a static password created from an easy-to-remember phrase.

Answer 249

A reset has been transmitted. The flag value of 00000100 indicates a RST, or reset flag, has been transmitted. This is not necessarily an indication of malicious activity.

Answer 250

**Biometric systems using a one-to-many search** provide identification by searching a database for a match. **Biometric systems using a one-to-one search** provide authentication. **Biometric systems do not provide authorization or accountability.**

Answer 251

Nondiscretionary access control Nondiscretionary access control enables the enforcement of systemwide restrictions that override object-specific access control.

Answer 252

Sender Policy Framework (SPF) To protect against spam and email spoofing, an organization can also configure their SMTP servers for Sender Policy Framework. SPF operates by checking that inbound messages originate from a host authorized to send messages by the owners of the SMTP origin domain.

Answer 253

Opportunistic TLS for SMTP will attempt to set up to an encrypted connection with every other email server in the event that it is supported; otherwise, it will downgrade to plaintext.

Answer 254

Multilevel In a multilevel security mode system, there is no requirement that all users have appropriate clearances to access all the information processed by the system.

Answer 255

1. DREAD 2. Probability \* Damage Potential 3. igh/medium/low.

Answer 256

Top-down approach

Answer 257

FISMA The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency’s operations.

Answer 258

Yes, Deterrent access control is deployed to discourage violation of security policies.

Answer 259

Trusted A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

Answer 260

Production

Answer 261

A threat could pass through a single checkpoint that did not address its particular malicious activity. Parallel security designs are insecure because a threat could pass through a single checkpoint that did not address its particular malicious activity. **Think physical security. Bank (serial) vs. shopping mall (parallel)**

Answer 262

Absraction Abstraction describes putting similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

Answer 263

Classification level Classification level is assigned based on an asset’s value as well as its sensitivity and confidentiality. It is not used as a valuation element.

Answer 264

Nondiscretionary access control Nondiscretionary access control enables the enforcement of systemwide restrictions that override object-specific access control.

Answer 265

Compartmentalized environment Compartmentalized environments require specific security clearances over compartments or domains instead of objects.

Answer 266

Strategic A strategic plan is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives. It is useful for about five years if it is maintained and updated annually. The strategic plan also serves as the planning horizon. Long-term goals and visions of the future are discussed in a strategic plan.

Answer 267

Changes can be rolled back to a previous state.

Answer 268

Level 0 Supervisory mode programs are run by the security kernel, at Level 0 of the ring protection scheme.

Answer 269

Distributed reflective denial of service Coordinated attack efforts between cooperative machines using traffic in an entirely legitimate manner are distributed reflective denial-of-service attacks. A distributed reflective denial-of-service (DRDoS) attack is a variant of a DoS. It uses a reflected approach to an attack. In other words, it doesn’t attack the victim directly, but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources. Domain Name System (DNS) poisoning attacks (covered in Chapter 12) and smurf attacks (covered later in this chapter) are examples.

Answer 270

Encryption

Answer 271

Stealth viruses rick antivirus software into thinking everything is functioning normally. Stealth viruses alter operating system file access routines so that when an antivirus package scans the system, it is provided with the information it would see on a clean system rather than with infected versions of data.

Answer 272

No, it's not a reliable security practice. Too easily spoofed.

Answer 273

Remote dialing Remote dialing (aka hoteling) is the vulnerability or feature of a PBX system that allows for an external entity to piggyback onto the PBX system and make long-distance calls without being charged for the tolls.

Answer 274

Field-powered device A field-powered device has electronics that activate when the device enters the electromagnetic field that the reader generates. Such devices actually generate electricity from an EM field to power themselves.

Answer 275

The symbol ⊕ represents the exclusive OR (XOR) function, which is true when one and only one of the input bits is true.

Answer 276

Tor While all of these technologies may be used in attempts to achieve anonymity, Tor is the only technology listed that may provide anonymized browsing when properly implemented.

Answer 277

Tor stands for The Onion Router and is a privacy-oriented browser. It provides its privacy and security by relaying your traffic across different networks known as nodes. These nodes are placed globally all over the world ensuring that neither no one can see your origin and destination IP locations.

Answer 278

Slow speed Public key cryptosystems are notoriously slower than their secret key counterparts. They eliminate the difficulty of key exchange and provide for both scalability and nonrepudiation

Answer 279

Password guessing

Answer 280

To host resources accessed by outside visitors but that are still isolated from the private network

Answer 281

1. People, 2. Infrastructure 3. Buildings/facilities.

Answer 282

Simulation tests are similar to the structured walk-throughs.

Answer 283

Trust comes first. Trust is built into a system by crafting the components of security. Then assurance (in other words, reliability) is evaluated using certification and/or accreditation processes.

Answer 284

**Full Backups** As the name implies, full backups store a complete copy of the data contained on the protected device. Full backups duplicate every file on the system regardless of the setting of the archive bit. Once a full backup is complete, the archive bit on every file is reset, turned off, or set to 0. **Incremental Backups** Incremental backups store only those files that have been modified since the time of the most recent full or incremental backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. Once an incremental backup is complete, the archive bit on all duplicated files is reset, turned off, or set to 0. **Differential Backups** Differential backups store all files that have been modified since the time of the most recent full backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. However, unlike full and incremental backups, the differential backup process does not change the archive bit.

Answer 285

Business continuity planning

Answer 286

A product that automates the inspection of audit logs and real-time event information to detect intrusion attempts and possibly also system failures An intrusion detection system (IDS) is a product that automates the inspection of audit logs and real-time event information to detect intrusion attempts. Option A defines a firewall,

Answer 287

To lure attackers into a bogus system or network environment and present sufficient material of apparent worth or interest to keep the attacker around long enough to track them down A honeypot (single system) or honeynet (entire network) is intended to provide a lure for attackers, and by design it provides sufficient material of apparent worth or interest to keep attackers around for a while.

Answer 288

The relationship between assets, vulnerabilities, and threats The primary purpose for operations security is to safeguard information assets that reside in a system day to day, to identify and safeguard any vulnerabilities that might be present in that system, and to prevent any exploitation of threats. Administrators often call the relationship between assets, vulnerabilities, and threats an operations security triple.

Answer 289

The ® symbol is reserved for trademarks that have received official registration status by the US Patent and Trademark Office. If you use a trademark in the course of your public activities, you are automatically protected under any relevant trademark law and can use the ™ symbol to show that you intend to protect words or slogans as trademarks.

Answer 290

Timely To be admissible, evidence must be: * relevant * material * competent (means it must have been obtained legally)

Answer 291

Voluntary surrender Internal investigations usually operate under the authority of senior managers, who grant access (i.e., voluntary surrender) to all information and resources necessary to conduct the investigation.

Answer 292

**compromise** If system security has been broken, the system is considered compromised.

Answer 293

Take no action that jeopardizes the business interests of principals. The Code of Ethics does not require that you protect the business interests of the principals. In fact, you may find yourself ethically bound to take action that jeopardizes those business interests.

Answer 294

**The cardinality** of a table refers to the number of rows in the table, **The degree** of a table is the number of columns.

Answer 295

**Local Alarm System** Local alarm systems must broadcast an audible (up to 120 decibel [db]) alarm signal that can be easily heard up to 400 feet away. Additionally, they must be protected from tampering and disablement, usually by security guards. For a local alarm system to be effective, there must be a security team or guards positioned nearby who can respond when the alarm is triggered. **Central Station System** The alarm is usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach. Most residential security systems are of this type. Most central station systems are well-known or national security companies, such as Brinks and ADT. A proprietary system is similar to a central station system, but the host organization has its own onsite security staff waiting to respond to security breaches. **Auxiliary Station** Auxiliary alarm systems can be added to either local or centralized alarm systems. When the security perimeter is breached, emergency services are notified to respond to the incident and arrive at the location. This could include fire, police, and medical services.

Answer 296

Companion viruses are self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file. They rely on the default filename extensions that Windows-based operating systems append to commands when executing program files (.com, .exe, and .bat, in that order). For example, if you had a program on your hard disk named game.exe, a companion virus might use the name game.com. If you then open a Command tool and simply type GAME, the operating system would execute the virus file, game.com, instead of the file you actually intended to execute, game.exe.

Answer 297

An electronic access control (EAC) lock comprises three elements: * an electromagnet to keep the door closed, * a credential reader to authenticate subjects and to disable the electromagnet, * door-closed sensor to reenable the electromagnet.

Answer 298

Enterprise extended Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.

Answer 299

Low Orbit Ion Cannon (LOIC) is a commonly used distributed denial of service (DDoS) attack toolkit.

Answer 300

Satan and Saint are reconnaissance utilities used to map networks and scan for known vulnerabilities.

Answer 301

Mobile site plan Details of mobile sites are part of a disaster recovery plan, rather than a business continuity plan, since they are not deployed until after a disaster strikes. (some questions may be about differentiating between BCP and DR plans).

Answer 302

USGS The US Geological Survey provides detailed earthquake risk data for locations in the United States. FEMA develops flood maps

Answer 303

Heuristic detection Heuristic detection techniques develop models of normal activity and then identify deviations from that baseline.

Answer 304

Both omissions and errors are difficult aspects to protect against, particularly as they deal with human and circumstantial origins.

Answer 305

Response Evidence collection takes place during the response phase of the incident. Incidents are identified and verified during the detection phase. Compliance with laws might occur during the reporting phase, depending on the incident. Personnel typically perform a root-cause analysis during the remediation phase.

Answer 306

Hardware segmentation is similar to process isolation in purpose. It prevents the access of information that belongs to a different process/security level.

Answer 307

Hardware segmentation is similar to process isolation in purpose. It prevents the access of information that belongs to a different process/security level. The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system. Such implementations are rare, and they are generally restricted to national security implementations where the extra cost and complexity is offset by the sensitivity of the information involved and the risks inherent in unauthorized access or disclosure.

Answer 308

128 bits The MD5 algorithm produces 128-bit hashes regardless of the size of the input message.

Answer 309

Clark-Wilson model Of the four models mentioned, Biba and Clark-Wilson are most commonly used for commercial applications because both focus on data integrity. Of these two, Clark-Wilson offers more control and does a better job of maintaining integrity, so it’s used most often for commercial applications. Bell-LaPadula is used most often for military applications. Brewer and Nash applies only to datasets (usually within database management systems) where conflict-of-interest classes prevent subjects from accessing more than one dataset that might lead to a conflict-of-interest situation.

Answer 310

Periodic security audits Failing to perform periodic security audits can result in the perception that due care is not being maintained. Such audits alert personnel that senior management is practicing due diligence in maintaining system security. An organization should not indiscriminately deploy all available controls but should choose the most effective ones based on risks.

Answer 311

Antivirus software Antivirus software is not a deterrent access control, though it can be identified as a preventive, corrective, or recovery access control. Examples of deterrent access controls include security policies, cameras, awareness training, fences, locks, security badges, and guards.

Answer 312

* security policies * cameras * awareness training * fences, * locks, * security badges, * guards.

Answer 313

In the read-through test, you distribute copies of the disaster recovery plan to key personnel for review but do not actually meet or perform live testing.

Answer 314

1. Read-through tests involve the distribution of recovery checklists to disaster recovery personnel for review. 2. Structured walk-throughs are “tabletop” exercises that involve assembling the disaster recovery team to discuss a disaster scenario. 3. Simulation tests are more comprehensive and may impact one or more noncritical business units of the organization. 4. Parallel tests involve relocating personnel to the alternate site and commencing operations there. 5. Full-interruption tests involve relocating personnel to the alternate site and shutting down operations at the primary site.

Answer 315

**Hierarchical Environment** A hierarchical environment relates various classification labels in an ordered structure from low security to medium security to high security, such as Confidential, Secret, and Top Secret, respectively. Each level or classification label in the structure is related. Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels. For example, someone with a Top Secret clearance can access Top Secret data and Secret data. **Compartmentalized Environment** In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for its security domain. **Hybrid Environment** A hybrid environment combines both hierarchical and compartmentalized concepts so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain. A subject must have the correct clearance and the need to know data within a specific compartment to gain access to the compartmentalized object. A hybrid MAC environment provides granular control over access, but becomes increasingly difficult to manage as it grows. Figure 14.3 is an example of a hybrid environment.

Answer 316

A software-defined network (SDN) typically uses an attribute-based access control (ABAC) model. SDNs don’t normally use the discretionary access control (DAC), mandatory access control, or role-based access control (RBAC) models.

Answer 317

The private IP addresses defined in RFC 1918 are: * 10.0.0.0 to 10.255.255.255 (a full Class A range), * 172.16.0.0 to 172.31.255.255 (16 Class B ranges), and * 192.168.0.0 to 192.168.255.255 (255 Class C ranges).

Answer 318

Privileged entities

Answer 319

Firewalls are unable to filter on encrypted traffic within a VPN, which is a drawback. VPNs can cross firewalls. Firewalls do not have to always block outbound VPN connections. Firewalls usually only minimally affect the throughput of a VPN and then only when filtering is possible.

Answer 320

The primary purpose of change management is to allow management to review all changes. However, it is true that the overall goal of change management is to prevent unwanted reductions to security.

Answer 321

Use of quantitative and qualitative approaches

Answer 322

Evil twin is an attack in which a hacker operates a false access point that will automatically clone, or twin, the identity of an access point based on a client device’s request to connect. Each time a device successfully connects to a wireless network, it retains a wireless profile in its history. These wireless profiles are used to automatically reconnect to a network whenever the device is in range of the related base station. Each time the wireless adapter is enabled on a device, it wants to connect to a network, so it sends out reconnection requests to each of the networks in its wireless profile history. These reconnect requests include the original base station’s MAC address and the network’s SSID. The evil twin attack system eavesdrops on the wireless signal for these reconnect requests. Once the evil twin sees a reconnect request, it spoofs its identity with those parameters and offers a plaintext connection to the client. The client accepts the request and establishes a connection with the false evil twin base station. This enables the hacker to eavesdrop on communications through a man-in-the-middle attack, which could lead to session hijacking, data manipulation credential theft, and identity theft.

Answer 323

A rogue WAP can also be deployed by an attacker externally to target your existing wireless clients or future visiting wireless clients. **An attack against existing wireless clients requires that the rogue WAP be configured to duplicate the SSID, MAC address, and wireless channel of the valid WAP**, although operating at a higher power rating. This may cause clients with saved wireless profiles to inadvertently select or prefer to connect to the rogue WAP instead of the valid original WAP. **The second method focuses on attracting new visiting wireless clients. This type of rogue WAP is configured with a social engineering trick by setting the SSID to an alternate name that appears legitimate or even preferred over the original valid wireless network’s SSID. For example, if the original SSID is “ABCcafe,” then the rogue WAP SSID could be “ABCcafe-2,”** “ABCcafe-LTE,” or “ABCcafe-VIP.” The rogue WAP’s MAC address and channel do not need to be clones of the original WAP. These alternate names may seem like better network options to new visitors and thus trick them into electing to connect to the false network instead of the legitimate one.

Answer 324

Allowing users to reuse the same password Preventing password reuse by tracking password history increases security but allowing users to reuse the same password does not increase security. You can also improve password security by enabling account lockout controls, enforcing a password policy, and using password verification tools to check the strength of existing passwords.

Answer 325

Confidentiality and integrity Kerberos provides confidentiality and integrity protection security services for authentication traffic using symmetric cryptography to encrypt tickets sent over the network to prove identification and provide authentication. The security services provide by Kerberos are not directly related to availability or nonrepudiation.

Answer 326

No Kerberos is an effective SSO system within a single organization but not between organizations.

Answer 327

I had packet in mind Here is what CISSP said: **A data object is called a datagram or a packet in the Network layer.** It is called a PDU in layers 5 through 7. It is called a segment in the Transport layer and a frame in the Data Link layer.

Answer 328

Hide the identity of an attacker through misdirection

Answer 329

Key elements of an audit report include: * Purpose * Scope * Results of the audit.

Answer 330

The difference between piggybacking and tailgating is that a piggybacker would have a consent of an authorized person allowing him the access, while a tailgater simply enters the premises.

Answer 331

Ensuring that changes do not reduce security The goal of change management is to ensure that any change does not lead to unintended outages or reduce security. The Q didn't ask for goal or purpose, but they wanted the goal

Answer 332

Mandatory access control model A mandatory access control model includes a lattice-based format, with labels used to identify separate compartments.

Answer 333

Compliance checking Compliance checking ensures that all necessary elements of a security solution are properly deployed and functioning as expected.

Answer 334

VLAN A VLAN (virtual LAN) is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.

Answer 335

Extract data from XML/HMTL-formatted data automatically A screen scraper tool is used to automatically extract standardized formatted data, such as XML and HTML, from human-friendly output. This tool is often used to extract results from web search engines.

Answer 336

Security governance Security governance should include acquisitions, divestitures, and oversight committees.

Answer 337

Tactical Tactical planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans.

Answer 338

* **Strategic Plan** A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. * **Tactical Plan** The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. A tactical plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. * **Operational Plan** An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. Operational plans must be updated often (such as monthly or quarterly)

Answer 339

A company’s right to audit The purpose of a privacy policy is to inform users where they do and do not have privacy for the primary benefit of the protection of the company’s right to audit and monitor user activity.

Answer 340

Vulnerability scanners Vulnerability scanners can check systems to ensure they are up-to-date with current patches (along with other checks) and are an effective tool to verify the patch management program.

Answer 341

parallel test Parallel tests represent the next level in testing and involve actually relocating personnel to the alternate recovery site and implementing site activation procedures.

Answer 342

A baseline is a listing of security controls that provide a minimum level of security. Organizations can tailor a baseline to meet its needs. The baseline is a starting point, and it does not ensure maximum security. A baseline provides a listing of controls an organization can apply, but it isn’t necessarily a listing of applied controls.

Answer 343

Sutherland

Answer 344

Web application firewall PCI DSS allows organizations to choose between performing annual web vulnerability assessment tests or installing a web application firewall.

Answer 345

Real evidence Real evidence must be either uniquely identified by a witness or authenticated through a **documented chain of custody.** Since you couldn't authenticate hearsay via a documented chain of custody, the answer must be real evidence.

Answer 346

NIFC The National Interagency Fire Center provides daily updates on wildfires occurring in the United States.

Answer 347

Probable cause To obtain a search warrant, investigators must have probable cause.

Answer 348

Integrity The Goguen-Meseguer model is an integrity model based on predetermining the set or domain—a list of objects that a subject can access.

Answer 349

Restore service During the mitigation phase of an incident, you would take steps to isolate and contain the incident. You would gather evidence during the response phase. Personnel notify appropriate people during the reporting phase. Servers are restored during the recovery phase.

Answer 350

Certificate path validation is verification that each certificate in a certificate path is valid and legitimate.

Answer 351

Waiting for the event to expire In most cases, you must simply wait until the emergency or condition expires and things return to normal. If physical and infrastructure support is lost, such as after a catastrophe, regular activity (including deploying updates, performing scans, or tightening controls) is not possible.

Answer 352

512 bits The SHA-2 algorithms support the creation of message digests up to 512 bits long.

Answer 353

X.509 X.509 defines a common format for digital certificates containing certification of a public encryption key.

Answer 354

Dedicated mode The scenario presented in the question describes the three characteristics of dedicated mode.

Answer 355

System high System high mode provides the most granular control over resources and users because it enforces clearances, requires need to know, and allows the processing of only single sensitivity levels. All the other levels either do not have unique need to know between users (dedicated), allow multiple levels of data processing (compartmented), or allow a wide number of users with varying clearance (multilevel).

Answer 356

Substitution Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.

Answer 357

Substitution achieves confusion Transposition achies diffusion

Answer 358

Trusted path A trusted path is a channel established with strict standards to allow necessary communication without exposing the TCB to security vulnerabilities.

Answer 359

Defined The Defined stage of SW-CMM is characterized by the use of formal, documented software development processes.

Answer 360

A.Dual stack B. Tunneling D. NAT-PT The means by which IPv6 and IPv4 can coexist on the same network is to use one or more of three primary options. Dual stack is to have most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) (RFC-2766) can be used to convert between IPv4 and IPv6 network segments similar to how NAT converts between internal and external addresses. There is no distinct IPsec version 6 because IPsec is native to IPv6, and IPsec does not assist or support a network operating both IPv4 and IPv6 on its own.

Answer 361

Open source intelligence Open source intelligence is the gathering of information from any publicly available resource. This includes websites, social networks, discussion forums, file services, public databases, and other online sources. This also includes non-Internet sources, such as libraries and periodicals.

Answer 362

* The **Read** attribute will allow you to read the file, but not make changes. * The **Change** attribute will allow you read, write, execute and delete the file, but will not allow you to change the ACLs and/or owner of the files. * ‘**Full Control’** allows any changes to be made to the file and its permissions and ownership.

Answer 363

**SIP** is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP).

Answer 364

Up until the conception of Diameter, IETF had individual working groups who define how Voice over IP (VoIP), Fax over IP (FoIP), Mobile IP, and remote authentication protocols work. Defining and implementing them individually in any network can easily end up in too much confusion and interoperability. It requires customers to roll out and configure several different policy servers and increases the cost with each new added service. With Diameter all of these services can be authenticated over the same authentication architecture.

Answer 365

* Scoping is the process of reducing the breadth of provisions within a standard that must be considered in practice by an organization in light of the actual technologies it deploys. * Tailoring is

Answer 366

A VPN must include both a tunneling protocol and encryption.

Answer 367

Implementing a three-tiered application architecture A three-tiered architecture consisting of presentation layer, business logic layer, and data layer should be used in this type of situation. This framework splits up the functionality processes that are necessary in e-commerce, but also allows for increasing degrees of security to be implemented. Each layer (presentation, business logic, data layer) runs on separate systems and the traffic between each system should go through separate firewalls.

Answer 368

The algorithm is an alphabet and the key is the number of shifts

Answer 369

The decryption key may reside in memory long past its last use, and be accessible and recoverable. Until power has been removed from primary memory for a sufficient amount of time, encryption/decryption keys for any process may remain recoverable directly from memory, where they must necessarily reside during processing. Additionally, the memory pages that contain the keys may continue to be present after their use if they are not subsequently reused

Answer 370

Customary **Customary law** is built upon the ideas of history and tradition of a country. People are expected to act a certain way according to custom. Examples of nations that use a form of customary law are India, China and African nations **A tort** is a wrongful act resulting in injury or damages, for which the civil law provides that the injured person (or the person suffering damages) may seek ...

Answer 371

A software component that determines if a user is authorized to perform a requested operation A reference monitor is the abstract machine that holds all of the rules of access for the system. The security kernel is the active entity that enforces the reference monitor’s rules. They control the access attempts of any and all subjects; a user is just one example of a subject.

Answer 372

Reconstitution * **The Activation/Notification Phase** describes the process of activating the plan based on outage impacts and notifying recovery personnel. * **The Recovery Phase** details a suggested course of action for recovery teams to restore system operations at an alternate site or using contingency capabilities. * **The final phase, Reconstitution**, includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.

Answer 373

Establishing baselines for data purges Determining when data should be purged is the responsibility of a data owner, not the data custodian. The data owner should be aware of the legal, regulatory, and policy issues surrounding how long data is to be kept. Once the data owner decides that particular data should be purged, the data custodian would most likely be tasked with configuring a system to carry out the purging process. The other tasks all belong to a data custodian.

Answer 374

VPNs can be created in combination with end-user applications. Multiprotocol Label Switching (MPLS) gives service providers the ability to create VPNs without the need of end-user applications.

Answer 375

Council of Europe Convention on Cybercrime The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. It is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The Convention's objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.

Answer 376

Lucifer IBM’s 128-bit algorithm, Lucifer, was accepted as the national standard in 1974. It was altered by NIST and referred to as Digital Encryption Algorithm, which used a 56-bit key.

Answer 377

B. Internet users who waste computer resources The IAB has declared wasting computer resources through purposeful activities unethical because it sees these resources as assets that are to be available for the computing society.

Answer 378

Physical attributes A biometric system can make authentication decisions based on an individual’s behavior, as in signature dynamics and voice prints, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because they do not change as often and are harder to impersonate.

Answer 379

Pharming involves DNS poisoning and phishing involves social engineering.

Answer 380

i. A semantic integrity mechanism makes sure structural and semantic rules are enforced. ii. A database has referential integrity if all foreign keys reference existing primary keys. iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values.

Answer 381

A.Qualitative approach to risk analysis A is correct. Since threat modeling is based on perceptions, opinions, judgments, and experiences-rather than hard costs and facts-threat modeling is an example of a qualitative approach to risk analysis. Calculating hard costs and facts would be a quantitative or value-based approach.

Answer 382

C. Established a standard he operations manager has established a standard, which specifies how hardware will be maintained. A regulation is a directive usually imposed from an entity outside the company-such as a mandate from government, a legal requirement, or an industry requirement. Policies are usually established by senior management, rather than line management. The operations manager may be reacting to a policy directive that requires uniformity and consistency in server management. The introduction of the checklists provided the tools necessary to implement this policy. Use of the checklists will eventually yield a baseline for server quality.

Answer 383

The point to which application data must be recovered to resume system operations The Recovery Point Objective (RPO) is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

Answer 384

Choke points The network perimeter concept recognizes the need to separate sensitive networks from non-sensitive networks and accomplishes this by using choke points to block segment-to-segment access.

Answer 385

When he uses it to refresh memory Notes that are taken by an investigator will, in most cases, not be admissible in court as evidence. It is not seen as reliable information and can only be used by the investigator to help him remember activities during the investigation.

Answer 386

Valuable papers insurance is a special type of property-casualty insurance. Valuable papers insurance reimburses the policyholder for the monetary value of any valuable papers such as wills, trusts, or corporate charters that are lost for any reason, though it cannot actually replace these papers.

Answer 387

Microprobing

Answer 388

Preaction system

Answer 389

Binding Binding is a method of limiting a subject’s independence within a network. In this example, certain accounting users are bound to one database. Binding illustrates the principle of obligation.

Answer 390

Media analysis The three types of DFS are: media, software, and network analysis. Media analysis is commonly referred to as computer forensics and consists of analyzing physical media for evidence acquisition.

Answer 391

SESAME is an authentication protocol similar to Kerberos.

Answer 392

To provide protection of a sensitive area Internal partitions only go up to the dropped ceiling and not to the real ceiling. These means that someone can easily go through the dropped ceiling, climb over the partition, and enter the sensitive area. Thus this barrier is easily overcome.

Answer 393

The user base of the data Who might use the data is dependent upon its usefulness, but doesn’t factor into how it is classified.

Answer 394

It detects a break in a circuit. In an electromechanical IDS, a physical circuit is constructed around a potential ingress point, such as a window, commonly with strips of metal foil. If the window is opened, the foil is severed and the circuit is broken, tripping the alarm.

Answer 395

1. Functionality 2. Effectiveness 3. Assurance

Answer 396

Multicast **Multicast** - When a single station needs to send data to a specific group of other stations, the method it uses is referred to as a multicast. **Unicast** - is the method used to transmit data from one station to one other station. **Broadcast** is the method used to transmit data from one station to all other stations on the LAN _indiscriminately_.

Answer 397

They can commonly be successfully attacked remotely, resulting in malicious code executing within the same security context as the local process being compromised.

Answer 398

It's a Non-Compete Agreement

Answer 399

logical technical

Answer 400

* computer file, * a network service, * a system resource, * a process, * a program, * a product, * an IT infrastructure, * a database, * a hardware device, * furniture, * product recipes/formulas, * intellectual property, * personnel, * software, * facilities, * and so on.

Answer 401

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability. In other words, a vulnerability is a flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization. If a vulnerability is exploited, loss or damage to assets can occur.

Answer 402

Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event.

Answer 403

risk = threat \* vulnerability

Answer 404

The whole purpose of security is to prevent risks from becoming realized by removing vulnerabilities and blocking threat agents and threat events from jeopardizing assets. As a risk management tool, security is the implementation of safeguards.

Answer 405

A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Answer 406

To reduce the ARO. Although there are some perfect safeguards, most are not. Thus, many safeguards have an applied ARO that is smaller (you hope much smaller) than the non-safeguarded ARO, but it is not often zero. With the new ARO (and possible new EF), a new ALE with the application of a safeguard is computed.

Answer 407

ConceptFormula Exposure factor (EF)% Single loss expectancy (SLE)SLE = AV \* EF Annualized rate of occurrence (ARO)# / year Annualized loss expectancy (ALE)ALE = SLE \* ARO or ALE = AV \* EF \* ARO Annual cost of the safeguard (ACS)$ / year Value or benefit of a safeguard(ALE1 – ALE2) – ACS

Answer 408

In most cases, the cost/benefit with the highest value is the best safeguard to implement for that specific risk against a specific asset.

Answer 409

The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. It is used on qualitative risk analysis.

Answer 410

1. Reduce or mitigate 2. Assign or transfer 3. Accept 4. **Deter** - Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime. 5. **Risk avoidance** is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes. 6. **Reject or ignore** - final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.

Answer 411

Total risk is the amount of risk an organization would face if no safeguards were implemented. A formula for total risk is as follows: threats \* vulnerabilities \* asset value = total risk (Note that the \* here does not imply multiplication, but a combination function; this is not a true mathematical formula.)

Answer 412

total risk – controls gap = residual risk

Answer 413

SCA stands for Security Control Assessment It's a formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation. Can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment. **NIST Special Publication 800-53A** titled “Guide for Assessing the Security Controls in Federal Information Systems”

Answer 414

* Purchase cost * Development cost * Administrative or management cost * Maintenance or upkeep cost * Cost in acquiring asset * Cost to protect or sustain asset * Value to owners and users * Value to competitors * Intellectual property or equity value * Market valuation (sustainable price) * Replacement cost * Productivity enhancement or degradation * Operational costs of asset presence and loss * Liability of asset loss * Usefulness

Answer 415

**NIST Special Publication 800-37**. There are 6 steps to the Risk Management Framework (RMF). * **Categorize** the information system and the information processed, stored, and transmitted by that system based on an impact analysis. * **Select** an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. * **Implement** the security controls and describe how the controls are employed within the information system and its environment of operation. * **Assess** the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. * **Authorize** information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. * **Monitor** the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.”

Answer 416

(OCTAVE) - Operationally Critical Threat, Asset, and Vulnerability evaluation (FAIR) - Factor Analysis of Information Risk and (TARA) - Threat Agent Risk Assessment

Answer 417

* **Operational departments** that are responsible for the core services the business provides to its clients * **Critical support services**, such as the information technology (IT) department, facilities and maintenance personnel, and other groups responsible for the upkeep of systems that support the operational departments * **Corporate security teams responsible for physical security**, as they are many times the first responders to an incident and are also responsible for the physical safeguarding of the primary facility and alternate processing facility * **Senior executives and other key individuals** essential for the ongoing viability of the organization

Answer 418

1. Project scope and planning 2. Business impact assessment, 3. Continuity planning 4. Approval and implementation

Answer 419

1. Identify priorities 2. Risk Identification 3. LIKELIHOOD ASSESSMENT 4. IMPACT ASSESSMENT 5. RESOURCE PRIORITIZATION (BCP team priorities)

Answer 420

Both criminal and civil

Answer 421

Administrative law is published in the Code of Federal Regulations, often referred to as the CFR.

Answer 422

* **The International Traffic in Arms Regulations (ITAR)** controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under ITAR appear on a list called the United States Munitions List (USML), maintained in 22 CFR 121. * **The Export Administration Regulations (EAR)** cover a broader set of items that are designed for commercial use but may have military applications. Items covered by EAR appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce. Notably, EAR includes an entire category covering information security products.

Answer 423

**Privacy Act of 1974** The Privacy Act mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government. **The Privacy Act of 1974 applies only to government agencies.** Many people misunderstand this law and believe that it applies to how companies and other organizations handle sensitive personal information, but that is not the case.

Answer 424

Electronic Communications Privacy Act of 1986 The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual. **One of the most notable provisions of the ECPA is that it makes it illegal to monitor mobile telephone conversations.** In fact, such monitoring is punishable by a fine of up to $500 and a prison term of up to five years.

Answer 425

**Communications Assistance for Law Enforcement Act (CALEA) of 1994** The Communications Assistance for Law Enforcement Act (CALEA) of 1994 amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

Answer 426

The Economic Espionage Act of 1996 extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints.

Answer 427

* BAA agreements * Breach notification agreements Under the HITECH Breach Notification Rule, HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals

Answer 428

It's about personally identifiable information. This includes unencrypted copies of a person’s name in conjunction with any of the following information: * Social Security number * Driver’s license number * State identification card number * Credit or debit card number * Bank account number in conjunction with the security code, access code, or password that would permit access to the account * Medical records * Health insurance information In the years following SB 1386, many (but not all) other states passed similar laws modeled on the California data breach notification law. As of 2017, * Only Alabama and South Dakota do not have state breach notification laws.

Answer 429

* Websites must have a privacy notice that clearly states the types of information they collect and what it’s used for, including whether any information is disclosed to third parties. The privacy notice must also include contact information for the operators of the site. * Parents must be provided with the opportunity to review any information collected from their children and permanently delete it from the site’s records. * Parents must give verifiable consent to the collection of information about children younger than the age of 13 prior to any such collection. Exceptions in the law allow websites to collect minimal information solely for the purpose of obtaining such parental consent.

Answer 430

**Gramm-Leach-Bliley Act of 1999** Until the Gramm-Leach-Bliley Act (GLBA) became law in 1999, there were strict governmental barriers between financial institutions. * GLBA somewhat relaxed the regulations concerning the services each organization could provide. When Congress passed this law, it realized that this increased latitude could have far-reaching privacy implications. * Because of this concern, it included a number of limitations on the types of information that could be exchanged even among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all their customers by July 1, 2001.

Answer 431

* One of the major changes revolves around the way government agencies obtain wiretapping authorizations. Previously, police could obtain warrants for only one circuit at a time, after proving that the circuit was used by someone subject to monitoring. Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant. * Another major change is in the way the government deals with Internet service providers (ISPs). Under the terms of the PATRIOT Act, ISPs may voluntarily provide the government with a large range of information. The PATRIOT Act also allows the government to obtain detailed information on user activity through the use of a subpoena (as opposed to a wiretap). * Finally, the USA PATRIOT Act amends the Computer Fraud and Abuse Act (yes, another set of amendments!) to provide more severe penalties for criminal acts. The PATRIOT Act provides for jail terms of up to 20 years and once again expands the coverage of the CFAA.

Answer 432

The Family Educational Rights and Privacy Act (FERPA) is another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). * Parents/students have the right to inspect any educational records maintained by the institution on the student. * Parents/students have the right to request correction of records they think are erroneous and the right to include a statement in the records contesting anything that is not corrected. * Schools may not release personal information from student records without written consent, except under certain circumstances.

Answer 433

In the past, the only legal victims of identity theft were the creditors who were defrauded. * This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.

Answer 434

* Businesses have the right to monitor employees use of company assets * There is no “reasonable expectation of privacy" in the workplace Steps companies should take: * Clauses in employment contracts that state the employee has no expectation of privacy while using corporate equipment * Similar written statements in corporate acceptable use and privacy policies * Logon banners warning that all communications are subject to monitoring * Warning labels on computers and telephones warning of monitoring * As with many of the issues discussed in this chapter, it’s a good idea to consult with your legal counsel before undertaking any communications-monitoring efforts.

Answer 435

The rights that are guaranteed by this law are: * Right to access the data * Right to know the data’s source * Right to correct inaccurate data * Right to withhold consent to process data in some situations * Right of legal action should these rights be violated

Answer 436

It relates to companies outside of Europe conducting business inside Europe. 1. **Informing Individuals About Data Processing** Companies must include a commitment to the Privacy Shield Principles in their privacy policy, making it enforceable by U.S. law. They must also inform individuals of their rights under the Privacy Shield framework. 2. **Providing Free and Accessible Dispute Resolution** Companies participating in the Privacy Shield must provide consumers with a response to any complaints within 45 days and agree to an appeal process that includes binding arbitration. 3. **Cooperating with the Department of Commerce** Companies covered by the agreement must respond in a timely manner to any requests for information received from the U.S. Department of Commerce related to their participation in the Privacy Shield. 4. **Maintaining Data Integrity and Purpose Limitation** Companies participating in Privacy Shield must only collect and retain personal information that is relevant to their stated purpose for collecting information. 5. **Ensuring Accountability for Data Transferred to Third Parties** Privacy Shield participants must follow strict requirements before transferring information to a third party. These requirements are designed to ensure that the transfer is for a limited and specific purpose and that the recipient will protect the privacy of the information adequately. 6. **Transparency Related to Enforcement Actions** If a Privacy Shield participant receives an enforcement action or court order because they fail to comply with program requirements, they must make public any compliance or assessment reports submitted to the FTC. 7. **Ensuring Commitments Are Kept As Long As Data Is Held** Organizations that leave the Privacy Shield agreement must continue to annually certify their compliance as long as they retain information collected under the agreement.

Answer 437

A major difference between the GDPR and the data protection directive is the widened scope of the regulation. The new law applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it. * A data breach notification requirement that mandates that companies inform authorities of serious data breaches within 24 hours * The creation of centralized data protection authorities in each EU member state * Provisions that individuals will have access to their own data * Data portability provisions that will facilitate the transfer of personal information between service providers at the individual’s request * The “right to be forgotten” that allows people to require companies to delete their information if it is no longer needed

Answer 438

No. The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement that is not dictated by law but by contractual obligation. 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. 5. Protect all systems against malware and regularly update antivirus software or programs. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need-to-know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that addresses information security for all personnel.

Answer 439

* The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. * The DMCA also limits the liability of Internet service providers (ISP) when their circuits are used by criminals violating the copyright law.

Answer 440

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Answer 441

As an example, a company that collects personal information on employees for payroll is a **data controller.** If they pass this information to a third-party company to process payroll, the payroll company is the **data processor**. In this example, the payroll company (the data processor) must not use the data for anything other than processing payroll at the direction of the data controller. The GDPR restricts data transfers to countries outside the EU.

Answer 442

* Notice: An organization must inform individuals about the purposes for which it collects and uses information about them. * Choice: An organization must offer individuals the opportunity to opt out. * Accountability for Onward Transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles. * Security: Organizations must take reasonable precautions to protect personal data. * Data Integrity and Purpose Limitation: Organizations should only collect data that is needed for processing purposes identified in the Notice principle. Organizations are also responsible for taking reasonable steps to ensure that personal data is accurate, complete, and current. * Access: Individuals must have access to personal information an organization holds about them. Individuals must also have the ability to correct, amend, or delete information, when it is inaccurate. * Recourse, Enforcement, and Liability: Organizations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.

Answer 443

Pseudonymization refers to the process of using pseudonyms to represent other data. Example: Instead of including personal information such as the patient’s name, address, and phone number, it could just refer to the patient as Patient 23456 in the medical record.

Answer 444

Tokenization is similar to pseudonymization. **Pseudonymization** uses pseudonyms to represent other data. **Tokenization** uses tokens to represent other data. Neither the pseudonym nor the token has any meaning or value outside the process that creates them and links them to the other data. Additionally, both methods can be reversed to make the data meaningful.

Answer 445

Unlike pseudonymization and tokenization, masking cannot be reversed.

Answer 446

* **A data administrator** is responsible for granting appropriate access to personnel. * **A custodian** helps protect the integrity and security of data by ensuring that it is properly stored and protected.

Answer 447

A list of security controls. Using an OS image as a starting point is a practical example of a baseline.

Domain 9 - Exam Feedback Flashcards

(489 cards)