Security Architecture Domain 4 Flashcards

1
Q

Three risk analysis methods

A

OCTAVE
NIST 800-30
ISO/IEC 27005

2
Q

Quantitative Risk Analysis
This approach employs two fundamental elements:

A

The probability of an event occurring and a value or measure for the loss should it occur.

3
Q

Quantitative risk analysis makes use of a single figure produced from these elements. This is called the _____________________ or the ______________

A

‘Annual Loss Expectancy (ALE)’
‘Estimated Annual Cost (EAC)’.

4
Q

Quantitative risk is calculated by multiplying

A

Single loss event (SLE) × annual rate of occurrence (ARO)

5
Q

Most qualitative risk analysis methodologies make use of a number of interrelated elements:

A

THREATS
Things that can go wrong or attack the system
VULNERABILITIES
These weaknesses make a system more prone to attack by a threat or make an attack more likely to have some success or impact.
CONTROLS
These are the countermeasures for vulnerabilities.

6
Q

Where is the attack vector in emails?

A

There are potentially two: the email itself and the attachment to the email.

7
Q

What are the key differences between a worm and a virus?

A

Worms can generally spread without needing human interaction.
A virus needs a host file; it attaches to an executable file, document or program.

8
Q

Most European countries' data protection laws follow principles detailed in two EU directives, whether or not these countries are part of the European Union. These directives are

A
1. Directive 95/46/EC of the European Parliament on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (commonly called the Data Protection Directive) and
2. Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector. The first directive applies to the collection, storage, disclosure, and other uses of personal data. The second directive

9
Q

The __________________ was born out of the necessity to expand product security assurance programs in the United States, Canada, United Kingdom, France, and Germany.

A

Common Criteria (CC)

10
Q

Product evaluations began in the United States with the ___________________, which was the criterion for evaluating secure systems and vendor products.

A

Orange Book (TCSEC)

11
Q

The Orange Book had an assurance range from

A

D2 up to A-3. The D class had the least amount of rigorous testing, and the A class consisted of more formal evaluation methods.

12
Q

The Orange Book only addressed

A

Confidentiality

13
Q

The next evaluation criteria, _____________, was created by Canada, the United Kingdom, France, Spain, and Germany.

A

The ITSEC

14
Q

ITSEC addressed

A

Confidentiality and Integrity

15
Q

The Common Criteria is useful as a guide for the development, evaluation, or procurement of IT products with security functionality. It addresses

A

Confidentiality, Integrity and Availability

16
Q

The Common Criteria consists of three parts

A

Introduction and general model
Security functional requirements
Security Assurance requirements

17
Q

Common Criteria
Part 2 - Security Functional Requirements establish a set of functional components as a standard way of

A

expressing the functional requirements for the Target of Evaluation (TOE).

18
Q

Common Criteria
Part 3 - Security Assurance Requirements establish a set of assurance components as a standard way of

A

expressing the assurance requirements for the TOE.

19
Q

The purpose of the mutual recognition arrangement is to advance those objectives by bringing about a situation in which IT products and protection profiles that earn a Common Criteria certificate can be procured or used without

A

the need for further evaluation.

20
Q

When did Australia and New Zealand join the mutual recognition arrangement?

A

October 1999

21
Q

Common Criteria evaluated products begin the process by being evaluated in a

A

certified laboratory

22
Q

The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation to

A

testing and calibration laboratories

23
Q

Part 2 of the Common Criteria defines the

A

Security functional components.

24
Q

What does TOE mean?

A

Target of Evaluation

25
Is a TOE a product?
It could be but it does not have to be. It might be an IT product, a part of an IT product, a set of IT products, a unique technology that may never be made into a product, or a combination of these.
26
How many Evaluation Assurance Levels are there?
Seven
27
When is EAL1 applicable?
EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information.
28
When is EAL2 applicable?
EAL2 is, therefore, applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record.
29
EAL1 means what kind of testing?
Functional
30
EAL2 means what kind of testing?
Structural
31
EAL3 means what kind of testing?
Methodically tested and checked
32
EAL4 means what kind of testing?
Methodically Designed, Tested, and Reviewed
33
EAL5 means what kind of testing?
Semiformally Designed and Tested
34
EAL6 means what kind of testing?
Semiformally verified design and testing
35
EAL7 means what kind of testing?
Formally verified design and testing
36
When is EAL3 applicable?
It is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial reengineering.
37
When is EAL4 applicable?
It is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is, therefore, applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.
38
When is EAL5 applicable?
When users require a high level of independently assured security in planned developments.
39
When is EAL6 applicable?
Applicable to the development of security TOEs for application in high-risk situations where the value of the protected assets justifies the additional costs.
40
When is EAL7 applicable?
EAL7 is applicable to the development of security TOEs for application in extremely high-risk situations or where the high value of the assets justifies the higher costs.
41
The Common Criteria Part 3 begins with
a philosophy of the approach to assurance that will permit the reader to understand the rationale behind the assurance requirements.
42
IT security breaches come from the intentional exploitation or _______________ of vulnerabilities in the application of IT within business concerns.
unintentional triggering
43
To the extent feasible, vulnerabilities should be
1. Eliminated, by taking steps to expose, remove, or neutralize all exercisable vulnerabilities.
2. Minimized, by taking steps to reduce to an acceptable level the residual potential impact of any risks or vulnerability.
3. Monitored, by taking steps to ensure that any attempt to exercise a residual vulnerability will be detected so that steps can be taken to limit the damage.
44
____________ is the traditional way of gaining assurance. It serves as the basis of the Common Criteria approach.
Evaluation
45
In the Common Criteria, what is penetration testing?
One method of evaluation.
46
The Common Criteria philosophy asserts that greater assurance results from
the application of greater evaluation effort
47
What is the Common Criteria Evaluation Assurance Scale?
Scope - That is, the effort is greater because a larger portion of the IT product is included.
Depth - That is, the effort is greater because it is deployed to a finer level of design and implementation detail.
Rigor - That is, the effort is greater because it is applied in a more structured, formal manner.
48
The CMMI-DEV model provides guidance for
applying Capability Maturity Model best practices in a development organization. Best
49
Sources of the Capability Maturity Model (CMM)
The Software Engineering Institute (SEI) developed an initial version of a maturity model with the assistance of the MITRE Corporation.
50
The CMMI for Development may be put to the following uses:
Software process improvement
Software process assessments
Software capability evaluations
51
In CMMI-DEV (Capability Maturity Model Integration for Development), the terms continuous representation and staged representation refer to
two different ways of assessing and improving process maturity within an organization.
52
What are the two different ways of assessing and improving process maturity within an organization?
Continuous representation
Staged representation
53
The staged representation organizes process improvement into
five maturity levels, where each level builds on the previous one.
54
The continuous representation focuses on
improving specific process areas independently, rather than requiring an organization-wide maturity level.
55
What are the continuous representation maturity levels?
Level 0 Incomplete
Level 1 Performed
Level 2 Managed
Level 3 Defined
Level 4 (N/A)
Level 5 (N/A)
56
What are the staged representation maturity levels?
Level 0 (N/A)
Level 1 Initial
Level 2 Managed
Level 3 Defined
Level 4 Quantitatively Managed
Level 5 Optimizing
57
A capability level 2 process is characterised as a managed process. What is a managed capability or process?
A managed process is a performed process that is planned and executed in accordance with policy.
58
A capability level 3 process is characterised as a defined process. A defined process is
A managed process that is tailored from the organisation's set of standard processes according to the organisation's tailoring guidelines.
59
The process discipline reflected by capability level 2 helps to ensure that
existing practices are retained during times of stress.
60
A critical distinction between maturity levels 3 and 4
is the predictability of process performance.
61
At maturity level 5, an organization continually
improves its processes based on a quantitative understanding of its business objectives and performance needs.
62
At maturity level ____, the organisation and projects focus on understanding and controlling performance at the subprocess level and using the results to manage projects. At maturity level ____, the organisation is concerned with overall organisational performance using data collected from multiple projects.
4, 5
63
Organizations wanting to understand and improve their capability to develop software effectively, and professionals wanting to understand the key practices that are part of effective processes for developing or maintaining software, could consider using which CMM?
The Software Engineering Institute's CMMI for Development
64
The CMMI for Development Level 2 says that processes must be repeatable in the areas of
Project planning, tracking and oversight
65
The CMMI for Development Level 3 says that processes must be repeatable in all level 2 task areas and
have defined processes for organisational process focus, process definition, training, integrated software management, intergroup coordination, and peer reviews.
66
What is the purpose of ISO 7498?
To provide a common basis for the coordination of standards development for the purpose of systems interconnection.
67
The term Open Systems Interconnection (OSI) qualifies standards for the exchange of information among systems that are
"open" to one another for this purpose by virtue of their mutual use of the applicable standards.
68
Three primary elements of defense in depth include the following:
People, Technology, Operations
69
ISSE
Information System Security Engineering
70
What is ISSE?
The art and science of discovering users' information protection needs and designing information systems to protect them.
71
What is the first step of an ISSE process?
Discovering the protection needs.
72
What is the last step of an ISSE process?
Assessing the effectiveness.
73
What is the basis for creating an Information Protection Plan?
An information management model and a threat analysis.
74
The results of these two activities should be documented in the information management plan:
The threat analysis and the Information Protection Plan
75
What comes first: the system security requirements or the information protection needs?
Information protection needs.
76
Where do you find the system security requirements?
In the Statements of Work, Statements of Requirement or Statements of Objective, or SLAs.
77
Design validation requires the development of a
test and evaluation plan
78
Design validation is done during which phase of the systems development life cycle?
Phase 2
79
1. The approach in which policies, procedures, technology, and personnel are considered in the system security development process is called
A. defense in depth.
B. requirements analysis.
C. risk assessment.
D. attack vectors.
The correct option is A. Best security practices should include an architecture that provides defense in depth, where layers of technology are designed and implemented to provide data protection. These layers include people, technology, and operations (including processes and procedures).
80
2. Software that adds hidden components to a system without end user knowledge is
A. Virus.
B. Spyware.
C. Adware.
D. Malware.
The correct option is B. Spyware is software that adds hidden components to your system on the sly.
81
3. Risk is assessed by which of the following formulas?
A. Risk = Vulnerability × Threat × Impact divided by Countermeasure
B. Risk = Annual Loss Opportunity ÷ Single Loss Expectancy
C. Risk = Exposure Factor divided by Asset Value
D. Risk = Vulnerability × Annual Loss Expectancy
The correct option is A. Option A is correct; the others are mixed-up derivatives of risk management.
82
4. Requirements definition is a process that should be completed in the following order:
A. Document, identify, verify and validate.
B. Identify, verify, validate, document.
C. Characterize, analyze, validate, and verify.
D. Analyze, verify, validate, and characterize.
The correct option is B.
83
5. A path by which a malicious actor gains access to a computer or network in order to deliver a malicious payload is a
A. penetration test.
B. attack vector.
C. vulnerability assessment.
D. risk assessment.
The correct option is B. Option B is the definition of an attack vector. Risk and vulnerability assessments and penetration testing deal with ways of analyzing and protecting the system.
84
6. Which of the following is BEST as a guide for the development, evaluation, and/or procurement of IT products with security functionality?
A. ISO/IEC 27001
B. FIPS 140-2
C. Common Criteria
D. SEI-CMM
The correct option is C.
85
7. Which of the following BEST defines evaluation criteria for Protection Profile (PP) and Security Target (ST) and presents evaluation assurance levels rating assurance for the TOE?
A. Part 3 - Security assurance requirements
B. Part 2 - Security functional requirements
C. Part 1 - Introduction and general model
D. Part 4 - History and previous versions
The correct option is A. Parts 2 and 1 deal with other security requirements and the general CC model, and Part 4 does not exist.
86
8. The National Voluntary Laboratory Accreditation Program (NVLAP) must be in full conformance with which of the following standards?
A. ISO/IEC 27001 and 27002
B. ISO/IEC 17025 and Guide 58
C. NIST SP 800-53A
D. ANSI/ISO/IEC Standard 17024
The correct option is B. Option A deals with best practice implementation on the system. Option C provides IA controls for federal government systems, and Option D is the standard for certifications such as the CISSP.
87
9. A software application in combination with an operating system, a workstation, smart card integrated circuit, or cryptographic processor would be considered examples of a
A. Functional Communications (FCO)
B. Functional Trusted Path (FTP)
C. Target of Evaluation (TOE)
D. Security Target (ST)
The correct option is C. Options A and B refer to families of security functions, and Option D refers to the evaluation criteria that the TOE (Option C) will be assessed by.
88
10. A security architect requires a device with a moderate level of independently assured security, and a thorough investigation of the TOE and its development without substantial reengineering. It should be evaluated at which CC EAL?
A. EAL6
B. EAL5
C. EAL4
D. EAL3
The correct option is D. Option D refers to the criteria for EAL3 evaluation by definition. EAL6 is semiformally verified design and tested, EAL5 is semiformally designed but not verified, and EAL4 is methodically designed, tested, and reviewed.
89
11. At which Common Criteria EAL would a security architect select a device appropriate for application in extremely high-risk situations or where the high value of the assets justifies the higher costs?
A. EAL4
B. EAL5
C. EAL6
D. EAL7
The correct option is D. Again, Option D refers to the criteria for EAL7 evaluation by definition. EAL6 is semi-formally verified design and tested, EAL5 is semi-formally designed but not verified, and EAL4 is methodically designed, tested, and reviewed. Options A, B, or C would not be appropriate for extremely high-risk situations.
90
Which EAL is semi-formally designed but not verified?
EAL5
91
12. A list of Common Criteria-evaluated products can be found on the Internet on the site at the
A. NIAP
B. CCEVS
C. IASE
D. CERIS
The correct option is B. NIAP is the partnership between NIST and NSA for the evaluation of products, and IASE is the site run by DISA to promote best security practices. CERIS is a consortium run by the University of Notre Dame Computer Science and Information Security department. CCEVS is the site that lists all evaluated products, those in the evaluation process, and those that have been removed or superseded.
92
13. Which of the following describes the purpose of the Capability Maturity Model?
A. Determine business practices to ensure creditability for the company's commitment to quality and excellence.
B. Provide assurance through active investigation and evaluation of the IT product in order to determine its security properties.
C. Establish a metric to judge in a repeatable way the maturity of an organization's software process as compared to the state of the industry practice.
D. Provide an overview of standards related to the Information Security Management family for uniformity and consistency of fundamental terms and definitions.
The correct option is C. Options A and D are from ISO/IEC 27001, and Option B is from the Common Criteria.
93
14. Which one of the following describes the key practices that correspond to a range of maturity levels 1-5?
A. Common Criteria
B. SEI-CMM
C. ISO/IEC 27002
D. IATF v3
The correct option is B.
94
15. Which of the following CMMI levels includes quantitative process management and software quality management as the capstone activity?
A. CMMI Level 5
B. CMMI Level 4
C. CMMI Level 3
D. CMMI Level 2
The correct option is B. CMMI Level 4 includes quantitative process management and software quality management as the capstone activity.
95
16. Where can the general principles of the OSI Reference Model architecture be found that describe the OSI layers and what layering means?
A. Clause 3
B. Clause 5
C. Clause 7
D. Clause 9
The correct option is B. ISO 7498 discusses the OSI model. Within the model are clauses that describe the basic reference model. Clause 7 provides the description of the specific layers, and Clause 9 specifies compliance and consistency with the OSI reference model.
96
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basic reference model. Clause 7 provides the description of
the specific layers.
97
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basic reference model. Clause 9 specifies
compliance and consistency with the OSI reference model.
98
ISO 7498 discusses the OSI model. Within the model are clauses that describe the basic reference model. Clause 5 describes
the OSI layers and what layering means.
99
17. A privately held toy company processing, storing, or transmitting payment card data must be compliant with which of the following?
A. Gramm-Leach-Bliley Act (GLBA)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. Sarbanes-Oxley Act of 2002
D. PCI-DSS
The correct option is D. Options A, B and C do not have anything to do with card payment or credit card data.
100
18. In which phase of the IATF does formal risk assessment begin?
A. Assess effectiveness
B. Design system security architecture
C. Define system security requirements
D. Discover information protection needs
The correct option is B. Although risk assessment occurs during the assess effectiveness process after each stage, a formal risk assessment is conducted at the end of the Design System Security Architecture phase.