Information Security Questions - Set 2


Describe "Buffer Overflow" Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

- A buffer overflow occurs when the limits of a given allocated space of memory are exceeded. This results in adjacent memory space being overwritten. If the memory space is overwritten with malicious code, that code can potentially be executed, compromising the device.

What is ALE and how it helps in Information Security? References - Goals, Objectives and Business Cases. Page 31

- Annual Loss Expectancy: the cost of a risk if no steps are taken to mitigate it.
- Helps secure funding by explaining cost of control vs. cost of risk.
- Vital input for defining the organization's desired state.

Advantage of Proxy Firewall Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

- Because application/proxy firewalls act on behalf of clients, they act as a buffer against port scans and application attacks.
- For example, if an attacker identifies a vulnerability in the application, it first has to compromise the proxy before attacking the devices behind it.
- Application/proxy firewalls can be very effective devices to control traffic flow and protect clients from malicious software (malware) and outside attacks.

IPSec VPN Tunnel provides

- Confidentiality
- Data authentication
- Anti-replay
- Works at the network layer
- Two IPSec gateways make a VPN (Virtual Private Network)
- IPSec does not use RSA for data encryption. It uses DES, 3DES, or AES. IPSec uses RSA only for IKE (Internet Key Exchange) during the peer authentication phase, to ensure the other side is authentic and is who they say they are.

Caveats of the "Reverse Proxy Firewall" Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

- A reverse proxy provides service to outside clients and requires higher visibility. Any loss of access may cause reputational, financial or regulatory impact to the organization.
- Well-written proxy servers reduce the risk to the main web applications; hence the proxy must have a counter-strategy for all the potential vulnerabilities and should be compatible with the application.

Qualitative Risk assessment

The objective of conducting a qualitative risk analysis is to acquire safety against recognized risks and to increase the alertness of management, team members, and all personnel who are vulnerable to them. This method of risk analysis is designed to identify issues that are looked upon as project management impediments, but have the potential to become definite risk factors.

Voice recognition as a biometric authentication method is difficult to measure because:
a. Many factors, including current health and respiration rate, make sampling difficult
b. Computers are not yet fast enough to adequately sample a voice print
c. Voice recognition does not handle accents well
d. Impatience changes voice patterns, which leads to increased False Reject Rates

a. Many factors, including current health and respiration rate, make sampling difficult

In an information system that authenticates users based on userid and password, the primary reason for storing a hash of the password instead of storing the encrypted password is:
a. No one, even system administrators, can derive the password
b. Hashing algorithms are less CPU-intensive than encryption algorithms
c. Hashed passwords require less storage space than encrypted passwords
d. Support personnel can more easily reset a user's password when it is hashed

a. No one, even system administrators, can derive the password

The use of retina scanning as a biometric authentication method has not gained favor because:
a. It is inconvenient to use retina scanning in a darkened room
b. Many users cannot hold their eye open long enough for a scan to complete
c. Users are uncomfortable holding their eye very near the biometric scanning device
d. The human retina changes significantly over time

c. Users are uncomfortable holding their eye very near the biometric scanning device

A security manager is performing a quantitative risk assessment on a particular asset. The security manager wants to determine the quantitative loss for a single loss based on a particular threat. The correct way to calculate this is:
a. Divide the asset's value by the exposure factor
b. Multiply the asset's value times the annualized rate of occurrence
c. Multiply the asset's value times the single loss expectancy
d. Multiply the asset's value times the exposure factor

d. Multiply the asset's value times the exposure factor

A security manager is performing a quantitative risk assessment on a particular asset. The security manager wants to estimate the yearly loss based on a particular threat. The correct way to calculate this is:
a. Multiply the single loss expectancy times the asset's value
b. Multiply the asset's value times the exposure factor
c. Multiply the asset's value times the exposure factor times the single loss expectancy
d. Multiply the single loss expectancy times the annualized rate of occurrence

d. Multiply the single loss expectancy times the annualized rate of occurrence

The 4 risk strategies for addressing the identified risks are

- Risk Prevention/Mitigation/Reduction
- Risk Avoidance
- Risk Transfer
- Risk Retention or Acceptance

Apart from common pitfalls, four other factors can also lead senior management to misdirect the decision making process. What are those -

- Confirmation bias: the human tendency to consciously retrieve information that supports one's own beliefs and views. This may lead management to obtain information that reinforces their views and to overlook potential risks and problems.
- Selective recall: senior management reiterates only facts and information that support their views and beliefs during strategy design. For example, a stakeholder remembers only incidents that support the proposed security policy.
- Biased evaluation: senior management sometimes resorts to biased evaluation during strategy development. Biased evaluation refers to selectively collecting and accepting evidence that supports management's assumptions while ignoring or rejecting evidence against them. For example, during a review of the proposed strategy, management members accept only views supporting the strategy.
- Groupthink: a senior management decision is based on the agreement of the group in order to avoid conflict. For example, stakeholders didn't want the new security policy immediately as they felt it might affect productivity.

Anchoring pitfall Page 16 - Common Pitfalls of Strategy Development.

- Decision making for strategy design is based on a single aspect instead of considering the whole.
- For example, the strategy design focuses on email security and in the process other aspects of IT security, like web security, authorization, authentication etc., might be ignored.

Mental Accounting pitfall Page 16 - Common Pitfalls of Strategy Development.

- Decision making in this pitfall is based on expenses, which may lead to situations where an essential expense is categorized as unnecessary.
- For example, an organization might focus on spreading a virus awareness program rather than spending to protect systems from viruses.

Status Quo Bias pitfall Page 16 - Common Pitfalls of Strategy Development.

- Decision making is affected by reluctance to change one's beliefs and to accept better ideas that would enhance security.
- In practice this can translate to sticking to known practices and procedures even if they are faulty.

What are necessary steps you must consider to develop for Information security strategy?

- Define goals and objectives of the security program.
- Create a business case.
- Describe the desired state of information security.
- Determine the current state of information security.
- Establish an action plan to move from the current state to the desired state.

Describe Digital Signature and advantages. https://www.cgi.com/files/white-papers/cgi_whpr_35_pki_e.pdf

- A digital signature is based on a public and private key pair.
- Data encrypted with the public key can be decrypted with the private key and vice versa.
- In digital signatures, the data is encrypted by the sender using its private key and sent to a receiver holding the sender's public key, which decrypts it with that public key. In this case the sender cannot deny that he sent the file, as it verifies the
- There is a "Non-Repudiation Clause" with digital signatures.

IPSec AH (Authentication Handling) provides only https://www.youtube.com/watch?v=rwu8__GG_rw

- Encapsulation but not encryption of data, hence it doesn't provide confidentiality. It only provides authenticity and integrity.
- AH doesn't work with NAT.

Optimism pitfall Page 15 - Common Pitfalls of Strategy Development.

- Forecasts or predictions made on optimism and without proper risk analysis can go severely wrong.
- Predictions based on optimism must be made only after thorough analysis.

Difference between Symmetric and Asymmetric key encryption.

- In symmetric encryption, the same key is used for encryption and decryption.
- In asymmetric encryption, the data is encrypted with the recipient's public key and decrypted with the recipient's private (secret) key.

False consensus pitfall Page 17 - Common Pitfalls of Strategy Development.

- It is the attitude of senior management to blindly assume that a specific idea, behavior, or view of theirs is accepted by everyone, even though senior management might not have any data to support that assumption.
- This false consensus can cause people to underestimate risks or overestimate the validity of a view or an idea.

While defining Goals and Objective for a security program, what should be your consideration. pg 27

- Goals should be clear, meaningful, measurable and attainable.
- Setting a general goal often prevents defining a specific goal.
- Often the reason an organization does not define a specific goal is lack of awareness.
- Often organizations don't know the different types of information assets used in projects and other activities.
- To overcome this challenge and to define specific security objectives, your goal should be to consider which information is confidential, which is for internal use and which is for public use.
- To achieve these goals, you need to:
  * Recognize and track information assets
  * Categorize information assets based on criticality and sensitivity
  * Determine the principles and procedures for effectively categorizing, storing, retaining and removing the information assets

While designing information security strategy, you need to perform enough research and thorough analysis. Without analysis, even the experienced contributors may design weak strategy. What are the common pitfalls of not doing enough diligence while designing strategy? Page 15 - Common Pitfalls of Strategy Development.

- Overconfidence
- Optimism
- Anchoring
- Status Quo Bias
- Mental accounting
- Herding instinct
- False consensus

During strategy development discussions, stakeholders state that some employees might not read the security policy completely. However, the information security officer reassures everyone that approximately 85% of employees read the policy before accepting it. Identify the pitfall indicated by this situation.
1. Overconfidence
2. Optimism
3. Anchoring
4. Status Quo

- Overconfidence: because the security officer is trying to give a precise estimate of the number of employees who read the security policy without supporting data.

Overconfidence is most common pitfall while developing security strategy. Describe it. Page 15 - Common Pitfalls of Strategy Development.

- Overconfident decision makers blindly believe that they make accurate decisions and may overlook the need for risk assessment and mitigation.
- They often insist on quoting specific estimates without reviewing the range of outcomes.

You've checked that the information security strategy is effective and accurate, however you aren't sure if this is aligned with business goals. The two most important business goals are establishing service continuity and availability and improving customer orientation, and service. Which group or individual is responsible for ensuring the right alignment of information security with the business goals.

- Senior Management (Correct): senior management involvement ensures that the strategy development is aligned with business goals and objectives.
- Information security officer (Incorrect): primarily responsible for implementing security initiatives at all levels, using security plans and policies.
- Executive Management (Incorrect): primarily responsible for strategy development, providing leadership and its implementation.

Caveats of Proxy Firewall Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

- The application/proxy firewall needs to know about your application's functionality in order to protect it. This kind of firewall is very common with web-based applications.
- But if your application is unique, then a proxy firewall may not be able to support it without significant modifications.
- Secondly, these application/proxy firewalls are much slower than packet-scanning firewalls because they have to maintain the state of both client and server and also process the network traffic.
- These firewalls must also run applications similar to the clients', which can also make them vulnerable to application attacks.

Herding Instinct pitfall Page 17 - Common Pitfalls of Strategy Development.

- Decision making is based on peer pressure and on what others are doing, irrespective of whether that is required or compatible with business initiatives.
- This is the human tendency to seek the approval of one's peer group and to accept the general trend.
- Herding instinct can lead to a sudden sensitization in the organization to a specific security aspect or practice.

Advantages of the "Reverse Proxy Firewall" Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

- The reverse proxy must understand how your application behaves and should deny requests as needed.
- For example, your web portal needs mailing addresses, zip codes etc. The proxy should be able to validate the data input and must deny it in case it may cause any malfunction of the web server or a buffer overflow.
- Another advantage is SSL termination. (Note: SSL is processor intensive and hence burdens the device, so SSL decryption is usually performed on a separate device to reduce load.) Since decryption is done on a separate device, the reverse proxy firewall can inspect the plain-text traffic.

Features of the "Reverse Proxy Firewall"

- The reverse proxy firewall works the same way as an application/proxy firewall but is designed to protect the server instead of the clients.
- Clients connecting to the web server may unknowingly be directed to the proxy server, and requests are serviced by the proxy on behalf of the clients.
- The reverse proxy server may also be able to load-balance requests across multiple servers to distribute the workload.

A report of a fire incident in one of your client organizations reaches the team. The team becomes aware of the security measures that the client organization is taking to avoid such incidents in the future. After the incident, the strategy development team wants to direct all its effort and time towards fireproofing of information assets, and lots of resources are invested in it. Executive management repeatedly insists on identifying the fire marshals on premises and conducting fire drills every month. What are the common pitfalls?
1. Herding Instinct
2. Mental accounting
3. Anchoring
4. False consensus

1. Herding Instinct (Correct): the tendency is to join the herd. In this case the herd is the client organization where the security incident occurred.
2. Mental accounting (Incorrect): it involves management team members categorizing money differently from others.
3. Anchoring (Correct): anchoring means a decision is taken based on a specific aspect, trait or piece of information instead of considering the whole.
4. False consensus (Incorrect): it involves making a decision based on the assumption that all members approve of the decision.

Caveats of Packet Filtering Firewalls are Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

1. Packet filtering firewalls do not have visibility into the payload, meaning the data portion of the packets.
2. ACLs are static.
3. This makes it easy for an individual with malicious intent (hacker, cracker or script kiddie) to circumvent the security policy by crafting packets and misrepresenting traffic using well-known port numbers, or by tunneling traffic that is allowed in the ACL.
4. Developers of peer-to-peer applications quickly learned that port 80 allows unobstructed access through the firewalls.

Advantages of Packet Filtering Firewalls are Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

1. Packet filtering through ACLs can be implemented on all network devices like routers, switches, wireless access points and VPN concentrators.
2. Switches can use:
  - Routed access control lists (RACL) at layer 3
  - Port access control lists (PACL) at layer 2
  - VLAN access control lists (VACL), which have the capability to control switched or routed packets on the VLAN
3. It is the quickest way to deploy a security policy against infected devices.

Proxy Firewall Features Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

1. This is an application firewall that acts at Layer 7 of the OSI model.
2. The device acts on behalf of the client as a proxy for requested services. The request is sent to the proxy firewall, and then the proxy firewall, acting on your behalf, opens a web connection to the web page. That information is then transmitted to your web browser.

Which questions should an information security strategy goal answer? Pg 29.

1. Which information is for internal use, which is for public use, and which is confidential?
2. Which procedures guarantee effective storage and deletion of information?
3. Which resources are important to an organization's success?
4. What are the probable types of risks to information security?
Answer: 1 and 3.

The security team is functional and has successfully developed various security initiatives in the organization. The implementation is monitored regularly and course correction plans are made whenever required. This ensures that all security initiatives are aligned with the business objectives and the security architecture of the organization. Which of these features of the development model followed by the team has assured the success of the strategy implementation?
1. Predicts the outcome of strategy implementation using past events.
2. Defines strategy implementation outcome using the mission of the organization.
3. Defines security initiatives targeting specific security aspects.
4. Creates security initiatives that address changes in the business environment.

3. Correct, "Defines security initiatives targeting specific security aspects": the development approach followed by the team is based on the organization's security architecture and, therefore, defines security initiatives.
4. Correct, "Creates security initiatives that address changes in the business environment": the development approach followed by the team is adaptive and, therefore, creates security initiatives that address changes in the business environment.

Brute Force Attack (cracking)

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

An organization recently completed a risk assessment. Based on the findings in the risk assessment, the organization chose to purchase insurance to cover possible losses. This approach is known as:
a. Risk transfer
b. Risk avoidance
c. Risk acceptance
d. Risk reduction

Risk Transfer

What are the different sensitivity levels associated with the information assets?

- Confidential: revealing confidential information may lead to severe financial impact to the organization, which is why this information needs to be guarded with high secrecy. Examples are contracts, business development plans, trade secrets etc.
- Internal Use: this information is for internal use and any leakage may cause adverse impact to the organization in terms of financial and reputational losses. Information assets that fall in this category are training materials, policies and procedures etc.
- Public: any fliers, brochures and advertisements fall in the public category.
After you categorize the information based on its criticality and sensitivity you can develop policies and procedures for retaining and destroying information. These policies and procedures should enable effective information classification, destruction, storage and preservation. They need to be updated on a regular basis.

What are the general sensitivity levels for information assets? Pg 28.

- Confidential: revealing such information may lead to adverse impact to the organization. It needs to be protected with high secrecy and protection. Examples: client contracts, business development plans and trade secrets.
- Internal: information meant only for internal circulation. Any leakage may cause loss of edge over competitors and reputational impact to the organization. Examples: circulars, policies and training material.
- Public: marketing brochures, services provided by the company etc.

There is a recent incident where some information leakage has been reported and you have been assigned to develop the security strategy. Now you need to help the organization select people at various levels. Which are the mandatory roles that need to be represented?
- Senior Management
- Executive Management
- Steering Committee
- Risk Committee

- Correct: Senior Management or the Board of Directors are primarily responsible for identifying critical information assets and their required level of security.
- Correct: Executive Management is critical because they are needed for strategy development, providing leadership and its implementation.
- Incorrect: the Steering Committee is needed at a later stage for uniform implementation across the organization and alignment with business objectives.
- Incorrect: the Risk Committee is part of the Steering Committee and its role is risk management.

What kinds of threats should any organization be prepared for?

- Information is an asset.
- Risks are caused when you employ IT to share the information.
- IT poses risks related to security breaches.
- Virus and malware attacks.

Objectives have to be well defined, Why? Pg 30

Lack of well-defined objectives leads to:
1. Confusion
1a. Unrealistic solutions
2. Lack of direction / losing track
3. Financial losses
4. Waste of resources
Objectives have to be well defined and have to be:
1. Relevant
2. Measurable
3. Achievable

A security manager is developing a data classification policy. What elements need to be in the policy?
a. Sensitivity levels, marking procedures, access procedures, and handling procedures
b. Labeling procedures, access procedures, and handling procedures
c. Sensitivity levels, access procedures, and handling procedures
d. Sensitivity levels and handling procedures

Sensitivity levels, marking procedures, access procedures, and handling procedures

Senior management in your organization wants to implement a security policy to block file sharing applications. This is because most organizations in the industry have implemented this. Management assumes that all stakeholders will agree to this policy implementation. What type of pitfall is the management team failing to avoid?
1. Mental accounting
2. False consensus
3. Herding instinct
4. Anchoring

- False consensus: making a decision based on the assumption that all the members approve of the decision is called false consensus.
- Herding instinct: the tendency to join the herd. In this case the herd is the other organizations in the industry.

An organization suffered a virus outbreak when malware was downloaded by an employee in a spam message. This outbreak might not have happened had the organization followed what security principle:
a. Heterogeneity
b. Fortress
c. Integrity
d. Defense in depth

Defense in depth.

The Risk Avoidance strategy for addressing identified risk means:

- Eliminate activities that involve risks
- Avoid creating activities that involve risks
- A relatively extreme approach

Layer 6 is the Presentation layer:

It acts as the translator between systems, converting application layer information to a common format understandable by different systems. This layer handles encryption and standards such as Motion Picture Experts Group (MPEG) and Tagged Image File Format (TIFF).

Layer 2 is the Data-link layer:

It handles the reliable sending of information. Media Access Control is a component of Layer 2. Data at this layer would be referred to as a "frame."

Layer 1 is the Physical layer:

It is composed of the objects that you can see and some that you cannot, such as electrical characteristics.

What leads organizations to store too much of information? References - Goals, Objectives and Business Cases. Page ~32

It is expensive to design and develop a set of procedures to sort information into critical, useful or obsolete. The absence of good design and procedures leads to storing too much information.

Layer 7 is the Application layer:

It is the user interface to your computer (the programs), for example, word processor, e-mail application, telnet, and so on.

Layer 3 is the Network layer:

It is where IP addressing and routing happen. Data at this layer is considered a "packet."

Layer 5 is the Session layer:

It manages the connections or service requests between computers.

Layer 4 is the Transport layer:

It prepares data for delivery to the network. Transmission Control Protocol is a function of Layer 4, providing reliable communication and ordering of data. Data is split into messages in this layer. NOTE - User Datagram Protocol is also a role of Layer 4, but it does not provide reliable delivery of data.

What are the key elements of Information Security Program business case? pg 34

Key elements of an ISP business case are:
- Security program objective (concise and clear)
- Security program financial proposal (with cost of controls vs. cost of risk)
- Security program performance metrics (with KGIs and KPIs)
- Security program resources
- Security program schedules (budget required and the complete schedule)
- The schedule must be accurate, profitable and achievable to secure funding.
- KPIs are measurements of the success factors of implementation.
- A KGI is an indicator of what has to be achieved.

The Risk Prevention/Mitigation part of the risk strategy means:

Manage liability by structuring activities and programs in ways that reduce or limit institutional risk.

The statement, "Promote professionalism among information system security practitioners through the provisioning of professional certification and training" is an example of a/an:
a. Mission statement
b. Objective
c. Goal
d. Requirement

Mission statement

What are the types of objectives that an information security strategy should include?

- Objectives for risk mitigation: necessary to reduce the negative impact of risks on the organization.
- Objectives aligned with business goals: defining objectives aligned with business goals will help you discover information security activities that can support and drastically improve the business performance of the organization.

The two types of objectives that information security should include are: pg 30

- Objectives for risk mitigation: these are created to reduce the negative impact of incidents on the organization. Examples are virus or malware protection.
- Objectives aligned with business goals: these help you discover information security activities that can support and drastically improve the business performance of the organization. To define objectives aligned with business goals, base your security objectives on the company's strategic business plan.

Most accepted data encryption programs are Reference - http://www.encyclopedia.com/science-and-technology/computers-and-electrical-engineering/computers-and-computing/data-encryption

- PGP: Pretty Good Privacy (PGP), which is considered easy to use.
- SSL: Secure Sockets Layer (SSL), which is used by many companies that accept online credit card orders.
- SET: Secure Electronic Transactions (SET), another popular method of handling credit card purchases that is backed by Visa, Mastercard, Microsoft, IBM, and other major players in electronic commerce.
- DES: Data Encryption Standard (DES), which was invented by IBM in the mid-1970s and became the U.S. government standard.
- RSA is known as a public key encryption system, meaning that many people can use it to encode information, but only the person who holds the key (or knows the value of the two prime numbers) can decode it again.

Packet Filtering Firewalls features are Reference taken from - http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html

Packet-filtering firewalls validate packets based on:
- protocol,
- source and/or destination IP addresses,
- source and/or destination port numbers,
- time range,
- Differentiated Services Code Point (DSCP),
- type of service (ToS), and various other parameters within the IP header.
Packet filtering is generally accomplished using Access Control Lists (ACLs) on routers or switches and is normally very fast, especially when performed in an Application Specific Integrated Circuit (ASIC). As traffic enters or exits an interface, ACLs are used to match selected criteria and either permit or deny individual packets.

An employee with a previous criminal history was terminated. The former employee leaked several sensitive documents to the news media. To prevent this, the organization should have:
a. Reviewed access logs
b. Restricted the employee's access to sensitive information
c. Obtained a signed non-disclosure statement
d. Performed a background verification prior to hiring the employee

Performed a background verification prior to hiring the employee

Purpose of business case and key elements of business case? References - Goals, Objectives and Business Cases. Page 33

The purpose is to provide the justification and argument for why a particular project is needed. Key elements of a business case are:
- Objective
- Cost and return on investment
- Benefits of the program
- Actual risks and success factors
- Resources needed
- TCO (economic estimate of direct and indirect costs involved)
- Do not include assumptions and predictions.

Quantitative Risk assessment

Quantitative risk analysis is more focused on the implementation of safety measures that have been established, in order to protect against every defined risk. By using a quantitative approach, an organization is able to create a very precise analytical interpretation that can clearly represent which risk-resolving measures have been best suited to various project needs. This makes the quantitative approach favored by many management teams, since risk assessments can be clearly represented in empirical forms like percentages or probability charts, and since it emphasizes using tools such as metrics.

TACACS vs RADIUS (Central Authentication Server), and define AAA protocol

- RADIUS: UDP, encrypts passwords, enhanced accounting, standards based.
- TACACS: TCP, encrypts the packet, basic accounting, Cisco proprietary.
- AAA protocol means Authentication, Authorization and Accounting.

Why is information security essential for any organization, and what are the drawbacks of not having an effective security strategy to protect information assets? Pg 28.

Regarding protection of information assets, not having an effective strategy will lead to:
- Accumulation of useless and obsolete data.
- The organization investing large amounts of funds and resources to protect unwanted information or unsafe data.
- Inadvertent deletion of important and required information.
- The organization investing capital, time and resources in protecting useless information.
- Organizations own huge amounts of data, which grow at a constant rate, and any delay in introducing the solution may result in expenditure on protecting unnecessary data.
- Not having proper IS guidelines and policies may lead to malware attacks, virus attacks, hacking of the intranet and theft of confidential information.

The two components of risk management are:
a. Risk assessment and risk analysis
b. Vulnerability assessment and risk treatment
c. Risk assessment and risk mitigation
d. Risk assessment and risk treatment

d. Risk assessment and risk treatment. Also note risk identification and prioritization.
Definition - Risk management is the identification, assessment and prioritization of risks and the subsequent strategy or treatment to minimize their impact.

An organization has a strong, management-driven model of security-related activities such as policy, risk management, standards, and processes. This model is better known as:
a. Risk management
b. Security oversight
c. Security governance
d. Security control

Security Governance

The statement, "Information systems should be configured to require strong passwords," is an example of a/an:
a. Security requirement
b. Security policy
c. Security objective
d. Security control

Security Policy

An organization wishes to purchase an application and is undergoing a formal procurement process to evaluate and select a product. What documentation should the organization use to make sure that the application selected has the appropriate security-related characteristics?
a. Security guidelines
b. Security policies
c. Security requirements
d. Functional requirements

Security Requirements

The primary reason why users are told to use strong passwords is NOT:
a. It is more difficult to "shoulder surf" a strong password because of the additional keystrokes
b. Strong passwords are more difficult for others to guess
c. Weak passwords are susceptible to dictionary attacks
d. Passwords based on easily-discovered facts such as birthdays, spouse and pet names are easily guessed

a. It is more difficult to "shoulder surf" a strong password because of the additional keystrokes

You are now checking if the definition of the information security strategy is effective and accurate. What are the features that you need to check for in the information security strategy definition?

Whether it details:
- Security objectives
- Purposes
- Goals of the organization
- Whether it addresses the security concerns of the stakeholders

CIA is known as:
a. Confidentiality, Integrity, and Availability
b. Computers, Information, and Assets
c. Confidence In Applications
d. Controls, Integrity, and Availability

a. Confidentiality, Integrity, and Availability

Annualized loss expectancy is calculated using which formula:
a. ALE = ARO x SLE
b. ALE = EF x SLE
c. ALE = ARO x AV
d. ALE = ARO / SLE

a. ALE = ARO x SLE
Annualized rate of occurrence (ARO) is described as the estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO.

After completing a risk assessment, an organization was able to reduce the risk through the addition of detective and preventive controls. However, these controls did not remove all risk. What options does the organization have for treating the remaining risk?
a. Accept, avoid, reduce, or transfer
b. None - the organization must accept the risk
c. The organization must either accept or transfer the risk
d. Does not apply: remaining risk cannot be treated further

a. Accept, avoid, reduce, or transfer

One disadvantage of the use of digital certificates as a means for two-factor authentication is NOT:
a. Digital certificates may not be portable across different types of machines
b. The password used to unlock the certificate may be weak and easily guessed
c. It may be possible to steal the certificate and use it on another computer
d. A digital certificate can theoretically be copied, unlike tokens and smart cards which are not easily cloned

a. Digital certificates may not be portable across different types of machines

A smart card is a good form of two-factor authentication because:
a. It contains a certificate on a microchip that is resistant to cloning or cracking
b. It can double as a proximity card for building entrance key card systems
c. It does not rely on internal power like a token
d. A smart card is portable and can be loaned to others

a. It contains a certificate on a microchip that is resistant to cloning or cracking

Exposure factor is defined as:
a. The part of an asset's value that is likely to be lost by a particular threat
b. The probability that the threat will be realized
c. The probability that a loss will occur in a year's time
d. The cost of a single loss

a. The part of an asset's value that is likely to be lost by a particular threat

A security engineer is soliciting bids for a software product that will perform centralized authentication. The engineer has found two products so far: one that is based on LDAP and one that is based on TACACS. Which of the following statements is the best approach?
a. Select the LDAP-based product
b. Do not consider the TACACS-based product, consider the LDAP-based product, and continue looking for other products
c. Select the TACACS-based product
d. Consider the TACACS-based product, and continue looking for other products based on TACACS

b. Do not consider the TACACS-based product, consider the LDAP-based product, and continue looking for other products

An organization employs hundreds of office workers that use computers to perform their tasks. What is the best plan for informing employees about security issues?
a. Include security policy in the employee handbook
b. Perform security awareness training at the time of hire and annually thereafter
c. Perform security awareness training at the time of hire
d. Require employees to sign the corporate security policy

b. Perform security awareness training at the time of hire and annually thereafter

A biometric authentication system that incorporates the results of newer scans into a user's profile is less likely to:
a. Have a lower False Accept Rate
b. Reject future authentication attempts as the user's biometrics slowly change over time
c. Correctly identify and authenticate users
d. Reject an impostor

b. Reject future authentication attempts as the user's biometrics slowly change over time

Annualized loss expectancy is defined as:
a. The annual estimate of loss of all assets based on all threats
b. The annual estimate of loss of an asset based on a single threat
c. The annual estimate of loss of an asset based on all threats
d. The annual estimate of loss of all assets based on a single threat

b. The annual estimate of loss of an asset based on a single threat

A qualitative risk assessment is used to identify:
a. Vulnerabilities, threats, and countermeasures
b. Vulnerabilities, threats, threat probabilities, and countermeasures
c. Assets, risks, and mitigation plans
d. Vulnerabilities and countermeasures

b. Vulnerabilities, threats, threat probabilities, and countermeasures

12. A risk manager has completed a risk analysis for an asset valued at $4000. Two threats were identified; the ALE for one threat is $400, and the ALE for the second threat is $500. What is the amount of loss that the organization should estimate for an entire year?
a. $450
b. $500
c. $900
d. $100

c. $900

Palm scan, fingerprint scan, and iris scan are forms of:
a. Strong authentication
b. Two-factor authentication
c. Biometric authentication
d. Single sign-on

c. Biometric authentication

A security door has been designed so that it will ignore signals from the building's door entry system in the event of a power failure. This is known as:
a. Fail soft
b. Fail open
c. Fail closed
d. Fail secure

c. Fail closed

The reason that two-factor authentication is preferable over ordinary authentication is:
a. Two-factor authentication is more difficult to crack
b. It relies upon something the user knows
c. It relies upon something that the user has
d. Two-factor authentication uses stronger encryption algorithms

c. It relies upon something that the user has

A security manager needs to perform a risk assessment on a critical business application in order to determine what additional controls may be needed to protect the application and its databases. The best approach to performing this risk assessment is:
a. Perform a qualitative risk assessment only
b. Perform a quantitative risk assessment only
c. Perform a qualitative risk assessment first, then perform a quantitative risk assessment
d. Perform a quantitative risk assessment, then perform a qualitative risk assessment

c. Perform a qualitative risk assessment first, then perform a quantitative risk assessment

The impact of a specific threat is defined as:
a. The cost of recovering the asset
b. The cost required to protect the related asset
c. The effect of the threat if it is realized
d. The loss of revenue if it is realized

c. The effect of the threat if it is realized

Risk Retention or acceptance strategy for addressing identified risk means

• Self-insurance
• Deductibles
• Deciding not to purchase an insurance policy for a specific exposure

When an information system authenticates a user based on "what the user is," this refers to the use of:
a. Authorization based upon the user's job title
b. Role-based authentication
c. Two-factor authentication
d. Biometric authentication

d. Biometric authentication

An organization recently underwent an audit of its financial applications. The audit report stated that there were several segregation-of-duties issues that were related to IT support of the application. What does this mean?
a. IT personnel should not have access to financial data.
b. The duties of personnel are not formally defined.
c. IT needs to begin the practice of job rotation.
d. Individuals in IT have too many roles or privileges.

d. Individuals in IT have too many roles or privileges.

A security engineer has recently installed a biometric system, and needs to tune it. Currently the biometric system is rejecting too many valid, registered users. What adjustment does the security engineer need to make?
a. Increase the False Accept Rate
b. Reduce the False Accept Rate
c. Increase the False Reject Rate
d. Reduce the False Reject Rate

d. Reduce the False Reject Rate

The options for risk treatment are:
a. Risk reduction, risk assumption, risk avoidance, and risk acceptance
b. Risk acceptance, risk reduction, risk transfer, and risk mitigation
c. Risk acceptance, risk reduction, and risk transfer
d. Risk acceptance, risk avoidance, risk reduction, and risk transfer

d. Risk acceptance, risk avoidance, risk reduction, and risk transfer

Organizations that implement two-factor authentication often do not adequately plan. One result of this is:
a. Some users will lose their tokens, smart cards, or USB keys
b. Some users will store their tokens, smart cards, or USB keys with their computers, thereby defeating one of the advantages of two-factor authentication
c. Users will have trouble understanding how to use two-factor authentication
d. The cost of implementation and support can easily exceed the cost of the product itself

d. The cost of implementation and support can easily exceed the cost of the product itself

Advantage of Asymmetric Public Key over Symmetric (Private only) Key encryption.

• Simplified key distribution / scalable
• Digital signature
• Long-term encryption

Which of the following statements about Crossover Error Rate (CER) is true:
a. This is the point where the False Accept Rate falls below 50%
b. This is the point where the False Reject Rate falls below 50%
c. This is the point where False Reject Rate and False Accept Rate add to 100%
d. This is the point where False Reject Rate and False Accept Rate are equal

d. This is the point where False Reject Rate and False Accept Rate are equal
The Crossover Error Rate or CER is the value of FAR and FRR when the sensitivity is configured so that FAR and FRR are equal. The Crossover Error Rate is well suited to performing a quantitative comparison of different biometric solutions, applications or devices.
https://www.youtube.com/watch?v=wtvKQFMGVAM

Risk Transfer strategy for addressing identified risk means

• Insurance policies
• Indemnification agreements
• Releases and waivers
