Self-Assessment
Which of these steps would not help you limit or prevent attacks on your systems that attempt to spoof, corrupt, or tamper with data?
A. Ensure that firewalls, routers, and other network infrastructures filter for and block attempts to access network storage without authorization.
B. Develop and use an organizational data model and data dictionary that contain all data-focused business logic; use them to build and validate business processes and the apps that support them.
C. Implement data quality processes that ensure all data is fit for all purposes, in accordance with approved business logic.
D. Implement information classification, and use access control and identity management to enforce it.
A. Option A by itself won't do what is needed; at a minimum, Option D and its implementation of rigorous access control and identity management is necessary to protect network storage resources from being corrupted, tampered with, and so forth. The others are all valuable parts of a data governance and data security/data protection plan.
Which of the following shows the major steps of the information risk management process in the correct order?
A. Assess risks across the organization; identify information security and privacy risks; implement countermeasures; establish security and privacy posture; review supply chain for IT security risk elements
B. Establish basic security posture; review risks; implement countermeasures; ongoing monitoring and assessment; testing; training
C. Set priorities; assess risks; select controls and countermeasures; implement controls; validate correct operation; monitor
D. Develop business impact analysis (BIA); establish risk tolerance levels; implement damage control choices; monitor
C. Option D incorrectly has the BIA first when it has to come after the organization's leadership has agreed to risk tolerance and set priorities. Option B is incorrect, partly because the basic "common-sense" posture is not part of a formal risk management process but a bare minimum immediate set of actions to take if needed. Option A has establishing a posture (which is policy and decisions that drive implementation and operation steps) and implementation in the wrong order.
There are three ways in which risk assessments can be done. Choose the option that orders them from best to least in terms of their contribution to risk management decision making.
A. Qualitative, quantitative, and CVE-based
B. CVE-based, quantitative, and qualitative
C. There is no order; they all can and should be used, as each reveals something more about the risks you have to manage.
D. Quantitative, CVE-based, and qualitative
C. Options A and D reflect biases toward or against qualitative assessments (presumably for being "soft" or potentially based on emotions or intuition) or quantitative ones (the data is too hard to get or validate). Using published Common Vulnerabilities and Exposures (CVE) information can be quite illuminating, but as in Option D, be careful to not just assume that other people's experiences and systems are a good match for your own, or to bow to authoritative statements without carefully considering whether they fit your situation.
Which statement or statements about ports and the Internet is not correct? (Choose all that apply.)
A. Using port numbers as part of addressing and routing was necessary during the early days of the Internet, largely because of the small size of the address field, but IPv6 makes most port usage obsolete.
B. Standard ports are defined for a number of protocols, and these ports allow sender and receiver to establish connectivity for specific services.
C. Standardized port assignments cannot be changed, or things won't work right, but they can be mapped to other port numbers by the protocol stacks on senders' and recipients' systems.
D. Many modern devices, such as those using Android, cannot support ports, and so apps have to be redesigned to use alternate service connection strategies.
A, D. Ports are a fundamental part of the way apps request services from processes running on other nodes on the Internet. Standardized port numbers make application designs easier to manage; thus, port 80 and HTTP are associated with each other. Therefore, Options A and D show a misunderstanding of what ports are and why they are necessary.
CVE data and your own vulnerability assessments indicate that many of your end-user systems do not include recent security patches released by the software vendors. You decide to bring these systems up to date by applying these patches. This is an example of which of the following?
A. Remediating or mitigating a risk
B. Transferring a risk
C. Avoiding a risk
D. Accepting a risk
A. Fixing or applying patches to eliminate a vulnerability is the definition of remediating, mitigating, fixing, or repairing a vulnerability.
What kinds of privileges should be part of what your mandatory access control policies can grant or deny to a requesting subject? (Choose all that apply.)
A. Any privilege relating to reading from, writing to, modifying or deleting the object in question if it was created or is owned by the requesting subject
B. Reading or writing/modifying the metadata associated with an object
C. Modifying access control system constraints, rules, or policies
D. Reading, writing, deleting, or asking the system to load the object as an executable task or thread and run it
B, D. Mandatory access control policies do not allow subjects or objects to modify the security-related aspects of the system, its subjects and objects; thus, granting the privileges in Option A or C cannot be allowed. Options B and D reflect reasonable and prudent access control checks that all systems should perform before granting access but that are not part of mandatory access control policies.
Protection of intellectual property (IP) is an example of what kind of information security need?
A. Privacy
B. Confidentiality
C. Availability
D. Integrity
B. Disclosure of intellectual property in unauthorized ways can end up giving away any competitive advantage that IP might have had for the business.
Patsy is reviewing the quantitative risk assessment spreadsheet for her division, and she sees a number of entries where the annual loss expectancy is far greater than the single loss expectancy. This suggests that:
A. The RTO is later than the RPO.
B. The ARO is less than 1.
C. The particular risk is assessed to happen many times per year; thus its ARO is much greater than 1.
D. This looks like an error in estimation or assessment, and should be further investigated.
C. Option B uses the annual rate of occurrence (ARO) incorrectly; if the ARO were less than 1, the single loss expectancy would in effect be spread over multiple years (as if it were amortized). Option A involves restore time and point objectives, which are not involved in the annualized loss expectancy (ALE) calculation. Option D misunderstands ALE = ARO * SLE (single loss expectancy) as the basic math involved.
Which statement best describes how digital signatures work?
A. The sender hashes the message or file to produce a message digest and applies the chosen encryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding decryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
B. The sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their public key to it. This is the signature. The recipient uses the sender's private key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
C. The sender hashes the message or file to produce a message digest and applies the chosen decryption algorithm and their private key to it. This is the signature. The recipient uses the sender's public key and applies the corresponding encryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
D. The sender encrypts the message or file with their private key and hashes the encrypted file to produce the signed message digest. This is the signature. The recipient uses the sender's public key and applies the corresponding decryption algorithm to the signature, which will produce a matching message digest only if the message or file is authentically from the sender.
C. The incorrect answers show misapplication of the steps of the process. Option A has reversed who encrypts and who decrypts. Option B confuses the use of the sender's public and private key, and if the recipient knows the sender's private key, it must no longer be private. Option D won't work, because decrypting the unencrypted hash won't produce anything that is useful.
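As an added example (not part of this answer key), the hash-then-sign sequence the question describes, carried out with Go's standard library: the sender hashes the message to a digest and applies the private-key operation to that digest (here RSA PKCS#1 v1.5, which wraps the digest in padding before the private-key exponentiation, so it is not a raw encrypt/decrypt of the hash), and the recipient recomputes the digest and applies the sender's public key to the signature. The function names, the sample message, and the runtime-generated keys are this example's own constructions; the three checks show that only the genuine message signed with the sender's private key verifies, while a tampered message or a signature from some other key does not.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is the sender's side: hash the message to a digest, then apply the
// private-key operation (RSA PKCS#1 v1.5 signing) to that digest. The result
// is the signature that travels alongside the message.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the recipient's side: recompute the digest of the message as
// received and apply the sender's public key to the signature. Verification
// succeeds only if the digest recovered from the signature matches the
// recomputed one, i.e. the message is unchanged and was signed with the
// private key that pairs with this public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs three cases and returns their verification outcomes:
// the genuine message, a tampered copy, and a signature made with a key
// that is not the sender's. Keys are generated fresh for the example.
func Demo() (genuine, tampered, impostor bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // not the sender's key
	if err != nil {
		return false, false, false, err
	}

	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig, err := Sign(sender, msg)
	if err != nil {
		return false, false, false, err
	}

	// 1. Unmodified message, sender's public key: digests match.
	genuine = Verify(&sender.PublicKey, msg, sig)

	// 2. Message altered in transit: recomputed digest no longer matches.
	altered := []byte("transfer 900 to account 42")
	tampered = Verify(&sender.PublicKey, altered, sig)

	// 3. Someone without the sender's private key signs the same message;
	//    the sender's public key does not recover a matching digest.
	forged, err := Sign(other, msg)
	if err != nil {
		return false, false, false, err
	}
	impostor = Verify(&sender.PublicKey, msg, forged)

	return genuine, tampered, impostor, nil
}

func main() {
	genuine, tampered, impostor, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", genuine, tampered, impostor)
}
```

The public key alone suffices for verification, which is why the recipient never needs (and must never hold) the sender's private key; a recipient who checks a signature against the wrong public key, or skips recomputing the digest over the message actually received, learns nothing about authenticity.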
What's the least secure way to authenticate device identity prior to authorizing it to connect to the network?
A. MAC address whitelisting
B. Multifactor authentication that considers device identification, physical location, and other attributes
C. Verifying that the device meets system policy constraints as to software and malware updates
D. Devices don't authenticate, but the people using them do.
D. Option D is highly risky and therefore correct: plugging a device into an empty network connection should start a connection handshake that is an opportunity to block an unknown or unauthorized device from joining the network. Options A and C are parts of how Option B performs such an authentication, and therefore B is the most secure approach of the three.
Properly used, cryptographic techniques improve all aspects of information security except:
A. Confidentiality
B. Authentication
C. Nonrepudiation
D. Accountability
D. Options A, B, and C are correct. Option D seems to confuse aspects of access control systems, which do have to keep track of—that is, account for—access attempts and allowed accesses.
What do we use protocols for? (Choose all that apply.)
A. To conduct ceremonies, parades, or how we salute superiors, sovereigns, or rulers
B. To have a conversation with someone, and keep disagreement from turning into hostile, angry argument
C. To connect elements of computer systems together so that they can share tasks and control each other
D. As abstract design tools when we are building systems, but we don't actually build hardware or software that implements a protocol
E. None of the above
A, B, C. Option D is incorrect; almost everything that holds our IT world together is done via directly building protocols into hardware and software. Options A, B, and C are correct and show the human social communications need for signaling each other about the communication we're trying to achieve.
Which of the following are not examples of "shadow IT" contributing to an information security problem? (Choose all that apply.)
A. One user defines a format or style sheet for specific types of documents for others in the division to use.
B. An end user writes special-purpose database queries and reports used to forecast sales and project production and inventory needs, which are reviewed and used at weekly division meetings.
C. Several users build scripts, flows, and other processing logic to implement a customer service help desk/trouble ticket system, using its own database on a shared-use/collaboration platform that the company uses.
D. Users post documents, spreadsheets, and many other types of information on a company-provided shared storage system, making the information more freely available throughout the company.
A, B. The key determiner of whether user-defined and user-maintained "stuff" is shadow IT is the amount of business logic that it embeds or implements; the more such business logic is built into uncontrolled or unmanaged apps or tools, the greater the risk of something going wrong in undetected ways. Thus Option A is not a probable risk; Option B seems to have a lot of frequent, intensive reviews of the results of these queries, which would need to correlate or compare with what the production information systems would show. Option C implements customer relationship management and systems/product maintenance business logic; Option D seems to circumvent information classification, segregation of duties, and other access control principles. Both C and D bear close watching.
Due diligence means which of the following?
A. Pay your debts completely, on time.
B. Do what you have to do to fulfill your responsibilities.
C. Make sure that actions you've taken to fulfill your responsibilities are working correctly and completely.
D. Read and review the reports from subordinates or from systems monitoring data.
C. Options A and B are both examples of due care; due diligence is the verification that everything is being done well and nothing is being done improperly. Option D can be an important part of due diligence, but it is missing the potential for follow-up action.
When comparing the TCP/IP and OSI reference model as sets of protocols, which statement is most correct?
A. Network hardware and systems are built on TCP/IP, whereas the OSI reference model only provides concepts and theories.
B. TCP/IP only provides concepts and theories, whereas network hardware and systems are built using the OSI reference model.
C. Both sets of protocols provide theories and concepts, but real hardware is built around the data, control, and management planes.
D. Hardware and systems are built using both models, and both models are vital to threat assessment and network security.
D. Option D accurately reflects the use of both of these as conceptual models and protocol stacks—by builders, attackers, and defenders alike. Option A reflects an incorrect bias of many network engineers who somewhat dismissively ignore things above the Transport layer. Option B is incorrect, because both models drive the design and use of hardware, software, control, and systems management information. Option C is incorrect, since all three sets of concepts drive the design and operation of real hardware, software, and systems.
Is IPv6 backward compatible with IPv4?
A. No, because the differences in addressing, packet header structure, and other features would not allow an IPv4 packet to successfully travel on an IPv6 network
B. No, because IPv4 packets cannot meet the new security considerations built into IPv6
C. Yes, because IPv6 has services built into the protocol stacks to convert IPv4 packets into IPv6 compatible structures
D. Yes, because the transport and routing protocols are the same
A. Option B is incorrect, because the changes in address field sizes, and therefore packet header structures, have nothing to do with security (although IPv6 does provide enhancements to security). Option C is incorrect; such a conversion could be done by a gateway, but that is not part of IPv6, although IPv6 supports it. Option D is incorrect; although the transport protocols (like TCP and UDP) have not changed, this is not where the incompatibility comes from.
Which statement about how cryptography protects the meaning or content of files and messages is incorrect?
A. Cryptography obscures meaning by misdirection, concealment, or deception.
B. Cryptography obscures meaning by making it difficult or impossible for unauthorized users to access it, view it, copy it, or change it.
C. Cryptography transforms the meaning and content of a file or message into a unique value.
D. Cryptography is part of digitally signing files and messages to authenticate senders.
A. Options B, C, and D all are parts of what cryptography entails and taken together sum it up. Option A is more suggestive of camouflage, honeypots, or other efforts to draw attackers away from what you wish to defend and divert their energies elsewhere, which do not directly involve the use of encryption, hashing, and so forth.
Which of the following statements about social engineering attacks is incorrect?
A. Most targeted individuals don't see the harm in responding or in answering simple questions posed by the attacker.
B. Most people believe they are too smart to fall for such obvious ploys, but they do anyway.
C. Most targeted individuals and organizations have effective tools and procedures to filter out phishing and related scams, so they are now better protected from such attacks.
D. Most people want to be trusting and helpful.
C. Options A, B, and D all demonstrate the hallmarks of social engineering attacks—they work (and have worked for thousands of years) because people are generally trusting, open, and willing to engage with strangers. Option C, the correct choice, is unfortunately not true; tools may help filter out some email-based social engineering attacks, but few organizations have truly been able to operate with a "loose lips sink ships" approach and deal openly with customers, clients, and many other outside stakeholders.
A thunderstorm knocks out the commercial electric power to your company's datacenter, shutting everything down. This impacts which aspect of information security?
A. Privacy
B. Confidentiality
C. Integrity
D. Availability
D. If the equipment cannot run because there is no power, then no data stored in it can be displayed, printed, or shared with users—data is not available. Some transactions may have to be recovered and rerun once the power comes back up and everything is turned on again, but only if transactions were lost completely would there be a data integrity concern.
Which of the following activities are not part of information risk mitigation?
A. Implementing new systems features or capabilities to enhance product quality
B. Incident management and investigation, after a suspected information security breach
C. Installing and testing new firewall, switch, and router systems and settings
D. Developing an information classification policy and process
D. Improving product quality is a laudable goal, but in and of itself it is not related to information systems security; thus Option A is incorrect. Option B refers to activities after an incident; mitigation activities happen before an incident occurs or result from lessons learned because of the incident. Option C is most likely being done to implement new or revised security policies. Option D is part of information risk management and should precede information risk mitigation.
Which statement about business continuity planning and information security is most correct?
A. Plans are useful only because they start the development of detailed procedures and processes, and thus, there is no need to maintain or improve such plans.
B. Planning is more important than the plans it produces.
C. Plans represent significant investments and decisions and thus should be updated only when significant changes to objectives or circumstances dictate.
D. Planning should continuously bring plans and procedures in tune with ongoing operational reality.
D. Planning should be an ongoing, continuous, and iterative process; plans are thus continually tested against reality so that changes to plans and procedures stay harmonized. Thus, Option D is most correct. Option C, unfortunately, is a commonly held view and can lead to work being done to obsolete ideas or to assumptions long since proven to be incorrect by reality. Option B is good but not as correct and complete as D. Option A is incorrect; effective plans define and prioritize objectives, lay out major tasks and processes, assign resources to achieve those, and define success criteria for each; plans should be manageable and measurable.
Which statement correctly describes why CVE data should be part of your vulnerability assessments?
A. It should provide most if not all of the vulnerability information you need to implement risk mitigation.
B. Since hackers use CVE data to aid in planning their attacks, this should be the first place you look for insight as you do emergency hardening of your IT systems. Once these obvious vulnerabilities have been mitigated, a more complete vulnerability assessment should be done.
C. It's a great source of information for known systems elements and known vulnerabilities associated with them, but it does nothing for vulnerabilities that haven't been reported yet or for company-developed IT elements.
D. Since the vast majority of systems in use are based on Windows, if your business does not use Windows platforms you can probably avoid the expense of investigating CVE for vulnerability information.
C. Option B does correctly state the risk that attackers may know more about your systems than you do, if you haven't thoroughly checked CVE data as part of your vulnerabilities assessment. But it incorrectly goes on to suggest that you fix these first—they may not relate to your organization's highest-priority impacts as spelled out by the BIA. Option A is therefore false. Option D is also false, since even the most Linux-based of organizations will probably have non-Linux systems elements (such as network components) that CVE could have information about.
Which of the following might be legitimate ways to transfer a risk? (Choose all that apply.)
A. Recognize that government agencies have the responsibility to contain, control, or prevent this risk, which your taxes pay them to do.
B. Pay insurance premiums for a policy that provides for payment of claims and liabilities in the event the risk does occur.
C. Shift the affected business processes to a service provider, along with contractually making sure they are responsible for controlling that risk or have countermeasures in place to address it.
D. Change the underlying business process to use more secure software and hardware systems.
A, B, C. Option D is typically an example of remediating, sometimes called fixing or mitigating the risk.
What kind of information is part of an information risk assessment process? (Choose all that apply.)
A. Lost revenues during the downtime caused by the risk incident, including time it takes to get things back to normal
B. Damage to equipment or facilities, or injury or death to people
C. Estimated costs to implement chosen solutions, remediations, controls, or countermeasures
D. Total costs to create an asset that is damaged or disrupted by the risk event
A, B. Option C is the safeguard value, which we cannot compute until we have completed risk assessment and vulnerability assessment, and then designed, specified, or selected such controls or countermeasures. Option D is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without it.
Explain the relationship between confidentiality and privacy, if any:
A. Confidentiality is about keeping information secret so that we retain advantage or do not come to harm; privacy is about choosing who can enter one's life or property.
B. Confidential information is information that must be kept private, so they really have similar meanings.
C. Privacy laws allow criminals to hide their actions and intentions from society, but confidentiality allows for the government to protect defense-related information from being leaked to our enemies.
D. Confidentiality is the freedom to choose whom we share information with; privacy refers to information that is specifically about our individual lives, activities, or interests.
A. Keeping information secret means agreeing to limit or control how (or if) that information can be passed on to others. Privacy is the freedom from intrusion into your own affairs, person, property, or ideas. The other options either confuse confidentiality with privacy or do not use the concepts correctly.
Which statement is incorrect as to how you should use RTO, MAO, and RPO in planning information risk management activities?
A. Return to operations (RTO) is the desired time to get all business processes back into operation, whether on backup or workaround systems or on production systems brought back to normal. The recovery priority objective (RPO) sets priorities for which systems to bring up first or which business processes to get back into operation before others (of lower priority).
B. Recovery point objective (RPO) establishes the maximum amount of data that is lost due to a risk event. This could be in numbers of transactions or in units of time and indicates the amount of rework of information that is acceptable to get systems back into normal operation.
C. Recovery time objective (RTO) must be less than or equal to the maximum acceptable outage. MAO sets a maximum down time (outage time) before mission impact becomes unacceptable; RTO can be used to emphasize faster-than-MAO restoration.
D. Maximum acceptable outage (MAO) relates to the mission or business objectives; if multiple systems support those objectives, then all of their recovery time objectives (RTOs) must be less than or equal to the MAO.
A. Option A is a misstatement of RTO and RPO.
In general, what differentiates phishing from whaling attacks?
A. Phishing attacks tend to be used to gain access to systems via malware payloads or by getting recipients to disclose information, whereas whaling attacks try to get responsible managers to authorize payments to the attacker's accounts.
B. Phishing attacks are focused on businesses; whaling attacks are focused on high-worth individuals.
C. Whaling attacks tend to offer something that ought to sound "too good to be true," whereas phishing attacks masquerade as routine business activities such as package delivery confirmations.
D. Whaling attacks send out huge numbers of emails attempting to lure targeted individuals into responding or following a link; phishing attacks use telephones or other means of making personal contact with a selected target.
A. Option A is correct; phishing tends to seek information, and whaling (and spear phishing) seeks action, typically the release of funds to the attacker. Option B is incorrect; whaling is primarily aimed at senior business leaders, whereas phishing can be aimed at anybody, anywhere, if the attacker perceives there is something worthwhile to learn in doing so. Option C has these reversed; whaling attacks depend on credibility of the business transaction they request. Option D is incorrect, since it reverses key characteristics of whaling and phishing.
Which statement about subjects and objects is not correct?
A. Subjects are what users or processes require access to in order to accomplish their assigned duties.
B. Objects can be people, information (stored in any fashion), devices, processes, or servers.
C. Objects are the data that subjects want to access in order to read it, write to it, or otherwise use it.
D. Subjects are people, devices, or processes.
A. Subjects, by definition, want to do something that involves an object. Thus, Option A has these roles reversed. Subjects can be any kind of entity that can take action. Objects contain information but also can provide requested services—that is, take action upon request—so Options B and C are correct.
Which statement about a reference monitor in an identity management and access control system is correct?
A. It should be tamper-resistant.
B. Its design and implementation should be complex so as to defeat reverse engineering attacks.
C. It's an abstract design concept, which is not actually built into real hardware, operating systems, or access control implementations.
D. It is part of the secure kernel in the accounting server or services provided by strong access control systems.
A. The reference monitor is the functionality that checks every access attempt to see if it should be authorized or denied. As a result, Option D is false (accounting is a record keeping function, necessary to access control but done after the access request is granted or denied). Option C is false, since the reference monitor is in fact implemented in operating systems (typically in their security kernel) or as part of a trusted computing base (TCB) module on a motherboard. Option B is the reverse of what's required; we need to be able to inspect, analyze, and verify that the logic and code of the reference monitor does its job completely and correctly and that it does nothing else if we are to consider it highly trustworthy.
What kind of malware attacks can corrupt or infect device-level firmware? (Choose all that apply.)
A. SNMP-based attacks that can trigger the device to download and install a firmware update remotely
B. Remote or onsite device management (or mismanagement) attacks that allow a hacker to initiate a firmware update using a hacked firmware file
C. Phishing or misdirection attacks that fool operators or users into initiating an upload of a hacked firmware file
D. None, because firmware updates require operator intervention to download trusted updates and patch files from the manufacturer's or vendor's websites, and then initiate and monitor the update and restart of the device
B, C. Option A is false; Simple Network Management Protocol (SNMP) by itself cannot trigger a device to download and install a firmware patch file. Option D is false, because that operator action can be misdirected to use the wrong file as the update. Option B may be true in some cases, if the device is set to allow remote management from other than a connected endpoint system such as a laptop or smartphone. Attacks like those in Option C happen a lot!
In which phase or phases of a typical data exfiltration attack would an attacker probably not make use of phishing? (Choose all that apply.)
A. Reconnaissance and characterization
B. Data gathering, clumping, masking, and aggregating
C. Installing and using covert command and control capabilities
D. Initial access
B, C. Phishing and many other social engineering tactics have played a major role in over 60 percent of major data breaches in the past few years. Such tactics have high payoff to the attacker during their search for a possible target, gathering information about its systems and security, and then their initial entry into the target's systems. Thus Options A and D are likely phases for phishing attacks, and incorrect answers to this question (note the "not make use"). Options B and C are almost exclusively done surreptitiously, exploiting information that social engineering may have revealed to the attacker; few if any signs of phishing in these activities have been noted.
In access control authentication systems, which is riskier, false positive or false negative errors?
A. False negative, because they lead to a threat actor being granted access
B. False positive, because they lead to a threat actor being granted access
C. False negative, because they lead to legitimate subjects being denied access, which impacts business processes
D. False positive, because they lead to legitimate subjects being denied access, which impacts business processes
B. A positive result of an authentication test means that the claimant is who (or what) they claim to be. Thus a false positive is allowing an incorrect identity to access the system, which probably is a threat actor. A negative result denies an identity's claim to be who (or what) they claim to be. Thus a false negative denies a legitimate identity from system access. Thus, Options A and D incorrectly use the concept of negative and positive authentication results (correct and false). While Option C is true, Option B indicates the situation of greatest risk—a threat actor has been legitimized and granted access.
Which of the following statements about man-in-the-middle (MITM) attacks is most correct?
A. Session stealing attacks are not MITM attacks.
B. MITM attacks can occur at any layer and against connectionless or connection-oriented protocols.
C. This basic attack strategy can be used at any layer of the protocols where there is connection-oriented, stateful communication between nodes.
D. MITM attacks can work only at Layer 4.
B. From the Physical layer on up, the injection of unauthorized traffic into a network can cause almost any protocol to fall for a "mistaken identity" that leads to an MITM attack. Session stealing (Layers 5 and 7) is a prime example, making Option A false. Option C is incorrect, since IP (Layer 2) is inherently connectionless and prone to MITM attacks. Option D is also false, as session stealing (and others) demonstrates.
How might you keep a gap from becoming a blind spot in your information security defenses? A. Transfer this risk to insurers or other parties. B. Ensure that systems elements around the gap provide sufficient detection and reporting capabilities so that an event of interest occurring in the gap cannot spread without being detected. C. Ensure that other systems elements can either detect or report when an event of interest is happening within the gap. D. You can't, as by definition the gap is where you have no appreciable security coverage, and this includes having no monitoring or detection capabilities.
B. If Option A or C were plausible, then you wouldn't actually have a gap. Option D correctly defines the gap but fails to consider how to mitigate the risk posed by the gap.
Which set of steps correctly shows the process of identity management? 1. Proofing 2. Provisioning 3. Review 4. Revocation 5. Deletion A. 1, 2, 3, 4, and then 5 B. 2, 3, 4 C. 1, 2, 4, 5 D. 2, 3, 5
B. Item 1, proofing, is part of provisioning, and thus Options A and C are incorrect. Item 5, deletion, happens after revocation, but it is a cleanup of files, assets, and records, and is more properly part of a records retention and housekeeping process. It is not part of identity management per se. Thus Option D is incorrect. Option B correctly reflects that we start by provisioning an identity, we continually review the privileges assigned to it versus the needs of the job and the organization, and then we revoke it.
What are all of the choices we need to make when considering information risk management, and what's the correct order to do them in? 1. Treatment: accept, treat (fix or mitigate), transfer, avoid, recast 2. Damage limitation: deter, detect, prevent, avoid 3. Perspective: outcomes, assets, process or threat based 4. Impact assessment: quantitative or qualitative A. 1, 2, 3, then 4 B. 3, 4, 2, then 1 C. 4, 3, 2, then 1 D. 2, 3, 1, then 4
B. Item 3, perspective, should reflect priorities, risk appetite or tolerance, and decision-making culture, and this has to lead all risk management activities. Next comes Item 4, which feeds into the BIA. Item 2 should be a product of the business impact analysis (BIA) process, because it combines costs or magnitude of impacts with acceptable damage limitation strategies. Finally, we choose what to fix, transfer (pay someone else to worry about), accept, or avoid, and any residual risk is recast or re-expressed to reflect these decisions.
We often hear people talk about the need for information systems to be safe and reliable. Is this the same as saying that they need to be secure? A. No, because reliability has to do with failures of equipment, errors in software design or use, or bad data used as input, whereas security is focused on keeping the systems and their data safe from intrusion or unwanted change. B. Yes, because the objective of information security is to increase our confidence that we can make sound and prudent decisions based on what those information systems are telling us and, in doing so, cause no harm. C. Yes, because all information and information systems are built by humans, and humans make mistakes, so we need strong safety rules and procedures to keep from causing harm. D. No, but they have ideas in common. For example, data integrity can lead to unsafe operation, but information security by itself cannot identify possible safety consequences.
B. Option A incorrectly ignores that failures in security design or practice can lead to data input or systems usage that might be safe and reliable tomorrow, for example, but not today. Option C, true as far as it goes, does not address security at all. Option D incorrectly ignores that the vulnerability assessments that should drive security measures are all based on consequences if the risk becomes real.
Which of the following best explains symmetric encryption? A. Uses one key to encrypt blocks of text to be ciphered and another key to decrypt it back B. Uses the same key or a simple transform of it to encrypt clear text into ciphertext, and then decrypt the ciphertext back into plaintext C. Was used extensively in classical encryption but has since been superseded by much stronger asymmetric encryption D. Is best suited to cleartext that has a very high degree of regularity to its structure and content
B. Option A is an incomplete description of asymmetric encryption; Option C is false, since hybrid systems are in widespread use; and Option D is unrelated to symmetric or asymmetric encryption.
Which statement about single-factor versus multifactor authentication is most correct? A. Single-factor is easiest to implement but with strong authentication is the hardest to attack. B. Multifactor requires greater implementation, maintenance, and management but can be extremely hard to spoof as a result. C. Multifactor authentication requires additional hardware devices to make authentication properly secure. D. Multifactor authentication should be reserved for those high-risk functions that require extra security.
B. Option A is false; each additional factor checked increases the challenge an attacker has to overcome to spoof an identity claim. Option C is false; hardware is only needed for factors involving what the subject has, such as a keyfob code generator or biometric factors. Option D is tempting, and high-risk functions might be best protected with additional security measures, but compared to Option B, it is not as compellingly correct.
What important role does systems monitoring perform in support of incident management? A. They are not related; monitoring is a routine task that uses trend analysis and data analytics to determine whether past systems behavior and use has been within expected bounds. B. Essential; by bringing together alert and alarm indicators from systems and their associated security controls and countermeasures, monitoring is the watchdog capability that activates incident response capabilities and plans. C. Incident response includes its own monitoring and alarms capabilities, so systems monitoring provides a good backup or alternate path to determining whether an incident is occurring. D. Ongoing, continuous monitoring is used to adjust or fine-tune alarm threshold settings so that false alarm rates can be better managed.
B. Option A misstates the role of ongoing monitoring and conflicts with Option B. Option C suggests a redundant set of capabilities, which may be mission critical for a select few organizations but is not common. Option D may be a useful capability, but it is not the reason for ongoing monitoring.
What is information risk? A. The threat that your computers, online storage, or cloud-hosted or other data could be hacked into and data stolen or changed B. The probability of an event occurring that disrupts your information and the business processes and systems that use it C. Vulnerabilities in your information systems that can be exploited by a threat actor and cause harmful impacts D. The probability that management and leadership's directions and communications will be misunderstood, causing the wrong actions to be taken by stakeholders, possibly causing financial loss, injury, or death
B. Option B is the simplest and most effective definition of information risk. Options A and C do not include probability of occurrence (risks are not certain to happen), and describe how risks become events rather than what the risk actually is. Option D is one example, but it does not define information risk.
Which statement about subnetting is correct? A. Subnetting applies only to IPv4 networks, unless you are using classless interdomain routing. B. Both IPv4 and IPv6 provide for subnetting, but the much larger IPv6 address field makes this a lot simpler to design and manage. C. Subnetting in IPv4 involves the CIDR protocol, which runs at Layer 3; in IPv6, this protocol, and hence subnetting, is not used. D. Because the subnet mask field is so much larger in IPv6, it is easier to subnet in this newer protocol stack than in IPv4.
B. Options A and C both incorrectly leave out subnetting in IPv6 and misstate what classless inter-domain routing (CIDR) is about, even though the two options say different incorrect things about CIDR. Option D is partly correct in that IPv6 does have a 16-bit subnet field, and as Option B says, the overall address field size makes subnetting much easier to do, but there is no subnet field in IPv4.
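To make the contrast in Option B concrete, here is an added Python example (not part of the study guide) that splits an IPv4 block at an arbitrary CIDR prefix length and, for IPv6, counts and extracts the 16-bit subnet ID that sits between a /48 site prefix and the /64 interface boundary. The /48 site layout and the documentation-range prefixes (192.0.2.0/24, 2001:db8::/32) are assumptions of the example.

```python
import ipaddress

# Added example, not from the study guide. Prefixes are constructed values
# from the documentation ranges (192.0.2.0/24 and 2001:db8::/32), chosen so
# the numbers stay readable.


def ipv4_subnets(block: str, new_prefix: int) -> list[str]:
    """Split an IPv4 CIDR block into equal subnets with a longer prefix.

    CIDR means the prefix length is arbitrary: there is no fixed subnet
    field in an IPv4 address, the designer simply borrows host bits."""
    net = ipaddress.IPv4Network(block, strict=True)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the block's prefix")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def ipv4_usable_hosts(prefix: int) -> int:
    """Usable addresses in an IPv4 subnet: the all-zeros (network) and
    all-ones (broadcast) addresses are reserved, so two are lost per subnet."""
    return 2 ** (32 - prefix) - 2


def ipv6_subnet_count(site_prefix: str) -> int:
    """Number of /64 subnets inside a site prefix. With the conventional /48
    site allocation (assumed here) that is the 16-bit subnet ID field: 2**16."""
    site = ipaddress.IPv6Network(site_prefix, strict=True)
    return 2 ** (64 - site.prefixlen)


def ipv6_subnet_id(site_prefix: str, subnet: str) -> int:
    """Extract the subnet ID of a /64 that lies inside a /48 site prefix.

    Bits 48..63 of the 128-bit address carry the subnet ID; the low 64 bits
    are the interface identifier and play no part in subnetting."""
    site = ipaddress.IPv6Network(site_prefix, strict=True)
    net = ipaddress.IPv6Network(subnet, strict=True)
    if site.prefixlen != 48 or net.prefixlen != 64:
        raise ValueError("expects a /48 site prefix and a /64 subnet")
    if not net.subnet_of(site):
        # Failure mode: a /64 from some other site has no subnet ID here.
        raise ValueError(f"{subnet} is not inside {site_prefix}")
    return (int(net.network_address) >> 64) & 0xFFFF


if __name__ == "__main__":
    print(ipv4_subnets("192.0.2.0/24", 26))            # four /26 blocks
    print(ipv4_usable_hosts(26))                        # 62
    print(ipv6_subnet_count("2001:db8:abcd::/48"))      # 65536
    print(hex(ipv6_subnet_id("2001:db8:abcd::/48",
                             "2001:db8:abcd:1234::/64")))  # 0x1234
```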
Which of the following statements best summarizes the benefits of using trusted platform modules (TPMs) as part of an organization's IT infrastructure? A. Because they have onboard hardware implementations of encryption, hashing, and key generation, they greatly simplify the use of certificate authorities and the public key infrastructure (PKI). B. As a trust root, a TPM can make hierarchies of trust more reliable. C. The TPM replaces the host system's random number generators and hash routines with its hardware-accelerated, more secure versions. This enhances system security as well as runtime performance. D. As a signed part of operating systems kernels, TPMs make it possible to validate software updates more reliably.
B. Since TPMs are special, sealed hardware modules added to the motherboards of computers or phones by their manufacturers, Option D is incorrect, even though TPM device driver software must be incorporated into most OSs to enable their use. Option A is incorrect; the TPM doesn't simplify this but allows for a more trustworthy hardware storage and management of certificates, digital signatures, and so forth. Option C is not correct; these functions in the OS and host hardware remain, while all the TPM provides is its own implementations with which it secures keys, manages certificates, and hashes (preserves) machine identification information.
Which statement about privacy and data protection is the most correct and most important? A. International standards and agreements specify that personally identifiable information (PII) and information about an individual's healthcare, education, work, or credit history must be protected from unauthorized use or disclosure. B. It's up to the organization that gathers, produces, uses, or disposes of such private data to determine what protection, if any, is needed. C. Storing backup or archive copies of privacy-related information in a datacenter in another country, without doing any processing there, does not subject you to that country's data protection laws. D. Sometimes, it seems cheaper to run the risk of fines or loss of business from a data breach involving privacy-related data than to implement proper data protection to prevent such a loss. While this might make financial sense, it is not legal or ethical to do so.
D. Option A is false; no such agreements apply worldwide. At best, regulations like the General Data Protection Regulation (GDPR) apply to EU member states. Option B is true as far as it goes, but with a catch: if the organization guesses wrong, it could end up in serious legal trouble in multiple jurisdictions. Option C is false; storage of data in a center in another country must involve movement of data from your jurisdiction into the one the datacenter is in, and movement in the reverse direction when you need to use the backup. In almost all cases, data protection laws and regulations apply to data in use, at rest, and in motion. Option D correctly illustrates the need to ensure that professional ethics have a voice in making risk management decisions.
As an SSCP, you work at the headquarters of a retail sales company that has many stores around the country. Its training department has prepared different training materials and operations manuals for in-store sales, warehouse staff, and other team members to use in their jobs. Almost all of these describe procedures that people do as they work with each other or with customers. From an information security standpoint, which of the following statements is correct? A. Since these all describe people-to-people interactions and processes, they are not implemented by the IT department, and so they're not something that information security is concerned with. B. Most of their content is probably common practice in business and retail sales and so would not be trade secrets, company proprietary, or private to the company. C. Although these processes are not implemented in IT systems, the documents and videos themselves are hosted in company-provided IT systems, and so information security requirements apply. D. If the company has decided that the content of these training materials is proprietary or company confidential, then their confidentiality must be protected. They must also be protected from tampering or unauthorized changes and be available to staff in the stores to use when they need them if the company is to do business successfully. Therefore, information security applies.
D. Options A and C are confusing information, and our systems or processes for using it, with the technologies with which we create, store, and use that information. Option B is a partial answer (it does not address anything other than confidentiality) and might be true, but this is a decision that company leadership and management should make (on advice from the SSCP). Option D is most complete and correct.
Which is the most correct statement as to what it means to have a proactive approach with your information security risk management plans, programs, and systems? A. Being proactive means that your countermeasures and controls can actively trace back to identify, locate, and characterize your attackers, which can help you both in defending against them and in potentially seeking legal redress. B. Senior leaders and managers in many businesses appreciate active, thoughtful, forward-looking approaches, and you will find it easier to gain their support. C. Proactive information security systems allow your security specialists to take real-time control of all systems elements and bring all information about events of interest into one common operational picture. This greatly enhances your ability to detect, characterize, and contain incidents. D. Being proactive means that you use the best knowledge you have today, including lessons learned from other organizations' experience with information risk, and you plan ahead to use these lessons to deal with these risks, rather than wait for them to occur and then investigate how to respond to them.
D. Proactive means thinking ahead and planning for contingencies, rather than being reactive (waiting until things break). Option A is both wrong and probably illegal in most circumstances. Option B might be true, but it is a general statement about "being proactive" rather than specifically about information security. Option C describes an integrated information security management approach.
When choosing your countermeasures and tactics to protect hardware and systems software, you should start with which of the following? A. Published Current Vulnerabilities and Exposures (CVE) databases B. The information systems baseline that documents the systems your organization uses C. Your organization's business impact analysis D. Your organization's IT vulnerabilities assessment
D. Starting with Option A is a common-sense approach to quickly implementing some reasonable and prudent protection, but it lacks any judgment as to which vulnerabilities are important to your organization's risk management strategy and which are not. Option B is the systems inventory, and you will need it because it describes the as-built systems. Option C is what drives D. Therefore, start shopping for countermeasures with D in hand.
Nonrepudiation relies on cryptography to validate that: A. The sender or author of a document or file is who the recipient thinks it is B. The file or message has not been tampered with during transit or storage C. The file or message has not been viewed by others or copied without the sender's and named recipient's knowledge D. The certificate, public key, or both associated with the sender or author match what is associated with the file or message
D. While Option A is tempting, cryptographic processes cannot confirm that the certificate and key are correctly associated with a specific human or organization. The Certificate Authority (CA) does that through other (noncryptographic) means, and as an anchor in the chain of trust, attests that this person and this certificate go together. Thus Option D is correct. Option B refers to integrity and Option C to confidentiality, which are not directly part of nonrepudiation.
You're the only IT person at a small tool and die machine shop, which uses a LAN and cloud-hosted platforms to run the business on. The previous IT person had told your boss not to worry about the business being the target of a cyberattack. Which statement best lets you explain the real risks the company might face? A. Since we don't handle consumer-level payment cards, and we really don't have any proprietary information, we probably don't have to worry about being a target. B. We do share an extranet connection with key customers and suppliers, but it should prevent an attack on our systems that could lead to an attack on theirs. C. Our cloud systems hosting company provides most of our security, and as long as we keep our systems on the factory floor and the workstations our staff use properly updated, we should be okay. D. Since we haven't really done even a basic vulnerabilities assessment, we don't know what risks we could be facing. Let's do that much at least, and let that tell us what the next step should be. Soon.
D. While Option A may be true, it is naïve and incorrect; the air conditioning company that serviced Target stores didn't handle retail (credit card) sales either, yet attackers found it to be an ideal entry into Target's payment processing systems. Option C is also incorrect; your cloud hosts will protect their systems, and their platforms, from malware attacks from your connections, but attackers who spoof bogus, privileged accounts into your systems can still destroy your business's presence in those cloud systems. Option B is incorrect; without doing a detailed vulnerability assessment of that architecture, you are at risk in making this assumption. Option D offers the boss a sensible first step.
What is a zero-day exploit? A. An exploit conducted against a vulnerability within the same day as it is reported B. An exploit that impacts a system immediately, rather than having a delayed effect like ransomware or scareware does C. There are no real zero-day exploits, but the mass media has exaggerated the dangers of unreported vulnerabilities D. An exploit conducted against a newly discovered vulnerability before it becomes known to the cybersecurity community or the system's vendor or owners
D. While some zero-day exploits have been discovered and exploited within the same day, typically after the release of a new software product to the market, attackers need to spend considerable time on most newly discovered vulnerabilities to understand them well enough to design an exploit against them, and then find a suitable target. So Option A is not correct. Option B incorrectly refers to exploits that leave behind payloads or features that will take action later. Option C incorrectly associates the media reporting of cybersecurity, in general, with the time from discovery to exploitation of a vulnerability.