CIS4361 - Information Assurance and Security - Chapter 1

Vulnerability

A condition that leaves the system and its assets open to harm—including such things as software bugs, insecure passwords, inadequate physical security, and poorly designed networks. A vulnerability is a weakness or deficiency that enables an attacker to violate the system's integrity.

Control

A countermeasure that you put in place to avoid, mitigate, or counteract security risks due to threats or attacks.

Policy

A policy is a high-level statement that identifies the organization's intentions.

Common Vulnerabilities and Exposures (CVE) system

A public dictionary of vulnerabilities that facilitates the sharing of data among organizations, security tools, and services. In a sense, the CVE normalizes data about a vulnerability so that fixing or mitigating the issue is less of a challenge. The CVE is maintained by the non-profit MITRE Corporation and receives funding from the U.S. Department of Homeland Security.

Develetech is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed up copy, and it will also help uphold integrity in case someone tampers with the database. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?

A strong way to secure confidentiality is through encryption. Encrypting the database will deter unauthorized users from making sense of the stored data. You could also implement access control to prevent an intrusion before it even begins. This will keep your databases out of the hands of an attacker. In addition, you can implement physical security measures in case an attacker has in-person access to these databases.

Exploit

A technique that takes advantage of a vulnerability to perform an attack. Exploit may also refer to a packaged form of the technique, such as an application or script that automates the technique so that even an unskilled attacker can use the exploit to perform an attack.

A quantitative assessment of risk attempts to assign a monetary value to the elements of risk, as in the following formula

AV (Asset Value) X EF (Exposure Factor) = SLE (Single Loss Expectancy)

Fill in the blanks by selecting the appropriate security policies from the lists

Acceptable use policies outline general or specific behaviors that the organization believes will either reduce, increase, or have no effect on risk. Account management policies outline the responsibilities that administrators have in keeping various identity data secure and supportive of business objectives. Data classification policies outline how an organization chooses to categorize the different levels of data sensitivity. Data retention policies stipulate how and when organization should store data within its systems, and how and when the organization should purge that data.

Examples of common security policies found in many organizations

Acceptable use policy Account management policy Password policy Data ownership policy Data classification policy Data retention policy

What are the specific types of risk that could affect Develetech as it expands its business?

Answers will vary, as there are many potential risks. Additional offices and warehouses will require an infrastructure overhaul, which will require a reevaluation of infrastructural integrity. Certain physical assets, including computers and networking equipment, may not be able to sustain an increase in operational capacity. More personnel may increase the risk of a safety incident. Failing to understand and adhere to laws and regulations, especially when moving operations into a foreign country, may create legality issues for the organization. Financially, a security breach could cost the organization a great deal, and its reputation may suffer as a result.

You've identified a risk to the availability of your file servers at peak traffic hours. How would you prefer to calculate Develetech's risk exposure in this area? What are the strengths and weaknesses of the analysis you've chosen, and why do you think it's more beneficial than the others?

Answers will vary, but most organizations choose a combination of both quantitative and qualitative analysis methods with an emphasis one way or the other. The advantages of quantitative analysis are that it calculates values that can be used to determine appropriate safeguards and it's easy to communicate results. The disadvantages are that it's an expensive, time-consuming process; it sometimes involves complicated calculations; some of the precision may be illusory because of estimated values or risks; and some areas are very difficult to quantify. For qualitative analysis, the advantages are that it's faster and cheaper, and it leverages the experience of your team in determining the biggest risks rather than drowning in math. The disadvantages are that it's hard to use for budgeting of safeguards, and it ranks risks but does not give a good idea of the absolute costs of each. There is also potential value in semi-quantitive analysis, which may be able to mitigate the shortcomings of the previous methods. When it comes to risk, there is not necessarily an objectively right answer. Students may need more information about a situation before the best approach becomes obvious.

Develetech, a relatively large electronics manufacturer, is looking to expand its business domestically and internationally over the next couple of years. This may include everything from taking on new staff to establishing additional offices and warehouses. Why would these changes necessitate the development of an ERM strategy?

Answers will vary, but significant changes can bring about risk in many different ways. It may become more challenging to secure sensitive information and keep it out of unauthorized hands, or it may simply require more resources to secure more at-risk areas. Managing risk to information and systems will help your enterprise avoid legal and financial disasters. Additionally, there will be pressure from stakeholders, customers, and regulatory entities to conform to their expectations and meet standardization requirements. There is also the chance that an increase in the amount of communications in the enterprise will exponentially increase the amount of risk that these communication channels take on. You need to make sure that changes to your enterprise can uphold risk management expectations.

Threat

Any event or action that could potentially cause damage to an asset or an interruption of services. A threat is something or someone that can take advantage of vulnerabilities.

Asset

Anything of value that could be compromised, stolen, or harmed, including information, physical resources, and reputation.

Which of the following anti-malware solutions provides real-time protection?

Avast AVG Windows Defender Malwarebytes Anti-Malware AVG, Avast, Malwarebytes Anti-Malware, and Windows Defender are some antimalware solutions that provide real-time protection. These software identify and eliminate more than just virus-type malware. HitmanPro and Malicious Software Removal Tool do not provide real-time protection. These anti-malware solutions only detect and eliminate malware in an ad hoc scan of a system.

An attacker is entering your systems by exploiting a known hole in the operating system. This is best described as what type of a threat?

Backdoor A backdoor into a system can be used as an avenue for hackers to obtain undetected access. It is a way for an attacker to bypass authentication methods to gain access to a system. Spyware is a software package that gets installed on a system without the user's knowledge, and gathers personal or other sensitive information, potentially changing the computer's configuration. A botnet is a set of infected computers, called zombies, which act on behalf of a controlling system. It might take a website offline through a distributed denial-of-service attack. Logic bomb is a piece of code that sits dormant on a target computer until it is triggered by a specific event, such as a specific date. Once the code is triggered, the logic bomb detonates, and performs whatever actions it was programmed to do.

Besides its in-house technology, Develetech may decide to change its core business strategy. Recently, the executive officers at the company have been discussing the viability of moving to a cloud provider for most of the company's web hosting infrastructure. How would a move to the cloud impact your risk assessment?

Because the software and hardware would be out of your immediate reach, the entire infrastructure of your web hosting services may need to be reassessed. Depending on the cloud provider's transparency, you may not be able to conduct as full of an assessment as you'd like, relying instead on the cloud company to provide you with risk information. You may not necessarily have all of the facts to truly assess how these cloud services could compromise the enterprise. You must also be prepared for the possibility that your security requirements and standards won't necessarily apply to the cloud provider; depending on the nature of your relationship with them, they may adhere to their own standards, which you find inadequate.

Which of the following is an open source network monitor for a Unix-based system that includes custom scripting languages which allow users to set detection rules and action policies?

Bro Bro is an open source network monitor for a Unix-based system that includes custom scripting languages which allow users to set detection rules and action policies. It can function as NIDS/HIDS (network intrusion detection system/host-based intrusion detection system).

TOGAF divides security architecture into four different domains

Business architecture Applications architecture Data architecture Technical architecture

Fill in the blanks by dragging the appropriate types of business documents from the bottom onto their correct boxes

Business impact analysis: Identifies present organizational risks and determines the impact to ongoing, business-critical operations and processes Interoperability agreement: Outlines a business partnership or collaboration in which all entities exchange some resources while working together Business partnership agreement: Defines how an alliance between business entities will be conducted, and what exactly is expected of each entity in terms of services, finances, and security Operating-level agreement: Identifies and defines the working relationships between groups or divisions of an organization

Which of the following is a team of security professionals that respond to computer security incidents, report on vulnerabilities, and promote effective IT security practices to the private and public sectors?

CERT CERT (Computer Emergency Response Team) is a team of security professionals that provide incident response services to the private and public sectors. There are several well-known CERT teams, like the CERT Division and the United States Computer Emergency Readiness Team (US-CERT), that partner with diverse industries to enhance their cybersecurity and to disseminate key security information to the public. ISO (International Organization for Standardization) facilitates a series of standards that governments and industries can adhere to have common guidelines for processes and operations at the international level. RFC (Request for Comments) is a collection of documents that detail standards and protocols for Internet-related technologies. It was designed during the early creation of the Internet to help organize new information and ideas. ISF (Information Security Forum) is an independent, not-for-profit organization that looks at key issues in security and risk management, and develops best practices that meet the needs of its members.

Click to select the guidelines that are essential while assessing risk in the enterprise

Conduct thorough audits of cloud providers that host your assets. Determine what a threat is, where it comes from, and what risk it poses to the enterprise. Consider lost or continually shared assets in the event of a demerger or divestiture. Implement an ESA to more easily define your security expectations.

Click to select the layers of the SABSA framework

Contextual Conceptual Logical Physical Component Operational

The COBIT Frameworks (Control Objectives for Information and Related Technology)

Control Objectives for Information and Related Technology (COBIT) was created by ISACA® (which originally stood for Information Systems Audit and Control Association, but which is now used only in its acronym form). COBIT provides a framework for IT management and governance that was initially released in 1996, but has since been updated periodically, with version 5 of COBIT released in 2012. COBIT includes frameworks, process descriptions, control objectives, management guidelines, and maturity models.

Which of the following processes refers to the transferring of the malicious data from one system to another?

Data exfiltration The malicious transfer of data from one system to another is called data exfiltration. In a post-attack scenario, attackers are able to stay hidden on compromised systems even after the main incident has concluded. Whether by lateral movement, pivoting, or any other APT technique, the attacker gains access to private data that could put the organization in jeopardy if it were captured by unauthorized users.

Click to select the strategies that are used to mitigate risk in worst case scenarios

Determine controls that will help prevent or mitigate an extreme scenario. Identify what vectors these threats can take to instigate extreme scenarios. Identify the motivations of these threats. Identify what exactly you risk by failing to prevent an extreme event. Gather intelligence to identify threats that can instigate extreme scenarios.

In which of the following attacks, attackers access files from a location that they are not authorized to access?

Directory traversal Directory traversal is an attack in which attackers access files from a location that they are not authorized to access. The attacker does this by ordering an application to backtrack through the directory path so that the application reads or executes a file in a parent directory. The XSS (cross-site scripting) attack is a type of application attack where the attacker takes advantage of scripting and input validation vulnerabilities in an interactive website to attack legitimate users. A DoS (denial-of-service) attack is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. SQL injection involves adding SQL programming statements to input supplied by a user or an application. To identify SQL injection vulnerabilities in a web app, an attacker must test every single input to include elements such as URL parameters, form fields, cookies, POST data, and HTTP headers.

What is used to define the baseline, goals, and methods for securing a business?

ESA framework

In choosing which risks to prioritize in your mitigation efforts, you use an aggregate CIA score to make a determination. How will you calculate this score, and how will you determine which risk to prioritize?

Each risk is divided into the three components of the CIA triad (confidentiality, integrity, availability), and each component is scored based on how valuable it is to the organization. This value is multiplied by how harmful the risk is to produce a total amount of risk. The totals for each of the three components are added together to form the aggregate score. The risk with the highest aggregate score should be the first priority.

There are several elements that make up a vulnerability's entry in the CVE

Each vulnerability has an identifier that is in the format: CVE-YYYY-####, where YYYY is the year the vulnerability was discovered, and #### is at least four digits that indicate the order in which the vulnerability was discovered. Ex: CVE-2016-4890

What is ESA Frameworks?

Enterprise security architecture (ESA) is a framework used to define the baseline, goals, and methods used to secure a business. When focused on risk, ESAs start with an assessment of the risk and quantify how internal and external threats and vulnerabilities manifest themselves to the organization; they then proceed to the mitigation of each specific threat, vulnerability, and risk.

Which of the following incident handling tools is used for recovery of deleted data?

Foremost TestDisk TestDisk and Foremost incident handling tools are used for recovery of deleted data. Clonezilla and FTK Imager incident handling tools are used for creating disk images. Cian & Abel is a password cracking tool.

Special Publication 800-14

Generally Accepted Principles and Practices for Securing Information Technology Systems, provides a comprehensive information assurance framework that is directed toward "management, internal auditors, users, system developers, and security practitioners." This document provides "an understanding of the basic security requirements most IT systems should contain."

Guidelines

Guidelines are recommended, non-mandatory controls that support standards or that provide a reference for decision making when no applicable standard exists.

Which of the following is a proprietary SIEM tool that has a limited trial version?

HP ArcSight HP ArcSight is a proprietary SIEM tool that has a limited trial version. It helps customers to organize and track incident response activities, identify and prioritize security threats, and simplify audit and compliance activities. Splunk is a proprietary SIEM tool that has a paid cloud-based version, a paid enterprise version, and a limited free version for individuals. It helps an organization in real-time monitoring, investigation, and much more. IBM QRadar is a proprietary SIEM that provides real-time visibility, reduces and prioritize alerts, offers multi-tenancy, operates across on-premises and cloud environments, and much more. OSSIM (Open Source Security Information Management) is an open source SIEM that is delivered as its own operating system, rather than an independent application. It increases security visibility and control in user's network.

You are a network administrator of a bank. You discover that someone has logged in with a user account access, but then used various techniques to obtain access to other user accounts. What is this called?

Horizontal privilege escalation Privilege escalation is the process of obtaining access using legitimate credentials and then attempting to leverage that into accessing unauthorized system resources. When the process involves trying to access resources that have the same access level (such as one user trying to access another user's account), it is called horizontal privilege escalation. Vertical privilege escalation is the process of attempting to access sources with a higher access, such as a user account trying to access admin privileges. Account management is a common term used to refer to the processes, functions, and policies used to effectively manage user accounts within an organization. Session hijacking is an attack that exploits a computer during an active session to obtain unauthorized access to data, services, and networks.

Which of the following protocols does a port scanner generally use to perform the preliminary check to determine what devices on the network are alive?

ICMP ICMP (Internet Control Message Protocol) is generally used by a port scanner to perform the preliminary check to determine what devices on the network are alive and responding before a real port scan is carried out. This is done for optimization reasons, as a full port scan of all 65,535 ports for both the UDP and TCP protocols can be time-consuming. DHCP (Dynamic Host Configuration Protocol) is a protocol that automatically provides an IP host with its IP address and other related configuration information such as the subnet mask and default gateway. HTTPS (Hyper Text Transfer Protocol Secure) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. LDAP (Lightweight Directory Access Protocol) enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

The ISO Model

ISO/IEC 20000, published in 2005, was the first international standard for IT management. It was based on the BS 15000 standard developed by the British Standards Institution (BSI). The 2013 edition of ISO/IEC 27001 provides comprehensive guidance on information assurance principles and processes

Who among the following are audiences for a pen test report?

IT manager Chief information officer Chief information security officer Audiences for a pen test report are the chief information officer (CIO), the chief information security officer (CISO), the IT managers, and other information and physical security managers. These people go through the pen test report according to their role and level of expertise.

There are several additional risk management processes that you can put into place to mitigate risk in your enterprise

Identify exemptions Use deterrence Identify inherent risk Identify residual risk

One of the possibilities involved in expanding Develetech is the adoption of new technology. Your CEO may decide to drop legacy products or even drop certain vendors altogether and replace them. What are the important things to remember about assessing new products and technologies, along with threats that inevitably come with them?

If a new product or technology is introduced, you need to determine how large of an impact this will have on your operations. Small changes within your organization may not require a review of the ERM strategy, unlike large changes. You also must take into account what these products interact with, especially if that happens to be sensitive company data. Each product and technology may have its own set of vulnerabilities that you need to test for, even if that product or technology fulfills the same basic role. Consulting with other departments and legal counsel may also aid you in your assessment. Like products and technology, threats are evolving and you must understand how they target your systems not just now, but on a recurring basis.

In which of the following attacks, an attacker pretends to be someone else?

Impersonation In an impersonation attack, the attacker pretends to be someone else. For example, calling the victim and pretending to be a technical support representative. The goal is typically to learn passwords or proprietary information that will assist in a more significant break-in.

The Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) databases

In addition to the CVE, the MITRE Corporation also maintains the Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) databases. The CWE focuses on enumerating software vulnerabilities, while CAPEC classifies specific attack patterns. These databases also tag each entry with a specific ID for easy reference.

Consequence

It is a security violation that results from a threat action.

Which of the following is executed when a certain predefined event occurs?

Logic bomb A logic bomb is a malware that executes its malicious activity when a certain condition is met, often when a certain date/time is reached. For example, a logic bomb can execute when a user logs on to a computer or presses certain keys on the keyboard. It can also execute on a particular date or time specified by developers

COBIT 5 promotes the following five principles

Meeting stakeholder needs Covering the enterprise end-to-end Applying a single, integrated framework Enabling a holistic approach Separating governance from management

Examples of ESA frameworks include

National Institute of Standards and Technology Special Publication (NIST SP) 800-37 Control Objectives for Information and Related Technology (COBIT®) Information Technology Assurance Framework (ITAF™) The Information Technology Infrastructure Library (ITIL®) International Organization for Standardization (ISO®) 27001/ISO 27002 Sherwood Applied Business Security Architecture (SABSA®) The Open Group Architecture Framework (TOGAF®)

Ann, a pen tester, wants to list host information like host operating system and IP addresses of all the active hosts on a network. Which of the following tools would be suited for this task?

Nmap Nmap helps the pen tester to list host information like host operating system and IP addresses of all the active hosts on a network. It is an open source network scanning tool and comes with a GUI version, Zenmap. Cain & Abel is a freeware password cracking tool which helps in password cracking by using many hashing algorithms. hping is an open source spoofing tool which helps in assisting pen testers to craft network packets to exploit vulnerable IDSs (intrusion detection systems) and firewalls. Nessus is a vulnerability scanning tool which intends to help pen testers in identifying weaknesses in their targets.

Roma works as the head of the threat intelligence group for a company. She and her team reported an alert stating that there is a critical vulnerability in the kernel. Unfortunately, the organization's asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?

OS fingerprinting A cybersecurity analyst should perform an OS fingerprinting scan across all hosts. It is the technique of determining the type of operating system and services a target uses by studying the types of packets and the characteristics of these packets during a communications session. By analyzing certain protocol flags, options, and data in the packets a device sends onto the network, a security analyst can get information about the vulnerability that occurs in the kernel.

Which of the following is an open source SIEM developed by AlienVault delivered as its own OS, rather than an independent application?

OSSIM OSSIM (Open Source Security Information Management) is an open source SIEM that is delivered as its own operating system, rather than an independent application. It increases security visibility and control in user's network. Splunk is a proprietary SIEM tool that has a paid cloud-based version, a paid enterprise version, and a limited free version for individuals. It helps an organization in real-time monitoring, investigation, and much more. HP ArcSight is a proprietary SIEM tool has a limited trial version. It helps customers to organize and track incident response activities, identify and prioritize security threats, and simplify audit and compliance activities. IBM QRadar is a proprietary SIEM that provides real-time visibility, reduces and prioritize alerts, offers multi-tenancy, operates across on-premises and cloud environments, and much more.

Which of the following statements are true of external pen testing? Each correct answer represents a complete solution. Choose all that apply.

Objective in nature Causes illegal attacks on the organization network Testers involved have more extensive skills External pen testing involves external testers who perform penetration testing on a daily basis for a wide variety of customers and have more extensive skills. The testers involved do not have social connections within the organization and thus are objective in nature. This type of testing causes illegal attacks on the organization network as the authority is given to an external party. Internal pen testing is less expensive. External pen testing involves hired testers which is an expensive process.

Which of the following are the information assurance principles and processes provided by the 2013 edition of ISO/IEC 27001?

Organization of information security Human resource security Communication security Asset management Access control Cryptography

Select the security procedures from the lists

Patching: Keeps vulnerabilities in software from being exploited by a malicious user Compensating control: Mitigates a risk when a primary security control fails or cannot completely meet expectations Remediation planning: Includes steps to remove or suspend a system from production while the error is corrected Exception management: Provides security personnel with compensating controls that reduce the risk or transfer it elsewhere Control testing: Tests the control's efficacy at reducing risk, and weigh that against its cost Evidence production: Supports the forensic investigation process after a security incident

Which of the following uses active tools and security utilities to find security by simulating an attack on a system?

Penetration test A penetration test, or pen test, uses active tools and security utilities to evaluate security by simulating an attack on a system. It will verify that a threat exists, then will actively test and bypass security controls, and finally will exploit vulnerabilities on the system. A honeypot is a practice that tricks the attacker into believing that they are causing actual damage to system, which enables the security team to analyze the attacker's behavior. Incident response is the process in which an organization reacts to and reports security breaches within an acceptable time period. Packet crafting is a method of manually generating packets to test the behavior of network devices, enabling a hacker to enumerate firewall or intrusion detection rules that are in place.

A security administrator wants to manage both local and remote hosts together on a Windows system. Which of the following can a security administrator use to accomplish this?

PowerShell Windows PowerShell is a scripting language and shell for Microsoft Windows built on the .NET Framework. PowerShell is used by administrators to manage both local and remote hosts as it integrates with WMI. It offers much greater functionality than the traditional Windows command prompt. PowerShell functions mainly through the use of cmdlets, which are specialized .NET commands that interface with PowerShell. TOS (trusted operating system) is an operating system security technique that isolates resources and services from applications. WSDL (Web Services Description Language) is an XML-based protocol for transmitting and receiving information used in web applications to a variety of device types. PsExec is a Windows-based remote access service that doesn't require setup on the host for being accessed remotely.

Procedures

Procedures are step-by-step instructions on tasks required to implement various policies, standards, and guidelines.

Classes of Information

Public information, which presents no risk to an organization if it is disclosed, but does present a risk if it is modified or not available. Private information, which presents some risk to an organization if competitors were to possess it, if it were modified, or if it were not available. Restricted information, which might be limited to a very small subset of the organization primarily at the executive level (e.g., corporate accounting data), where unauthorized access to it might cause a serious disruption to the business. Confidential information, which would have significant impact to the business and its clients if it were disclosed. Client account information like user names and passwords, personally identifiable information (PII), protected health information (PHI), payment card information/ cardholder data (CHD), and personal data covered by the UK Data Protection Act (DPA) would be in this category.

Risk Analysis Methods

Qualitative: Uses descriptions and words to measure the likelihood and impact of risk Quantitative: Analyzes data using historic records, experiences, statistical theories, testing, and experiments Semi-quantitative: Provides an intermediary level between the two risk analysis types and creates a hybrid method

Which of the following password attacks calculates all the possible hashes for a set of characters and stores them in a table?

Rainbow A rainbow attack is the fastest method of password cracking. This method of password cracking is implemented by calculating all the possible hashes for a set of characters and then storing them in a table known as the Rainbow table. A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. In a brute-force attack, an attacker uses software that tries a large number of key combinations to get a password. When an attacker performs a dictionary as well as a brute-force attack, the attack is known as a hybrid attack. In this method, the attack is performed through the dictionary attack method by adding numerals and symbols to dictionary words.

Which of the following consists of a group of characters that describe how to execute a specific search pattern on a given text?

Regular expression A regular expression (regex/regexp) is a group of characters that describe how to execute a specific search pattern on a given text. They are a much more powerful way to search for specific strings in a text than standard string searches. Search operations using regular expressions use a common syntax, which includes various special characters that have specific uses. Behavioral analysis is the process of identifying the way in which an entity acts, and then reviewing future behavior to see if it deviates from the norm. Directory traversal is the practice of accessing a file from a location that the user is not authorized to access. The attacker does this by ordering an application to backtrack through the directory path so that the application reads or executes a file in a parent directory. Input validation is a technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

Which classification denotes information that only certain personnel in an enterprise are authorized to access?

Restricted

Which of the following involves deconstructing existing hardware or software to its basest level?

Reverse engineering Reverse engineering involves deconstructing existing hardware or software to its basest level. It assists in analyzing system's and application's structure to provide details about its functions. Sandboxing is a technique that isolates untrusted data in a closed virtual environment to conduct tests and analyze the data for threats and vulnerabilities. Sandboxes are used for testing application code during development and analyzing potential malware. Virtualization is the process of creating a virtual version of something, such as a server, a storage device, an operating system, or network resources.

Risk is often considered to be composed of three factors, as expressed in the following formula

Risk = Threats X Vulnerabilities X Consequences

A firewall vendor has discovered an obscure design flaw in one of their products. Correcting the flaw would be cost prohibitive, and it is an obscure flaw that would only affect a very small number of customers. Rather than recalling the product, the vendor had decided to simply leave the product as it is. This is best described as what type of risk response technique?

Risk acceptance The scenario best describes the risk acceptance risk response technique. It occurs when the cost of correcting or ameliorating the risk is more than the cost of exploiting the risk. Based on the cost-benefit analysis, it is best to accept the risk. Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk. Risk transference is the process of passing a risk on to another entity. For example, insurance is risk transfer in which the burden of the risk is transferred from an organization to the insurance carrier. Risk mitigation is the process of lowering the risk to an acceptable level. For example, downloading files from the Internet is a risk. Using an anti-virus product that scans the Internet downloads is an example of risk mitigation.

Fill in the blanks by selecting the appropriate risk response techniques from the lists

Risk avoidance: Implies that risk has been completely eliminated (reduced to zero) Risk transference: Moves the responsibility for managing risk to another organization, such as an insurance company or an outsourcing provider Risk mitigation: A process of implementing controls and countermeasures to reduce the likelihood and impact of risk to an organization Risk acceptance: A response in which an organization identifies, analyzes a risk and determines whether or not the risk is within the organization's appetite

Risk Exposure

Risk exposure is the property that dictates how susceptible an organization is to loss. When quantified, risk exposure is usually defined as the product of the probability that an incident will occur and the expected impact or loss if it does occur.

How is Risk Management defined?

Risk management is typically defined as the cyclical process of identifying, assessing, analyzing, and responding to risks.

Bob works as a security administrator for a company. He is concerned about the risk of smart phones which is introducing security risks to the network. However, many employees need these devices for their work. So, he decides to allow smart phones only if they meet specific security criteria. Which risk response technique is best for him to implement?

Risk mitigation Risk mitigation is the process of taking steps to reduce a given risk to an acceptable level. The risk is not eliminated, but steps are taken to reduce either the likelihood and/or severity of the risk being exploited.

Which of the following aspects of identity schemes leads to privilege creep when roles are poorly defined?

Role Role-based identity leads to privilege creep when roles are poorly defined, violating the principle of least privilege and increasing an entity's chance of being a vector for an attack. Meaningful and thorough role definition is the most important remedy for this issue.

Which ESA framework consists of six layers and guides organization in risk-based approaches to implement security controls that uphold critical business objectives?

SABSA SABSA (Sherwood Applied Business Security Architecture) is an ESA framework created in 1995 based on the Zachman Framework. Its purpose is to guide organization in risk-based approaches to implement security controls that uphold critical business objectives. It is based on six layers of security architecture: contextual, conceptual, logical, physical, component, and operational. ITIL (Information Technology Infrastructure Library) is a set of IT management practices for aligning IT services with the needs of the business. The 2011 edition is the current publication. COBIT (Control Objectives for Information and Related Technology) was created by ISACA (Information Systems Audit and Control Association). It includes frameworks, process descriptions, control objectives, management guidelines, and maturity models. TOGAF (The Open Group Architecture Framework) provides high-level strategies for designing and implementing various dimensions of an organization's security architecture. It was created in 1995 and is based on the U.S. Department of Defense's TAFIM (Technical Architecture Framework for Information Management).

Which of the following frameworks is based on Zachman Framework?

SABSA (Sherwood Applied Business Security Architecture)

The single loss expectancy (SLE) value represents the financial loss that is expected from a specific adverse event. If you know how many times this loss is likely to occur in a year, you can calculate the cost on an annual basis

SLE (Single Loss Expectancy) X ARO (Annual Rate of Occurrence) = ALE (Annual Loss Expectancy)

Rose, a company's security officer, frequently receives reports of unauthorized personnel having access codes to the cipher locks of secure areas in the building. Rose should immediately implement which of the following to resolve this issue?

Security awareness training Rose should immediately implement security awareness training program. Security awareness and training include explaining policies, procedures, and current threats to both users and management. It can do much to assist in your efforts to improve and maintain security. A good security awareness training program for the entire organization should cover the following areas: importance of security; responsibilities of people in the organization; policies and procedures; usage policies; account and password selection criteria as well as social engineering prevention.

Who is responsible for providing technical support to other team members when dealing with fully designed systems?

Security specialist The security specialist is responsible for providing technical support to other team members when dealing with fully designed systems.

Drag the practice that should be incorporated in security policies and procedures from the bottom onto its description

Separation of duties: Divides the responsibility of a task to more than one individual to prevent fraud and error Job rotation: Refers to a management tool in which employees are shifted to different departments in order to expose them to all verticals of an organization Incident response: Defines monitoring and reporting requirements for incidents that involve security breaches or suspected breaches Least privilege: Dictates that users or systems should only have the minimal level of rights that is necessary to complete the job

Standards

Standards consist of specific low-level mandatory controls that help enforce and support policies.

Which of the following TCP/IP protocol is used to communicate logs to another system, uses UDP port 514, and is compatible with all the operating systems?

Syslog Syslog is a TCP/IP protocol which is used to communicate logs to another system, uses UDP port 514, and is compatible with all the operating systems. It has a centralized logging infrastructure that consists of clients, server, storage, and management and filtering software.

Which of the following protocols developed by Cisco provides full encryption and communication over TCP for clients requesting access to network resources?

TACACS+ TACACS+ (Terminal Access Controller Access Control System Plus) is developed by Cisco that provides full encryption and communication over TCP for clients requesting access to network resources. It divides the authentication and authorization components into multiple packets. LDAPS (Secure Lightweight Directory Access Protocol) is a method of implementing LDAP using SSL/TLS encryption protocols to prevent eavesdropping and man-in-the-middle attacks. RADIUS follows a two-step process for managing network access and implements AAA for users requesting remote access to a network service. Its communication is done over UDP (User Datagram Protocol), which means that there is no inherent reliability or error correction involved, which could impact the availability of the AAA mechanism. LDAP (Lightweight Directory Access Protocol) is a directory access protocol that runs over TCP/IP networks. It is used by services like Active Directory and OpenLDAP.

Which of the following categories of security controls monitors and prevents threats to systems and services?

Technical

Security Control Categories

Technical controls are hardware or software installations that are implemented to monitor and prevent threats and attacks to computer systems and services. Physical controls are security measures that restrict, detect, and monitor access to specific physical areas or assets. Administrative controls monitor an organization's adherence to security policies and procedures.

Common Vulnerability Scoring System (CVSS)

The CVSS is a risk management approach where vulnerability data is quantified and then the degrees of risk to different types of systems or information are taken into account. Since it is an open source formula for risk quantification, the CVSS is easily modified to fit a specific organization's needs.

The ITIL Model

The Information Technology Infrastructure Library (ITIL) is a comprehensive IT management structure derived from recommendations originally developed by the United Kingdom Government's Central Computer and Telecommunications Agency (CCTA) in the 1980s. These grew over time to become the first version of ITIL, which by the year 2000 was comprised of more than 30 books covering various aspects of IT service management. In 2001, the set was consolidated, reorganized, and pared down to a more manageable nine sets of publications, and the CCTA became part of the United Kingdom Treasury's Office of Government Commerce (OGC). ITIL is now owned and managed by AXELOS, a private commercial organization.

The NIST Framework and Models

The National Institute of Standards and Technology (NIST) publishes numerous documents on a wide range of security topics, such as encryption standards, guidelines for compliance with legal regulations, mobile device security, and cloud computing. NIST's 800 Series of Special Publications focus on computer security.

TOGAF

The Open Group Architecture Framework (TOGAF) is an ESA framework that provides high-level strategies for designing and implementing various dimensions of an organization's security architecture. TOGAF was created in 1995 and is based on the U.S. Department of Defense's Technical Architecture Framework for Information Management (TAFIM).

The SABSA Framework

The Sherwood Applied Business Security Architecture (SABSA) is an ESA framework created in 1995 based on the Zachman Framework. Its purpose is to guide organization in risk-based approaches to implement security controls that uphold critical business objectives.

How is the annual loss expectancy (ALE) value calculated?

The annual loss expectancy (ALE) value is calculated by multiplying an SLE by its ARO to determine the financial magnitude of a risk on an annual basis.

You've analyzed the application flaw and discovered that it could allow an unauthorized user to access the customer database that the app integrates with, if the app uses poor input validation. If an attacker were to access the database this way, they could glean confidential customer information, which would have a high impact on your business. However, you determine that your app's current input validation techniques account for all known exploits of this kind. How will you respond to this risk?

The answer is debatable and may require more careful analysis. However, some may argue that the strong input validation controls already in place imply that you should just accept the risk and save yourself the time, effort, and cost of an active response. Others will say that this is inadequate because it only accounts for known values, and that an attacker could find a way around the validation. This would necessitate a response like mitigation, in which more application security controls are implemented to harden the app against attack. Some might suggest transferring the risk to another organization that can provide more reliable security. Some might even argue that the risk to your customers' confidentiality is too great, and that you should avoid the risk entirely by dropping the internally developed app and using a different solution.

What is ERM (enterprise risk management)?

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization

Aggregate CIA Score

The highest risks are rated at a 10. The lowest risks are rated at a 1. Data having no risk (for example, public data) is rated at a 0.

Attack

The intentional act of attempting to bypass one or more security services or controls of an information system.

What are the functions of a technical expert or a liaison to law enforcement? Each correct answer represents a complete solution. Choose all that apply.

To communicate an incident to authorities To share relevant evidence with authorities without overburdening them with trivial information Technical experts or liaisons' functions are to share relevant evidence with authorities without overburdening them with trivial information. They are also responsible for communicating an incident to authorities that can take legal actions. To know the hardware used and the virtualized environments in the organization are some of the important actions that should be taken when an organization is preparing for a forensic investigation.

What is the function of a sinkhole?

To reroute malicious outbound traffic from an organization's network Sinkhole reroutes malicious outbound traffic from an organization's network. It provides a specific place to apply specialized security analysis tools to the malicious outbound traffic. MAC (mandatory access control) places an access attribute on an object. It enforces explicit access control necessary to mitigate incidents involving privilege exploitation. Threat actors are used to denote an attacker is of a certain type. These have various methods of motivations, operations, and intentions. SMiShing is a type of attack that tricks a victim into revealing information by using text messages. It is a type of criminal activity using social engineering.

U.S. Military Classification System

Top Secret. Secret. Confidential. For Official Use Only.

UK Government Classification System

Top Secret. Secret. Official.

In which of the following attack does attackers target specific groups or organizations, discover which websites they frequently use, and inject malicious code into those websites?

Watering hole In watering hole attacks, attackers target specific groups or organizations, discover which websites they frequently use, and inject malicious code into those sites. When at least one member of the group or organization is infected, they compromise the rest.

Which of the following physical tools is a disk controller that accesses a drive in read-only mode and is also an important tool for securing the integrity of evidence?

Write blocker Write blocker is a disk controller that accesses a drive in read-only mode and prevents the operating system from writing data to a disk and is an important tool for securing the integrity of evidence. Tamper-proof seals help in identifying an evidence bag or other forensic container that has been accessed by an unauthorized personnel, which can deter people from compromising the integrity of evidence. Removable media is used to store data when quick offload or transfer data to a removable storage device is required to maintain a backup of the evidence. Drive adapters are used when a user wants to analyze an internal drive, collected as an evidence, from his forensics workstation.

During their risk assessment, your team has identified a security flaw in an application your organization developed. To conduct a proper analysis of how this could bring risk to your enterprise, what are some of the questions you need to ask?

You should ask how easily exploitable the flaw is, and what the scope of an exploit could be. Can an exploit expose confidential information? Can it crash the app or otherwise render other systems unavailable? What attack vectors exist that could allow an attacker to carry out this exploit? What mitigation plans, if any, are in place to address this flaw? How easily and quickly can you patch the flaw, and how will you deploy it so that all of the app's users are covered?

You've identified compliance to be one of the biggest concerns for the expansion. How will both internal and external compliance factors influence your risk assessment?

Your internal staff needs to comply with your ERM plan once it has been put in place. This usually means that training certain staff is required; otherwise, they might not be properly equipped to meet compliance requirements. Because internal users access your systems constantly, they can bring a great deal of risk. Externally, your organization must comply with all applicable laws and regulations. Even failure to comply with non-legally binding, industry-accepted standards may place your organization's finances or reputation in jeopardy. However, external compliance will not guarantee security. You may find that your risk is still too high even though you adhere to security requirements.

Classification of Information into CIA Levels

confidentiality, integrity, and availability (CIA) triad.

Under HOST DISCOVERY, which of the following commands runs a simple list scan to list targets?

nmap -sL nmap is used to discover hosts and services on a computer network, thus building a map of the network. To accomplish its goal, nmap sends specially crafted packets to the target hosts and then analyzes the responses. The nmap -sn command runs a simple ping scan. The nmap -Pn command is used to treat all hosts as online. The nmap -PS command is used to run TCP syn/ack.