Week 4-6 Quizzes
T/F Qualitative metrics are subjective in nature.
True
The bottom-up approach to metrics yields the most easily obtainable metrics; however, many metrics collected in this approach may not be suitable for top management. 1) True 2) False
True
The goal of SecSDLC is to ensure information security is addressed throughout a project's life cycle. 1) True 2) False
True
T/F Business Impact Analysis scenario end-cases are more focused on Incident Recovery and are not considered by the Disaster Recovery Planning team.
False
The Oreck example shows that supplier and vendor relationships are not that important in times of disaster. 1) True 2) False
False
The majority of cyber attacks are shifting from financial gain motives to more ego and political motives. 1) True 2) False
False
Today's threat trends show attackers having high knowledge and skill backgrounds regarding exploits. 1) True 2) False
False
After Hurricane Katrina, it took Oreck Corporation over 6 months until they were able to get business functioning. 1) True 2) False
False - took 10 days
Which of the following is not an advantage of a centralized access control administration? Flexibility; Standardization; Higher level of security; No need for different interpretations of a necessary security level
Flexibility
Which of the following represents the flow of contingency processes as a major disaster unfolds? BC, DR, IR; IR, DR, BC; CP, DR, IR; DR, BC, IR
IR, DR, BC
Which of the following are major contingency planning areas of consideration? IRP; DRP; BIA; BCP; CMP; All of the Above
IRP; DRP; BCP
Due to a lack of quality Business Continuity planning, over half of the businesses, forced to close their doors because of a disaster, never reopen. 1) True 2) False
True
Encapsulation is a term that describes the addition of headers and trailers onto a data payload as it makes its way from layer 7 to layer 1 of the OSI model. 1) True 2) False
True
Full interruption testing of business continuity plans is not frequently (if at all) done by most organizations because it is expensive and disruptive to operations. 1) True 2) False
True
If countermeasures are adequate to stop an attack, then the attack does not become an incident. 1) True 2) False
True
In the 6-phase planning approach, governance oversees, reviews and approves policies while management establishes, ensures and assesses them. 1) True 2) False
True
In the Crisis Management phase of the 6-phase approach, protocols are established to assess and limit damage. 1) True 2) False
True
Incident Response Planning uses the BIA to focus on what countermeasures, if any, exist and whether they are adequate to mitigate an end-case scenario threat. 1) True 2) False
True
Incident Response is a reactive measure, not a preventive measure. 1) True 2) False
True
It's important to disable Bluetooth on a mobile device if you do not use it. 1) True 2) False
True
Operational planning is short term in nature. 1) True 2) False
True
Oreck's disaster recovery plan was to use their New Orleans site in the case of a disaster at Long Beach and vice versa. 1) True 2) False
True
PCI DSS applies to public and private sectors where an organization accepts, processes, stores, and transmits credit or debit card data. 1) True 2) False
True
PCI DSS focuses on merchants and merchant service providers. 1) True 2) False
True
Planning is a process that creates and implements strategies oriented towards the accomplishment of organizational objectives. 1) True 2) False
True
Policies must have enforced consequences to be effective. 1) True 2) False
True
Quantitative metrics are actual number values that are tracked over time. 1) True 2) False
True
Residual Risk is an uncovered element of a vulnerability (known or unknown) resulting from the level and effectiveness of safeguards. 1) True 2) False
True
Top-down approaches to metric formation are often easier when identifying the metrics that should be in place. 1) True 2) False
True
System-Specific
Managerial/Technical guidance
If an asset has a value of 30 and a vulnerability with a 0.75 likelihood, what is the risk factor? 40; 75%; 22.5; 32.5
22.5
New countermeasures have reduced a company's 40% vulnerability risk BY 30%. What is the new percentage of this company's remaining residual risk for the vulnerability? 10%; 28%; 30%; None of the above
28%: 0.4 - (0.4 x 0.3)
Given the address 128.196.35.40, which part of the address represents a host number on the subnet? 128; 128.196; 35; 40
40
PCI DSS is a law applying to all federal, state, and local government agencies. 1) True 2) False
False
Risk assessment is the actual treatment of risk. 1) True 2) False
False
Strategic planning is "what are we going to do?" and "how are we going to do it?" 1) True 2) False
False
A single countermeasure may eliminate multiple threats beyond what the countermeasure was originally intended. 1) True 2) False
True
ARP is a process of associating a MAC address with a given IP number. 1) True 2) False
True
A multi-component threat that uses a variety of access points to penetrate or glean information is: Easy to detect and block; A multi-vector threat; A reverse multi-threat vector; A multi-component vulnerability
A multi-vector threat
Crisis Management is a series of focused steps that deal with the safety and state of employees and their families during and after a disaster. 1) True 2) False
1) True
1. Electronic Vaulting; 2. Remote Journaling; 3. Database Shadowing
1. Bulk batch transfer of data to an off-site location; 2. Remote storage of transactions only; 3. Remote storage of database and transactions in real time
Asset A has been assigned a value of 50, a vulnerability likelihood of 0.5, and a current control that addresses 50% of the risk. What would be its determined risk rating factor value (assume uncertainty of 20%)? 10.0; 25.0; 15.1; 17.5; None of the above
17.5: (50 x 0.5) - 50% + 20% = (50 x 0.5) - (0.5 x 25) + (0.2 x 25) = 25 - 12.5 + 5 = 17.5
Match the terms with their definitions. Shared use - 2; RTO - 1; RPO - 4; Exclusive use - 3
2. Time-shares, service bureaus and mutual agreements giving a company access to a shared facility when needed; 1. Amount of time before an infrastructure is available; 4. A point in the past to which data will be restored at an alternate site; 3. Hot sites, warm sites and cold sites for which the company has sole use when in need
Issue-Specific
overall policy regarding document storage
A company's past year Annual Loss Expectancy (ALE) for a particular vulnerability was $50,000. New security measures were put in place which brought the current year's ALE down to $30,000. If the annual cost of the security measure is $10,000, what is the current Cost Benefit Analysis (CBA) figure associated with this measure? $10,000; $30,000; $5,000; $20,000; None of the above
$10,000: CBA = ALE (prior) - ALE (post) - ACS; CBA = $50,000 - $30,000 - $10,000; CBA = $10,000
The estimated annual impact cost of a particular security incident is $10,000. The probability of the incident occurring is estimated at 30%. If a security device is purchased (costing $5,000) the current probability of the incident occurring is reduced by (not reduced to) 5%. What is the Modified Annual Loss Expectancy (mALE)? $5,000; $250; $2,850; $1,500
$2,850
Which of the following is the correct risk evaluation formula (L=likelihood, A=asset value, C=control mitigation, U=uncertainty): (L / A) + C - U; (L x A) - C + U; (L x U) + A - C; (L x A) + C - U
(L x A) - C + U
Risk estimates for a particular vulnerability are calculated as: (Likelihood x percentage of uncertainty) - Asset Value + percentage of current controls; (Likelihood x Asset Value) - percentage of current controls + percentage of uncertainty; (Likelihood x Asset Value) + percentage of current controls + percentage of uncertainty; (Likelihood x Asset Value) + percentage of current controls - percentage of uncertainty; None of the above
(Likelihood x Asset Value) - percentage of current controls + percentage of uncertainty
A Business Continuity Plan focuses on recovering operations at an organization's primary site. 1) True 2) False
False
A vulnerability is: An attack vector; A threat vector; A weakness in design, procedure or defenses; A known attack instance; None of the above
A weakness in design, procedure or defenses
Which of the following are points of the threat vector model? Agents; Consistency; Knowledge; Motive; Means; Opportunity
Agents; Motive; Means; Opportunity
Which of the following would not be a security precaution for a mobile device? Select the best answer. VPN for connections; Screenlock password; File encryption; Disallow rogue Wi-Fi connections; All of above are valid; None of above are valid
All of above are valid
Which of the following attacks is RFID vulnerable to? Sniffing; Tracking; Spoofing; Denial of service; All of the above; None of the above
All of the above
Which of the following would not be considered a valid countermeasure (select the best answer)? Anti-Spyware software; Awareness training; Spare hard drives for systems; Encryption of data in transit; Policy and procedures on account retirement; All of the above are valid countermeasures
All of the above are valid countermeasures
What is the difference between a Recovery Time Objective and a Recovery Point Objective? Select the best answer. An RPO deals with the amount of time until an operation or service is made available; An RTO deals exclusively with remote sites; An RTO deals with the amount of time until an operation or service is made available after a disaster while an RPO deals with how current data backups are; RTO and RPO are different names for the same thing - the time until an operation is made available after a disaster; RPO is not critical to the restoration of business functions while RTO is critical in that it affects the amount of data and transactions lost during a disaster.
An RTO deals with the amount of time until an operation or service is made available after a disaster while an RPO deals with how current data backups are.
What role does biometrics play in access control? Authorization; Authenticity; Authentication; Accountability
Authentication
Bluetooth enabled devices are not real security problems because Bluetooth's range is too short to be effectively exploited. 1) True 2) False
False
Business drivers are high-level concerns based on tactical goals and objectives of the organization. 1) True 2) False
False
Which of the following would not be considered an information security related planning framework? COBIT; COSO ERM; COBOL; Top-Down; SABSA
COBOL; Top-Down
Disaster Recovery Plans only focus on natural disasters. Man-Made disasters involving information systems are covered in the Incident Response Plan. 1) True 2) False
False
Disaster Recovery and Business Continuity are never executed concurrently. 1) True 2) False
False
In business continuity, a cold site offers faster recovery time than a hot site. 1) True 2) False
False
In the second phase of the 6-phase planning approach cycle, risks are identified and ranked. 1) True 2) False
False
Information Security policies only exist to avoid litigation. 1) True 2) False
False
Metrics are really only useful to the CEO and top managers. 1) True 2) False
False
Most planning approaches have 3 basic levels: strategic, tactical and disaster planning. 1) True 2) False
False
Most technical vulnerabilities exist in hardware and firmware. 1) True 2) False
False
Oversimplification of a security metric, for the sake of clarity, is advisable. 1) True 2) False
False
Which access control method is user-directed? Non-discretionary; Mandatory; Identity based; Discretionary
Discretionary
Which of the following would not be a goal of Disaster Recovery Planning? Eliminate or reduce the potential for injuries, damage to facilities or loss of assets; Ensure an alternate site has adequate resources to facilitate operations; Stabilize the effects of a disaster; Implement the planned procedures to resume operations
Ensure an alternate site has adequate resources to facilitate operations
Which of the following would not be considered attacker motivation? Disrupt social stability; Ascertain strategic goals; Disgruntlement; Errors and omissions
Errors and omissions
A policy describing the protection of privacy would be which type of policy? Enterprise Information Security Program Policy; Issue-Specific Security Policy; System-Specific Security Policy; Technical Specifications
Issue-Specific Security Policy
Why is an alert roster important in incident response? (select the best answer) It is required by regulations like Sarbanes-Oxley; It categorizes the alert levels; It allows the public to know what is going on; It allows the organization to alert the right people in the correct order.
It allows the organization to alert the right people in the correct order.
Many organizations are moving to virtualized infrastructures because (select all that apply): It is popular; It reduces physical server counts; It is made by Microsoft; It reduces power & HVAC consumption; It eliminates the need for backups; It reduces downtimes
It reduces physical server counts; It reduces power & HVAC consumption; It reduces downtimes
The specifications for Category 5E wire would be a concern at what layer of the OSI model? Layer 7; Layer 3; Layer 1; Layer 2
Layer 1
Enterprise
Link to vision and mission statements
A company is considering two expensive countermeasures to reduce a risk. The impact of this particular attack type, on the company, is estimated at $1,500,000 in losses. The company feels there is a 40% chance of the incident occurring. Option-A would cost $100,000 and reduces the chance of the occurrence from 40% to 25%. Option-B would cost $120,000 and reduces the chance of occurrence from 40% to 20%. What is the Return on Security Investment (ROSI) for both options? Option-A = $375,000 and Option-B = $300,000; Option-A = $225,000 and Option-B = $300,000; Option-A = $125,000 and Option-B = $180,000; None of the above
Option-A = $125,000 and Option-B = $180,000. Option A: ALE = 1,500,000 x .4 = 600,000; mALE = 1,500,000 x .25 = 375,000; SAVINGS = 600,000 - 375,000 = 225,000; ROSI = 225,000 - 100,000 = 125,000. Option B: ALE = 1,500,000 x .4 = 600,000; mALE = 1,500,000 x .20 = 300,000; SAVINGS = 600,000 - 300,000 = 300,000; ROSI = 300,000 - 120,000 = 180,000
In discretionary access control security, who has delegation authority to grant access to data? User; Security Office; Security Policy; Owner
Owner
Which of the following is the industry standard for securing credit card data? Payment Card Industry Digital Signature Standard; Payment Card Incident Data Security Survey; Payment Card Industry Data Security Standard; Preventative Credit Incident Data Security Standard
Payment Card Industry Data Security Standard
Which of the following would not be a strategic level management area? Risk Analysis & Management; Policy Compliance; Security Program; Governance Model
Policy Compliance
Which of the following best represents the order regarding security policy formation? Policy, standards, (practices, guidelines, procedures); Policy, guidelines (standards, practices, procedures); Standards, Policy (guidelines, practices, procedures); Procedures, practices, standards, policy, guidelines
Policy, standards, (practices, guidelines, procedures)
An access control model should be applied in a _________ manner. Detective; Recovery; Corrective; Preventive
Preventive
Which of the following is a TCP handshake to open a connection? FIN - RST; SYN - SYN/ACK - ACK; FIN - ACK - SYN - ACK; All of the above
SYN - SYN/ACK - ACK
What determines if an organization is going to operate under a discretionary, mandatory, or non-discretionary access control model? Administrator; Security policy; Culture; Security levels
Security policy
Which of the following is not true regarding the role of security planning? Provides direction and priorities; Should be a bottom-up approach; Increases efficiencies and reduces waste; Involves internal and external groups; Assists in controlling actions
Should be a bottom-up approach
Good metrics should be: Specific, Measurable, Adjustable, Repeatable and Time-Dependent; Static, Measurable, Attainable, Releasable and Time-Dependent; Specific, Measurable, Attainable, Repeatable and Time-Dependent; Specific, Measurable, Attainable, Recalcitrant and Time-Dependent
Specific, Measurable, Attainable, Repeatable and Time-Dependent
After the creation of a formal policy to establish business continuity plans, a BIA is the first major phase in the business contingency planning cycle. 1) True 2) False
True
An organization's risk appetite defines the level of acceptance as it evaluates security control trade-offs. 1) True 2) False
True
Balanced scorecards are used to show progress of strategy. 1) True 2) False
True
Database Shadowing options for BC are essentially the same as combining the capabilities of Electronic Vaulting and Remote Journaling. 1) True 2) False
True
Decreasing the RTO of a business continuity plan will more than likely increase the cost and complexity associated with backup procedures and alternatives. 1) True 2) False
True
Disaster Recovery Planning is the preparation for and recovery from a disaster at an organization's primary disaster location. 1) True 2) False
True
A window of vulnerability is (select the best answer): The time-frame within which defense measures are reduced, compromised or lacking; The time-frame in which a threat is no longer applicable; A threat surface which extends beyond one year; An old countermeasure
The time-frame within which defense measures are reduced, compromised or lacking
A Business Continuity Plan ensures that critical business functions can continue in the case of a disaster. 1) True 2) False
True
A Business Continuity Plan is typically invoked or executed after a devastating attack or disaster that cripples an organization's primary site of business. 1) True 2) False
True
A Business Impact Analysis assumes all existing controls have been bypassed and a disruption was successful. 1) True 2) False
True
A Key Performance Indicator (KPI) is a measure of how well something is being done. 1) True 2) False
True
A layer 3 switch can also serve as a router. 1) True 2) False
True
What is derived from a passphrase? Personal password; Virtual password; User ID; Valid password
Virtual password
Asset A has a value of 50 and two vulnerabilities. Vulnerability 1 has a likelihood of 0.8 and no controls. Vulnerability 2 has a likelihood of 0.3 and a control that mitigates 40% of the vulnerability. Assuming an uncertainty level of 10%, what would the risk factor be for both vulnerabilities? Vulnerability-1: 30, Vulnerability-2: 56; Vulnerability-1: 44, Vulnerability-2: 10.5; Vulnerability-1: 25, Vulnerability-2: 12; Vulnerability-1: 25, Vulnerability-2: 44
Vulnerability-1: 44, Vulnerability-2: 10.5. V1 = (50 x 0.8) - 0 + (50 x 0.8)(0.1) = 40 - 0 + 4 = 44; V2 = (50 x 0.3) - (50 x 0.3)(0.4) + (50 x 0.3)(0.1) = 15 - 6 + 1.5 = 10.5