Chapter 2
The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $_________ to a federal computer system during any one-year period.
$5,000
What is a quantitative risk analysis?
An approach that works with hard numeric values (asset values, percentages, probabilities, expected losses). A purely quantitative assessment is never fully achievable because some aspects of risk are intangible, so it is normally paired with qualitative judgment. The process involves asset valuation and threat identification, then estimating each threat's likely frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.
Access control to a system is what type of control?
Logical control
What is an organization's most valuable asset?
People
An environmental control is what type of control?
Physical control
What are the six steps of a quantitative risk analysis?
(1) Assign asset value, (2) Calculate exposure factor, (3) Calculate SLE, (4) Assess the ARO, (5) Derive the ALE, (6) Perform cost/benefit analysis of countermeasures
Who would be a more effective organizational owner for an information security program? (1) CIO, or (2) CEO
(1) The CIO, who would be the strongest advocate for the program at the executive level. The CEO would not have the time necessary to focus on security.
What are the six steps of the NIST Risk Management Framework (SP 800-37)?
(1) Categorize information systems, (2) Select baseline controls, (3) Implement security controls, (4) Assess security controls, (5) Authorize system operation, and (6) Monitor security controls. Note that SP 800-37 Revision 2 (2018) adds a preliminary Prepare step, so the current revision has seven steps.
In a scenario where a hacker may exploit a web server using a SQL injection attack to cause web defacement, what is the threat? (1) The hacker, or (2) web defacement
(1) The hacker. Web defacement is the risk (the outcome if the threat exploits the vulnerability), and the unpatched web server is the vulnerability.
Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks and comply with the security policy: (1) Training, or (2) Education
(1) Training
What might speed up the detection of a fraud that has already occurred: (1) Separation of duties, or (2) Mandatory vacation
(2) Mandatory vacation. Separation of duties, least privilege, and defense in depth are preventive controls that help stop a fraud from occurring in the first place; a mandatory vacation forces another person to perform the absent employee's duties, which is when an ongoing fraud is typically discovered.
An audit to ensure that business continuity planning measures are reasonable would best be: (1) SOC-1, or (2) SOC-2
(2) SOC-2
What is risk deterrence?
A response to an identified risk that implements deterrents to would-be violators of security and policy. Examples include auditing, security cameras, security guards, instructional signage, and warning banners.
What is risk avoidance?
A response to an identified risk in which the organization chooses alternate options or activities that carry less risk. For example, choosing to fly to a destination instead of driving is a form of risk avoidance, as is locating a business in Arizona instead of Florida to avoid hurricanes.
How should threats be evaluated?
Through a threat assessment performed as a team, so that the widest range of perspectives is represented.
What is the annualized loss expectancy (ALE) and how is it calculated?
ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset. ALE = ARO x SLE
What is the annualized rate of occurrence (ARO)?
ARO is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur within a single year
Developing and publishing of policies, standards, and procedures is an example of what type of control?
Administrative control
What are the three types of controls (based on implementation)?
Administrative, Logical (technical), or Physical
What is the Delphi technique?
An anonymous feedback-and-response process used to arrive at a consensus. This consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.
What is an exposure factor (EF)?
An element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
How is the security function managed?
An organization must implement proper and sufficient security governance. The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function.
_________ establishes a minimum standard common denominator or foundation of security understanding
Awareness
How is security awareness training implemented?
Awareness of security must be created before training is rolled out. Once this has happened, training or teaching can be rolled out to comply with a security policy. All new employees require some level of training to comply with the standards, guidelines, and procedures mandated by the security policy.
What are the six steps of the risk management framework?
Categorize Systems, Select Controls, Implement, Assess Controls, Authorize System, and Monitor. According to the NIST risk management framework.
The _________ contains the text of all administrative laws promulgated by federal agencies
Code of Federal Regulations (CFR). The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
____________ requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order
Communications Assistance for Law Enforcement Act (CALEA)
Segregation of duties is what type of control?
Compensating control (it is also commonly classified as a preventive, administrative control)
Eavesdropping is an attack against which CIA pillar?
Confidentiality
The ___________ is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies
Data custodian. Although the data owner is ultimately responsible, the data owner is usually a senior leader who delegates operational responsibility to a data custodian.
What is a termination policy?
Defines the procedure for terminating employees. It should include items such as always having a witness, disabling the employee's network access, and performing an exit interview. It should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property
What are the different control types (not based on implementation)?
Deterrent, preventive, detective, corrective, recovery, directive, and compensating
What is a controls gap (in relation to risk management)?
Difference between the total risk and residual risk. It is the amount of risk that is reduced by implementing safeguards.
Forcing subjects to comply with security policies and objectives via a posted notification is what type of control?
Directive control
__________ is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Most often associated with users pursuing certification or seeking job promotion.
Education.
True or False: Trademarks would protect computer software
False. However, patents, copyrights, and trade secrets would
True or False: A token is an authorization tool
False. It is an authentication tool. Similar to a password. Access control lists are examples of authorization tools. They are used to determine an individual's authorization level. Usernames are identification tools.
True or False: Implementing RAID technology (which provides fault tolerance for hard drive failures) is an example of a disaster recovery action
False. It is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
True or False: Patents have no requirement to be useful
False. They do require this. They are required to be new, nonobvious, and useful. There also is no requirement that patents must be for inventions made by American citizens.
True or False: Electronic vaulting is a task performed during the business continuity
False. This is a data backup task that is part of disaster recovery efforts
True or False: Authentication would be able to prove to a third party that a message came from a purported source
False. This would be nonrepudiation.
Which amendment directly prohibits government agents from searching private property without a warrant and probable cause
Fourth Amendment. It is the starting point for legal protection against government invasions of privacy.
________ regulates three types of entities - healthcare providers, health information clearinghouses, and health insurance plans
HIPAA
What is the principle of least privilege?
In a secure environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities
What is the formula for safeguard evaluation?
In addition to determining the annual cost of the safeguard (ACS), you must calculate the ALE for the asset if the safeguard is implemented. The formula is: ALE before the safeguard - ALE after implementing the safeguard - annual cost of the safeguard = value of the safeguard to the company, or (ALE1 - ALE2) - ACS. A negative result means the safeguard costs more per year than it saves.
What is a security control assessment?
It is a formal evaluation of the overall system's infrastructure against a baseline. NIST specifies this process for government agencies in NIST SP 800-53A.
Why are job rotation and mandatory vacations important?
Job rotation provides a type of job redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. Mandatory vacations are used to audit and verify the work tasks and privileges of employees (can detect abuse, fraud, or negligence).
What type of control is two-factor authentication?
Preventive control
What is a risk analysis and what are the key elements?
Process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. The following must be analyzed: assets, asset valuation, threats, vulnerabilities, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.
How does a qualitative risk assessment differ from a quantitative risk assessment?
Qualitative assigns a subjective rating (H/M/L) and does not attempt to assign numeric values to risk assessment components. It is scenario or opinion oriented. Delphi technique is a common qualitative assessment component (reaching an anonymous consensus).
What are the options for handling risk?
Reducing (mitigating) risk by implementing safeguards and countermeasures. Transferring (assigning) risk, for example by purchasing insurance. Accepting risk, after a cost/benefit evaluation has determined that the cost of countermeasures outweighs the possible cost of loss due to the risk. Risk deterrence and risk avoidance, covered above, are further responses.
In a _______________ (as part of threat modeling), the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls
Reduction analysis
___________ uses additional hard drives to protect servers against failure of a single device
Redundant Array of Inexpensive (or Independent) Disks (RAID). It is an availability control that adds fault tolerance without adding additional servers; it does not protect against data corruption, deletion, or site loss, so it is not a substitute for backups.
If an organization's primary concern is the cost of rebuilding a data center, the _____________ method should be used to determine the current market price for equivalent servers
Replacement cost method
What is single loss expectancy (SLE) and what is the equation?
SLE is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. SLE = Asset Value x Exposure Factor
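The SLE, ARO, ALE and safeguard-evaluation formulas on the cards above, worked through in Python as an added example (not part of the original card set). The web server asset, its value, the exposure factors, the AROs and the two candidate safeguards are constructed figures, and `Risk`, `Safeguard`, `ale_after`, `safeguard_value` and `best_safeguard` are names chosen here:

```python
"""Quantitative risk arithmetic: SLE, ALE and safeguard evaluation.

Added example (not from the original card set). The asset, its value,
the exposure factors, the AROs and the two candidate safeguards are
constructed figures for the demonstration, not data from the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, with the inputs the formulas need."""
    asset: str
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident (0.0..1.0)
    aro: float                # ARO, expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure with its annual cost (ACS) and the EF/ARO it leaves behind."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged


def ale_after(risk: Risk, sg: Safeguard) -> float:
    """ALE2: the ALE once the safeguard's effect on EF and/or ARO is applied."""
    reduced = Risk(
        asset=risk.asset,
        asset_value=risk.asset_value,
        exposure_factor=risk.exposure_factor if sg.new_exposure_factor is None else sg.new_exposure_factor,
        aro=risk.aro if sg.new_aro is None else sg.new_aro,
    )
    return reduced.ale()


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Value to the company: (ALE1 - ALE2) - ACS. Negative means it costs more than it saves."""
    return risk.ale() - ale_after(risk, sg) - sg.annual_cost


def best_safeguard(risk: Risk, candidates: list[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive value, or None if none pays for itself."""
    scored = [(safeguard_value(risk, sg), sg) for sg in candidates]
    value, sg = max(scored, key=lambda t: t[0])
    return sg if value > 0 else None


# Constructed scenario: a public web server defaced via SQL injection.
WEB_SERVER = Risk(asset="public web server", asset_value=200_000.0, exposure_factor=0.25, aro=0.5)

# Constructed candidates: one lowers how often defacement happens, the other lowers how much each one costs.
WAF = Safeguard(name="web application firewall", annual_cost=8_000.0, new_aro=0.1)
HOURLY_BACKUPS = Safeguard(name="hourly backups", annual_cost=22_000.0, new_exposure_factor=0.05)


if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.0f}  ALE = {WEB_SERVER.ale():,.0f}")
    for sg in (WAF, HOURLY_BACKUPS):
        print(f"{sg.name}: ALE after = {ale_after(WEB_SERVER, sg):,.0f}, "
              f"value = {safeguard_value(WEB_SERVER, sg):,.0f}")
    chosen = best_safeguard(WEB_SERVER, [WAF, HOURLY_BACKUPS])
    print("buy:", chosen.name if chosen else "nothing")
```

With these inputs the SLE is 50,000 and the ALE 25,000 per year. The firewall brings the ALE down to 5,000 for 8,000 a year (value 12,000), while the backups also reach an ALE of 5,000 but cost 22,000 (value -2,000), so only the firewall is worth buying on these numbers. The point of the exercise is that a safeguard can reduce EF, ARO, or both, and that the decision rests on the net annual value rather than on how much risk is removed.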
Explain separation of duties
Separation of duties is the security concept of dividing critical, significant, sensitive work tasks among several individuals. By separating duties, you ensure that no one person can compromise system security
The __________ Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation
The Economic Espionage Act. It gives true teeth to the intellectual property rights of trade secret owners
The __________ Act specifically applies to government contractors
The Federal Information Security Management Act (FISMA) of 2002 applies to federal agencies and to the government contractors that operate systems on their behalf. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002; FISMA itself was updated by the Federal Information Security Modernization Act of 2014.
The _________ is responsible for implementing the EU-US Safe Harbor agreement
The US Department of Commerce. The agreement's validity was called into question after the NSA surveillance disclosures, and the Court of Justice of the European Union invalidated Safe Harbor in October 2015; its successor, the EU-US Privacy Shield, was invalidated in 2020 and replaced by the EU-US Data Privacy Framework in 2023.
What does overall risk management entail?
The process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. By performing risk management, you lay the foundation for reducing risk overall.
The _____________ rule requires that senior executives take personal responsibility for ensuring the due care that ordinary individuals would exercise in the same situation
The prudent man rule. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.
What is residual risk and how is it calculated.
The risk that remains after safeguards are applied, which management has decided to accept rather than mitigate. Total Risk - Controls Gap = Residual Risk. It can also be expressed as Total Risk - Countermeasures.
What does third-party governance of security refer to?
The system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements
RAID level 5, disk striping with parity, requires a minimum of _________ physical disks to operate
Three
Name some security implications of hiring new employees
To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements
What is the equation for total risk?
Total risk is the amount of risk an organization would face if no safeguards were implemented. The conceptual formula is: Threats x Vulnerabilities x Asset Value = Total Risk
True or False: Business continuity plans typically include planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan
True
True or False: Hashing can be used as an integrity control to verify on a periodic basis that files stored on a server were not modified.
True
True or False: Installing a firewall in a data center which is designed to block many types of application attacks would reduce the likelihood of a potential attack
True
True or False: Ransomware is an availability attack
True
True or False: Senior manager play several important roles in the business continuity planning phase. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
True
True or False: The export of encryption software to certain countries is regulated under US export control laws.
True
True or False: Patents and trade secrets can both protect intellectual property related to a manufacturing process
True. Both can protect a manufacturing process. A trade secret is appropriate only when the details can be tightly controlled within the organization; when they cannot (for example, the process is evident from the product or must be shared with many partners), a patent is the appropriate choice, at the cost of public disclosure in the patent filing.
True or False: Everyone in the organization should receive initial business continuity plan training in an organization
True. Not only those with specific business continuity roles.
True or False: Risk = Threat * Vulnerability
True. Risks exist when there is an intersection of a threat and a vulnerability.
The ___________ bears responsibility for the registration of trademarks
US Patent and Trademark Office (USPTO)
How are vendor, consultant, and contractor controls defined?
Used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. They are often defined in a document or policy known as a service-level agreement (SLA).
Is security training a control?
Yes. Like any control it must be monitored and evaluated for effectiveness, for example with questionnaires and surveys that gauge retention and collect feedback.