CISSP Chapter 2: Personnel Security and Risk Management Concepts
_____ is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage.
Collusion
A _____ control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.
Compensating
This is the act of conforming to or adhering to policies, rules, regulations, standards, or requirements.
Compliance
A _____ control is deployed to discover or detect unwanted or unauthorized activity. Controls of this type operate after the fact.
Detective
Risk _____ is the process of implementing deterrents to would-be violators of security and policy.
Deterrence
A _____ control is deployed to discourage violation of security policies.
Deterrent
A _____ control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Corrective
Asset valuations are not necessary for prioritizing and comparing risks with possible losses. True or False
False
Outsourced roles and responsibilities are immune from security governance and any legal standards imposed by third-party mandates. True or False
False
Security awareness must be exclusively created through a classroom type of exercise in order to deter distraction. True or False
False
Security mechanisms should consume as much resources as possible in order to show due care and due diligence. True or False
False
Security should be designed independently of business tasks and functions. Security is first and foremost regardless of impact to users. True or False
False
Separation of duties, restricted job responsibilities, and job rotation help increase the possibility that co-workers will collude (collaborate) to perform illegal or abusive activities due to the higher risk of detection. True or False
False
The benefit of a countermeasure doesn't need to be testable and verifiable. True or False
False
The benefit of the countermeasure should be dependent on its secrecy. True or False
False
The cost of a countermeasure should be more than the value of the asset. True or False
False
The countermeasure should have no overrides. True or False
False
When using qualitative risk analysis, it's best to have one person conduct the evaluation process. True or False
False
FERPA stands for:
Family Educational Rights and Privacy Act
A risk _____ is a guideline or recipe for how risk is to be assessed, resolved, and monitored.
Framework
GDPR stands for:
General Data Protection Regulation
GLBA stands for:
Gramm-Leach-Bliley Act
HIPAA stands for:
Health Insurance Portability and Accountability Act
Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.
Read it again
Class C fire extinguishers use carbon dioxide or halon suppressants and are useful against electrical fires.
Read it again
Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that's completed, the media can be reused.
Read it again
Due to problems with remnant data, the U.S. National Security Agency requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via a shredding process.
Read it again
Electronic Discovery: During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
Read it again
Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.
Read it again
If the vendor is providing object-based storage, a core infrastructure service, you have infrastructure as a service (IaaS).
Read it again
In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.
Read it again
JavaScript is an interpreted language, so the code is not compiled prior to execution and anyone who receives it can inspect the source. C and C++ are compiled to native machine code and Java to JVM bytecode; in each case the compiler's output is not human-readable source (although it can still be disassembled or decompiled).
Read it again
Mandatory access control (MAC) systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.
Read it again
Maximum Tolerable Downtime (MTD) is the amount of time that a business may be without service before irreparable harm is caused. This is sometimes also called Maximum Tolerable Outage (MTO).
Read it again
Network Access Control (NAC) systems can be used to authenticate users and then validate their system's compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can't enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Finally, port security is a MAC address-based security feature that can only restrict which systems or devices can connect to a given port.
Read it again
OAuth (OAuth 2.0, RFC 6749) is an authorization framework, not an authentication protocol: it lets an application act on a user's behalf using a scoped access token, without the user sharing their password, and is used by many web applications. Authentication layered on top of OAuth 2.0 is provided by OpenID Connect.
Read it again
Port Address Translation (PAT) lets a network use private (RFC 1918) address space internally without conflicting with the public Internet by multiplexing many internal addresses onto one public address, distinguishing the sessions by port number. PAT is often confused with static Network Address Translation (NAT), which maps one internal address to one external address.
Read it again
RADIUS is a common, non-proprietary AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems. Note that RADIUS encrypts only the password attribute, not the rest of the packet.
Read it again
Redundant Array of Independent Disks (RAID) uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.
Read it again
Sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.
Read it again
The reverse of onboarding. Removing an employee's identity from the IAM system once they've left.
Offboarding
____ is the process of adding new employees to the identity and access management (IAM) system of an organization. It's also used when an employee's role or position changes or when that person is awarded additional levels of privilege or access.
Onboarding
PCI DSS stands for:
Payment Card Industry Data Security Standard
At the end of a risk analysis, a key task to perform is the risk _____ to the relevant parties. It should be accurate, timely, comprehensive, clear and precise to support decision making, and updated on a regular basis.
Reporting
_____ risk is the risk that remains once safeguards/countermeasures have been implemented.
Residual
Total Risk - Controls Gap =
Residual Risk
The possibility that something could happen to damage, destroy, or disclose data or other resources is called _____.
Risk
The possibility or likelihood of some future event occurring to exploit a vulnerability.
Risk
_____ is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Security Governance
These are the people responsible for initiating and supporting risk analysis and assessment. They define the scope and purpose of the risk management endeavor.
Senior management
______ is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators. This prevents any one person from having the ability to undermine or subvert vital security mechanisms. It is closely related to the principle of least privilege.
Separation of duties
_____ controls involve the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
Technical
This type of governance is the system of oversight mandated by law, regulation, industry standards, contractual obligations, or licensing requirements.
Third-party governance
A Security Control Assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. True or False
True
A Type 1 authentication factor is something you know. True or False
True
A Type 2 is something you have, like a smart card or hardware token. True or False
True
A Type 3 authentication factor is something you are, like a biometric identifier. True or False
True
NIST SP 800-37 (the Risk Management Framework) is a risk framework commonly recommended in CISSP study material. True or False
True
Awareness is the number one prerequisite to security training. Awareness establishes a common baseline for foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand and comprehend. True or False
True
Behavior modification requires some level of learning on the part of the user. True or False
True
Change management is a critical control process that involves systematically managing change. Without it, one might simply deploy code to production without oversight, documentation, or testing. True or False
True
Clearing is the process of preparing media for reuse. True or False
True
Code review is a review of the source code itself. True or False
True
Countermeasure selection is a post risk assessment/analysis activity. True or False
True
Countermeasures need to support continuous improvement. True or False.
True
Countermeasures should be tamperproof. True or False
True
Defense in Depth is the best approach to security controls. True or False
True
Degaussing uses strong magnetic fields to wipe magnetic media; it has no effect on SSDs or optical media. True or False
True
Document exchange and document review are essential elements of ensuring an organization is in full and open agreement with a governing body for compliance verification. True or False
True
Erasing is the deletion of files or media. True or False
True
Failure to meet third-party governance (auditors) can result in loss of ATO (Authorization to Operate), resulting in the severing of business with military or government agencies. True or False
True
Fuzz testing feeds unexpected input to code. True or False
True
Humans are the weakest element in any security solution. True or False
True
If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security. True or False
True
If an asset has no value, then there's no need to provide protection for it. True or False
True
In Germany and other EU member countries, an IP and MAC address are considered PII. True or False
True
It is important to realize that with all the calculations used to assess risk, the end values are used for prioritization and selection. The values themselves do not truly reflect real world loss or costs due to security breaches. True or False
True
Many countermeasures offer degrees of improvement rather than specific hard numbers. True or False
True
Multiprocessing uses multiple processors to perform multiple processes simultaneously. True or False
True
Multiprogramming requires modifications to the underlying applications. True or False
True
Multitasking handles multiple processes on a single processor by switching between them using the operating system. True or False
True
Multithreading runs multiple threads within a single process. True or False
True
NIST 800-30 provides examples of reference ratings and levels. True or False
True
NIST SP 800-37 Rev. 1 defines six steps in its Risk Management Framework (RMF); Rev. 2 (2018) added a Prepare step, making seven. True or False
True
NIST SP 800-53A is the companion guide for assessing the controls catalogued in SP 800-53, i.e., for performing the SCA process. True or False
True
One form of privacy is freedom from being observed, monitored, or examined without consent or knowledge. True or False
True
Purging is a more intensive form of clearing for reuse in lower security areas. True or False
True
Regression testing focuses on testing to ensure new code doesn't bring back old flaws. True or False
True
Residual risk is usually the risk that proved to be too expensive to safeguard. True or False
True
Risk = Threat × Vulnerability is a formula for defining risk. True or False
True
Risk acceptance is common when the cost of a countermeasure to safeguard an asset outweighs the cost of the asset's loss. True or False
True
Security control refers to a broad range of controls that perform such tasks as ensuring only authorized users can log on and preventing unauthorized users from gaining access to resources. True or False
True
Security is aimed at preventing loss or disclosure of data while sustaining authorized access. True or False
True
The annual cost of safeguards should not exceed the expected annual cost of an asset's loss. True or False
True
The best method for catching collusion is through monitoring of employee activities. True or False
True
The cost of the countermeasure should be less than the benefit of the countermeasure. True or False
True
The countermeasure should provide a solution to a real and identified problem. True or False
True
The goals of security governance, corporate governance, and IT governance are all the same: Maintain business processes while striving toward growth and resiliency. True or False
True
The primary goal of risk management is to reduce risk to an acceptable level. True or False
True
The result of the countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from the attack. True or False
True
The sensitivity and classification of a specific position is dependent on the level of harm that could be caused by accidental or intentional violations of security by a person in the position. True or False
True
The three major types or categories of security controls are technical, physical, and administrative. True or False
True
There is no way to eliminate 100 percent of all risks to assets. True or False
True
Threats exploit vulnerabilities, which results in exposure. Exposure is risk, and risk is mitigated by safeguards. Safeguards protect assets that are endangered by threats. True or False
True
Zero fill wipes a drive by replacing data with zeros. True or False
True
Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. True or False
True
_____ controls are the policies and procedures defined by the organization's security policy and other regulations or requirements. They are management controls focused on personnel and business practices.
Administrative
This is the exploitation of a vulnerability by a threat agent.
Attack
Possible responses to risk include _____.
Avoid, Mitigate, Transfer, Accept, Deter, Reject/Ignore
Risk _____ is the process of selecting alternative options or activities that have less risk than the default, common, expedient, or cheaper options.
Avoidance
This is the occurrence of a security mechanism being bypassed by a threat agent.
Breach
This is anything within an environment that should be protected. Within scope of risk management and analysis.
Asset
This is a dollar value assigned to an asset based on actual cost and nonmonetary expenses.
Asset valuation
The successful implementation of a security solution requires changes in user _____.
Behavior
This form of training prepares an employee to perform another role in the event the primary person is unavailable. The employee performs the role when needed, not on a regular basis.
Cross training
A ____ control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Directive
The process of a governing body reading exchanged materials from a target and verifying them against standards and expectations. Performed before any on-site inspections to confirm the location is ready for a compliance check.
Documentation review
This is being susceptible to asset loss because of a threat. The exposure factor (EF) is derived from it.
Exposure
Crafting _____ is the first step in defining security needs related to personnel and being able to seek out new hires.
Job descriptions
Rotating employees among multiple job descriptions as a means by which an organization improves its overall security.
Job rotation
The two functions served by job rotations are _____ and _____.
Knowledge redundancy and risk reduction of fraud, data modification, theft, sabotage, and misuse of information.
_____ is the implementation of safeguards to counteract a vulnerability.
Mitigation
A _____ attempts to prevent an employee from working with a competing second organization in order to prevent the second organization from benefiting from special knowledge of the first organization.
NCA (noncompete agreement)
An _____ is used to protect the confidential information within an organization from being disclosed by a former employee.
NDA (nondisclosure agreement)
PII stands for:
Personally Identifiable Information
_____ controls are items you can touch, which include mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
Physical
A ____ control is deployed to actually block an action.
Preventative
Two risk assessment methodologies are _____ and _____.
Qualitative and quantitative
Attacks that change a symlink between the time that rights are checked and the file is accessed, in order to access a file that the account does not have rights to, are time of check/time of use (TOC/TOU) attacks, a form of race condition. Unlinking removes names from a Linux filesystem, setuid allows a user to run an executable with the permissions of its owner, and tick/tock is not a type of attack or Linux command.
Read it again
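The TOC/TOU card above describes the symlink race only in words. The following added example (not part of the original flashcard set) shows the vulnerable check-then-use pattern beside a hardened version, on Linux/POSIX. The attacker's move between the check and the use is simulated with a hook, and the file names and contents are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Callable, Dict, Optional


def naive_read(path: str, race: Optional[Callable[[], None]] = None) -> bytes:
    """Vulnerable check-then-use.

    The permission check (time of check) and the open (time of use) are two
    separate operations on a *name*. Whatever that name points to when open()
    runs is what gets read. `race` stands in for an attacker acting in the
    window between the two calls (a hook constructed for this demo).
    """
    if not os.access(path, os.R_OK):          # time of check, by name
        raise PermissionError(path)
    if race is not None:
        race()                                # attacker re-points the name here
    with open(path, "rb") as f:               # time of use: follows symlinks
        return f.read()


def safe_read(path: str) -> bytes:
    """Hardened: decide on the descriptor, not on the name.

    O_NOFOLLOW makes open() fail (ELOOP) if the final path component is a
    symlink, and the type check is done with fstat() on the descriptor we
    actually read from, so there is no window between check and use.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path} is not a regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> Dict[str, object]:
    """Constructed scenario: 'public.txt' is swapped for a symlink to
    'secret.txt' between the check and the use."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        plain = os.path.join(d, "plain.txt")
        for name, data in ((public, b"harmless"), (secret, b"TOP SECRET"),
                           (plain, b"harmless")):
            with open(name, "wb") as f:
                f.write(data)

        def attacker_swaps_link() -> None:
            os.unlink(public)
            os.symlink(secret, public)        # same name, now points at the secret

        leaked = naive_read(public, race=attacker_swaps_link)

        try:
            safe_read(public)                 # public.txt is a symlink now
            blocked = False
        except OSError:
            blocked = True

        return {
            "naive_read_returned": leaked,    # the secret, not the checked file
            "safe_read_blocked": blocked,     # True: symlink refused
            "safe_read_regular": safe_read(plain),
        }


if __name__ == "__main__":
    print(demo())
```

The fix is not "check faster": any check made on a path name can be invalidated before the name is used. Open first, then make every decision on the returned descriptor.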
Six major elements of quantitative risk analysis are:
1. Assign Asset Value (AV) as a dollar figure
2. Calculate Exposure Factor (EF) as the percentage of the asset lost in a single event
3. Calculate Single Loss Expectancy (SLE) as AV × EF
4. Assess the Annualized Rate of Occurrence (ARO) as the expected number of events per year (a frequency, which can exceed 1)
5. Derive the Annualized Loss Expectancy (ALE) as SLE × ARO
6. Perform Cost/Benefit Analysis of Countermeasures: (ALE1 - ALE2) - ACS, where ALE1 = ALE pre-safeguard, ALE2 = ALE post-safeguard, ACS = Annual Cost of Safeguard
Read it again
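The six steps above, and the countermeasure cost rules on the True/False cards (annual cost of a safeguard must not exceed the expected annual loss; cost must be less than benefit), carried through in code. This is an added example, not part of the original flashcard set; the asset, its value, the exposure factor, the ARO and the three candidate safeguards are constructed figures, and the ranking function goes beyond the single (ALE1 - ALE2) - ACS formula by scoring several candidates at once and flagging the ones whose value is negative.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the exposure it leaves behind."""
    name: str
    annual_cost: float   # ACS: purchase, deployment and upkeep per year
    ef_after: float      # exposure factor with this safeguard in place
    aro_after: float     # annualized rate of occurrence with it in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """Step 3: SLE = AV * EF. EF is the fraction of the asset lost in one event."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF is a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """Step 5: ALE = SLE * ARO. ARO is a frequency (events per year), not a
    percentage: 0.5 means once every two years, 12.0 means monthly."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Step 6: (ALE1 - ALE2) - ACS. Positive means the safeguard pays for itself."""
    ale_before = annualized_loss_expectancy(av, ef, aro)
    ale_after = annualized_loss_expectancy(av, sg.ef_after, sg.aro_after)
    return (ale_before - ale_after) - sg.annual_cost


def rank_safeguards(av: float, ef: float, aro: float,
                    candidates: Sequence[Safeguard]) -> List[Tuple[str, float]]:
    """Best first. A negative value means the ACS exceeds the risk the safeguard
    removes; the textbook response there is to accept the residual risk instead."""
    scored = [(sg.name, safeguard_value(av, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed example (not from the page): a customer database valued at
# $500,000. A ransomware event is judged to destroy 40% of its value (EF)
# about once every two years (ARO = 0.5), so SLE = $200,000, ALE = $100,000.
ASSET_VALUE = 500_000.0
EF = 0.40
ARO = 0.5

CANDIDATES = [
    # Tested offline backups shrink the loss per event, not its frequency.
    Safeguard("offline backups", annual_cost=15_000.0, ef_after=0.10, aro_after=0.5),
    # A hot standby site shrinks the loss further but costs almost the whole ALE.
    Safeguard("hot standby site", annual_cost=90_000.0, ef_after=0.05, aro_after=0.5),
    # A hardened mail gateway halves the frequency; loss per event is unchanged.
    Safeguard("email gateway", annual_cost=20_000.0, ef_after=0.40, aro_after=0.25),
]

if __name__ == "__main__":
    print("SLE:", single_loss_expectancy(ASSET_VALUE, EF))
    print("ALE:", annualized_loss_expectancy(ASSET_VALUE, EF, ARO))
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        verdict = "implement" if value > 0 else "reject (accept the risk)"
        print(f"{name:18s} {value:>10,.0f}  {verdict}")
```

With these figures the offline backups return $60,000 a year net, the mail gateway $30,000, and the hot standby site -$2,500: a safeguard whose annual cost exceeds the loss it prevents is rejected even though it leaves the least residual exposure, which is exactly the point of the cost/benefit step.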
Smart cards are a Type II authentication factor and include both a microprocessor and at least one certificate. Since they are something you have, they're not a Type I or III authentication factor. Tokens do not necessarily contain certificates.
Read it again
Smurf attacks are a distributed amplification attack: the attacker sends ICMP echo requests to network broadcast addresses with the source spoofed to the victim, so every host on those networks sends its echo reply to the target. The most effective way to block the attack at the target is to block inbound ICMP traffic; networks avoid becoming amplifiers by not forwarding directed broadcasts at their routers.
Read it again
In the Take-Grant model, the create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.
Read it again
The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization.
Read it again
The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort.
Read it again
The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure.
Read it again
The six steps of the NIST SP 800-37 Rev. 1 RMF are:
1. Security categorization
2. Security control selection
3. Security control implementation
4. Security control assessment
5. Information system authorization
6. Security control monitoring
Rev. 2 (2018) adds a Prepare step in front of these and names the remaining steps Categorize, Select, Implement, Assess, Authorize, and Monitor.
Read it again
Both XTACACS and TACACS+ provide identification, authentication, authorization, and accounting functionality, but both are Cisco proprietary protocols (TACACS+ was later documented in RFC 8907).
Read it again
____ controls are an extension of corrective controls but have more advanced or complex abilities, such as backup restorations, system imaging, server clustering, antivirus software, virtual machine shadowing, and database shadowing.
Recovery
The one unacceptable response to risk is to ____ it. Doing so can leave you subject to punishment for lack of due care.
Reject
The process of examining an environment for risks, evaluating each threat event as to its likelihood of occurrence and the cost of the damage, assessing the cost of countermeasures to each risk, and creating a cost/benefit report for safeguards to present to upper management.
Risk analysis
This is the response of placing the cost of loss onto another entity or organization.
Risk assignment
_____ is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing those risks.
Risk management
This document defines controls for vendor, consultant, and contractor levels of performance, expectations, compensation, and consequences.
SLA
This is a control taken to mitigate a vulnerability.
Safeguard
SOX stands for:
Sarbanes-Oxley Act
The basic process for qualitative risk analysis is the creation of _____.
Scenarios
This is any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
Threat
Threats × Vulnerabilities × Asset Value =
Total Risk
This is a weakness in an asset or the absence/weakness of a safeguard or countermeasure.
Vulnerability
The Delphi technique is a group process that uses physically dispersed experts who fill out questionnaires to ____.
anonymously generate ideas