CISSP Chapter 2: Personnel Security and Risk Management Concepts

_____ is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage.

Collusion

A _____ control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

Compensating

This is the act of conforming to or adhering to policies, rules, regulations, standards, or requirements.

Compliance

A _____ control is deployed to discover or detect unwanted or unauthorized activity. Such controls operate after the fact.

Detective

Risk _____ is the process of implementing deterrents to would-be violators of security and policy.

Deterrence

A _____ control is deployed to discourage violation of security policies.

Deterrent

A _____ control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

Corrective

Asset valuations are not necessary for prioritizing and comparing risks with possible losses. True or False

False

Outsourced roles and responsibilities are immune from security governance and any legal standards imposed by third-party mandates. True or False

False

Security awareness must be exclusively created through a classroom type of exercise in order to deter distraction. True or False

False

Security mechanisms should consume as much resources as possible in order to show due care and due diligence. True or False

False

Security should be designed independently of business tasks and functions. Security is first and foremost regardless of impact to users. True or False

False

Separation of duties, restricted job responsibilities, and job rotation help increase the possibility that co-workers will collude (collaborate) to perform illegal or abusive activities due to the higher risk of detection. True or False

False

The benefit of a countermeasure doesn't need to be testable and verifiable. True or False

False

The benefit of the countermeasure should be dependent on its secrecy. True or False

False

The cost of a countermeasure should be more than the value of the asset. True or False

False

The countermeasure should have no overrides. True or False

False

When using qualitative risk analysis, it's best to have one person conduct the evaluation process. True or False

False

FERPA stands for:

Family Educational Rights and Privacy Act

A risk _____ is a guideline or recipe for how risk is to be assessed, resolved, and monitored.

Framework

GDPR stands for:

General Data Protection Regulation

GLBA stands for:

Gramm-Leach-Bliley Act

HIPAA stands for:

Health Insurance Portability and Accountability Act

Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.

Read it again

Class C fire extinguishers use carbon dioxide or halon suppressants and are useful against electrical fires.

Read it again

Clearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once that's completed, the media can be reused.

Read it again

Due to problems with remnant data, the U.S. National Security Agency requires physical destruction of SSDs. This process, known as disintegration, results in very small fragments via a shredding process.

Read it again

Electronic Discovery: During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

Read it again

Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.

Read it again

If the vendor is providing object-based storage, a core infrastructure service, you have infrastructure as a service (IaaS).

Read it again

In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.

Read it again

JavaScript is an interpreted language, so the code is not compiled prior to execution, allowing one to inspect the contents of the code. C, C++, and Java are all compiled languages—a compiler produces an executable file that is not human-readable.

Read it again

Mandatory access control (MAC) systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.

Read it again

Maximum Tolerable Downtime (MTD) is the amount of time that a business may be without service before irreparable harm is caused. This is sometimes also called Maximum Tolerable Outage (MTO).

Read it again

Network Access Control (NAC) systems can be used to authenticate users and then validate their system's compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can't enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Finally, port security is a MAC address-based security feature that can only restrict which systems or devices can connect to a given port.

Read it again

OAuth is an authentication protocol used to allow applications to act on a user's behalf without sharing the password, and is used for many web applications.

Read it again

Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address.

Read it again

RADIUS is a common, non-proprietary AAA technology used to provide services for dial-up, wireless networks, network devices, and a range of other systems.

Read it again

Redundant Array of Independent Disks (RAID) uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

Read it again

Sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.

Read it again

The reverse of onboarding. Removing an employee's identity from the IAM system once they've left.

Offboarding

____ is the process of adding new employees to the identity and access management (IAM) system of an organization. It's also used when an employee's role or position changes or when that person is awarded additional levels of privilege or access.

Onboarding

PCI DSS stands for:

Payment Card Industry Data Security Standard

At the end of a risk analysis, a key task to perform is the risk _____ to the relevant parties. It should be accurate, timely, comprehensive, clear and precise to support decision making, and updated on a regular basis.

Reporting

_____ risk is the risk that remains once safeguards/countermeasures have been implemented.

Residual

Total Risk - Controls Gap =

Residual Risk

The possibility that something could happen to damage, destroy, or disclose data or other resources is called _____.

Risk

The possibility or likelihood of some future event occurring to exploit a vulnerability.

Risk

_____ is the collection of practices related to supporting, defining, and directing the security efforts of an organization.

Security Governance

These are the people responsible for initiating and supporting risk analysis and assessment. They define the scope and purpose of the risk management endeavor.

Senior management

______ is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators. This prevents any one person from having the ability to undermine or subvert vital security mechanisms. Related: the principle of least privilege.

Separation of duties

_____ controls involve the hardware or software mechanisms used to manage access and to provide protection for resources and systems.

Technical

This type of governance is the system of oversight mandated by law, regulation, industry standards, contractual obligations, or licensing requirements.

Third-party governance

A Security Control Assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. True or False

True

A Type 1 authentication factor is something you know. True or False

True

A Type 2 is something you have, like a smart card or hardware token. True or False

True

A Type 3 authentication factor is something you are, like a biometric identifier. True or False

True

A great risk framework recommended by CISSP academia is NIST 800-37. True or False

True

Awareness is the number one prerequisite to security training. Awareness establishes a common baseline for foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand and comprehend. True or False

True

Behavior modification requires some level of learning on the part of the user. True or False

True

Change management is a critical control process that involves systematically managing change. Without it, one might simply deploy code to production without oversight, documentation, or testing. True or False

True

Clearing is the process of preparing media for reuse. True or False

True

Code review is a review of the source code itself. True or False

True

Countermeasure selection is a post risk assessment/analysis activity. True or False

True

Countermeasures need to support continuous improvement. True or False

True

Countermeasures should be tamperproof. True or False

True

Defense in Depth is the best approach to security controls. True or False

True

Degaussing uses magnets to wipe magnetic media. True or False

True

Document exchange and document review are essential elements of ensuring an organization is in full and open agreement with a governing body for compliance verification. True or False

True

Erasing is the deletion of files or media. True or False

True

Failure to meet third-party governance (auditors) can result in loss of ATO (Authorization to Operate), resulting in the severing of business with military or government agencies. True or False

True

Fuzz testing feeds unexpected input to code. True or False

True

Humans are the weakest element in any security solution. True or False

True

If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security. True or False

True

If an asset has no value, then there's no need to provide protection for it. True or False

True

In Germany and other EU member countries, an IP and MAC address are considered PII. True or False

True

It is important to realize that with all the calculations used to assess risk, the end values are used for prioritization and selection. The values themselves do not truly reflect real world loss or costs due to security breaches. True or False

True

Many countermeasures offer degrees of improvement rather than specific hard numbers. True or False

True

Multiprocessing uses multiple processors to perform multiple processes simultaneously. True or False

True

Multiprogramming requires modifications to the underlying applications. True or False

True

Multitasking handles multiple processes on a single processor by switching between them using the operating system. True or False

True

Multithreading runs multiple threads within a single process. True or False

True

NIST 800-30 provides examples of reference ratings and levels. True or False

True

NIST 800-37 has 6 steps to its Risk Management Framework (RMF). True or False

True

NIST SP 800-53 has a guide for performing the SCA process. True or False

True

One form of privacy is freedom from being observed, monitored, or examined without consent or knowledge. True or False

True

Purging is a more intensive form of clearing for reuse in lower security areas. True or False

True

Regression testing focuses on testing to ensure new code doesn't bring back old flaws. True or False

True

Residual risk is usually the risk that proved to be too expensive to safeguard. True or False

True

Risk = Threat x Vulnerability is an algorithm for defining risk. True or False

True

Risk acceptance is common when the cost of a countermeasure to safeguard an asset outweighs the cost of the asset's loss. True or False

True

Security control refers to a broad range of controls that perform such tasks as ensuring only authorized users can log on and preventing unauthorized users from gaining access to resources. True or False

True

Security is aimed at preventing loss or disclosure of data while sustaining authorized access. True or False

True

The annual cost of safeguards should not exceed the expected annual cost of an asset's loss. True or False

True

The best method for catching collusion is through monitoring of employee activities. True or False

True

The cost of the countermeasure should be less than the benefit of the countermeasure. True or False

True

The countermeasure should provide a solution to a real and identified problem. True or False

True

The goals of security governance, corporate governance, and IT governance are all the same: Maintain business processes while striving toward growth and resiliency. True or False

True

The primary goal of risk management is to reduce risk to an acceptable level. True or False

True

The result of the countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from the attack. True or False

True

The sensitivity and classification of a specific position is dependent on the level of harm that could be caused by accidental or intentional violations of security by a person in the position. True or False

True

The three major types or categories of security controls are technical, physical, and administrative. True or False

True

There is no way to eliminate 100 percent of all risks to assets. True or False

True

Threats exploit vulnerabilities, which results in exposure. Exposure is risk, and risk is mitigated by safeguards. Safeguards protect assets that are endangered by threats. True or False

True

Zero fill wipes a drive by replacing data with zeros. True or False

True

Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. True or False

True

_____ controls are the policies and procedures defined by the organization's security policy and other regulations or requirements. They are management controls focused on personnel and business practices.

Administrative

This is the exploitation of a vulnerability by a threat agent.

Attack

Possible responses to risk include _____.

Avoid, Mitigate, Transfer, Accept, Deter, Reject/Ignore

Risk _____ is the process of selecting alternative options or activities that have less risk than the default, common, expedient, or cheaper options.

Avoidance

This is the occurrence of a security mechanism being bypassed by a threat agent.

Breach

This is anything within an environment that should be protected. It falls within the scope of risk management and analysis.

Asset

This is a dollar value assigned to an asset based on actual cost and nonmonetary expenses.

Asset valuation

The successful implementation of a security solution requires changes in user _____.

Behavior

This form of training prepares an employee to perform another role in the event the primary person is unavailable. The employee performs the role when needed, not on a regular basis.

Cross training

A ____ control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Directive

The process of a governing body reading exchanged materials from a target and verifying them against standards and expectations. Performed before any on-site inspections to confirm the location is ready for a compliance check.

Documentation review

This is being susceptible to asset loss because of a threat. EF is derived from this.

Exposure

Crafting _____ is the first step in defining security needs related to personnel and being able to seek out new hires.

Job descriptions

Rotating employees among multiple job descriptions as a means by which an organization improves its overall security.

Job rotation

The two functions served by job rotations are _____ and _____.

Knowledge redundancy and risk reduction of fraud, data modification, theft, sabotage, and misuse of information.

_____ is the implementation of safeguards to counteract a vulnerability.

Mitigation

A _____ attempts to prevent an employee from working with a competing second organization in order to prevent the second organization from benefiting from special knowledge of the first organization.

NCA

An _____ is used to protect the confidential information within an organization from being disclosed by a former employee.

NDA

PII stands for:

Personally Identifiable Information

_____ controls are items you can touch, which include mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.

Physical

A ____ control is deployed to actually block an action.

Preventative

Two risk assessment methodologies are _____ and _____.

Qualitative and quantitative

Attacks that change a symlink between the time that rights are checked and the file is accessed, in order to access a file that the account does not have rights to, are time of check/time of use (TOC/TOU) attacks, a form of race condition. Unlinking removes names from a Linux filesystem, setuid allows a user to run an executable with the permissions of its owner, and tick/tock is not a type of attack or Linux command.

Read it again

Six major elements of quantitative risk analysis are:
1. Assign Asset Value (AV) as a dollar figure
2. Calculate Exposure Factor (EF) as a percentage of single event loss
3. Calculate Single Loss Expectancy (SLE) as AV * EF
4. Assess the Annualized Rate of Occurrence (ARO) as an annual likelihood percentage
5. Calculate the Annualized Loss Expectancy (ALE) as SLE * ARO
6. Perform Cost/Benefit Analysis of Countermeasures as (ALE1 - ALE2) - ACS, where ALE1 = ALE pre-safeguard, ALE2 = ALE post-safeguard, and ACS = Annual Cost of Safeguard

Read it again

Smart cards are a Type II authentication factor and include both a microprocessor and at least one certificate. Since they are something you have, they're not a Type I or III authentication factor. Tokens do not necessarily contain certificates.

Read it again

Smurf attacks use a distributed attack approach to send ICMP echo replies at a targeted system from many different source addresses. The most effective way to block this attack would be to block inbound ICMP traffic.

Read it again

The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.

Read it again

The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization.

Read it again

The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort.

Read it again

The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure.

Read it again

The six steps of the NIST 800-37 RMF are:
1. Security categorization
2. Security control selection
3. Security control implementation
4. Security control assessment
5. Information system authorization
6. Security control monitoring

Read it again

Both XTACACS and TACACS+ provide strong identification, authentication, and accounting functionality, but both are Cisco proprietary protocols.

Read it again

____ controls are an extension of corrective controls but have more advanced or complex abilities, such as backup restorations, system imaging, server clustering, antivirus software, virtual machine shadowing, and database shadowing.

Recovery

The unacceptable risk response is to ____ the risk. This could leave you subject to punishment due to lack of due care.

Reject

The process of examining an environment for risks, evaluating each threat event as to its likelihood of occurrence and the cost of the damage, assessing the cost of countermeasures to each risk, and creating a cost/benefit report for safeguards to present to upper management.

Risk analysis

This is the response of placing the cost of loss onto another entity or organization.

Risk assignment

_____ is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing those risks.

Risk management

This document defines controls for vendor, consultant, and contractor levels of performance, expectations, compensation, and consequences.

SLA

This is a control taken to mitigate a vulnerability.

Safeguard

SOX stands for:

Sarbanes-Oxley Act

The basic process for qualitative risk analysis is the creation of _____.

Scenarios

This is any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.

Threat

Threats X vulnerability X asset value =

Total Risk

This is a weakness in an asset or the absence/weakness of a safeguard or countermeasure.

Vulnerability

The Delphi technique is a group process that uses physically dispersed experts who fill out questionnaires to ____.

anonymously generate ideas
