CISSP Exam Collection - Part 4
QUESTION 469
Of the following, which multiple access method for computer networks does 802.11 Wireless Local Area Network use?
A. CSMA/CA
B. CSMA/CD
C. 802.11 Doesn't support multiple access methods
D. 802.11 RTS/CTS Exchange
Correct Answer: A
Section: Communication and Network Security
Explanation/Reference:
Back in the time when network hubs were commonly used in networks, all sent packets were received by all stations, but only the station with the intended destination MAC address was supposed to listen. (Sniffers accept frames for all destination MAC addresses and can save those packets for examination.) Hubs did not provide for any security or privacy. Hub networks turned out not to be scalable because the number of frame collisions grew as the number of nodes and the amount of traffic increased. A collision occurs when two stations speak on the wire at the same time; both frames being sent are damaged and must be retransmitted.

Wireless networks are like hub networks because all stations "see" all traffic sent on the medium. This situation is mitigated by the CSMA/CA access method. With CSMA/CA, the node wishing to send listens to the network to see if anybody is transmitting; if so, it waits, otherwise it sends its traffic.

CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) is a protocol for carrier transmission in 802.11 networks. Unlike CSMA/CD (Carrier Sense Multiple Access/Collision Detect), which deals with transmissions after a collision has occurred, CSMA/CA acts to prevent collisions before they happen. In CSMA/CA, as soon as a node receives a packet that is to be sent, it checks to be sure the channel is clear (no other node is transmitting at the time). If the channel is clear, the packet is sent. If the channel is not clear, the node waits for a randomly chosen period of time and then checks again to see if the channel is clear. This period of time is called the backoff factor and is counted down by a backoff counter. If the channel is clear when the backoff counter reaches zero, the node transmits the packet. If the channel is not clear when the backoff counter reaches zero, the backoff factor is set again and the process is repeated.

The following answers are incorrect:
CSMA/CD: CSMA/CD does not support wireless networks well because of latency and the "hidden node" problem, where nodes that cannot see each other are both visible to the AP (Access Point). This means that collision detection won't work because the control frames won't be received. CSMA/CD is used only on wired networks. Carrier Sense Multiple Access/Collision Detect (CSMA/CD) is the protocol for carrier transmission access in Ethernet networks. On Ethernet, any device can try to send a frame at any time. Each device senses whether the line is idle and therefore available to be used. If it is, the device begins to transmit its first frame. If another device has tried to send at the same time, a collision is said to occur and the frames are discarded. Each device then waits a random amount of time and retries until successful in getting its transmission sent. CSMA/CD is specified in the IEEE 802.3 standard.
802.11 Doesn't support multiple access methods: This isn't correct. 802.11 wireless supports multiple access to the wireless medium using CSMA/CA.
802.11 RTS/CTS Exchange: This isn't an access control method; rather, request to send (RTS) and clear to send (CTS) are supplemental packets to CSMA/CA, exchanged by nodes to enhance signaling.

The following reference(s) were/was used to create this question:
CEH - Certified Ethical Hacker: Sybex, Kimberly Graves - Wiley Publishing, INC 2010
QUESTION 463
You wish to make use of "port knocking" technologies. How can you BEST explain this?
A. Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as an authorized client.
B. Port knocking is where the user calls the server operator to have him start the service he wants to connect to.
C. This is where all the ports are open on the server and the connecting client scans the open port to which he wants to connect to see if it's open and running.
D. Port knocking is where the port sequence is encrypted with 3DES and only the server has the other key to decrypt the port sequence.
Correct Answer: A
Section: Communication and Network Security
Explanation/Reference:
The Answer: Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as an authorized client. The port knocking sequence is used to identify the client as a legitimate user.
The other answers are incorrect.
The following reference(s) were/was used to create this question:
http://www.portknocking.org/
QUESTION 477
Which of the following services is a distributed database that translates host names to IP addresses and IP addresses to host names?
A. DNS
B. FTP
C. SSH
D. SMTP
Correct Answer: A
Section: Communication and Network Security
Explanation/Reference:
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates information from domain names with each of the assigned entities. Most prominently, it translates easily memorized domain names to the numerical IP addresses needed for locating computer services and devices worldwide. The Domain Name System is an essential component of the functionality of the Internet.

For your exam you should know the following general Internet terminology:

Network Access Point (NAP) - Internet service providers reach the Internet through a network access point. A Network Access Point (NAP) was a public network exchange facility where Internet service providers (ISPs) connected with one another in peering arrangements. The NAPs were a key component in the transition from the 1990s NSFNET era (when many networks were government sponsored and commercial traffic was prohibited) to the commercial Internet providers of today. They were often points of considerable Internet congestion.

Internet Service Provider (ISP) - An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. Internet service providers may be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privately owned. Internet services typically provided by ISPs include Internet access, Internet transit, domain name registration, web hosting, and co-location.

Telnet or Remote Terminal Control Protocol - A terminal emulation program for TCP/IP networks such as the Internet. The Telnet program runs on your computer and connects your PC to a server on the network. You can then enter commands through the Telnet program and they will be executed as if you were entering them directly on the server console. This enables you to control the server and communicate with other servers on the network. To start a Telnet session, you must log in to a server by entering a valid username and password. Telnet is a common way to remotely control Web servers.

Internet Link - An Internet link is a connection between Internet users and the Internet service provider.

Secure Shell or Secure Socket Shell (SSH) - Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three utilities - slogin, ssh, and scp - that are secure versions of the earlier UNIX utilities rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.

Domain Name System (DNS) - See the description at the top of this explanation.

File Transfer Protocol (FTP) - The File Transfer Protocol or FTP is a client/server application that is used to move files from one system to another. The client connects to the FTP server, authenticates, and is given the access that the server is configured to permit. FTP servers can also be configured to allow anonymous access by logging in with an email address but no password. Once connected, the client may move around between directories with the commands available.

Simple Mail Transfer Protocol (SMTP) - SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, sendmail is the most widely used SMTP server for e-mail. A commercial package, Sendmail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support.

The following answers are incorrect:
SMTP - Simple Mail Transfer Protocol, described above, is used for sending and receiving e-mail; it does not translate host names to IP addresses.
FTP - The File Transfer Protocol, described above, moves files from one system to another; it does not translate host names to IP addresses.
SSH - Secure Shell, described above, provides secure command access to a remote computer; it does not translate host names to IP addresses.

The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 273 and 274
QUESTION 464
You are part of the security staff at a highly profitable bank, and each day all traffic on the network is logged for later review. Every Friday, when major deposits are made, you're seeing a series of bits placed in the "Urgent Pointer" field of a TCP packet. This is only 16 bits, which isn't much, but it concerns you because:
A. This could be a sign of covert channeling in bank network communications and should be investigated.
B. It could be a sign of a damaged network cable causing the issue.
C. It could be a symptom of a malfunctioning network card or drivers, and the source system should be checked for the problem.
D. It is normal traffic because sometimes the previous field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field, causing the condition.
Correct Answer: A
Section: Communication and Network Security
Explanation/Reference:
The Urgent Pointer is used when some information has to reach the server ASAP. When the TCP/IP stack at the other end sees a packet with the Urgent Pointer set, it is duty bound to stop all ongoing activities and immediately send this packet up the stack for immediate processing. Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB) packet and the data is called Out Of Band (OOB) data. The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable.

Covert channels are not directly synonymous with backdoors. A covert channel is simply using a communication protocol in a way it was not intended to be used, or sending data without going through the proper access control mechanisms or channels. For example, in a Mandatory Access Control system a user at Secret has found a way to communicate information to a user at Confidential without going through the normal channels.

In this case the Urgent bit could be used for a few reasons:
1. It could be an attempt at a denial of service: the host receiving a packet with the Urgent bit set will give immediate attention to the request and will stay in a wait state until the urgent message is received; if the sender never sends the urgent message, the host simply sits there doing nothing until it times out. Some TCP/IP stacks used to have a 600-second timeout, which means that for 10 minutes nobody could use the port. Thousands of packets with the URGENT flag set would create a very effective denial of service.
2. It could be used as a client/server application to transmit data back and forth without going through the proper channels. It would be slow, but it is possible to use reserved fields and bits to transmit data outside the normal communication channels.

The other answers are incorrect.
The following reference(s) were/was used to create this question:
http://www.vijaymukhi.com/vmis/tcp.htm
http://www.fas.org/irp/nsa/rainbow/tg030.htm, a document covering the subject of covert channels
Also see http://gray-world.net/papers.shtml, which is a large collection of documents on covert channels.
QUESTION 526
Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment?
A. A baseline
B. A standard
C. A procedure
D. A guideline
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Baselines provide the minimum level of security necessary throughout the organization. Standards specify how hardware and software products should be used throughout the organization. Procedures are detailed step-by-step instructions on how to achieve certain tasks. Guidelines are recommended actions and operational guides for personnel when a specific standard does not apply.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 94).
QUESTION 581
Which of the following is a fraud detection method whereby employees are moved from position to position?
A. Job Rotation
B. Mandatory Rotation
C. Mandatory Vacations
D. Mandatory Job Duties
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Discussion: Job rotation is the practice of moving employees from position to position in order to prevent any single user from perpetrating fraudulent activities without being detected by management. It is a common practice and can help an organization achieve certain corporate accreditation certifications.
The following answers are incorrect:
- Mandatory Rotation: This isn't the right answer. There isn't a commonly used term called mandatory rotation.
- Mandatory Vacations: This isn't the right answer here, but it is a good term with which to be familiar.
- Mandatory Job Duties: This is an incorrect answer because it isn't a method to detect fraud by employees.
The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
QUESTION 535
Making sure that the data has not been changed unintentionally, due to an accident or malice, is:
A. Integrity.
B. Confidentiality.
C. Availability.
D. Auditability.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Integrity refers to the protection of information from unauthorized modification or deletion.
Confidentiality is incorrect. Confidentiality refers to the protection of information from unauthorized disclosure.
Availability is incorrect. Availability refers to the assurance that information and services will be available to authorized users in accordance with the service level objective.
Auditability is incorrect. Auditability refers to the ability to trace an action to the identity that performed it and identify the date and time at which it occurred.
References:
CBK, pp. 5-6
AIO3, pp. 56-57
QUESTION 565
One purpose of a security awareness program is to modify:
A. employees' attitudes and behaviors towards the enterprise's security posture
B. management's approach towards the enterprise's security posture
C. attitudes of employees with sensitive data
D. corporate attitudes about safeguarding data
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Security-awareness training is performed to modify employees' behavior and attitude toward security. This can best be achieved through a formalized process of security-awareness training. It is used to increase the overall awareness of security throughout the company. It is targeted at every single employee and not only at one group of users. Unfortunately you cannot apply a patch to a human being; the only thing you can do is educate employees and make them more aware of security issues and threats. Never underestimate human stupidity.
Reference(s) used for this question:
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Also see: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 130). McGraw-Hill. Kindle Edition.
QUESTION 576
CobiT was developed from the COSO framework. Which of the choices below best describes COSO's main objectives and purpose?
A. COSO's main purpose is to help ensure fraudulent financial reporting cannot take place in an organization.
B. COSO's main purpose is to define a sound risk management approach within financial companies.
C. COSO addresses corporate culture and policy development.
D. COSO is a risk management system used for the protection of federal systems.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes-Oxley Section 404 compliance.

COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, such as company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization.

COBIT
Control Objectives for Information and related Technology (COBIT) is published by the IT Governance Institute and integrates the following IT and risk frameworks:
- CobiT 4.1
- Val IT 2.0
- Risk IT
- IT Assurance Framework (ITAF)
- Business Model for Information Security (BMIS)
The COBIT framework examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of the high-level control objectives. The framework provides an overall structure for information technology control and includes control objectives that can be utilized to determine effective security control objectives that are driven from the business needs. The Information Systems Audit and Control Association (ISACA) dedicates numerous resources to the support and understanding of COBIT.

The following answers are incorrect:
COSO's main purpose is to define a sound risk management approach within financial companies.
COSO addresses corporate culture and policy development.
COSO is a risk management system used for the protection of federal systems.

The following reference(s) were/was used to create this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9791-9800). Auerbach Publications. Kindle Edition.
QUESTION 555
Which of the following is an advantage of a qualitative over a quantitative risk analysis?
A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B. It provides specific quantifiable measurements of the magnitude of the impacts.
C. It makes a cost-benefit analysis of recommended controls easier.
D. It can easily be automated.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult. Since it involves a consensus of experts and some guesswork based on the experience of Subject Matter Experts (SMEs), it cannot be easily automated.
Reference used for this question:
STONEBURNER, Gary et al., NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, 2001 (page 23).
QUESTION 561
Which of the following statements pertaining to a security policy is incorrect?
A. Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.
B. It specifies how hardware and software should be used throughout the organization.
C. It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.
D. It must be flexible to the changing environment.
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
A security policy would NOT define how hardware and software should be used throughout the organization. A standard or a procedure would provide such details, but not a policy.

A security policy is a formal statement of the rules that people who are given access to an organization's technology and information assets must abide by. The policy communicates the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.

The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization.

A good security policy must:
· Be able to be implemented through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
· Be able to be enforced with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible
· Clearly define the areas of responsibility for the users, the administrators, and the managers
· Be communicated to all once it is established
· Be flexible to the changing environment of a computer network, since it is a living document

Reference(s) used for this question:
National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide, February 2002, page 7.
A local copy is kept at: https://www.freepracticetests.org/documents/The%2060%20Minute%20Network%20Security%20Guide.pdf
QUESTION 560
What can be defined as an event that could cause harm to the information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
A threat is an event or activity that has the potential to cause harm to the information systems. A risk is the probability that a threat will materialize. A vulnerability, or weakness, is a lack of a safeguard, which may be exploited by a threat, causing harm to the information systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 1: Access Control Systems (page 32).
QUESTION 506
Related to information security, integrity is the opposite of which of the following?
A. abstraction
B. alteration
C. accreditation
D. application
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Integrity is the opposite of "alteration."
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
QUESTION 551
IT security measures should:
A. Be complex.
B. Be tailored to meet organizational security goals.
C. Make sure that every asset of the organization is well protected.
D. Not be developed in a layered fashion.
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
In general, IT security measures are tailored according to an organization's unique needs. While numerous factors, such as the overriding mission requirements and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security-related negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used - implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

The more complex the mechanism, the more likely it may possess exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. Further, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process.

Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system's security posture even more. The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used. Practical experience has shown that the current state of the art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.

Source: STONEBURNER, Gary et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).
QUESTION 567
Which type of security control is also known as a "Logical" control?
A. Physical
B. Technical
C. Administrative
D. Risk
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Technical controls are also referred to as logical controls.
The following answers are incorrect:
Physical: This is a type of security control, but it does not have an alternate name.
Administrative: This is a type of security control, but it does not have an alternate name.
Risk: This is not a type of security control.
The following reference(s) were/was used to create this question:
Shon Harris AIO 4th Edition, Chapter 3, Page 57
QUESTION 588
Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer
Correct Answer: B Section: Software Development Security Explanation Explanation/Reference: Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. For your exam you should know below information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: · Identify assets and their value to the organization. · Identify vulnerabilities and threats. · Quantify the probability and business impact of these potential threats. · Provide an economic balance between the impact of the threat and the cost of the countermeasure. Treating Risk Risk Mitigation Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves applying appropriate control to reduce risk. 
For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth, or establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make their organization less desirable to attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle. In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.

Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved.
Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parent's trust in his or her judgment.

The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Mitigation - Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented.

The following reference(s) were/was used to create this question:
CISA Review Manual 2014, page 51, and Official ISC2 Guide to the CISSP CBK, 3rd edition, pages 534-539
QUESTION 465 What would you call the process that takes advantage of the security provided by a transmission protocol by carrying one protocol over another?
A. Piggy Backing
B. Steganography
C. Tunneling
D. Concealing
Correct Answer: C
Section: Communication and Network Security
Explanation/Reference:
Computer networks use a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery network, or provide a secure path through an untrusted network.

Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The delivery protocol usually (but not always) operates at a higher level in the model than does the payload protocol, or at the same level. To understand a particular protocol stack, network engineers must understand both the payload and delivery protocol sets.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP Protocol Number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.

Secure Shell tunneling
A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
Tunneling to circumvent firewall policy
Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy. Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows access only to a whitelist of specific authorized servers.

The following answers are incorrect:

Piggy Backing
In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain. The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often has the connotation of being an illegal or unauthorized act. To describe the act of an unauthorized person who follows someone to a restricted area without the consent of the authorized person, the term tailgating is also used. "Tailgating" implies without consent (similar to a car tailgating another vehicle on the freeway), while "piggybacking" usually implies consent of the authorized person. Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were exposed in airport security. While a study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items on planes, or board planes without tickets were successful, piggybacking was revealed as one of the methods that was used in order to enter off-limits areas.
Steganography
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing", from the Greek words steganos, meaning "covered or protected", and graphein, meaning "to write". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter. The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages--no matter how unbreakable--will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties. Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.

Concealing
Concealment (also called abscondence or hiding) is obscuring something from view or rendering it inconspicuous, the opposite of exposure.
A military term is CCD: camouflage (object looks like its surroundings), concealment (object cannot be seen), and deception (object looks like something else); in a broad sense, all three are forms of concealment. The objective of hiding is often to keep the presence of an object or person secret, but in other cases the presence is not a secret, only the location is.

The following reference(s) were/was used to create this question:
Ethical Hacking Countermeasures v6.1
Ethical Hacking Countermeasures v7.0
Introduction to Ethical Hacking
http://en.wikipedia.org/wiki/Tunneling_protocol
http://en.wikipedia.org/wiki/Steganography
http://en.wikipedia.org/wiki/Piggybacking_%28security%29
QUESTION 574 Common Criteria 15408 generally outlines assurance and functional requirements through a security evaluation process concept of ______________, ____________, __________ for Evaluated Assurance Levels (EALs) to certify a product or system.
A. EAL, Security Target, Target of Evaluation
B. SFR, Protection Profile, Security Target
C. Protection Profile, Target of Evaluation, Security Target
D. SFR, Security Target, Target of Evaluation
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Common Criteria 15408 generally outlines assurance and functional requirements through a security evaluation process concept of Protection Profile (PP), Target of Evaluation (TOE), and Security Target (ST) for Evaluated Assurance Levels (EALs) to certify a product or system. This lists the correct sequential order of these applied concepts to formally conduct tests that evaluate a product or system for certification for federal global information systems.

Common Criteria evaluations are performed on computer security products and systems. There are many terms related to Common Criteria and you must be familiar with them.

Target of Evaluation (TOE): the product or system that is the subject of the evaluation. The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:

Protection Profile (PP): a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target's ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.

Security Target (ST): the document that identifies the security properties of the target of evaluation. It is what the vendor claims the product can do. It may refer to one or more PPs.
The TOE is evaluated against the SFRs (see below) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.

The evaluation process also tries to establish the level of confidence that may be placed in the product's security features through quality assurance processes:

Security Assurance Requirements (SARs): descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.

Evaluation Assurance Level (EAL): the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic (and therefore cheapest to implement and evaluate) and EAL 7 being the most stringent (and most expensive). Normally, an ST or PP author will not select assurance requirements individually but choose one of these packages, possibly 'augmenting' requirements in a few areas with requirements from a higher level.
Higher EALs do not necessarily imply "better security"; they only mean that the claimed security assurance of the TOE has been more extensively verified.

Security Functional Requirements (SFRs): specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, an SFR may state how a user acting in a particular role might be authenticated. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product. Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function (such as the ability to limit access according to roles) is dependent on another (such as the ability to identify individual roles).

So far, most PPs and most evaluated STs/certified products have been for IT components (e.g., firewalls, operating systems, smart cards). Common Criteria certification is sometimes specified for IT procurement. Other standards containing, e.g., interoperation, system management, user training, supplement CC and other product standards. Examples include ISO/IEC 17799 (or more properly BS 7799-1, which is now ISO/IEC 27002) or the German IT-Grundschutzhandbuch. Details of cryptographic implementation within the TOE are outside the scope of the CC. Instead, national standards, like FIPS 140-2, give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use. More recently, PP authors are including cryptographic requirements for CC evaluations that would typically be covered by FIPS 140-2 evaluations, broadening the bounds of the CC through scheme-specific interpretations.

The following answers are incorrect:
1. Protection Profile, Security Target, Target of Evaluation
2. SFR, Protection Profile, Security Target, Target of Evaluation
4. SFR, Security Target, Protection Profile, Target of Evaluation

The following reference(s) were/was used to create this question:
ISO/IEC 15408 Common Criteria for IT Security Evaluations and http://en.wikipedia.org/wiki/Common_Criteria
QUESTION 550 In an organization, an Information Technology security function should:
A. Be a function within the information systems function of an organization.
B. Report directly to a specialized business unit such as legal, corporate security or insurance.
C. Be led by a Chief Security Officer and report directly to the CEO.
D. Be independent but report to the Information Systems function.
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
In order to offer more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended as it promotes a low-technology view of the function and leads people to believe that it is someone else's problem.
Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.
QUESTION 523 Which of the following is responsible for MOST of the security issues?
A. Outside espionage
B. Hackers
C. Personnel
D. Equipment failure
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Personnel cause more security issues than hacker attacks, outside espionage, or equipment failure.
The following answers are incorrect because:
Outside espionage is incorrect as it is not the best answer.
Hackers is also incorrect as it is not the best answer.
Equipment failure is also incorrect as it is not the best answer.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, page 56
QUESTION 569 The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as:
A. Integrity
B. Accountability
C. Assurance
D. Availability
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as Assurance.
The following answers are incorrect:
Integrity
Accountability
Availability
The following reference(s) were/was used to create this question:
Ethical Hacking Countermeasures
Introduction to Ethical Hacking
Orange Book
QUESTION 563 The preliminary steps to security planning include all of the following EXCEPT which of the following?
A. Establish objectives.
B. List planning assumptions.
C. Establish a security audit function.
D. Determine alternate courses of action.
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
The keyword within the question is: preliminary. This means that you are starting your effort; you cannot audit if your infrastructure is not even in place.
Reference used for this question: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
QUESTION 575 What are the four domains that make up CobiT?
A. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
B. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
C. Acquire and Implement, Deliver and Support, Monitor, and Evaluate
D. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
CobiT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, Acquire and Implement contains the following subcategories:
· Acquire and Maintain Application Software
· Acquire and Maintain Technology Infrastructure
· Develop and Maintain Procedures
· Install and Accredit Systems
· Manage Changes
The following answers are incorrect:
Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
Acquire and Implement, Deliver and Support, and Monitor and Evaluate
The following reference(s) were/was used to create this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 55). McGraw-Hill. Kindle Edition
QUESTION 503 Which of the following is the MOST important aspect relating to employee termination?
A. The details of the employee have been removed from active payroll files.
B. Company property provided to the employee has been returned.
C. User ID and passwords of the employee have been deleted.
D. The appropriate company staff are notified about the termination.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Even though logical access to information by a terminated employee is possible if the ID and password of the terminated employee have not been deleted, this is only one part of the termination procedures. If the user ID is not disabled or deleted, it could be possible for the employee, without physical access, to visit the company's networks remotely and gain access to the information.

Please note that this can also be seen in a different way: the most important thing to do could also be to inform others of the person's termination, because even if user IDs and passwords are deleted, a terminated individual could simply socially engineer their way back in by calling an individual he/she used to work with and asking them for access. He could intrude on the facility or use other weaknesses to gain access to information after he has been terminated. By notifying the appropriate company staff about the termination, they would in turn initiate account termination, ask the employee to return company property, and all credentials would be withdrawn for the individual concerned. This answer is more complete than simply disabling the account.

It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee's accounts should be disabled right away, and all passwords on all systems changed.

For your exam you should know the information below:

Employee Termination Processes
Employees join and leave organizations every day. The reasons vary widely, due to retirement, reduction in force, layoffs, termination with or without cause, relocation to another city, career opportunities with other employers, or involuntary transfers.
Terminations may be friendly or unfriendly and will need different levels of care as a result.

Friendly Terminations
Regular termination is when there is little or no evidence or reason to believe that the termination is not agreeable to both the company and the employee. A standard set of procedures, typically maintained by the human resources department, governs the dismissal of the terminated employee to ensure that company property is returned, and all access is removed. These procedures may include exit interviews and return of keys, identification cards, badges, tokens, and cryptographic keys. Other property, such as laptops, cable locks, credit cards, and phone cards, is also collected. The user manager notifies the security department of the termination to ensure that access is revoked for all platforms and facilities. Some facilities choose to immediately delete the accounts, while others choose to disable the accounts for a policy-defined period, for example, 30 days, to account for changes or extensions in the final termination date. The termination process should include a conversation with the departing associate about their continued responsibility for confidentiality of information.

Unfriendly Terminations
Unfriendly terminations may occur when the individual is fired, involuntarily transferred, laid off, or when the organization has reason to believe that the individual has the means and intention to potentially cause harm to the system. Individuals with technical skills and higher levels of access, such as systems administrators, computer programmers, database administrators, or any individual with elevated privileges, may present higher risk to the environment. These individuals could alter files, plant logic bombs to create system file damage at a future date, or remove sensitive information. Other disgruntled users could enter erroneous data into the system that may not be discovered for several months.
In these situations, immediate termination of systems access is warranted at the time of termination or prior to notifying the employee of the termination. Managing the people aspect of security, from pre-employment to post-employment, is critical to ensure that trustworthy, competent resources are employed to further the business objectives that will protect company information. Each of these actions contributes to preventive, detective, or corrective personnel controls.

The following answers are incorrect: The other options are less important.

The following reference(s) were/was used to create this question:
CISA Review Manual 2014, page 99
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 129). McGraw-Hill. Kindle Edition.
QUESTION 598 Which of the following virus types changes some of its characteristics as it spreads?
A. Boot Sector
B. Parasitic
C. Stealth
D. Polymorphic
Correct Answer: D
Section: Software Development Security
Explanation/Reference:
A polymorphic virus produces varied but operational copies of itself in hopes of evading anti-virus software.
The following answers are incorrect:
Boot sector is incorrect because it is not the best answer. A boot sector virus attacks the boot sector of a drive. It describes the type of attack of the virus and not the characteristics of its composition.
Parasitic is incorrect because it is not the best answer. A parasitic virus attaches itself to other files but does not change its characteristics.
Stealth is incorrect because it is not the best answer. A stealth virus attempts to hide changes of the affected files but not itself.
QUESTION 527 According to private sector data classification levels, how would salary levels and medical information be classified?
A. Public.
B. Internal Use Only.
C. Restricted.
D. Confidential.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Typically there are three to four levels of information classification used by most organizations:

Confidential: Information that, if released or disclosed outside of the organization, would create severe problems for the organization. For example, information that provides a competitive advantage, is important to the technical or financial success (like trade secrets, intellectual property, or research designs), or protects the privacy of individuals would be considered confidential. Information may include payroll information, health records, credit information, formulas, technical designs, restricted regulatory information, senior management internal correspondence, or business strategies or plans. These may also be called top secret, privileged, personal, sensitive, or highly confidential. In other words, this information is OK within a defined group in the company such as marketing or sales, but is not suited for release to anyone else in the company without permission.

The following answers are incorrect:

Public: Information that may be disclosed to the general public without concern for harming the company, employees, or business partners. No special protections are required, and information in this category is sometimes referred to as unclassified. For example, information that is posted to a company's public Internet site, publicly released announcements, marketing materials, cafeteria menus, and any internal documents that would not present harm to the company if they were disclosed would be classified as public. While there is little concern for confidentiality, integrity and availability should be considered.

Internal Use Only: Information that could be disclosed within the company, but could harm the company if disclosed externally.
Information such as customer lists, vendor pricing, organizational policies, standards and procedures, and internal organization announcements would need baseline security protections, but do not rise to the level of protection of confidential information. In other words, the information may be used freely within the company but any unapproved use outside the company can pose a chance of harm.

Restricted: Information that requires the utmost protection or, if discovered by unauthorized personnel, would cause irreparable harm to the organization would have the highest level of classification. There may be very few pieces of information like this within an organization, but data classified at this level requires all the access control and protection mechanisms available to the organization. Even when information classified at this level exists, there will be few copies of it.

Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 952-976). Auerbach Publications. Kindle Edition.
QUESTION 476 How many bits is the address space reserved for the source IP address within an IPv6 header?
A. 128
B. 32
C. 64
D. 256
Correct Answer: A
Section: Communication and Network Security
Explanation/Reference:
Discussion: An IPv6 address space is 128 bits, or 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. When IPv4 was conceived in the late 1970s they thought that we would never need 4.3 billion addresses, but we ran out of them years ago. It is not likely that we will ever run out of addresses any time soon with numbers like those.

We've gotten by with IPv4 by using NAT (Network Address Translation), where private IP addresses are used behind a single or a few externally routable IP addresses. Unfortunately, early on companies were given huge blocks of address space, like class A networks with 2^24 or 16,777,216 addresses, even when only a small handful were used within the company. Also, the 127.0.0.0 loopback network wasted as many.

IPv6 addresses are written in 8 groups of 4 hexadecimal digits separated by colons, like this:
2001:0db8:85a3:0000:0000:8a2e:0370:7334

What is an IPv6 Header?
An Internet Protocol version 6 (IPv6) data packet consists of two main parts: the header and the payload. The first 40 bytes/octets (40 x 8 = 320 bits) of an IPv6 packet make up the header (see Figure 1), which contains the following fields:

IPv6 Source address (128 bits)
The 128-bit source address field contains the IPv6 address of the originating node of the packet. It is the address of the originator of the IPv6 packet.

Destination address (128 bits)
The 128-bit field contains the destination address of the recipient node of the IPv6 packet. It is the address of the intended recipient of the IPv6 packet.

Version/IP version (4 bits)
The 4-bit version field contains the number 6. It indicates the version of the IPv6 protocol. This field is the same size as the IPv4 version field that contains the number 4. However, this field has a limited use because IPv4 and IPv6 packets are not distinguished based on the value in the version field but by the protocol type present in the layer 2 envelope.
Packet priority/Traffic class (8 bits) The 8-bit Priority field in the IPv6 header can assume different values to enable the source node to differentiate between the packets generated by it by associating different delivery priorities to them. This field is subsequently used by the originating node and the routers to identify the data packets that belong to the same traffic class and distinguish between packets with different priorities. Flow Label/QoS management (20 bits) The 20-bit flow label field in the IPv6 header can be used by a source to label a set of packets belonging to the same flow. A flow is uniquely identified by the combination of the source address and of a non-zero Flow label. Multiple active flows may exist from a source to a destination as well as traffic that are not associated with any flow (Flow label = 0). The IPv6 routers must handle the packets belonging to the same flow in a similar fashion. The information on handling of IPv6 data packets belonging to a given flow may be specified within the data packets themselves or it may be conveyed by a control protocol such as the RSVP (Resource reSerVation Protocol). When routers receive the first packet of a new flow, they can process the information carried by the IPv6 header, Routing header, and Hop-by-Hop extension headers, and store the result (e.g. determining the retransmission of specific IPv6 data packets) in a cache memory and use the result to route all other packets belonging to the same flow (having the same source address and the same Flow Label), by using the data stored in the cache memory. Payload length in bytes(16 bits) The 16-bit payload length field contains the length of the data field in octets/bits following the IPv6 packet header. The 16-bit Payload length field puts an upper limit on the maximum packet payload to 64 kilobytes. In case a higher packet payload is required, a Jumbo payload extension header is provided in the IPv6 protocol. 
A Jumbo payload (Jumbogram) is indicated by the value zero in the Payload Length field. Jumbograms are frequently used in supercomputer communication using the IPv6 protocol to transmit heavy data payload. Next Header (8 bits) The 8-bit Next Header field identifies the type of header immediately following the IPv6 header and located at the beginning of the data field (payload) of the IPv6 packet. This field usually specifies the transport layer protocol used by a packet's payload. The two most common kinds of Next Headers are TCP (6) and UDP (17), but many other headers are also possible. The format adopted for this field is the one proposed for IPv4 by RFC 1700. In case of IPv6 protocol, the Next Header field is similar to the IPv4 Protocol field. Time To Live (TTL)/Hop Limit (8 bits) The 8-bit Hop Limit field is decremented by one, by each node (typically a router) that forwards a packet. If the Hop Limit field is decremented to zero, the packet is discarded. The main function of this field is to identify and to discard packets that are stuck in an indefinite loop due to any routing information errors. The 8-bit field also puts an upper limit on the maximum number of links between two IPv6 nodes. In this way, an IPv6 data packet is allowed a maximum of 255 hops before it is eventually discarded. An IPv6 data packet can pas through a maximum of 254 routers before being discarded. In case of IPv6 protocol, the fields for handling fragmentation do not form a part of the basic header. They are put into a separate extension header. Moreover, fragmentation is exclusively handled by the sending host. Routers are not employed in the Fragmentation process. For further details, please see RFC 2460 - Internet Protocol, Version 6 (IPv6) Specification. The following answers are incorrect: - 32: This answer would be right if the question was about IPv4 but it isn't so the answer is wrong. 
32 Bits yields 4,294,967,296 unique IP Address and considering the RFC for that was released in 1981, IPv4 has proven to have a remarkable lifespan. After more than 30 years and the huge growth the internet it's no wonder its lifespan is coming to an end. - 64: This is only half the size of an IPv6 header address space so this isn't correct. 64 Bits would yield a huge number of addresses which probably would have been enough but designers wanted to be sure to never ever run out of addresses on planet earth with 128-bit address spaces in IPv6. - 256: This isn't correct because 256 is twice the size of an IPv6 address size, far to many addresses necessary at this or any other point in time. The following reference(s) was used to create this question: Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 53). Wiley. Kindle Edition.
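The 40-octet fixed header described above, parsed and rebuilt field by field with Python's standard library, as an added example that is not part of the original question bank; it also models the Hop Limit decrement-and-discard rule, and the addresses and payload values in the sample are constructed (documentation prefix 2001:db8::/32), not captured traffic.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Fixed IPv6 header: 40 octets (320 bits), field widths as listed in the explanation.
IPV6_HEADER_LEN = 40
# A few Next Header values; 6 (TCP) and 17 (UDP) are the two named above.
NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 44: "Fragment", 58: "ICMPv6"}


@dataclass
class IPv6Header:
    version: int         # 4 bits, must be 6
    traffic_class: int   # 8 bits
    flow_label: int      # 20 bits, 0 = not part of any flow
    payload_length: int  # 16 bits, octets following the fixed header
    next_header: int     # 8 bits
    hop_limit: int       # 8 bits
    src: str             # 128 bits
    dst: str             # 128 bits

    @property
    def jumbogram_indicated(self) -> bool:
        # Payload Length of zero signals a Jumbo Payload option carried in an extension header.
        return self.payload_length == 0

    @property
    def next_header_name(self) -> str:
        return NEXT_HEADER_NAMES.get(self.next_header, f"unknown({self.next_header})")


def parse_ipv6_header(data: bytes) -> IPv6Header:
    """Parse the 40-octet fixed header; reject short input or a non-6 version field."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError(f"need {IPV6_HEADER_LEN} octets, got {len(data)}")
    # First 8 octets: a 32-bit word (version | traffic class | flow label),
    # then the 16-bit payload length, 8-bit next header and 8-bit hop limit.
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, expected 6")
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & 0xFFFFF
    src = str(ipaddress.IPv6Address(data[8:24]))
    dst = str(ipaddress.IPv6Address(data[24:40]))
    return IPv6Header(version, traffic_class, flow_label, payload_len, next_hdr, hop_limit, src, dst)


def build_ipv6_header(src: str, dst: str, payload_length: int, next_header: int,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Inverse of parse_ipv6_header, with range checks matching the field widths."""
    if not 0 <= flow_label < (1 << 20) or not 0 <= traffic_class < 256:
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    if not 0 <= payload_length < (1 << 16) or not 0 <= hop_limit < 256:
        raise ValueError("payload length is 16 bits, hop limit is 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def forward(packet: bytes) -> Optional[bytes]:
    """Model the Hop Limit rule: a forwarding node decrements it and discards at zero."""
    hdr = parse_ipv6_header(packet)
    if hdr.hop_limit <= 1:
        return None  # would be decremented to zero: discarded (loop protection)
    return packet[:7] + bytes([hdr.hop_limit - 1]) + packet[8:]  # hop limit is octet 7


# Constructed sample header, not a captured packet.
SAMPLE = build_ipv6_header("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:db8::1",
                           payload_length=20, next_header=6, hop_limit=2, flow_label=0xABCDE)

if __name__ == "__main__":
    print(parse_ipv6_header(SAMPLE))
    print("after one router:", parse_ipv6_header(forward(SAMPLE)).hop_limit)
    print("after two routers:", forward(forward(SAMPLE)))
```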
QUESTION 541
Which of the following is not a component of an Operations Security "triple"?
A. Asset
B. Threat
C. Vulnerability
D. Risk

Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
The Operations Security domain is concerned with triples: threats, vulnerabilities and assets.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 216.
QUESTION 594
Which of the following Confidentiality, Integrity, Availability (CIA) attributes supports the principle of least privilege by providing access to information only to authorized and intended users?
A. Confidentiality
B. Integrity
C. Availability
D. Accuracy

Correct Answer: A
Section: Software Development Security
Explanation/Reference:
Confidentiality supports the principle of "least privilege" by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. The level of access that an authorized individual should have is the level necessary for them to do their job.

In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals who may be able to commit crimes by viewing the information. Identity theft is the act of assuming one's identity through knowledge of confidential information obtained from various sources.

An important measure to ensure confidentiality of information is data classification. This helps to determine who should have access to the information (public, internal use only, or confidential). Identification, authentication, and authorization through access controls are practices that support maintaining the confidentiality of information. A sample control for protecting confidentiality is to encrypt information. Encryption of information limits the usability of the information in the event it is accessible to an unauthorized person.

For your exam you should know the information below:

Integrity
Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes. Information stored in files, databases, systems, and networks must be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified only through accepted practices. Sample controls include management controls such as segregation of duties, approval checkpoints in the systems development life cycle, and implementation of testing practices that assist in providing information integrity. Well-formed transactions and security of the update programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification.

Availability
Availability is the principle that ensures that information is available and accessible to users when needed. The two primary areas affecting the availability of systems are:
1. Denial-of-Service attacks, and
2. Loss of service due to a disaster, which could be man-made (e.g., poor capacity planning resulting in a system crash, outdated hardware, and poor testing resulting in a system crash after an upgrade) or natural (e.g., earthquake, tornado, blackout, hurricane, fire, and flood).
In either case, the end user does not have access to the information needed to conduct business. The criticality of the system to the user and its importance to the survival of the organization will determine how significant the impact of the extended downtime becomes. The lack of appropriate security controls can increase the risk of viruses, destruction of data, external penetrations, or denial-of-service (DoS) attacks. Such events can prevent the system from being used by normal users.

The following answers are incorrect:
Integrity - Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes.
Availability - Availability is the principle that ensures that information is available and accessible to users when needed.
Accuracy - Accuracy is not a valid CIA attribute.

The following reference(s) were/was used to create this question:
CISA review manual 2014, page number 314
Official ISC2 guide to CISSP CBK 3rd Edition, page number 350
QUESTION 582
Which answer BEST describes information access permissions where, unless the user is specifically given access to certain data, they are denied any access by default?
A. Implicit Deny
B. Explicit Deny
C. Implied Permissions
D. Explicit Permit

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Discussion: Implicit Deny is a method of controlling access to data by denying access to ALL data and then granting access only to what users need to do their jobs. The converse is Explicit Deny, where you deny access only to a smaller set of data and permit access to all other data (worst practice). Similar to the term least privilege, where users are given access only to the data they must have in order to carry out their job duties, the Implicit Deny principle denies access to information by default. More simply put, access to ALL data is denied by default and only the necessary access to data is given so the employee can carry out their job duties. This term is common to firewalls or other filtering devices where, unless traffic is specifically permitted, it is denied by default to enhance security.

The following answers are incorrect:
- Explicit Deny: Sorry, this is incorrect. Explicit Deny means users are given access to ALL data and only denied access to a smaller subset of data. This is a dangerous practice for information security.
- Implied Permissions: Sorry, incorrect answer. This isn't a commonly used term in risk reduction methodology.
- Explicit Permit: Sorry, also incorrect. Explicit means users are specifically given access, but the term isn't normally used with the permit rule.

The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
QUESTION 580
Which term BEST describes a practice used to detect fraud by users, or a user, by forcing them to be away from the workplace for a while?
A. Mandatory Vacations
B. Least Privilege Principle
C. Obligatory Separation
D. Job Rotation

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Discussion: Mandatory vacations are used to detect fraud by individuals who conceal their fraudulent activities but are unable to do so while they are on vacation. Replacement workers take over the original worker's position and are in a good position to detect and uncover fraud committed from that position.

The following answers are incorrect:
- Least Privilege: This is a good term to know but not a correct answer here. The Least Privilege principle means that users are given access only to a small set of data so as to prevent mass theft or damage by malware using their account.
- Obligatory Separation: This isn't a valid term, sorry.
- Job Rotation: This isn't the correct answer, but it is a good term with which to be familiar. Job rotation is where employees are moved from position to position to detect and mitigate fraud.

The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
QUESTION 579
Regarding risk reduction, which of the following answers is BEST defined by the process of giving users only just enough access to the information necessary for them to perform their job functions?
A. Least Privilege Principle
B. Minimum Privilege Principle
C. Mandatory Privilege Requirement
D. Implicit Information Principle

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Discussion: When we manage information and access to it, it is sensible to apply a standard that defines how much access a user is to get. The best guide to use is the Least Privilege Principle, because anything less restrictive is taking a risk that is unnecessary to your organization and therefore unwise. When a user has access ONLY to the information and resources necessary for his or her job functions, you limit the damage that can be done with that user's access. Consider how, when a computer is infected, operations can be undertaken using that user's account; if the infection is malicious, much damage can ensue. Also, you can contain the theft of your information resources by limiting the access of users. The Least Privilege Principle is a good standard for managing your users' access.

The following answers are incorrect:
- Minimum Privilege Principle: Almost but not quite the correct term. The words Minimum and Least are similar, but the common term is Least Privilege.
- Mandatory Privilege Requirement: This isn't a correct answer but might look that way because it sounds official. Sorry.
- Implicit Information Principle: Also an incorrect term that looks pretty official.

The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
QUESTION 571
Which of the following is not classified as a "Security and Audit Framework or Methodology"?
A. Bell LaPadula
B. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
C. IT Infrastructure Library (ITIL)
D. Control Objectives for Information and related Technology (COBIT)

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
From the official Guide, second edition: Bell LaPadula is a Security Model. "In general, most security models will focus on defining allowed interactions between subjects (active parties) and objects (passive parties) at a particular moment in time."

The remaining three listed would all be classified as frameworks. "Multiple frameworks and methodologies have been created to support security, auditing, and risk assessment of implemented security controls. These resources are valuable to assist in the design and testing of a security program. The following frameworks and methodologies have each gained a degree of acceptance within the auditing or information security community and assist with information security and auditing. Although the origins of several of them were not specifically designed to support information security, many of the processes within these practices help security professionals identify and implement controls in support of confidentiality, integrity, and availability."

The following reference(s) were/was used to create this question:
Tipton, Harold F. (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press), Chapter 3, Information Security Governance and Risk Management, Pages 514-516
QUESTION 572
Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?
A. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
B. BIBA
C. National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)
D. CCTA Risk Analysis and Management Method (CRAMM)

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
From the official Guide, third edition: "The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes-Oxley Section 404 compliance."

The following answers are incorrect:
Biba is a security model. National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) and CCTA Risk Analysis and Management Method (CRAMM) are both Risk Assessment Methodologies. NIST SP 800-66 was written specifically with HIPAA clients in mind.

The following reference(s) were/was used to create this question:
Tipton, Harold F. & Steven Hernandez. Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press), Chapter 3, Information Security Governance and Risk Management, Pages 514-515
QUESTION 559
Which of the following would best be classified as a management control?
A. Review of security controls
B. Personnel security
C. Physical and environmental protection
D. Documentation

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. Routine evaluations and response to identified vulnerabilities are important elements of managing the risk of a system, and are thus considered management controls.

SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

The following are incorrect answers:
Personnel security, physical and environmental protection and documentation are forms of operational controls.

Reference(s) used for this question:
http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
and FIPS PUB 200 at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
QUESTION 573
The Widget company decided to take their company public and, while they were in the process of doing so, had an external auditor come and look at their company. As part of the external audit they brought in a technology expert, who incidentally was a new CISSP. The auditor's expert asked to see their last risk analysis from the technology manager. The technology manager did not get back to him for a few days, and then the Chief Financial Officer gave the auditors a 2-page risk assessment that was signed by both the Chief Financial Officer and the Technology Manager. While reviewing it, the auditor noticed that only parts of their financial data were being backed up on site and nowhere else; the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. Who owns the risk with regards to the data that is being backed up and where it is stored?
A. Only the Chief Financial Officer
B. Only the most Senior Management such as the Chief Executive Officer
C. Both the Chief Financial Officer and Technology Manager
D. Only The Technology Manager

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
One of the more important questions that faces people working within an organization is: who owns the risk? The answer really isn't straightforward because it depends upon the situation and what kind of risk is being discussed. Senior management owns the risk present during the operation of the organization, but there may be times when senior management also relies upon data custodians or business unit managers to conduct work, and it is during these times that these other elements of the organization also shoulder some of the responsibility of risk ownership.

What does Risk Owner mean: According to ISO Guide 73:2009, definition 3.5.1.5, and the vocabulary of the ISO 31000 standard, a risk owner is defined as a "person or entity with the accountability and authority to manage a risk". So senior management would be ultimately responsible, because responsibility cannot be delegated. However, management can assign department managers who are accountable and have the authority to manage the risk.

Dissecting this question: This question makes you think a bit because normally it would be the Chief Executive Officer. However, in this scenario it was pretty clear that they drafted a quick report and put something down to make it look like they spent time on it. Because the Chief Financial Officer was the one that signed off on it, they are the one that stuck their neck out legally and would be the one ultimately responsible (unless of course the Chief Financial Officer could prove in a court of law that the other company officers knew about the false report). The Chief Executive Officer could theoretically be held responsible, but the Chief Financial Officer signed off on it instead and accepted the risks. The Technology Manager, while clearly in collusion with the Chief Financial Officer to draft a quick report, is not an officer of the company and in turn would not be legally responsible. The Manager in fact did alert management of the risk and it was up to them to accept it.

NOTE ABOUT TERMINOLOGY: One of our very active contributors, Jason, has sent us the following feedback:
Hi, one to watch out for relating to this question in the exam: with the recent ISO 27001 updates in 2013, there is a replacement of 'asset ownership' terminology with the new term 'risk ownership'. The Chief Financial Officer is the 'risk owner' according to the new updated ISO 27001 standard. See link for the 2013 revisions of ISO 27001: http://www.neupart.com/media/138936/iso27001rev2013riskmgmtprocess.pdf Note on page 3: 'In the new version 'asset owner' is renamed 'risk owner' and you are only required to identify risks in relation to the confidentiality, integrity and availability.' Cheers, Jason.

My reply: Unfortunately ISC2 does not use up-to-the-minute content on their current exam. The CBK has been updated only every 3 years or more in the past. So do not expect the new terminology from the latest ISO standards to show up on your exam yet. Maybe in the future, but for sure not in 2014.

The following answers are incorrect:
- Senior Management such as the Chief Executive Officer
- Both the Chief Financial Officer and Technology Manager
- Only The Technology Manager

The following reference(s) were/was used to create this question:
Harris, Shon (2010-01-15). CISSP All-in-One Exam Guide, Fifth Edition (p. 78). McGraw-Hill. Kindle Edition.
QUESTION 578
Which of the following answers BEST relates to the type of risk analysis that involves committees, interviews, opinions and subjective input from staff?
A. Qualitative Risk Analysis
B. Quantitative Risk Analysis
C. Interview Approach to Risk Analysis
D. Managerial Risk Assessment

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
The two main types of risk assessment involve either hard values and numbers or the subjective opinions of staff members.

Qualitative Risk Assessment: This type of risk assessment revolves more around the opinion of individuals or committees of individuals in the organization. Interviews are conducted, surveys administered and estimates derived from the results for the assessment.

Quantitative Risk Assessment: Involves collection and assessment of data and the hard values they provide, like costs, average rates of occurrence, single loss expectancy, replacement costs etc. In other words, specific numbers provide the answers in the risk analysis process.

The following answers are incorrect:
- Quantitative Risk Analysis: This isn't a correct answer because this type of risk analysis involves hard values and numbers to assist in addressing risk.
- Interview Approach to Risk Analysis: This isn't a known risk analysis term, but it does relate to a qualitative risk assessment because that type includes interviews.
- Managerial Risk Assessment: Sorry, this is not a common term associated with the risk assessment process.

The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4595-4596). Auerbach Publications. Kindle Edition.
QUESTION 577
Which of the following answers is the BEST example of Risk Transference?
A. Insurance
B. Results of Cost Benefit Analysis
C. Acceptance
D. Not hosting the services at all

Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
When we operate an organizational information system we are accepting a tolerable level of risk to allow the business functions to operate. There may be risks you are not qualified to accept, or risks you would be better off having undertaken by an outside entity. A classic example is having your popular web server hosted by a web hosting agency, which completely relieves you of the risks associated with that. Another example is insurance, where you offload the risk to an insurance agency and pay them to accept the risk. When we transfer risk we are giving the risk to someone else to accept, and it could be for a number of reasons: expense primarily, but it could also be performance, offers of better service elsewhere, legal reasons and other reasons.

The following answers are incorrect:
- Results of Cost Benefit Analysis: This might be involved in the process of Risk Mitigation, but it isn't part of Risk Transference. Sorry, wrong answer.
- Acceptance: This isn't correct because accepting the risk is the opposite of transferring the risk to someone else.
- Not hosting the services at all: Sorry, this defines Risk Avoidance.

The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
QUESTION 599
Which of the following is commonly used for retrofitting multilevel security to a database management system?
A. trusted front-end.
B. trusted back-end.
C. controller.
D. kernel.

Correct Answer: A
Section: Software Development Security
Explanation/Reference:
If you are "retrofitting", that means you are adding to an existing database management system (DBMS). You could go back and redesign the entire DBMS, but the cost of that could be expensive and there is no telling what the effect will be on existing applications; but that is redesigning, and the question states retrofitting. The most cost-effective way, with the least effect on existing applications, to add a layer of security on top is through a trusted front-end. Clark-Wilson is a synonym of that model as well. It was used to add more granular control, or any control at all, to databases that did not provide appropriate controls or provided none. It is one of the most popular models today. Any dynamic website with a back-end database is an example of this today. Such a model would also introduce separation of duties by allowing the subject only specific rights on the objects they need to access.

The following answers are incorrect:
trusted back-end: Incorrect because a trusted back-end would be the database management system (DBMS). Since the question stated "retrofitting", that eliminates this answer.
controller: Incorrect because this is a distractor and has nothing to do with "retrofitting".
kernel: Incorrect because this is a distractor and has nothing to do with "retrofitting". A security kernel would provide protection to devices and processes but would be inefficient in protecting rows or columns in a table.
QUESTION 586
There is no way to completely abolish or avoid risks; you can only manage them. A risk-free environment does not exist. Suppose you have risks that have been identified, understood and evaluated to be acceptable in order to conduct business operations. What is this approach to risk management called?
A. Risk Acceptance
B. Risk Avoidance
C. Risk Transference
D. Risk Mitigation

Correct Answer: A
Section: Software Development Security
Explanation/Reference:
Risk management provides a mechanism for the organization to ensure that executive management knows the current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance. Risk Acceptance is when the risk has been identified, understood and evaluated to be acceptable in order to conduct business operations. Acceptance goes hand-in-hand with mitigation, but they're slightly different. At the end of the day, there is always some residual risk we must undertake to perform business in a complex computing world. Whether it is operating a website, hosting a VPN connection or connections for employees to the open internet, there is risk. Managers can either accept, avoid or transfer risk to another party. Either way, risk must be dealt with to conduct business operations.

The following answers are incorrect:
Risk Avoidance: Avoiding risk is when we avoid the risky activity altogether rather than deal with the risk, whether it is by not hosting a website, not operating your own web proxy or any other computing task. Choosing not to perform the process is risk avoidance. This isn't correct because accepting risk is clearly not avoiding the risk.
Risk Transference: When we transfer risk, we pay someone else to undertake the risk on our behalf so that we may conduct operations and benefit from the risk but don't undertake the risky operation ourselves. Accepting the risk is different from transferring the risk to another organization apart from your own in that, when transferring, you're not accepting it at all; someone else does for you.
Risk Mitigation: Mitigating risk means you accept it AND work around the risk to benefit from it. A good example could be a locked-down web server or firewall. You benefit from the service they provide but mitigate the risks involved by technical measures. Mitigation is incorrect because it goes beyond merely accepting the risk by mitigating the risk to make it more acceptable.

The following reference(s) was used to create this question:
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 218). Wiley. Kindle Edition.
and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8884-8886). Auerbach Publications. Kindle Edition.
QUESTION 587 John is the product manager for an information system. His product has undergone under security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the following technique is used by John to treat the identified risk provided by an IS auditor? A. B. C. D. Risk Mitigation Risk Acceptance Risk Avoidance Risk transfer
Correct Answer: A Section: Software Development Security Explanation Explanation/Reference: Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented. It involves applying appropriate controls to reduce risk, which is exactly what John is doing with the auditor's findings.

For your exam you should know the following about risk assessment and treatment.

A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

A risk analysis has four main goals:
· Identify assets and their value to the organization.
· Identify vulnerabilities and threats.
· Quantify the probability and business impact of these potential threats.
· Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Treating Risk

Risk Mitigation. Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk mitigation involves applying appropriate controls to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example used below, risk mitigation could take the form of driver education for the youth, a policy not allowing the young driver to use a cell phone while driving, or not letting a youth of a certain age have more than one friend in the car as a passenger at any given time.

Risk Transfer. Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Consider a family evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of the youth being in an accident to the insurance company that provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. It may also be true if an organization must purchase and implement security controls in order to make itself less desirable to attack. It is important to remember that not all risk can be transferred: while financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

Risk Avoidance. Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or the parents of a friend, complain about the costs of insuring an underage driver, or about the risks that many of these children face as they become mobile? Some of these families will decide that the child will not be allowed to drive the family car, but will instead wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle. In this case the family has chosen to avoid the risks (and any associated benefits) of an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, in which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.

Risk Acceptance. In some cases it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parents' trust in his or her judgment.

The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. John is reducing the risk with controls, not passing it on.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. John is keeping the product and its risk, not eliminating the activity.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. John is acting on the risk rather than living with it.

The following reference(s) were/was used to create this question: CISA Review Manual 2014, page 51; Official ISC2 Guide to the CISSP CBK, 3rd edition, pages 383-385
QUESTION 584 In terms of risk analysis and dealing with risk, which of the four common ways listed below seeks to eliminate involvement with the risk being evaluated?
A. Avoidance
B. Acceptance
C. Transference
D. Mitigation
Correct Answer: A Section: Software Development Security Explanation Explanation/Reference: Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. With avoidance you eliminate the risk by not undertaking the risky process at all, so the organization has no further involvement with it; it also forgoes whatever benefit the activity would have brought. Understand that conducting business in a computing world means assumption of risk. You have to make a management decision on whether to avoid, mitigate, transfer or simply accept each risk as a cost of doing business. The following answers are incorrect: Mitigation: Mitigating risk means you still undertake the activity but work around the risk with measures that reduce it. A good example is a locked-down web server or a firewall: you benefit from the service it provides but reduce the risks involved by technical measures. It is incorrect here because you remain involved with the risk and merely lower it with controls. Acceptance: The risk is identified, understood and evaluated to be acceptable in order to conduct business operations. It is incorrect because you proceed with the activity and its risk; nothing is eliminated. Transference: When we transfer risk, we pay someone else (typically an insurer) to carry the financial consequences on our behalf so that we may conduct operations and benefit from the activity. The activity, and part of its risk (reputational risk in particular), stays with us, so involvement with the risk is not eliminated.
The following reference(s) was used to create this question: Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 217-218). Wiley. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10183-10195). Auerbach Publications. Kindle Edition.
QUESTION 585 Of the multiple methods of handling risk which we must undertake to carry out business operations, which one involves using controls to reduce the risk?
A. Mitigation
B. Avoidance
C. Acceptance
D. Transference
Correct Answer: A Section: Software Development Security Explanation Explanation/Reference: Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented. Mitigating risk means you work around the risk with measures that reduce it. A good example is a locked-down web server or a firewall: you benefit from the service it provides but reduce the risks involved by technical measures. Another example of risk mitigation is readily apparent in the information technology world: to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. Understand that conducting business in a computing world means assumption of risk. You have to make a management decision on whether to avoid, mitigate, transfer or simply accept each risk as a cost of doing business. The following answers are incorrect: Avoidance: With avoidance we eliminate the risk by avoiding it altogether. This answer is distinct from the others because you simply do not undertake the risky process. It is incorrect here because you are not reducing the risk with controls as with mitigation. Acceptance: The risk is identified, understood and evaluated to be acceptable in order to conduct business operations. It is incorrect because you accept that the risk is present and conduct business anyhow, without mitigating the risk with controls as in the question here. Transference: When we transfer risk, we pay someone else to carry the risk on our behalf so that we may conduct operations and benefit from the activity without bearing its consequences ourselves. This is not the same as mitigation, so it is incorrect.
The following reference(s) was used to create this question: Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 217-218). Wiley. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10183-10195). Auerbach Publications. Kindle Edition.
QUESTION 593 Which type of risk assessment is the formula ALE = ARO x SLE used for?
A. Quantitative Analysis
B. Qualitative Analysis
C. Objective Analysis
D. Expected Loss Analysis
Correct Answer: A Section: Software Development Security Explanation Explanation/Reference: The formula ALE = ARO x SLE works with numerical values or quantities of a given resource or occurrence, so it is a quantitative analysis. ALE = Annualized Loss Expectancy, or how much the loss of the asset is expected to cost per year. ARO = Annualized Rate of Occurrence, or how often the loss is expected to occur in a year. SLE = Single Loss Expectancy, or how much each incident of loss would cost the organization. Using these values you can determine how much you should spend to secure the resource against loss. It is useful to compare these costs with the value of the asset for which we are responsible: it would not be sensible to spend $10,000 USD a year protecting an asset you could replace for $2,000 USD. The following answers are incorrect: - Qualitative Analysis: This is the part of the risk analysis process where interviews are conducted with employees to determine risk and where the focus should be for protecting assets. Many analysts combine quantitative and qualitative risk assessments to form an effective picture of where money should be spent to secure critical resources for the organization. It is not the correct answer because it does not use a mathematical formula to determine a hard value. - Objective Analysis: This is not a commonly used term for an approach to risk analysis, but an objective approach would be closer to a quantitative analysis, where specific values are determined in the risk analysis process. - Expected Loss Analysis: This is also not a common term in risk analysis, although it could describe the concept of analyzing an expected loss due to a threat for which you must plan. The following reference(s) was used to create this question: Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 215). Wiley. Kindle Edition.
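The arithmetic behind Question 593, carried through to the cost/benefit decision that Questions 587 and 589 describe in words, as an added example that is not part of the exam collection. The question gives only ALE = ARO x SLE; the SLE = AV x EF breakdown and the "safeguard value" formula (ALE before minus ALE after minus yearly cost of the control) are its standard companions in quantitative analysis and are added here. All dollar figures, including the $2,000 asset and $10,000 countermeasure from the explanation, are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and the cost/benefit of a safeguard.

Added example, not from the exam guide. EF (exposure factor) and the
safeguard-value formula are standard companions to ALE = ARO x SLE that the
question itself does not spell out. All dollar figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV: what it costs to replace the asset
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0..1
    aro: float               # ARO: expected number of incidents per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy, the cost of one incident: SLE = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: ALE = ARO x SLE."""
    return s.aro * sle(s)


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net yearly value of a control: ALE(before) - ALE(after) - cost of control.
    A negative number means the control costs more than the loss it avoids."""
    return ale(before) - ale(after) - annual_cost


def cheapest_treatment(before: Scenario, after: Scenario, annual_cost: float,
                       premium: Optional[float] = None) -> Tuple[str, Dict[str, float]]:
    """Compare the yearly cost of accepting, mitigating and (if a premium is
    quoted) transferring the risk, and name the cheapest. Purely financial:
    reputational or regulatory impact has to be weighed separately."""
    yearly = {
        "accept": ale(before),                 # live with the expected loss
        "mitigate": ale(after) + annual_cost,  # residual loss plus the control
    }
    if premium is not None:
        yearly["transfer"] = premium           # insurer carries the financial loss
    return min(yearly, key=yearly.get), yearly


if __name__ == "__main__":
    # The guide's own illustration: $10,000 a year to protect a $2,000 asset.
    cheap_asset = Scenario(asset_value=2_000, exposure_factor=1.0, aro=0.5)
    protected = Scenario(asset_value=2_000, exposure_factor=1.0, aro=0.05)
    print("ALE:", ale(cheap_asset))                                            # 1000.0
    print("safeguard value:", safeguard_value(cheap_asset, protected, 10_000))  # -9100.0
    print(cheapest_treatment(cheap_asset, protected, 10_000)[0])               # accept

    # Constructed: a customer database where the control does pay for itself.
    db = Scenario(asset_value=500_000, exposure_factor=0.4, aro=0.1)
    db_hardened = Scenario(asset_value=500_000, exposure_factor=0.4, aro=0.02)
    print(cheapest_treatment(db, db_hardened, 8_000, premium=15_000)[0])     # mitigate
```

The first scenario reproduces the explanation's point: a $10,000 control on a $2,000 asset has a negative safeguard value, so acceptance is the rational choice. The second shows the opposite case, where an $8,000 control cuts a $20,000 ALE to $4,000 and beats both acceptance and a $15,000 insurance premium. Note that the comparison is financial only; as the explanations above say, reputational risk cannot simply be transferred and does not appear in these numbers.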
QUESTION 558 The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system, is referred to as?
A. Confidentiality
B. Availability
C. Integrity
D. Reliability
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: A company security program must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification. Availability is the property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them. The following are incorrect answers: Confidentiality - The information requires protection from unauthorized disclosure, and only the INTENDED recipient should have access to the meaning of the data, either in storage or in transit. Integrity - The information must be protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to: Authenticity - a third party must be able to verify that the content of a message has not been changed in transit; Non-repudiation - the origin or the receipt of a specific message must be verifiable by a third party; Accountability - a security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. Reference used for this question: RFC 2828 and SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (page 5).
QUESTION 556 An effective information security policy should NOT have which of the following characteristics?
A. Include separation of duties
B. Be designed with a short- to mid-term focus
C. Be understandable and supported by all stakeholders
D. Specify areas of responsibility and authority
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: An effective information security policy should be designed with a long-term focus. All other characteristics apply. Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison- Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).
QUESTION 568 What is the surreptitious transfer of information from a higher classification compartment to a lower classification compartment without going through the formal communication channels?
A. Object Reuse
B. Covert Channel
C. Security domain
D. Data Transfer
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term originated with Lampson in 1973, who defined covert channels as channels "not intended for information transfer at all, such as the service program's effect on system load", to distinguish them from legitimate channels that are subject to access controls by COMPUSEC. For more details see: http://en.wikipedia.org/wiki/Covert_channel The following answers are incorrect: Object Reuse, Security Domain, Data Transfer. The following reference(s) were/was used to create this question: ISC2 Review V 8.00 page 440 http://en.wikipedia.org/wiki/Covert_channel
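Lampson's "effect on system load" is easier to see in a concrete storage channel. The simulation below is an added example, not code from the exam guide: a toy kernel enforces a mandatory policy under which a HIGH process may write nothing that a LOW process can read, yet both may allocate disk blocks and both may ask how many are free. The sender modulates free space, the receiver watches it, and classified text crosses the boundary one bit per clock tick. The kernel, block counts, process names and message are all constructed; nothing touches a real filesystem. The `granularity` parameter is one common mitigation, coarsening the resource report so the modulation no longer shows.

```python
"""Covert storage channel: a HIGH-classified process signals bits to a LOW
process by modulating a shared resource attribute (free disk blocks) that the
security policy never treated as a communication path.

Added simulation, not code from the exam guide. The toy kernel, block counts
and message are constructed; no real filesystem is touched.
"""
from typing import List

CHUNK = 64  # blocks the sender grabs to signal a 1 bit (assumption)


class ToyKernel:
    """MAC policy: HIGH may not write anything LOW can read. Both may still
    allocate blocks and ask how many are free; that query is the leak."""

    def __init__(self, total_blocks: int, baseline_used: int, granularity: int = 1):
        self.free = total_blocks - baseline_used   # space taken by legitimate users
        self.granularity = granularity             # 1 = exact count; larger = coarsened
        self.held = {}

    def allocate(self, pid: str, blocks: int) -> None:
        if blocks > self.free:
            raise MemoryError("disk full")
        self.free -= blocks
        self.held[pid] = self.held.get(pid, 0) + blocks

    def release(self, pid: str) -> None:
        self.free += self.held.pop(pid, 0)

    def query_free(self) -> int:
        """Mitigation knob: report free space rounded down to `granularity`."""
        return self.free - (self.free % self.granularity)


def to_bits(text: str) -> List[int]:
    """UTF-8 bytes, most significant bit first."""
    return [(b >> i) & 1 for b in text.encode() for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> str:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def run_channel(message: str, kernel: ToyKernel) -> str:
    """One bit per clock tick: the HIGH sender holds CHUNK blocks for a 1 and
    nothing for a 0; the LOW receiver compares free space with its idle
    baseline. Returns what the receiver decoded."""
    baseline = kernel.query_free()          # receiver samples idle free space
    received = []
    for bit in to_bits(message):
        if bit:
            kernel.allocate("high-sender", CHUNK)   # permitted: anyone may allocate
        sample = kernel.query_free()                 # permitted: anyone may query
        received.append(1 if baseline - sample >= CHUNK // 2 else 0)
        kernel.release("high-sender")                # clear the channel for the next tick
    return from_bits(received)


if __name__ == "__main__":
    print(run_channel("TOP SECRET", ToyKernel(4096, 600)))                    # TOP SECRET
    print(repr(run_channel("TOP SECRET", ToyKernel(4096, 600, granularity=1024))))
```

With an exact free-space count the LOW receiver recovers the message intact; with the count rounded down to 1,024-block units it reads all zeros. Coarsening only lowers the channel's bandwidth and reliability rather than closing it: if the idle free count happens to sit within CHUNK blocks of a rounding boundary, the bit still shows. That is why the formal remedy is covert channel analysis (enumerate every shared resource attribute, then remove, bound or audit it) rather than tuning one query.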
QUESTION 557 Which of the following is NOT normally part of the questions that would be asked in regard to an organization's information security policy?
A. Who is involved in establishing the security policy?
B. Where is the organization's security policy defined?
C. What are the actions that need to be performed in case of a disaster?
D. Who is responsible for monitoring compliance with the organization's security policy?
Correct Answer: C Section: Security and Risk Management Explanation Explanation/Reference: Only personnel implicated in the plan should have a copy of the Disaster Recovery Plan whereas everyone should be aware of the contents of the organization's information security policy. Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison- Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 398).
QUESTION 583 Which of the following activities would NOT be included in the contingency planning process phase?
A. Prioritization of applications
B. Development of test procedures
C. Assessment of threat impact on the organization
D. Development of recovery scenarios
Correct Answer: B Section: Software Development Security Explanation Explanation/Reference: All of the answers except Development of test procedures are part of the contingency planning phase. Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review. In many organizations, contingency planning is a necessity that has turned out to be beneficial in more ways than ever expected. Contingency planning helps to ensure an organization's viability during and following a disaster. Another benefit of contingency planning is significant improvement in the daily operations of many organizations. Researching and documenting contingency plans can uncover numerous single points of failure (SPOF). A SPOF is any single input to a process that, if missing, would cause the process or several processes to be unable to function. Once identified, these SPOFs can often easily be eliminated or have their damaging potential reduced. Many organizations have also witnessed process improvements as a direct result of their contingency planning efforts, particularly while exercising their DR and BCPs. The following answers are incorrect, as they are all part of contingency planning: prioritization of applications = asset valuation; assessment of threat impact = threat modeling; development of recovery scenarios = risk mitigation. The following reference(s) were/was used to create this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8882-8884). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20749-20756). Auerbach Publications. Kindle Edition.
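The SPOF definition above (any single input whose absence stops one or more processes) is mechanical enough to compute once the dependency map from the contingency-planning exercise is written down. The following is an added example, not code from the exam guide or the referenced CBK: it takes each component out in turn and reports which business processes would stop. The process map, component names and redundancy groups are constructed; a group with two members (the two load balancers) models a redundant pair, so neither is a SPOF on its own.

```python
"""Single points of failure from a documented process dependency map.

Added example, not from the exam guide. The map below is constructed; the
technique is the point: take each component out in turn and see which
business processes can no longer function.
"""

# Constructed map. Each component lists requirement groups; the component is
# up only if EVERY group still has at least one working member, so a group
# with two members models a redundant pair (e.g. two load balancers).
REQUIRES = {
    "order-entry":   [{"web-tier"}, {"order-db"}],
    "fulfilment":    [{"order-db"}, {"warehouse-api"}],
    "payroll":       [{"hr-db"}],
    "web-tier":      [{"lb-a", "lb-b"}, {"core-switch"}],
    "order-db":      [{"san"}, {"core-switch"}],
    "hr-db":         [{"san"}],
    "warehouse-api": [{"core-switch"}],
    "lb-a": [], "lb-b": [], "core-switch": [], "san": [],
}
BUSINESS_PROCESSES = ("order-entry", "fulfilment", "payroll")


def is_up(component, failed, requires, _visiting=frozenset()):
    """True if `component` still works with the components in `failed` down."""
    if component in failed or component in _visiting:
        return False          # failed outright, or a dependency cycle: treat as broken
    if component not in requires:
        raise KeyError(f"undocumented dependency: {component}")
    visiting = _visiting | {component}
    return all(any(is_up(dep, failed, requires, visiting) for dep in group)
               for group in requires[component])


def single_points_of_failure(requires, processes):
    """{component: set of business processes that stop if that one component fails}."""
    spofs = {}
    for component in requires:
        if component in processes:
            continue              # a process is trivially its own SPOF; skip it
        down = {p for p in processes if not is_up(p, {component}, requires)}
        if down:
            spofs[component] = down
    return spofs


def ranked(spofs):
    """Most damaging first: by number of processes affected, then by name."""
    return sorted(spofs.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for component, down in ranked(single_points_of_failure(REQUIRES, BUSINESS_PROCESSES)):
        print(f"{component:14} takes down {sorted(down)}")
```

On the constructed map the SAN is the worst SPOF (all three processes), the core switch and order database each take down two, and neither load balancer appears because the other covers for it. The ranked list is exactly the input the "eliminate or reduce damaging potential" step wants: the top entries are where to add redundancy first, and the rest go into the recovery scenarios.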
QUESTION 570 Which of the following is the best practice to employ in order to reduce the risk of collusion?
A. Least Privilege
B. Job Rotation
C. Separation of Duties
D. Mandatory Vacations
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: The practice of job rotation can reduce the risk of collusion between individuals. Job rotation can be used to detect illegal activities or fraud within the system by having a new person fill specific roles at regular intervals. It is often combined with separation of duties as well. Least privilege and separation of duties are usually what would drive people to work in collusion: neither prevents collusion as such; they prevent abuse by ensuring that a critical task cannot be performed by one person alone. Both are based on split knowledge, where only a portion of the knowledge is known by each person involved. Collusion means that at least two people are working together to cause some type of destruction or fraud. If people work together for a long period of time, collusion becomes more likely, as they know each other very well and could decide to commit abuse or fraud together. Of the four choices presented, job rotation is therefore the best choice. The following answers are incorrect: Separation of Duties - ensures that one individual does not have the capability to execute all of the steps required to complete a critical task. This control forces people to collude if they wish to bypass the controls in place. It does not reduce the likelihood that collusion will take place; on the contrary, people are forced to work in collusion if they wish to abuse the system. Mandatory Vacation - provides benefits similar to job rotation, but its primary purpose is to identify and detect fraudulent activities of individuals while they are on leave and someone else is doing their duties. This practice is short term in focus, and thus job rotation is the BEST practice to detect collusion, as it is long term in focus.
Least Privilege - the principle of providing the most restrictive access possible and still allow subjects to perform authorized tasks. The following reference(s) were/was used to create this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 671-673). Auerbach Publications. Kindle Edition.
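Separation of duties, the collusion it forces, and job rotation all become checkable once role assignments are written down. The following is an added example, not code from the exam guide or the referenced CBK: it flags users who alone hold a "toxic" combination of entitlements (an SoD violation), lists the pairs of users who would have to collude to complete a critical task under SoD (the population that rotation and mandatory vacation are aimed at), and reports who has held one role past the rotation period. The entitlement names, toxic-pair matrix, users and start dates are all constructed.

```python
"""Separation-of-duties conflicts, collusion pairs and a job-rotation due
report over role assignments.

Added example, not from the exam guide. Entitlement names, the toxic-pair
matrix, the users and their start dates are all constructed.
"""
from datetime import date
from itertools import product

# Constructed: combinations of entitlements that no single person may hold.
TOXIC_PAIRS = {
    frozenset({"create-vendor", "approve-payment"}),
    frozenset({"deploy-prod", "approve-change"}),
}

# Constructed: who currently holds what.
ASSIGNMENTS = {
    "alice": {"create-vendor", "approve-change"},
    "bob":   {"create-vendor", "approve-payment"},   # violates SoD on their own
    "carol": {"deploy-prod"},
    "dave":  {"deploy-prod", "approve-change"},      # violates SoD on their own
}

# Constructed: when each person took up their current role.
ROLE_START = {"alice": date(2023, 1, 10), "bob": date(2024, 6, 1),
              "carol": date(2022, 11, 3), "dave": date(2024, 8, 15)}


def sod_violations(assignments, toxic_pairs):
    """Users who alone hold a toxic combination: {user: [(ent, ent), ...]}."""
    found = {}
    for user, ents in assignments.items():
        hits = sorted(tuple(sorted(p)) for p in toxic_pairs if p <= ents)
        if hits:
            found[user] = hits
    return found


def collusion_pairs(assignments, toxic_pairs):
    """Pairs of users who between them hold a toxic combination. SoD forces
    these two to collude to abuse the task; rotation and mandatory vacation
    are scheduled against exactly these pairs."""
    result = {}
    for pair in toxic_pairs:
        a, b = sorted(pair)
        holders_a = [u for u, e in assignments.items() if a in e]
        holders_b = [u for u, e in assignments.items() if b in e]
        users = {tuple(sorted((x, y))) for x, y in product(holders_a, holders_b) if x != y}
        if users:
            result[(a, b)] = sorted(users)
    return result


def rotation_due(role_start, today, max_days=365):
    """People who have held the same role longer than the rotation period."""
    return sorted(u for u, start in role_start.items() if (today - start).days > max_days)


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS, TOXIC_PAIRS))
    print("collusion pairs:", collusion_pairs(ASSIGNMENTS, TOXIC_PAIRS))
    print("rotation due:", rotation_due(ROLE_START, date(2024, 9, 1)))
```

The three reports line up with the explanation above: `sod_violations` is the preventive control (nobody may hold both halves of a critical task), `collusion_pairs` shows that SoD merely converts single-person abuse into a two-person problem, and `rotation_due` is the long-term detective control that breaks up those pairs before familiarity turns into collusion.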
QUESTION 566 Whose role is it to assign a classification level to information?
A. Security Administrator
B. User
C. Owner
D. Auditor
Correct Answer: C Section: Security and Risk Management Explanation Explanation/Reference: The data/information owner is ultimately responsible for the protection of the data. It is the data/information owner who decides upon the classification of the data they are responsible for, and who alters that classification if the business need arises. The following answers are incorrect: Security Administrator - incorrect because this individual is responsible for ensuring that the access rights granted are correct and support the policies and directives that the data/information owner defines. User - incorrect because the user uses/accesses the data according to the access the data/information owner defined. Auditor - incorrect because the auditor is responsible for ensuring that the access levels are appropriate; the auditor would verify that the owner classified the data properly. References: CISSP All In One Third Edition, Shon Harris, Page 121
QUESTION 554 Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
A. Business and functional managers
B. IT Security practitioners
C. System and information owners
D. Chief information officer
Correct Answer: C Section: Security and Risk Management Explanation Explanation/Reference: The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. IT security practitioners are responsible for proper implementation of security requirements in their IT systems. Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology Systems, 2001 (page 6).
QUESTION 552 What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?
A. Risk management
B. Risk analysis
C. Threat analysis
D. Due diligence
Correct Answer: C Section: Security and Risk Management Explanation Explanation/Reference: Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment. The following answers are incorrect: Risk analysis is the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is synonymous with risk assessment and is part of risk management, which is the ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level of risk. Due diligence is identifying possible risks that could affect a company based on best practices and standards. Reference(s) used for this question: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page B-3).
QUESTION 596 In computing, what is the name of a non-self-replicating type of malware program that appears to have some useful purpose but also contains embedded code with a malicious or harmful purpose, and that, when executed, carries out actions unknown to the person installing it, typically causing loss or theft of data and possible system harm?
A. virus
B. worm
C. Trojan horse
D. trapdoor
Correct Answer: C Section: Software Development Security Explanation Explanation/Reference: A Trojan horse is any code that appears to have some useful purpose but also contains embedded code with a malicious or harmful purpose. A Trojan often also includes a trapdoor as a means to gain access to a computer system while bypassing security controls. Wikipedia defines it as: a Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the story of the wooden horse used to trick the defenders of Troy into taking concealed warriors into their city in ancient Greece, because computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers. The following answers are incorrect: virus - incorrect because a virus does not pose as a useful program; its sole purpose is malicious, often doing damage to a system, and it replicates. A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". worm - incorrect because a worm is similar to a virus but does not require user intervention to execute. Rather than doing damage to the system, worms tend to self-propagate and devour the resources of a system. A computer worm is a standalone malware program that replicates itself in order to spread to other computers. Often it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. trapdoor - incorrect because a trapdoor is a means to bypass security by hiding an entry point into a system. Trojan horses often have a trapdoor embedded in them. References: http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29 and http://en.wikipedia.org/wiki/Computer_virus and http://en.wikipedia.org/wiki/Computer_worm and http://en.wikipedia.org/wiki/Backdoor_%28computing%29
QUESTION 589 Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transfer
Correct Answer: C Section: Software Development Security Explanation Explanation/Reference: Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For your exam you should know below information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: · Identify assets and their value to the organization. · Identify vulnerabilities and threats. · Quantify the probability and business impact of these potential threats. · Provide an economic balance between the impact of the threat and the cost of the countermeasure. Treating Risk Risk Mitigation Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves applying appropriate control to reduce risk. 
For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth or establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time. Risk Transfer Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make their organization less desirable to attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred. Risk Avoidance Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. 
For example, have you ever heard a friend, or the parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle. In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, in which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.

Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization.
The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parents' trust in his or her judgment.

The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk Mitigation - Risk mitigation is the practice of eliminating, or significantly decreasing the level of, the risk presented.

The following reference(s) were used to create this question:
CISA Review Manual 2014, page 51, and Official ISC2 Guide to the CISSP CBK, 3rd edition, pages 534-536.
QUESTION 595
What does "System Integrity" mean?
A. The software of the system has been implemented as designed.
B. Users can't tamper with processes they do not own.
C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly.
D. Design specifications have been verified against the formal top-level specification.
Correct Answer: C
Section: Software Development Security
Explanation/Reference:
System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified to work properly.

The following answers are incorrect:
The software of the system has been implemented as designed. Incorrect because this would fall under Trusted system distribution.
Users can't tamper with processes they do not own. Incorrect because this would fall under Configuration Management.
Design specifications have been verified against the formal top-level specification. Incorrect because this would fall under Specification and verification.

References:
AIOv3 Security Models and Architecture (pages 302 - 306)
DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm
QUESTION 553
Which of the following is NOT a common integrity goal?
A. Prevent unauthorized users from making modifications.
B. Maintain internal and external consistency.
C. Prevent authorized users from making improper modifications.
D. Prevent paths that could lead to inappropriate disclosure.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Inappropriate disclosure is a confidentiality goal, not an integrity goal. All of the other choices above are integrity goals addressed by the Clark-Wilson integrity model. The Clark-Wilson model is an integrity model that addresses all three integrity goals:
1. prevent unauthorized users from making modifications,
2. prevent authorized users from making improper modifications, and
3. maintain internal and external consistency through auditing.

NOTE: Biba addresses only the first of the integrity goals above.

Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1384). McGraw-Hill. Kindle Edition.
QUESTION 564
Step-by-step instructions used to satisfy control requirements are called a:
A. policy
B. standard
C. guideline
D. procedure
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
QUESTION 562
Which of the following best defines add-on security?
A. Physical security complementing logical security measures.
B. Protection mechanisms implemented as an integral part of an information system.
C. Layer security.
D. Protection mechanisms implemented after an information system has become operational.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
The Internet Security Glossary (RFC2828) defines add-on security as "The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational."
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
QUESTION 591
Which of the following security controls is intended to bring the environment back to regular operation?
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Correct Answer: D
Section: Software Development Security
Explanation/Reference:
Recovery controls are intended to bring the environment back to regular operations.

For your exam you should know the following information about the different security controls.

Deterrent Controls
Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is for this fundamental reason that access controls are the key target of circumvention by attackers.
Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization's policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.

Preventive Controls
Preventive controls are intended to avoid an incident from occurring. Preventive access controls keep a user from performing some activity or function. Preventive controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control than to risk the consequences of bypassing it. In other words, the power for action resides with the user (or the attacker). Preventive controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirements of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventive, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave, which may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker.
Preventive - Preventive controls are intended to avoid an incident from occurring.
Corrective - Corrective controls fix components or systems after an incident has occurred.

The following reference(s) were used to create this question:
CISA Review Manual 2014, page 44, and Official ISC2 CISSP Guide, 3rd edition, pages 50 and 51.
QUESTION 590
Which of the following risk handling techniques involves the practice of passing on the risk to another entity, such as an insurance company?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transfer
Correct Answer: D
Section: Software Development Security
Explanation/Reference:
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.

For your exam you should know the following information about risk assessment and treatment:

A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

A risk analysis has four main goals:
· Identify assets and their value to the organization.
· Identify vulnerabilities and threats.
· Quantify the probability and business impact of these potential threats.
· Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Treating Risk

Risk Mitigation
Risk mitigation is the practice of eliminating, or significantly decreasing the level of, the risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk mitigation involves applying appropriate controls to reduce risk.
For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth, establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of the youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make itself less desirable to attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
For example, have you ever heard a friend, or the parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle. In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, in which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.

Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved.
Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parents' trust in his or her judgment.

The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Mitigation - Risk mitigation is the practice of eliminating, or significantly decreasing the level of, the risk presented.

The following reference(s) were used to create this question:
CISA Review Manual 2014, page 51, and Official ISC2 Guide to the CISSP CBK, 3rd edition, pages 534-536.
QUESTION 597
The security of a computer application is most effective and economical in which of the following cases?
A. The system is optimized prior to the addition of security.
B. The system is procured off-the-shelf.
C. The system is customized to meet the specific security threat.
D. The system is originally designed to provide the necessary security.
Correct Answer: D
Section: Software Development Security
Explanation/Reference:
The earlier in the process that security is planned for and implemented, the cheaper it is. It is also much more efficient if security is addressed in each phase of the development cycle rather than as an add-on, because it gets more complicated to add at the end. If a security plan is developed at the beginning, it ensures that security won't be overlooked.

The following answers are incorrect:
The system is optimized prior to the addition of security. Incorrect because if you wait to implement security after a system is completed, the cost of adding security increases dramatically and can become much more complex.
The system is procured off-the-shelf. Incorrect because it is often difficult to add security to off-the-shelf systems.
The system is customized to meet the specific security threat. Incorrect because this is a distractor. This implies only a single threat.
QUESTION 592
Which of the following is NOT an example of a detective control?
A. System Monitor
B. IDS
C. Monitor detector
D. Backup data restore
Correct Answer: D
Section: Software Development Security
Explanation/Reference:
The word NOT is used as a keyword in the question. You need to find the security control among the given options which is not a detective control. Backup data restore is a corrective control and not a detective control.

For your exam you should know the following information about the different security controls.

Deterrent Controls
Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, it reduces the likelihood they will attempt such an action.
Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is for this fundamental reason that access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization's policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.

Preventive Controls
Preventive controls are intended to avoid an incident from occurring. Preventive access controls keep a user from performing some activity or function. Preventive controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control than to risk the consequences of bypassing it. In other words, the power for action resides with the user (or the attacker). Preventive controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirements of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly.
Secure Sockets Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised.
The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventive, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave, which may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data.
In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. 
Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.

Preventative Controls
Preventative controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that the authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

The following answers are incorrect: The other examples belong to the detective control category.
The following reference(s) were/was used to create this question: CISA Review Manual 2014 Page number 44 and Official ISC2 CISSP guide 3rd edition Page number 50 and 51
QUESTION 492 The ISO/IEC 27001:2005 is a standard for: A. Information Security Management System B. Implementation and certification of basic security measures C. Evaluation criteria for the validation of cryptographic algorithms D. Certification of public key infrastructures
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: The ISO 27000 Directory at http://www.27000.org/index.htm has great coverage of the ISO 27000 series. The text below was extracted from their website. As mentioned by Belinda, the ISO 27001 standard is the certification controls criteria while ISO 27002 is the actual standard. ISO 27002 used to be called ISO 17799 before being renamed.

An Introduction To ISO 27001 (ISO27001)
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems. It is this against which certification is granted. Today in excess of a thousand certificates are in place, across the world. ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO27001 certification. The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization". The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and reflects the principles set out in the OECD guidelines (see oecd.org).
THE CONTENTS OF ISO 27001
The content sections of the standard are:
Management Responsibility
Internal Audits
ISMS Improvement
Annex A - Control objectives and controls
Annex B - OECD principles and this international standard
Annex C - Correspondence between ISO 9001, ISO 14001 and this standard

Introduction To ISO 27002 (ISO27002)
The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001. The standard "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities". The basis of the standard was originally a document published by the UK government, which became a standard 'proper' in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complementing the other. ISO's future plans for this standard are focused largely around the development and publication of industry specific versions (for example: health sector, manufacturing, and so on).
Note that this is a lengthy process, so the new standards will take some time to appear.

THE CONTENTS OF ISO 17799 / 27002
The content sections are:
Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical Security
Communications and Ops Management
Access Control
Information Systems Acquisition, Development, Maintenance
Information Security Incident Management
Business Continuity
Compliance

The following reference(s) were/was used to create this question: http://www.iso.org/iso/catalogue_detail?csnumber=42103 and The ISO 27000 Directory at http://www.27000.org/index.htm
QUESTION 502 Which of the following would be best suited to oversee the development of an information security policy? A. System Administrators B. End User C. Security Officers D. Security administrators
Correct Answer: C Section: Security and Risk Management Explanation Explanation/Reference: The security officer would be the best person to oversee the development of such policies. Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated appropriately to ensure that they can be understood by the end users. Policies that are poorly written, or written at too high an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), will not be understood. Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue. While security officers may be responsible for the development of the security policies, the effort should be collaborative to ensure that the business issues are addressed. The security officers will get better corporate support by including other areas in policy development. This helps build buy-in by these areas as they take on a greater ownership of the final product. Consider including areas such as HR, legal, compliance, various IT areas and specific business area representatives who represent critical business units. When policies are developed solely within the IT department and then distributed without business input, they are likely to miss important business considerations. Once policy documents have been created, the basis for ensuring compliance is established. Depending on the organization, additional documentation may be necessary to support policy. This support may come in the form of additional controls described in standards, baselines, or procedures to help personnel with compliance.
An important step after documentation is to make the most current version of the documents readily accessible to those who are expected to follow them. Many organizations place the documents on their intranets or in shared file folders to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample documents can make awareness more effective.

For your exam you should know the information below:

End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.

Information Systems Security Professional - Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals. Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed in this role.
Data/Information/Business/System Owners - A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.

Data/Information Custodian/Steward - A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed by systems administrators. This group administers access rights to the information assets.

Information Systems Auditor - IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.
Business Continuity Planner - Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company's objectives negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major actions potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the business areas and information technology personnel responsible for disaster recovery.

Information Systems/Technology Professionals - These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability requirements of the application.

Security Administrator - A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.
Network/Systems Administrator - A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

Physical Security - The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.

Security Analyst - The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are "in the weeds" and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly.
This person works more at a design level than at an implementation level.

Administrative Assistants/Secretaries - This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals who desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or of providing unauthorized entry.

Help Desk Administrator - As the name implies, the help desk is there to field questions from users that report system problems. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk is also often where the first indications of security issues and incidents will be seen. A help desk individual would contact the computer security incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control.

Supervisor - The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees' account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred.
Any change that pertains to an employee's role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.

Change Control Analyst - Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens.

The following answers are incorrect:

Systems Administrator - A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

Security Administrator - A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners.
This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.

Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 109 Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill. Kindle Edition.
QUESTION 515 Which of the following would NOT violate the Due Diligence concept? A. Security policy being outdated B. Data owners not laying out the foundation of data protection C. Network administrator not taking mandatory two-week vacation as planned D. Latest security patches for servers being installed as per the Patch Management process
Correct Answer: D Section: Security and Risk Management Explanation Explanation/Reference: To be effective a patch management program must be in place (due diligence) and detailed procedures would specify how and when the patches are applied properly (due care). Remember, the question asked for what is NOT a violation of due diligence; in this case, applying patches demonstrates due care and the patch management process in place demonstrates due diligence. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due diligence by developing and implementing security policies, procedures, and standards. Detecting risks would be based on standards such as ISO 27000, best practices, and other published standards such as NIST standards, for example. Due diligence is understanding the current threats and risks. Due diligence is practiced by activities that make sure that the protection mechanisms are continually maintained and operational, where risks are constantly being evaluated and reviewed. The security policy being outdated would be an example of violating the due diligence concept. Due care is implementing countermeasures to provide protection from those threats. Due care is taking the necessary steps to help protect the company and its resources from possible risks that have been identified. If the information owner does not lay out the foundation of data protection (doing something about it) and ensure that the directives are being enforced (actually being done and kept at an acceptable level), this would violate the due care concept. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence. Liability is usually established based on due diligence and due care or the lack of either. A good way to remember this is using the first letter of both words within Due Diligence (DD) and Due Care (DC).
Due Diligence = Due Detect: steps you take to identify risks based on best practices and standards.
Due Care = Due Correct: action you take to bring the risk level down to an acceptable level and maintaining that level over time.

The following answers were wrong:
Security policy being outdated: While having and enforcing a security policy is the right thing to do (due care), if it is outdated, you are not doing it the right way (due diligence). This violates due diligence and not due care.
Data owners not laying out the foundation for data protection: Data owners are not recognizing the "right thing" to do. They don't have a security policy.
Network administrator not taking mandatory two-week vacation: The two-week vacation is the "right thing" to do, but not taking the vacation violates due diligence (not doing the right thing the right way).

Reference(s) used for this question: Shon Harris, CISSP All In One, Version 5, Chapter 3, pg 110
QUESTION 498 What is called an event or activity that has the potential to cause harm to the information systems or networks? A. Vulnerability B. Threat agent C. Weakness D. Threat
Correct Answer: D Section: Security and Risk Management Explanation Explanation/Reference: Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.
QUESTION 479 Which of the following protocols is PRIMARILY used to provide confidentiality in a web based application, thus protecting data sent between a client machine and a server? A. SSL B. FTP C. SSH D. S/MIME
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The Secure Socket Layer (SSL) Protocol is primarily used to provide confidentiality to the information sent between clients and servers.

For your exam you should know the information below:

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmitted over a public network such as the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate. Later on, SSL uses a session key with a symmetric cipher for the bulk of the data. TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use. TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

The SSL handshake
An HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of with http://.
At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake is processed is shown in the diagram below.

[Image: SSL Handshake. Image Reference - http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/handshak.gif]

The client sends a client "hello" message that lists the cryptographic capabilities of the client (sorted in client preference order), such as the version of SSL, the cipher suites supported by the client, and the data compression methods supported by the client. The message also contains a 28-byte random number.

The server responds with a server "hello" message that contains the cryptographic method (cipher suite) and the data compression method selected by the server, the session ID, and another random number. Note: The client and the server must support at least one common cipher suite, or else the handshake fails. The server generally chooses the strongest common cipher suite.

The server sends its digital certificate. (In this example, the server uses X.509 V3 digital certificates with SSL.) If the server uses SSL V3, and if the server application (for example, the Web server) requires a digital certificate for client authentication, the server sends a "digital certificate request" message. In the "digital certificate request" message, the server sends a list of the types of digital certificates supported and the distinguished names of acceptable certificate authorities.

The server sends a server "hello done" message and waits for a client response.

Upon receipt of the server "hello done" message, the client (the Web browser) verifies the validity of the server's digital certificate and checks that the server's "hello" parameters are acceptable.
If the server requested a client digital certificate, the client sends a digital certificate, or if no suitable digital certificate is available, the client sends a "no digital certificate" alert. This alert is only a warning, but the server application can fail the session if client authentication is mandatory. The client sends a "client key exchange" message. This message contains the pre-master secret, a 48-byte value consisting of the client's protocol version (2 bytes) followed by 46 random bytes, used in the generation of the symmetric encryption keys and the message authentication code (MAC) keys, encrypted with the public key of the server (RSA key exchange). If the client sent a digital certificate to the server, the client sends a "digital certificate verify" message signed with the client's private key. By verifying the signature of this message, the server can explicitly verify the ownership of the client digital certificate. Note: An additional process to verify the server digital certificate is not necessary. If the server does not have the private key that belongs to the digital certificate, it cannot decrypt the pre-master secret and create the correct keys for the symmetric encryption algorithm, and the handshake fails. (A consequence of this RSA key exchange is that anyone who later obtains the server's private key can decrypt recorded sessions; ephemeral Diffie-Hellman cipher suites were introduced to avoid that.) The client uses a pseudo-random function keyed by the pre-master secret, and seeded with the two "hello" random values, to convert the pre-master secret into a master secret, from which all key material required for encryption and message authentication is derived. Then the client sends a "change cipher spec" message to make the server switch to the newly negotiated cipher suite. The next message sent by the client (the "finished" message) is the first message encrypted with this cipher method and keys; it carries a MAC over the whole handshake so far, so any tampering with the earlier cleartext messages is detected here. The server responds with a "change cipher spec" and a "finished" message of its own. The SSL handshake ends, and encrypted application data can be sent. The following answers are incorrect: FTP - File Transfer Protocol (FTP) is a standard Internet protocol for transmitting files between computers on the Internet.
Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols. FTP is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers. Plain FTP sends both credentials and file contents in cleartext. SSH - Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively. S/MIME - S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses RSA public-key cryptography for signing and for key transport, with a symmetric cipher protecting the message body. S/MIME was included in the Web browsers and mail clients from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. Originally developed by RSA Data Security, S/MIME was standardized by the Internet Engineering Task Force (IETF). Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 352 Official ISC2 guide to CISSP CBK 3rd Edition Page number 256 http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/ss7aumst18.htm
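The key-derivation step of the handshake described above (pre-master secret plus the two "hello" random values turned into the master secret and then into the per-direction MAC keys, encryption keys and IVs), shown as an added example in Python. This is not code from the page or from any of the cited references: it implements the TLS 1.2 pseudo-random function of RFC 5246 (SSL 3.0 itself used an MD5/SHA-1 construction for the same step), the key sizes assume a suite with 256-bit HMAC keys, 128-bit cipher keys and 128-bit IVs, and the handshake transcript string and the random values are constructed for the example. The RSA encryption of the pre-master secret, which is what ties these keys to the server's certificate, is assumed to have already happened.

```python
"""TLS 1.2 key derivation (RFC 5246 sections 5, 6.3, 7.4.9 and 8.1).

Added example: shows how both sides turn the pre-master secret and the two
hello randoms into identical key material. All inputs are generated locally;
the RSA transport of the pre-master secret is outside this snippet.
"""
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC-based expansion to `length` bytes."""
    out = b""
    a = seed                                                     # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()         # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def make_pre_master_secret(version: bytes = b"\x03\x03") -> bytes:
    """48 bytes: 2-byte client version followed by 46 random bytes (RFC 5246 7.4.7.1)."""
    return version + os.urandom(46)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Expand the master secret into the six per-direction values.
    Note the seed order is server_random + client_random here (RFC 5246 6.3)."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def verify_data(master: bytes, label: bytes, handshake_messages: bytes) -> bytes:
    """The 12-byte value carried in the Finished message (RFC 5246 7.4.9):
    a MAC over the whole handshake transcript, keyed by the master secret."""
    return prf(master, label, hashlib.sha256(handshake_messages).digest(), 12)


def simulate_handshake(client_random: bytes = None, server_random: bytes = None,
                       pre_master: bytes = None) -> dict:
    """Both sides derive the same keys from the same three inputs."""
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    pre_master = pre_master or make_pre_master_secret()
    # Client side.
    ms_client = master_secret(pre_master, client_random, server_random)
    keys_client = key_block(ms_client, client_random, server_random)
    # Server side, after decrypting the pre-master secret with its RSA private key.
    ms_server = master_secret(pre_master, client_random, server_random)
    keys_server = key_block(ms_server, client_random, server_random)
    transcript = b"constructed handshake transcript"  # stand-in for the real messages
    fin = verify_data(ms_client, b"client finished", transcript)
    ok = keys_client == keys_server and fin == verify_data(ms_server, b"client finished", transcript)
    return {"master_secret": ms_client, "keys": keys_client, "client_finished": fin, "match": ok}


if __name__ == "__main__":
    result = simulate_handshake()
    print("keys match:", result["match"])
    for name, value in result["keys"].items():
        print(f"{name:22s} {value.hex()}")
```

Because the same three inputs deterministically produce the same key block, the whole session's secrecy rests on the pre-master secret staying secret in transit; the randoms are public and only prevent replay of an old key exchange.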
QUESTION 459 Behavioral-based systems are also known as? A. Profile-based systems B. Pattern matching systems C. Misuse detective systems D. Rule-based IDS
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: There are two complementary approaches to detecting intrusions, knowledge-based approaches and behavior-based approaches. This entry describes the second approach. It must be noted that very few tools today implement such an approach, even if the founding Denning paper (D. Denning, An Intrusion Detection Model, IEEE Transactions on Software Engineering) recognizes this as a requirement for intrusion detection systems. Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users. The model of normal or valid behavior is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated. In other words, anything that does not correspond to a previously learned behavior is considered intrusive. Therefore, the intrusion detection system might be complete (i.e. all attacks should be caught), but its accuracy is a difficult issue (i.e. you get a lot of false alarms). Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities. They can even contribute to the (partially) automatic discovery of these new attacks. They are less dependent on operating system-specific mechanisms. They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability. In short, this is the paranoid approach: everything which has not been seen previously is dangerous. The high false alarm rate is generally cited as the main drawback of behavior-based techniques because the entire scope of the behavior of an information system may not be covered during the learning phase.
Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms. The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous. Herve Debar, IBM Zurich Research Laboratory. The following answers are incorrect: Pattern matching systems are signature-based (e.g. anti-virus). Misuse detection system is another name for a signature-based IDS. Rule-based IDS is a distractor; rule-based (expert-system) detection is generally grouped with the knowledge-based approach. The following reference(s) were/was used to create this question: Shon Harris AIO - 4th edition, Page 254 and http://www.sans.org/security-resources/idfaq/behavior_based.php
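A small behavior-based detector in Python, added here as an example and not taken from the page or from any of the cited references. It learns a per-user profile from a training window (mean and standard deviation of logins per day, plus the set of hours the user has been seen) and flags a day whose count deviates by more than a z-score threshold or that contains an hour never seen before. It also reproduces the two caveats in the text: a perfectly regular baseline has zero spread, so a floor on the standard deviation is needed to avoid nothing but alarms, and a profile learned while the attack was already underway stops flagging that attack. All records, users and thresholds are constructed for the example.

```python
"""Behavior-based (anomaly) login detection over constructed records.

Added example. Each record is (user, day, hour). A per-user profile is
learned from a training window; new days are scored against it.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: ten quiet days for two users. Alice skips two logins
# every third day so her count has natural spread; Bob is perfectly regular.
TRAINING = [("alice", d, h) for d in range(1, 11)
            for h in ((9, 10, 13, 17) if d % 3 else (9, 13))]
TRAINING += [("bob", d, h) for d in range(1, 11) for h in (8, 12)]


def build_profiles(records):
    """Learn {user: {"mean", "stdev", "hours"}} from the training window."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    for user, day, hour in records:
        per_day[user][day] += 1
        hours[user].add(hour)
    profiles = {}
    for user, days in per_day.items():
        counts = list(days.values())
        profiles[user] = {"mean": mean(counts), "stdev": pstdev(counts), "hours": hours[user]}
    return profiles


def score_day(profile, count, hours_seen, z_threshold=3.0, min_stdev=0.5):
    """Reasons the day deviates from the profile; an empty list means normal.
    min_stdev stops a perfectly regular baseline (stdev 0) from flagging any
    change at all, which would otherwise produce nothing but alarms."""
    reasons = []
    sd = max(profile["stdev"], min_stdev)
    z = (count - profile["mean"]) / sd
    if abs(z) > z_threshold:
        reasons.append(f"login count {count} is {z:.1f} sd from baseline")
    unseen = sorted(set(hours_seen) - profile["hours"])
    if unseen:
        reasons.append(f"activity at unseen hours {unseen}")
    return reasons


def detect(profiles, records, **kw):
    """Group records by (user, day) and score each day. Returns {(user, day): reasons}."""
    by_day = defaultdict(list)
    for user, day, hour in records:
        by_day[(user, day)].append(hour)
    alerts = {}
    for (user, day), hours in by_day.items():
        if user not in profiles:
            alerts[(user, day)] = ["no baseline for user"]
            continue
        reasons = score_day(profiles[user], len(hours), hours, **kw)
        if reasons:
            alerts[(user, day)] = reasons
    return alerts


# Constructed traffic to score: a normal day for Alice, Bob logging in at 22:00,
# and a three-day burst of twelve 03:00 logins on Alice's account.
NORMAL = [("alice", 11, h) for h in (9, 10, 13, 17)] + [("bob", 11, 22)]
ATTACK = [("alice", d, 3) for d in (12, 13, 14) for _ in range(12)]


def demo():
    """Returns (alerts on NORMAL, alerts on ATTACK, alerts on ATTACK after the
    attack days were included in the learning window)."""
    profiles = build_profiles(TRAINING)
    normal_alerts = detect(profiles, NORMAL)
    attack_alerts = detect(profiles, ATTACK)
    # The caveat from the text: if the system learns while under attack, the
    # attack becomes part of "normal" and the same burst is no longer flagged.
    poisoned = build_profiles(TRAINING + ATTACK)
    missed = detect(poisoned, ATTACK)
    return normal_alerts, attack_alerts, missed


if __name__ == "__main__":
    for name, alerts in zip(("normal", "attack", "poisoned baseline"), demo()):
        print(name, alerts)
```

Bob's 22:00 login is reported only because of the unseen hour; his count of one is within the (floored) spread, which is exactly the kind of borderline event that generates the false alarms the text warns about.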
QUESTION 474 What sort of attack is described by the following: An attacker has a list of broadcast addresses which it stores into an array, the attacker sends a spoofed ICMP echo request to each of those addresses in series and starts again. The spoofed IP address used by the attacker as the source of the packets is the target/victim IP address. A. Smurf Attack B. Fraggle Attack C. LAND Attack D. Replay Attack
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The Smurf Attack is a denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) echo request packets with the intended victim's spoofed source IP are sent to a computer network using an IP broadcast address. Most devices on a network will, in their default settings of the time, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic: every spoofed request is amplified into as many replies as there are responding hosts. This can slow down the victim's computer to the point where it becomes impossible to work on. The name Smurf comes from the file "smurf.c", the source code of the attack program, which was released in 1997 by TFreak. The author describes the attack as: The `smurf' attack is quite simple. It has a list of broadcast addresses which it stores into an array, and sends a spoofed icmp echo request to each of those addresses in series and starts again. The result is a devastating attack upon the spoofed ip with, depending on the amount of broadcast addresses used, many, many computers responding to the echo request. Mitigation: the attack needs both an amplifier network that answers broadcast pings and the ability to spoof the victim's address, so there are two places to break it. - On the amplifier side, configure routers not to forward IP directed broadcasts (on Cisco IOS, `no ip directed-broadcast` on each interface, which has been the default since IOS 12.0) and configure hosts not to answer ICMP echo requests addressed to a broadcast address (on Linux, the sysctl `net.ipv4.icmp_echo_ignore_broadcasts = 1`, which is the default); modern operating systems also refuse to send a PING to a broadcast address and return an error if you try. - On the source side, ingress filtering that drops packets whose source address does not belong to the originating network (BCP 38 / RFC 2827) prevents the attacker from impersonating the victim at all. - Controlling access to the physical network, for example with 802.1X certificate-based port authentication, only helps against an attacker on that LAN; Smurf traffic normally arrives from the Internet. The following answers are incorrect: - Fraggle Attack: Close but not quite right. A Fraggle attack uses UDP (typically the echo and chargen services on ports 7 and 19) rather than the ICMP that the Smurf attack uses. - LAND Attack: Sorry, not correct. A LAND attack is simply a series of packets sent to the target where the source and destination IP addresses are the same as the victim's.
- Replay Attack: Not correct. In a replay attack the attacker captures valid traffic (for example an authentication exchange) and re-sends it later to impersonate a legitimate party; it is neither a flooding nor an amplification attack and does not involve broadcast addresses. The following reference(s) was used to create this question: http://en.wikipedia.org/wiki/Smurf_attack and http://searchsecurity.techtarget.com/answer/What-is-a-land-attack and http://www.phreak.org/archives/exploits/denial/smurf.c
QUESTION 475 View the image below and identify the attack (the image is not reproduced in this copy). A. DDoS B. DOS C. TFN D. Reflection Attack
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The easiest attack to carry out against a network, or so it may seem, is to overload it through excessive traffic, or through traffic which has been "crafted" to confuse the network into shutting down or slowing to the point of uselessness. The image depicts a distributed denial of service attack, where many computers attack the victim with any type of traffic and render it unable to communicate on the network or provide services. Computers on networks can provide services to other computers. The servers listen on specific TCP or UDP ports and software opens the ports on the server to accept traffic from visitors. Most users of the services on that server behave normally, but at times attackers try to take down the server by attacking its services or the operating system via the protocol stack itself. In the case of this question, the victim is being bombarded with service requests from the zombies. The flood may be UDP, TCP (for example SYN floods) or ICMP. Because the traffic arrives from many sources that individually look legitimate, it is very difficult for the victim alone to defeat; in practice mitigation means filtering or absorbing the traffic upstream of the victim. You might compare this attack to calling someone over and over on their phone so that they can't use their own phone: you're not doing anything specifically destructive to the phone, you're just exhausting its resources, rendering it useless to the owner. The following answers are incorrect: - DOS - Denial of Service: This is almost correct, but it is wrong because a simple DoS attack is one computer flooding another computer, not the many-to-one attack you see with a DDoS. - TFN - Tribe Flood Network attack: This isn't the correct answer because it isn't specifically what's depicted in the image. TFN is actually software used to conduct DDoS attacks and NOT an attack itself.
- Reflection Attack: This isn't the correct answer because a reflection attack, in the authentication sense meant here, is an attack on challenge-response systems which use the same protocol in both directions (the attacker bounces the server's own challenge back to it), and it doesn't ordinarily involve zombies. In denial-of-service terminology "reflection" also describes attacks such as Smurf that bounce spoofed traffic off third parties, but that is not what the image shows. The following reference(s) was used to create this question: 2013. Official Security+ Curriculum. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8494-8495). Auerbach Publications. Kindle Edition.
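A classifier that tells the patterns from the two questions above apart (Smurf, Fraggle and LAND from QUESTION 474; single-source DoS versus many-source DDoS from QUESTION 475) from flow records, added here as an example in Python and not code from the page or from any cited reference. Each record is (source, destination, protocol, destination port, ICMP type). Broadcast destinations are recognised against a list of local subnets, because a directed broadcast only looks special when the subnet mask is known; the subnets, the flow records and the thresholds are all constructed for the example.

```python
"""Classify flood traffic from constructed flow records.

Added example. Records are (src, dst, proto, dport, icmp_type).
Labels: land, smurf, fraggle, ddos, dos. Returns {victim address: label}.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed local subnets; a directed broadcast is the last address of each.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.0.0.0/24")]


def is_directed_broadcast(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in LOCAL_SUBNETS)


def classify(records, ddos_sources=10, flood_threshold=50):
    """Map each victim address to a label."""
    by_dst = defaultdict(list)
    for rec in records:
        by_dst[rec[1]].append(rec)
    victims = {}
    # Pass 1: LAND, where source and destination are both the victim.
    for dst, recs in by_dst.items():
        if any(r[0] == dst for r in recs):
            victims[dst] = "land"
    # Pass 2: amplifier abuse. Packets aimed at a directed-broadcast address
    # carry the real victim in their spoofed source field, so the victim is
    # labelled here, before pass 3 sees the reply flood and calls it a DDoS.
    for dst, recs in by_dst.items():
        if not is_directed_broadcast(dst):
            continue
        echo = [r for r in recs if r[2] == "icmp" and r[4] == 8]       # ICMP echo request
        small_udp = [r for r in recs if r[2] == "udp" and r[3] in (7, 19)]  # echo / chargen
        for group, label in ((echo, "smurf"), (small_udp, "fraggle")):
            if group:
                victim = Counter(r[0] for r in group).most_common(1)[0][0]
                victims.setdefault(victim, label)
    # Pass 3: plain floods, told apart by how many distinct sources take part.
    for dst, recs in by_dst.items():
        if dst in victims or is_directed_broadcast(dst) or len(recs) < flood_threshold:
            continue
        sources = {r[0] for r in recs}
        victims[dst] = "ddos" if len(sources) >= ddos_sources else "dos"
    return victims


def amplification(records, victim):
    """Echo replies reaching the victim per spoofed echo request it 'sent'."""
    requests = [r for r in records
                if r[0] == victim and r[2] == "icmp" and r[4] == 8 and is_directed_broadcast(r[1])]
    replies = [r for r in records if r[1] == victim and r[2] == "icmp" and r[4] == 0]
    return len(replies) / len(requests) if requests else 0.0


# Constructed capture mixing the five patterns.
SAMPLE = (
    [("10.0.0.5", "192.168.1.255", "icmp", None, 8)] * 20                      # Smurf requests
    + [(f"192.168.1.{i}", "10.0.0.5", "icmp", None, 0) for i in range(1, 61)]  # 60 amplifier replies
    + [("10.0.0.6", "10.0.0.255", "udp", 7, None)] * 20                        # Fraggle (UDP echo)
    + [("10.0.0.7", "10.0.0.7", "tcp", 80, None)]                              # LAND
    + [("203.0.113.9", "10.0.0.8", "tcp", 80, None)] * 100                     # single-source flood
    + [(f"198.51.100.{i}", "10.0.0.9", "udp", 53, None) for i in range(1, 31)] * 3  # 30 sources
)

if __name__ == "__main__":
    for victim, label in sorted(classify(SAMPLE).items()):
        print(f"{victim:15s} {label}")
    print("smurf amplification factor:", amplification(SAMPLE, "10.0.0.5"))
```

The order of the passes matters: the replies of a Smurf attack look like a many-source flood at the victim, so without pass 2 running first the same incident would be reported as a DDoS and the amplifier network (the place where it can be fixed) would never be identified.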
QUESTION 452 Which of the following is an advantage of proxies? A. Proxies provide a single point of access, control, and logging. B. Proxies must exist for each service. C. Proxies create a single point of failure. D. Proxies do not protect the base operating system.
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: By ensuring that all content flows through a single point, proxies provide a checkpoint for network data at which access can be controlled and logged, which is an advantage. The other choices all describe drawbacks of proxies: a separate proxy must exist for each service, the proxy is a single point of failure, and a proxy does not by itself protect the operating system it runs on. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 8: Application-Level Proxies.
QUESTION 473 You are using an open source packet analyzer called Wireshark and are sifting through the various conversations to see if anything appears to be out of order. You are observing a UDP conversation between a host and a router. It was a file transfer between the two on port 69. What protocol was used here to conduct the file transfer? A. TFTP B. SFTP C. FTP D. SCP
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Discussion: TFTP is a curious protocol that uses no authentication and no encryption, and is often used to transfer configuration files between an administrator's computer and a switch or router. The admin's computer would have the TFTP server software installed on it; the admin would SSH into the router and run a command that instructs the router to fetch its configuration from the TFTP server, like this: Router#copy tftp running-config (the opposite direction, Router#copy running-config tftp, pushes the running configuration up to the server). The router prompts for the IP address or name of the host from which to get the config and for the name of the config file, and the retrieved file is then merged into the running-config (RAM) on the router. This is how Wireshark could have seen the file transfer: the request names the file in cleartext and every data packet carries file contents in cleartext. It is advisable to use a more secure means to transfer router configuration files because of their sensitive nature (they typically contain password hashes, SNMP community strings and routing secrets). SCP, or Secure Copy, can be used on most mainstream routing and switching devices; on Cisco IOS it is enabled with ip scp server enable once SSH is configured. The following answers are incorrect: - SFTP: This isn't correct because SFTP runs over SSH, which uses TCP port 22. - FTP: This is not the right answer because FTP uses TCP and ordinarily uses ports 20/21. - SCP: Good guess, but SCP doesn't use UDP or port 69, and even if you did 'see' a file transfer between SCP hosts you wouldn't see the contents of the packets because they're encrypted. Sorry. The following reference(s) was used to create this question: 2013. Official Security+ Curriculum.
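A minimal TFTP (RFC 1350) packet parser and builder, added here as an example in Python; it is not code from the page or from the Security+ curriculum it cites. It shows concretely why the exchange in the question is fully visible to Wireshark: the read request names the file and transfer mode in cleartext, every DATA packet carries up to 512 bytes of file content, and an on-path observer can reassemble the whole file from the capture. The filename, the configuration text and the capture are constructed for the example; the `$1$...` string is a placeholder, not a real hash.

```python
"""Minimal TFTP (RFC 1350) packet parser/builder and capture reassembly.

Added example. Opcodes: 1 RRQ, 2 WRQ, 3 DATA, 4 ACK, 5 ERROR. A transfer ends
with a DATA block shorter than 512 bytes (an empty one if the file length is
an exact multiple of 512).
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode | filename NUL | mode NUL (all cleartext)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse(packet):
    """Return a dict describing the packet; raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3:                      # filename, mode, and the trailing empty piece
            raise ValueError("request missing NUL terminator")
        return {"op": "RRQ" if opcode == RRQ else "WRQ",
                "filename": fields[0].decode(errors="replace"),
                "mode": fields[1].decode(errors="replace").lower()}
    if opcode == DATA:
        block = struct.unpack("!H", packet[2:4])[0]
        payload = packet[4:]
        if len(payload) > BLOCK_SIZE:
            raise ValueError("data block exceeds 512 bytes")
        return {"op": "DATA", "block": block, "data": payload, "last": len(payload) < BLOCK_SIZE}
    if opcode == ACK:
        return {"op": "ACK", "block": struct.unpack("!H", packet[2:4])[0]}
    if opcode == ERROR:
        code = struct.unpack("!H", packet[2:4])[0]
        message = packet[4:].split(b"\0")[0].decode(errors="replace")
        return {"op": "ERROR", "code": code, "message": message}
    raise ValueError(f"unknown opcode {opcode}")


def build_capture(filename, content, mode="octet"):
    """The packet sequence of a complete read: RRQ, then DATA/ACK pairs."""
    packets = [build_request(RRQ, filename, mode)]
    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")                       # zero-length final block marks end of transfer
    for n, chunk in enumerate(blocks, start=1):
        packets.append(build_data(n, chunk))
        packets.append(build_ack(n))
    return packets


def reassemble(packets):
    """Reconstruct (filename, file bytes) from a captured packet sequence,
    exactly as a passive observer of UDP/69 traffic could."""
    blocks, filename = {}, None
    for pkt in packets:
        info = parse(pkt)
        if info["op"] in ("RRQ", "WRQ"):
            filename = info["filename"]
        elif info["op"] == "DATA":
            blocks[info["block"]] = info["data"]
    expected = list(range(1, len(blocks) + 1))
    if sorted(blocks) != expected:
        raise ValueError("missing data blocks")
    return filename, b"".join(blocks[b] for b in expected)


# Constructed capture: a router pulling its configuration from a TFTP server.
CONFIG = b"hostname edge-rtr\n" + b"!\n" * 300 + b"enable secret 5 $1$abcd$notarealhash\n"
CAPTURE = build_capture("edge-rtr-confg", CONFIG)

if __name__ == "__main__":
    name, data = reassemble(CAPTURE)
    print(f"{len(CAPTURE)} packets; file {name!r}, {len(data)} bytes recovered")
    print(data.splitlines()[-1].decode())
```

The same parser doubles as a detection aid: alerting on any RRQ or WRQ whose filename ends in `-confg` or `.cfg` on a production network is a cheap way to catch configuration files leaving devices over a protocol with no authentication at all.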
QUESTION 455 Another name for a VPN is a: A. tunnel B. one-time password C. pipeline D. bypass
Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
QUESTION 537 What is the goal of the Maintenance phase in a common development process of a security policy? A. to review the document on the specified review date B. publication within the organization C. to write a proposal to management that states the objectives of the policy D. to present the document to an approving body
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: "publication within the organization" is the goal of the Publication Phase "write a proposal to management that states the objectives of the policy" is part of Initial and Evaluation Phase "Present the document to an approving body" is part of Approval Phase. Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications. Also: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 286).
QUESTION 488 A deviation from an organization-wide security policy requires which of the following? A. Risk Acceptance B. Risk Assignment C. Risk Reduction D. Risk Containment
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: A deviation from an organization-wide security policy requires you to manage the risk. If you deviate from the security policy then you are required to accept the risks that might occur. In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. The OIG defines Risk Management as: This term characterizes the overall process. The first phase of risk assessment includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk. The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures. Risk management is a continuous process of ever-increasing complexity. It is how we evaluate the impact of exposures and respond to them. Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review. Risk management provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance. The 4 ways of dealing with risks are: Avoidance, Transfer, Mitigation, Acceptance. The following answers are incorrect: Risk assignment is incorrect because it is a distractor; assignment is not one of the ways to manage risk. Risk reduction is incorrect because there was a deviation from the security policy; you could have some additional exposure by the fact that you deviated from the policy, and the deviation itself reduces nothing. Risk containment is incorrect because it is a distractor; containment is not one of the ways to manage risk. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8882-8886). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10206-10208). Auerbach Publications. Kindle Edition.
QUESTION 534 Which property ensures that only the intended recipient can access the data and nobody else? A. Confidentiality B. Capability C. Integrity D. Availability
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Confidentiality is defined as the property that ensures that only the intended recipient can access the data and nobody else. It is usually achieved using cryptographic methods, tools, and protocols, together with access controls. Confidentiality supports the principle of "least privilege" by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. The level of access that an authorized individual should have is at the level necessary for them to do their job. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals who may be able to commit crimes by viewing the information. Identity theft is the act of assuming someone's identity through knowledge of confidential information obtained from various sources. The following are incorrect answers: Capability is incorrect. Capability is relevant to access control. Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Integrity is incorrect. Integrity protects information from unauthorized modification or loss. Availability is incorrect. Availability assures that information and services are available for use by authorized entities according to the service level objective.
Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9345-9349). Auerbach Publications. Kindle Edition. http://en.wikipedia.org/wiki/Capability-based_security
QUESTION 509 Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following? A. Confidentiality B. Integrity C. Availability D. Capability
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Confidentiality is the prevention of the intentional or unintentional unauthorized disclosure of contents. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 60.
QUESTION 504 Making sure that only those who are supposed to access the data can access it is which of the following? A. confidentiality. B. capability. C. integrity. D. availability.
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate, domain definition. Confidentiality is making sure that only those who are supposed to access the data can access it. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
QUESTION 510 Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following? A. integrity B. confidentiality C. availability D. identity
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Integrity is the guarantee that the message sent is the message received, and that the message was not intentionally or unintentionally altered. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 60.
QUESTION 522 Who should DECIDE how a company should approach security and what security measures should be implemented? A. Senior management B. Data owner C. Auditor D. The information security specialist
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Senior management is ultimately responsible for the security of the organization and the protection of its assets, so it is senior management that decides the approach and which security measures are implemented. The following answers are incorrect because: Data owner is incorrect, as data owners classify data and set access requirements for it but do not decide the organization's overall security measures. Auditor is also incorrect, as an auditor assesses whether controls work and cannot decide what security measures should be applied. The information security specialist is also incorrect, as they may have the technical knowledge of how security measures should be implemented and configured, but they should not be in a position of deciding what measures should be applied. Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Page 51.
QUESTION 512 Which of the following is NOT an administrative control? A. Logical access control mechanisms B. Screening of personnel C. Development of policies, standards, procedures and guidelines D. Change control procedures
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Logical access control mechanisms are considered to be a technical control; "logical" is synonymous with "technical" in this context. That was the easy answer. There are three broad categories of access control: Administrative, Technical, and Physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data. Each category of access control has several components that fall within it, as shown here:
Administrative Controls: policy and procedures; personnel controls; supervisory structure; security-awareness training; testing.
Physical Controls: network segregation; perimeter security; computer controls; work area separation; data backups.
Technical Controls: system access; network architecture; network access; encryption and protocols; control zone; auditing.
The following answers are incorrect: Screening of personnel is considered to be an administrative control. Development of policies, standards, procedures and guidelines is considered to be an administrative control. Change control procedures are considered to be an administrative control. Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Pages 52-54.
QUESTION 539 In regards to information classification, what is the main responsibility of the information (data) owner? A. determining the data sensitivity or classification level B. running regular data backups C. audit the data users D. periodically check the validity and accuracy of the data
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Making the determination of what level of classification the information requires is the main responsibility of the data owner. The data owner within classification is a person from management who has been entrusted with a data set that belongs to the company. It could be, for example, the Chief Financial Officer (CFO) who has been entrusted with all financial data, or the Human Resources Director who has been entrusted with all Human Resources data. The information owner will decide what classification will be applied to the data based on the Confidentiality, Integrity, Availability, Criticality, and Sensitivity of the data. The custodian is the technical person who will implement the proper classification on objects in accordance with the data owner's decision. The custodian DOES NOT decide what classification to apply; it is the data owner who dictates to the custodian which classification to apply. NOTE: The term "data owner" is also used within Discretionary Access Control (DAC). Within DAC it means the person who has created an object. For example, if I create a file on my system then I am the owner of the file and I can decide who else may get access to the file. It is left to my discretion. Within DAC, access is granted based solely on the identity of the subject, which is why DAC is sometimes referred to as identity-based access control. The other choices were not the best answer: Running regular backups is the responsibility of the custodian. Auditing the data users is the responsibility of the auditors. Periodically checking the validity and accuracy of the data is not one of the data owner's responsibilities. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: Security Management Practices.
QUESTION 495 What does "residual risk" mean? A. The security risk that remains after controls have been implemented B. Weakness of an asset which can be exploited by a threat C. Risk that remains after risk assessment has been performed D. A security risk intrinsic to an asset being audited, where no mitigation has taken place.
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Residual risk is "the security risk that remains after controls have been implemented" (ISO/IEC TR 13335-1, Guidelines for the Management of IT Security (GMITS), Part 1: Concepts and Models for IT Security, 1996). "Weakness of an asset which can be exploited by a threat" is the definition of a vulnerability. "The result of an unwanted incident" is the definition of impact. "Risk that remains after risk assessment has been performed" is a distractor: an assessment measures risk, it does not reduce it. Risk can never be eliminated entirely; it can be avoided, mitigated, transferred or accepted. Even after applying a countermeasure, for example installing anti-virus software, there is no guarantee that systems will be 100% protected, and whatever risk is left is the residual risk.
QUESTION 480 Which one of the following represents an ALE calculation? A. single loss expectancy x annualized rate of occurrence. B. gross loss expectancy x loss frequency. C. actual replacement cost - proceeds of salvage. D. asset value x loss expectancy.
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO). Single Loss Expectancy (SLE) is the dollar amount that would be lost in a single occurrence of a loss of an asset (asset value multiplied by the exposure factor, the fraction of the asset's value lost). Annualized Rate of Occurrence (ARO) is the estimated frequency with which a threat to an asset is expected to occur in one year (for example, if there is a chance of a flood occurring once in 10 years the ARO would be 0.1, and if there was a chance of a flood occurring once in 100 years then the ARO would be 0.01). The following answers are incorrect: gross loss expectancy x loss frequency is incorrect because it is a distractor. actual replacement cost - proceeds of salvage is incorrect because it is a distractor. asset value x loss expectancy is incorrect because it is a distractor.
QUESTION 499 A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called a? A. Vulnerability B. Risk C. Threat D. Overflow
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.
QUESTION 491 Which of the following is considered the weakest link in a security system? A. People B. Software C. Communications D. Hardware
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: The Answer: People. The other choices can be strengthened and counted on (for the most part) to remain consistent if properly protected. People are fallible and unpredictable. Most security intrusions are caused by employees. People get tired, careless, and greedy. They are not always reliable and may falter in following defined guidelines and best practices. Security professionals must install adequate prevention and detection controls and properly train all systems users. Proper hiring and firing practices can eliminate certain risks. Security awareness training is key to ensuring people are aware of risks and their responsibilities. The following answers are incorrect: Software. Although software exploits are a major threat and cause for concern, people are the weakest point in a security posture. Software can be removed, upgraded or patched to reduce risk. Communications. Although many attacks from inside and outside an organization use communication methods such as the network infrastructure, this is not the weakest point in a security posture. Communications can be monitored, and devices installed or upgraded, to reduce risk and react to attack attempts. Hardware. Hardware components can be a weakness in a security posture, but they are not the weakest link of the choices provided. Access to hardware can be minimized by such measures as installing locks and monitoring access in and out of certain areas. The following reference(s) were/was used to create this question: Shon Harris AIO v.3 P.19, 107-109 ISC2 OIG 2007, p.51-55
QUESTION 517 Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability? A. A risk B. A residual risk C. An exposure D. A countermeasure
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. The following answers are incorrect: Residual risk is very different from the notion of total risk. Residual risk is the risk that still exists after countermeasures have been implemented. Total risk is the amount of risk a company faces if it chooses not to implement any type of safeguard. Exposure: An exposure is an instance of being exposed to losses from a threat agent. Countermeasure: A countermeasure, or safeguard, is put in place to mitigate the potential risk. Examples of countermeasures include strong password management or a security guard. REFERENCES: SHON HARRIS ALL IN ONE 3rd EDITION, Chapter 3: Security Management Practices, Pages 57-59
QUESTION 528 Which of the following would be the best criterion to consider in determining the classification of an information asset? A. Value B. Age C. Useful life D. Personal association
Correct Answer: A Section: Security and Risk Management Explanation Explanation/Reference: Information classification should be based on the value of the information to the organization and its sensitivity (a reflection of how much damage would accrue due to disclosure). Age is incorrect. While age might be a consideration in some cases, the guiding principles should be value and sensitivity. Useful life is incorrect. While useful lifetime is relevant to how long data protections should be applied, the classification is based on information value and sensitivity. Personal association is incorrect. Information classification decisions should be based on the value of the information and its sensitivity. References: CBK, pp. 101 - 102.
QUESTION 457 Which of the following media is MOST resistant to EMI? A. microwave B. fiber optic C. twisted pair D. coaxial cable
Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: A fiber optic cable is a physical medium that is capable of conducting modulated light transmission. Fiber optic cable carries signals as light waves, which allows higher transmission speeds and greater distances because of lower attenuation. Because the signal is light rather than an electrical current, the cable neither radiates nor picks up electromagnetic energy, so it is the medium most resistant to interference, especially EMI, and it is more difficult to tap than copper cabling. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 103).
QUESTION 454 Why does fiber optic communication technology have a significant security advantage over other transmission technologies? A. Higher data rates can be transmitted. B. Interception of data traffic is more difficult. C. Traffic analysis is prevented by multiplexing. D. Single and double-bit errors are correctable.
Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Fiber does not radiate an electromagnetic signal, so it cannot be sniffed inductively the way copper can; tapping it requires physical access to the fiber and usually introduces a measurable loss of light that can be detected. It would be correct to select the first answer if the word "security" were not in the question: higher data rates are a performance advantage, not a security one. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
QUESTION 462 What is Dumpster Diving? A. Going through a dust bin B. Running through another person's garbage for discarded documents, information and other various items that could be used against that person or company C. Performing media analysis D. Performing forensics on the deleted items
Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The Answer: Running through another person's garbage for discarded documents, information and other various items that could be used against that person or company. Dumpster diving is done with malicious intent. A synonym for dumpster diving is data scavenging. The following answers are incorrect: Going through a dust bin is too narrow a description and does not capture the intent of collecting information that can be used against the target; it was not the best choice. Performing forensics on the deleted items is related to data remanence, which means files were not destroyed properly and can be recovered using specialized tools. Performing media analysis is not related to going through rubbish in a dumpster. The following reference(s) were/was used to create this question: CISSP Summary 2002 by John Wallhoff
QUESTION 472 What is the three way handshake sequence used to initiate TCP connections? A. ACK, SYN/ACK, ACK B. SYN, SYN/ACK, ACK C. SYN, SYN, ACK/ACK D. ACK, SYN/ACK, SYN
Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The TCP three way handshake: 1. First, the client sends a SYN segment. This is a request to the server to synchronize sequence numbers; the segment carries the client's initial sequence number (ISN), which the server will acknowledge as ISN + 1. To initialize a connection, the client and server must synchronize each other's sequence numbers. 2. Second, the server sends a segment with both SYN and ACK set: the ACK acknowledges the client's synchronization request, and the SYN carries the server's own ISN so that the client can synchronize with it in turn. The one major difference from the first segment is that it carries an acknowledgement number. That number is the client's ISN incremented by one, which proves to the client that this SYN/ACK is specific to the SYN the client sent. After sending it the server holds a half-open connection (SYN-RECEIVED state) until the final ACK arrives; SYN flood attacks work by exhausting this half-open state. 3. Third, the client sends an ACK whose acknowledgement number is the server's ISN plus one, applying the same rule the server used. The client's acknowledgement of the server's synchronization request completes the process of establishing a reliable connection. The following answers are incorrect: All of the other choices were incorrect answers. The following reference(s) were/was used to create this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 5560-5573). Auerbach Publications. Kindle Edition.
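The exchange described above, as an added example that is not part of the original page: a small simulation of the SYN / SYN-ACK / ACK sequence-number bookkeeping. There is no real socket, no retransmission and no TCP options; the `TcpEndpoint`, `Segment` and `handshake` names are hypothetical. The server rejects a final ACK whose acknowledgement number does not equal its own ISN + 1, which is the check that makes blind spoofing of the third segment depend on guessing the server's ISN.

```python
"""Simulation of the TCP three-way handshake (added example, not from the page)."""
import random
from dataclasses import dataclass

MAX_SEQ = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the handshake depends on."""
    syn: bool
    ack: bool
    seq: int
    ack_num: int


class TcpEndpoint:
    def __init__(self, isn=None):
        # The ISN should be unpredictable; a guessable ISN lets an off-path
        # attacker forge the final ACK (blind spoofing).
        self.isn = random.randrange(MAX_SEQ) if isn is None else isn
        self.snd_nxt = self.isn
        self.rcv_nxt = None
        self.state = "CLOSED"

    # --- client side -------------------------------------------------
    def send_syn(self):
        self.state = "SYN-SENT"
        self.snd_nxt = (self.isn + 1) % MAX_SEQ  # a SYN consumes one sequence number
        return Segment(syn=True, ack=False, seq=self.isn, ack_num=0)

    def receive_syn_ack(self, seg):
        # The ACK must acknowledge exactly ISN + 1, proving the peer saw our SYN.
        if not (seg.syn and seg.ack) or seg.ack_num != self.snd_nxt:
            return None
        self.rcv_nxt = (seg.seq + 1) % MAX_SEQ  # server's ISN + 1
        self.state = "ESTABLISHED"
        return Segment(syn=False, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)

    # --- server side -------------------------------------------------
    def listen(self):
        self.state = "LISTEN"

    def receive_syn(self, seg):
        if self.state != "LISTEN" or not seg.syn or seg.ack:
            return None
        self.rcv_nxt = (seg.seq + 1) % MAX_SEQ  # client's ISN + 1
        self.state = "SYN-RECEIVED"             # half-open until the final ACK
        self.snd_nxt = (self.isn + 1) % MAX_SEQ
        return Segment(syn=True, ack=True, seq=self.isn, ack_num=self.rcv_nxt)

    def receive_ack(self, seg):
        """Return True only if the final ACK matches this half-open connection."""
        if self.state != "SYN-RECEIVED" or seg.syn or not seg.ack:
            return False
        if seg.ack_num != self.snd_nxt or seg.seq != self.rcv_nxt:
            return False
        self.state = "ESTABLISHED"
        return True


def handshake(client, server):
    """Run the full exchange and return the three segments as seen on the wire."""
    server.listen()
    syn = client.send_syn()
    syn_ack = server.receive_syn(syn)
    ack = client.receive_syn_ack(syn_ack)
    server.receive_ack(ack)
    return [syn, syn_ack, ack]


if __name__ == "__main__":
    c, s = TcpEndpoint(isn=1000), TcpEndpoint(isn=5000)
    for seg in handshake(c, s):
        flags = "+".join(f for f, on in (("SYN", seg.syn), ("ACK", seg.ack)) if on)
        print(f"{flags:8} seq={seg.seq} ack={seg.ack_num}")
    print(c.state, s.state)
```

Running the block with fixed ISNs of 1000 and 5000 prints SYN seq=1000, SYN+ACK seq=5000 ack=1001, ACK seq=1001 ack=5001, and both endpoints end in ESTABLISHED.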
QUESTION 514 Which of the following is BEST defined as a physical control? A. Monitoring of system activity B. Fencing C. Identification and authentication methods D. Logical access control mechanisms
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Physical controls are items put into place to protect facilities, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. The following answers are incorrect: Monitoring of system activity is considered to be an administrative control. Identification and authentication methods are considered to be a technical control. Logical access control mechanisms are also considered to be a technical control. Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 1280-1282). McGraw-Hill. Kindle Edition.
QUESTION 467 What is the BEST answer pertaining to the difference between the Session and Transport layers of the OSI model? A. The Session layer sets up communication between protocols, while the Transport layer sets up connections between computer systems. B. The Transport layer sets up communication between computer systems, while the Session layer sets up connections between applications. C. The Session layer sets up communication between computer systems, while the Transport layer sets up connections between protocols. D. The Transport layer sets up communication between applications, while the Session layer sets up connections between computer systems.
Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The Transport layer (layer 4) provides end-to-end delivery between computer systems, for example a TCP connection identified by source and destination ports, while the Session layer (layer 5) establishes, maintains and tears down the dialogue between the applications that use that connection. The following answers are incorrect: The Session layer sets up communication between protocols, while the Transport layer sets up connections between computer systems. The Session layer sets up communication between computer systems, while the Transport layer sets up connections between protocols. The Transport layer sets up communication between applications, while the Session layer sets up connections between computer systems. The following reference(s) were/was used to create this question: All In One CISSP Exam guide by Shon Harris, Chapter 7, pg 492
QUESTION 456 Which one of the following is used to provide authentication and confidentiality for e-mail messages? A. Digital signature B. PGP C. IPSEC AH D. MD4
Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Instead of using a Certificate Authority, PGP uses a "Web of Trust", where users can certify each other in a mesh model, which is best applied to smaller groups. In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). The web of trust concept was first put forth by PGP creator Phil Zimmermann in 1992 in the manual for PGP version 2.0. Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991. As per Shon Harris's book: Pretty Good Privacy (PGP) was designed by Phil Zimmermann as a freeware e-mail security program and was released in 1991. It was the first widespread public key encryption program. PGP is a complete cryptosystem that uses cryptographic protection to protect e-mail and files. It can use RSA public key encryption for key management and the IDEA symmetric cipher for bulk encryption of data, although the user has the option of picking different algorithms for these functions. PGP can provide confidentiality by using the IDEA encryption algorithm, integrity by using the MD5 hashing algorithm, authentication by using public key certificates, and nonrepudiation by using cryptographically signed messages. PGP initially used its own type of digital certificates rather than what is used in PKI, but they both have similar purposes. The IDEA and MD5 combination describes the original releases; modern OpenPGP implementations such as GnuPG default to AES for bulk encryption and SHA-2 family hashes, and MD5 is no longer acceptable for signatures.
Today PGP supports X.509 v3 digital certificates. The other choices are incorrect: a digital signature alone provides authentication and integrity but not confidentiality; IPSEC AH provides authentication and integrity for IP packets, not encryption, and is not an e-mail mechanism; MD4 is a hash function and provides neither authentication nor confidentiality by itself. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 169). Shon Harris, CISSP All in One book https://en.wikipedia.org/wiki/Pretty_Good_Privacy TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
QUESTION 540 What is the main purpose of a Corporate Security Policy? A. To transfer the responsibility for information security to all users of the organization B. To communicate management's intentions in regards to information security C. To provide detailed steps for performing specific actions D. To provide a common framework for all development activities
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: A Corporate Security Policy is a high level document that states management's intentions in regard to information security within the organization. It is high level in purpose; it does not give details about specific products that would be used, specific steps, etc. The organization's requirements for access control should be defined and documented in its security policies. Access rules and rights for each user or group of users should be clearly stated in an access policy statement. The access control policy should minimally consider: statements of general security principles and their applicability to the organization; security requirements of individual enterprise applications, systems, and services; consistency between the access control and information classification policies of different systems and networks; contractual obligations or regulatory compliance regarding protection of assets; standards defining user access profiles for organizational roles; and details regarding the management of the access control system. As a Certified Information Systems Security Professional (CISSP) you would be involved directly in the drafting and coordination of security policies, standards and supporting guidelines, procedures, and baselines. Guidance provided by the CISSP on technical security issues and emerging threats is considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends, and analysis of vendor solutions to include in the security architecture that advances the security of the organization, are performed by the CISSP as well. The following are incorrect answers: To transfer the responsibility for information security to all users of the organization is bogus. You CANNOT transfer responsibility, you can only transfer authority. Responsibility will always sit with upper management.
The keywords ALL and USERS are also an indication that it is the wrong choice. To provide detailed steps for performing specific actions is also a bogus distractor. A step by step document is referred to as a procedure. It details how to accomplish a specific task. To provide a common framework for all development activities is also an invalid choice. Security policies are not restricted only to development activities. Reference used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.
QUESTION 486 The major objective of system configuration management is which of the following? A. system maintenance. B. system stability. C. system operations. D. system tracking.
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: A major objective of configuration management is stability. Changes to the system are controlled so that they do not lead to weaknesses or faults in the system. The following answers are incorrect: system maintenance. Incorrect because it is not the best answer. Configuration management does control changes to the system, but that is a means to the overall stability of the system rather than the objective. system operations. Incorrect because it is not the best answer; the overall stability of the system is much more important. system tracking. Incorrect because, while tracking changes is important, it is not the best answer. The overall stability of the system is much more important.
QUESTION 518 Which approach to a security program ensures that the people responsible for protecting the company's assets are DRIVING the program? A. The Delphi approach B. The top-down approach C. The bottom-up approach D. The technology approach
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management, work their way through middle management, and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company's assets (senior management) are driving the program. The following are incorrect answers: The Delphi approach is incorrect, as this is a consensus-building technique used in risk analysis, not a way of structuring a security program. The bottom-up approach is also incorrect, as this is the approach in which the IT department tries to develop a security program without proper support from upper management. The technology approach is also incorrect, as technology alone does not determine who drives the program. Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 63). McGraw-Hill. Kindle Edition.
QUESTION 549 What can best be defined as high-level statements, beliefs, goals and objectives? A. Standards B. Policies C. Guidelines D. Procedures
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Policies are high-level statements, beliefs, goals and objectives, and the general means for their attainment, for a specific subject area. Standards are mandatory activities, actions, rules or regulations designed to provide policies with the support structure and specific direction they require to be effective. Guidelines are more general statements of how to achieve the policy's objectives by providing a framework within which to implement procedures. Procedures spell out the specific steps of how the policy, the supporting standards and the guidelines will be implemented. Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.
QUESTION 500 What is called the probability that a threat to an information system will materialize? A. Threat B. Risk C. Vulnerability D. Hole
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Risk is the probability that a threat will materialize, that is, that a threat agent will exploit a vulnerability, together with the resulting impact. A threat is the potential danger itself, not its probability; a vulnerability is the weakness that allows the threat to materialize; and "hole" is an informal term for a vulnerability, not a defined risk management concept. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.
QUESTION 546 Computer security should be first and foremost which of the following: A. Cover all identified risks B. Be cost-effective. C. Be examined in both monetary and non-monetary terms. D. Be proportionate to the value of IT systems.
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Computer security should be first and foremost cost-effective. As for any organizational function, there is a need to measure its cost-effectiveness, to justify budget usage and to provide supporting arguments for the next budget claim. But organizations often have difficulty accurately measuring the effectiveness and the cost of their information security activities. The classical financial approach to ROI calculation is not particularly appropriate for measuring security-related initiatives: security is not generally an investment that results in a profit. Security is more about loss prevention. In other terms, when you invest in security, you don't expect benefits; you expect to reduce the risks threatening your assets. The concept of the ROI calculation applies to every investment, and security is no exception. Executive decision-makers want to know the impact security is having on the bottom line. In order to know how much they should spend on security, they need to know how much the lack of security is costing the business and what the most cost-effective solutions are. Applied to security, a Return On Security Investment (ROSI) calculation can provide quantitative answers to essential financial questions: Is the organization paying too much for its security? What financial impact could a lack of security have on productivity? When is the security investment enough? Is this security product or organisation beneficial? The following are other concerns about computer security but not the first and foremost: The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to the severity, probability, and extent of potential harm.
Requirements for security vary, depending upon the particular IT system. Therefore it does not make sense for computer security to cover all identified risks when the cost of the measures exceeds the value of the systems they are protecting. Reference(s) used for this question: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (page 6). and http://www.enisa.europa.eu/activities/cert/other-work/introduction-to-return-on-security-investment
QUESTION 496 Preservation of confidentiality within information systems requires that the information is not disclosed to: A. Authorized persons B. Unauthorized persons or processes. C. Unauthorized persons. D. Authorized persons and processes
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Confidentiality assures that the information is not disclosed to unauthorized persons or processes. "Unauthorized persons" alone is incomplete: a process (a service, a batch job, malware) that reads data it is not authorized to read is a confidentiality breach just as much as a person doing so. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31.
QUESTION 505 Related to information security, confidentiality is the opposite of which of the following? A. closure B. disclosure C. disposal D. disaster
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Confidentiality is the opposite of disclosure. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
QUESTION 489 Which must bear the primary responsibility for determining the level of protection needed for information systems resources? A. IS security specialists B. Senior management C. Senior security analysts D. Systems auditors
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: If there is no support from senior management to implement, execute, and enforce security policies and procedures, then they won't work. Senior management must be involved because they have an obligation to the organization to protect its assets. The requirement here is for management to show "due diligence" in establishing an effective compliance or security program. It is senior management that could face legal repercussions if they do not have sufficient controls in place. The following answers are incorrect: IS security specialists. Incorrect because it is not the best answer; specialists advise on and implement protection, but senior management bears the primary responsibility for determining the level of protection needed. Senior security analysts. Incorrect for the same reason; senior management bears the primary responsibility for determining the level of protection needed. Systems auditors. Incorrect because it is not the best answer; system auditors are responsible for verifying that the controls in place are effective, not for deciding the level of protection. Senior management bears the primary responsibility for determining the level of protection needed.
QUESTION 516 Which of the following would BEST be defined as an absence or weakness of a safeguard that could be exploited? A. A threat B. A vulnerability C. A risk D. An exposure
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: A vulnerability is a software, hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, an unpatched application or operating system, etc. The following answers are incorrect because: Threat: A threat is defined as a potential danger to information or systems. The threat is that someone or something will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a 'threat agent'. A threat agent could be an intruder accessing the network through a port on the firewall, or a process accessing data in violation of the security policy. Risk: A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. Exposure: An exposure is an instance of being exposed to losses from a threat agent. REFERENCES: SHON HARRIS, ALL IN ONE THIRD EDITION: Chapter 3: Security Management Practices, Pages: 57-59
QUESTION 521 Which of the following is given the responsibility of the maintenance and protection of the data? A. Data owner B. Data custodian C. User D. Security administrator
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: The data custodian is usually responsible for maintaining and protecting the data on behalf of the owner: performing backups, applying the access controls the owner has approved, and keeping the data available and intact. The following answers are incorrect: The data owner is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of the information. A user is any individual who routinely uses the data for work-related tasks. The security administrator's tasks include creating new system user accounts and implementing new security software. References: Shon Harris AIO v3, Chapter 3: Security Management Practices, Pages: 99 - 103
QUESTION 481 The control of communications test equipment should be clearly addressed by security policy for which of the following reasons? A. Test equipment is easily damaged. B. Test equipment can be used to browse information passing on a network. C. Test equipment is difficult to replace if lost or stolen. D. Test equipment must always be available for the maintenance personnel.
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Test equipment must be secured. Protocol analyzers, line monitors and similar tools, if in the wrong hands, can be used to "sniff" network traffic and to commit fraud. The storage and use of this equipment should be detailed in the security policy for this reason. The following answers are incorrect: Test equipment is easily damaged. Incorrect because it is not the best answer and, from a security point of view, not relevant. Test equipment is difficult to replace if lost or stolen. Incorrect because it is not the best answer and, from a security point of view, not relevant. Test equipment must always be available for the maintenance personnel. Incorrect because it is not the best answer and, from a security point of view, not relevant. References: OIG CBK Operations Security (pages 642 - 643)
QUESTION 490 Within the realm of IT security, which of the following combinations best defines risk? A. Threat coupled with a breach B. Threat coupled with a vulnerability C. Vulnerability coupled with an attack D. Threat coupled with a breach of security
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: The Answer: Threat coupled with a vulnerability. Threats are circumstances or actions with the ability to harm a system. They can destroy or modify data or result in a DoS. Threats by themselves are not acted upon unless there is a vulnerability that can be taken advantage of. Risk enters the equation when a vulnerability (flaw or weakness) exists in policies, procedures, personnel management, hardware, software or facilities and can be exploited by a threat agent. Vulnerabilities do not cause harm, but they leave the system open to harm. The combination of a threat with a vulnerability increases the risk to the system of an intrusion. The following answers are incorrect: Threat coupled with a breach. A threat is the potential that a particular threat source will take advantage of a vulnerability. A breach is a completed circumvention of security. Whether or not a breach is discovered, it has already occurred and is therefore not a risk of something occurring. A breach would quite often be termed an incident or intrusion. Vulnerability coupled with an attack. Vulnerabilities are weaknesses (flaws) in policies, procedures, personnel management, hardware, software or facilities that may result in a harmful intrusion into an IT system. An attack takes advantage of the flaw or vulnerability. Attacks are explicit attempts to violate security, and are more than risk because they are active. Threat coupled with a breach of security. This is a distractor. Although a threat agent may take advantage of (breach) vulnerabilities or flaws in system security, a threat coupled with a breach of security is more than a risk because it is active. The following reference(s) may be used to research the topics in this question: ISC2 OIG, 2007 p. 66-67 Shon Harris AIO v3 p. 71-72
QUESTION 545 What can be described as a measure of the magnitude of loss or impact on the value of an asset? A. Probability B. Exposure factor C. Vulnerability D. Threat
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: The exposure factor is a measure of the magnitude of loss or impact on the value of an asset, expressed as the percentage of the asset's value that a single occurrence of a threat would destroy. The probability is the chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur. A vulnerability is the absence or weakness of a risk-reducing safeguard. A threat is an event, the occurrence of which could have an undesired impact. Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 3, August 1999.
QUESTION 524 What are the three FUNDAMENTAL principles of security? A. Accountability, confidentiality and integrity B. Confidentiality, integrity and availability C. Integrity, availability and accountability D. Availability, accountability and confidentiality
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: The three fundamental principles of security are confidentiality, integrity and availability, commonly called the CIA triad. Accountability is an important security property, supported by identification, authentication and auditing, but it is not one of the three fundamental principles. The following answers are incorrect because: Accountability, confidentiality and integrity is not the correct answer, as accountability is not one of the fundamental principles of security. Integrity, availability and accountability is not the correct answer, as accountability is not one of the fundamental principles of security. Availability, accountability and confidentiality is not the correct answer, as accountability is not one of the fundamental objectives of security. References: Shon Harris AIO v3, Chapter 3: Security Management Practices, Pages: 49-52
QUESTION 494 How is Annualized Loss Expectancy (ALE) derived from a threat? A. ARO x (SLE - EF) B. SLE x ARO C. SLE/EF D. AV x EF
Correct Answer: B Section: Security and Risk Management Explanation Explanation/Reference: Three preliminary steps are undertaken in a quantitative risk assessment: initial management approval; construction of a risk assessment team; and the review of information currently available within the organization. There are a few formulas that you MUST understand for the exam. See them below: SLE (Single Loss Expectancy). Single loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit. The formula for calculating SLE is as follows: SLE = asset value (in $) x exposure factor (loss due to a successful threat exploit, as a %). Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of service (perhaps due to business continuity or security issues). ALE (Annualized Loss Expectancy). Next, the organization calculates the annualized rate of occurrence (ARO). This is done to provide an accurate calculation of annualized loss expectancy (ALE). ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year; it can be a fraction (an event expected once every ten years has an ARO of 0.1). When this is completed, the organization calculates the annualized loss expectancy (ALE). The ALE is the product of the yearly estimate for the exploit (ARO) and the loss in value of an asset from a single occurrence (SLE). The calculation follows: ALE = SLE x ARO. Note that this calculation can be adjusted for geographical differences using the local annual frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is now a value for ALE, it is possible to determine what the organization should spend, if anything, to apply a countermeasure for the risk in question. Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids. Countermeasure cost per year is easy and straightforward to calculate.
It is simply the cost of the countermeasure divided by the years of its life (i.e., use within the organization). Finally, the organization is able to compare the annual cost of the risk (the ALE) against the annual cost of the countermeasure, and the ALE remaining once the countermeasure is in place, and make objective decisions regarding countermeasure selection. The following were incorrect answers: All of the other choices were incorrect; AV x EF is the formula for SLE, not ALE. The following reference(s) were used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10048-10069). Auerbach Publications. Kindle Edition.
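The SLE, ALE and countermeasure comparison above carried through in code, as an added example that is not part of the original page or the cited CBK text. The asset values, exposure factors and countermeasure figures are constructed for illustration, and the `Countermeasure`, `countermeasure_value` and `pick_countermeasure` names are hypothetical. The selection rule is the one the text states: a countermeasure is worth buying only if the ALE it removes exceeds its annual cost, and among several options the one with the largest net annual value wins.

```python
"""Quantitative risk formulas: SLE = AV x EF, ALE = SLE x ARO, and the
countermeasure cost/benefit comparison (added example, not from the page)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. EF is the fraction of the asset's value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO may be fractional, e.g. 0.1 = once per ten years."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float            # purchase plus implementation cost (constructed figures)
    lifetime_years: float  # years of use within the organization
    ef_after: float        # exposure factor once the control is in place
    aro_after: float       # annual rate of occurrence once the control is in place

    @property
    def annual_cost(self):
        """Cost of the countermeasure divided by the years of its life."""
        return self.cost / self.lifetime_years


def countermeasure_value(asset_value, ef, aro, cm):
    """Net annual value of a control:
    ALE(before) - ALE(after) - annual cost of the control."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, cm.ef_after), cm.aro_after)
    return ale_before - ale_after - cm.annual_cost


def pick_countermeasure(asset_value, ef, aro, candidates):
    """Return the candidate with the largest positive net annual value, or None
    when every option costs more per year than the loss it prevents."""
    best, best_value = None, 0.0
    for cm in candidates:
        value = countermeasure_value(asset_value, ef, aro, cm)
        if value > best_value:
            best, best_value = cm, value
    return best


# Constructed scenario: a $500,000 asset, 40% loss per incident, one incident
# every four years.
ASSET_VALUE = 500_000.0
EF = 0.40
ARO = 0.25
CANDIDATES = [
    Countermeasure("backup and restore procedure", cost=60_000, lifetime_years=3,
                   ef_after=0.10, aro_after=0.25),
    Countermeasure("full redundant site", cost=400_000, lifetime_years=5,
                   ef_after=0.05, aro_after=0.10),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = {sle:,.0f}  ALE = {ale:,.0f}")
    for cm in CANDIDATES:
        print(f"{cm.name}: annual cost {cm.annual_cost:,.0f}, "
              f"net value {countermeasure_value(ASSET_VALUE, EF, ARO, cm):,.0f}")
    chosen = pick_countermeasure(ASSET_VALUE, EF, ARO, CANDIDATES)
    print("choose:", chosen.name if chosen else "nothing")
```

With the constructed figures the ALE is $50,000; the backup procedure costs $20,000 a year and leaves $12,500 of ALE, for a net value of $17,500, while the redundant site costs $80,000 a year, more than the entire risk it removes, so it is rejected.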
QUESTION 471 Which type of attack involves altering a system's Address Resolution Protocol (ARP) table so that it contains incorrect IP-to-MAC address mappings?
A. Reverse ARP
B. Poisoning ARP cache
C. ARP table poisoning
D. Reverse ARP table poisoning
Correct Answer: C
Section: Communication and Network Security
Explanation/Reference:
ARP table poisoning, also referred to as ARP cache poisoning, is the process of altering a system's ARP table so that it contains incorrect IP-to-MAC address mappings. Because hosts accept ARP replies without any authentication, a forged reply causes traffic intended for the legitimate holder of an IP address to be delivered to a different device instead. It is an effective way to fool systems into thinking that a certain device has a certain address, so that information can be sent to and captured on an attacker's computer (for example, by impersonating the default gateway).

The following answers are incorrect:
"Reverse ARP" (RARP) is the process of determining an IP address from a known MAC address; it is a protocol, not an attack.
"Poisoning ARP cache" is not the correct term.
"Reverse ARP table poisoning": there is no attack that goes by that name.

The following reference(s) were used to create this question: TestPrep Certified Information Systems Security Professional (CISSP) Skillsoft Course
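The detection side of the attack described above, as an added example in Python (this is not code from the exam guide or the Skillsoft course). A passive monitor learns the IP-to-MAC binding the first time it sees an IP, then alerts when a later ARP frame claims a different MAC for that IP, or when a single MAC claims more IPs than a threshold; this is the heuristic tools such as arpwatch use. The frame format, the threshold and every address below are assumptions made for the example, and the traffic is constructed.

```python
"""Detecting ARP cache poisoning from observed ARP frames (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpFrame:
    sender_ip: str
    sender_mac: str
    op: str = "reply"      # "request" or "reply"; both carry a sender binding


@dataclass
class ArpMonitor:
    max_ips_per_mac: int = 2                         # assumed threshold
    bindings: dict = field(default_factory=dict)     # ip -> first MAC seen
    ips_by_mac: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, frame: ArpFrame) -> list:
        """Process one frame; return the alerts it triggered (also kept in self.alerts)."""
        raised = []
        mac = frame.sender_mac.lower()
        known = self.bindings.get(frame.sender_ip)
        if known is None:
            # First sighting: trust on first use, exactly as a real ARP cache does.
            self.bindings[frame.sender_ip] = mac
        elif known != mac:
            raised.append(f"{frame.sender_ip} moved from {known} to {mac} ({frame.op})")
        self.ips_by_mac[mac].add(frame.sender_ip)
        if len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            raised.append(f"{mac} claims {len(self.ips_by_mac[mac])} IPs: "
                          f"{sorted(self.ips_by_mac[mac])}")
        self.alerts.extend(raised)
        return raised


def scan(frames) -> list:
    """Run a fresh monitor over a sequence of frames and return all alerts."""
    monitor = ArpMonitor()
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


# Constructed traffic: the gateway 10.0.0.1 is really at aa:aa:aa:aa:aa:01.
# The host at de:ad:be:ef:00:01 later claims the gateway's IP (the classic
# man-in-the-middle setup) and then another host's IP as well.
SAMPLE_FRAMES = [
    ArpFrame("10.0.0.1", "AA:AA:AA:AA:AA:01"),
    ArpFrame("10.0.0.7", "aa:aa:aa:aa:aa:07"),
    ArpFrame("10.0.0.9", "de:ad:be:ef:00:01", "request"),
    ArpFrame("10.0.0.1", "de:ad:be:ef:00:01"),           # poisoned gateway entry
    ArpFrame("10.0.0.7", "de:ad:be:ef:00:01"),           # second victim
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

Legitimate events (DHCP lease churn, a replaced NIC, VRRP failover) also change a binding, so a monitor like this needs an allow-list and tuning before its alerts are actionable. The preventive controls are static ARP entries for critical hosts such as the gateway and, on managed switches, Dynamic ARP Inspection backed by DHCP snooping, which drops ARP replies that contradict the switch's own IP-to-MAC table.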
QUESTION 460 This OSI layer has a service that negotiates transfer syntax and translates data to and from the transfer syntax for users, which may represent data using different syntaxes. At which of the following layers would you find such a service?
A. Session
B. Transport
C. Presentation
D. Application
Correct Answer: C
Section: Communication and Network Security
Explanation/Reference:
The presentation layer is responsible for taking information from the application-layer protocols and putting it in a form suitable for the application to process. The presentation-layer implementation of the OSI protocol suite consists of a presentation protocol and a presentation service. The presentation protocol allows presentation-service users (PS-users) to communicate with the presentation service. A PS-user is an entity that requests the services of the presentation layer. Such requests are made at Presentation-Service Access Points (PSAPs), and PS-users are uniquely identified by PSAP addresses.

The presentation service negotiates transfer syntax and translates data to and from the transfer syntax for PS-users, which may represent data using different syntaxes. Two PS-users use the presentation service to agree upon the transfer syntax that will be used. Once a transfer syntax is agreed upon, presentation-service entities must translate the data from the PS-user into that transfer syntax.

The OSI presentation-layer service is defined in the ISO 8822 standard and in the ITU-T X.216 recommendation. The OSI presentation protocol is defined in the ISO 8823 standard and in the ITU-T X.226 recommendation. A connectionless version of the presentation protocol is specified in the ISO 9576 standard.

To remember the OSI layers you can use the following mnemonics. From the bottom (Physical, Layer 1) up to the top (Application, Layer 7): Please Do Not Throw Sausage Pizza Away. From the top down: All People Seem To Need Data Processing. Both map to: 1. Physical, 2. Data Link, 3. Network, 4. Transport, 5. Session, 6. Presentation, 7. Application.

The following answers are incorrect:
Transport: responsible for providing end-to-end data transport services and establishing the logical connection between COMPUTERS; for example TCP and UDP.
Session: responsible for maintaining the connection between two APPLICATIONS during the data transfer; for example NFS and RPC.
Application: works closest to the application; it does not itself contain applications but rather the protocols that support them. For example, HTTP works at this layer, while the applications it supports are browsers such as Internet Explorer, Mozilla Firefox, Opera and Chrome.

The following reference(s) were used to create this question: http://www.cisco.com/cpress/cc/td/cpress/fund/ith2nd/it2432.htm and http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29
QUESTION 478 Which of the following attacks is MOST often performed by an attacker to steal a user's identity information, such as credit card numbers, passwords, etc.?
A. Smurf attack
B. Traffic analysis
C. Pharming
D. Interrupt attack
Correct Answer: C
Section: Communication and Network Security
Explanation/Reference:
Pharming is a cyber attack intended to redirect a website's traffic to another, bogus site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software. DNS servers are the computers responsible for resolving Internet names into their real IP addresses; compromised DNS servers are sometimes referred to as "poisoned". The hosts-file variant requires access to the target computer, so it is typically used against a customer's home computer rather than a corporate business server. The term "pharming" is a neologism based on the words "farming" and "phishing". Phishing is a type of social-engineering attack used to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become a major concern to businesses hosting e-commerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat; antivirus software and spyware removal software cannot protect against pharming.

For your exam you should know the information below:

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Spear phishing: phishing attempts directed at specific individuals or companies are termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.

Link manipulation: most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the example URL http://www.yourbank.example.com/, it appears as though the URL will take you to the "example" section of the yourbank website; in fact, because the registrable domain is example.com, the URL points to a "yourbank" host (i.e. the phishing site) within the example.com domain. Another common trick is to make the displayed text of a link (the text between the <a href> tags) suggest a reliable destination when the link actually goes to the phisher's site. For instance, a link whose displayed text reads //en.wikipedia.org/wiki/Genuine appears to direct the user to an article entitled "Genuine", while its href actually takes the user to the article entitled "Deception". In the lower left-hand corner of most browsers, users can preview and verify where a link will take them. Hovering the cursor over the link for a couple of seconds may show similar information, but that text can also be set by the phisher through the HTML title attribute (the tooltip).

Website forgery: once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening a new one showing the legitimate URL. An attacker can even use flaws in a trusted website's own scripts against the victim. These attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank's or service's own web page, where everything from the web address to the security certificate appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge.

The following answers are incorrect:
Smurf attack: occurs when a misconfigured network device allows packets to be sent to all hosts on a particular network via the network's broadcast address; with a spoofed source address, every host's reply floods the victim.
Traffic analysis: the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.
Interrupt attack: occurs when a malicious action is performed by invoking the operating system to execute a particular system call.

The following reference(s) were used to create this question: CISA Review Manual 2014, page 323; Official (ISC)2 Guide to the CISSP CBK, 3rd Edition, page 326; http://en.wikipedia.org/wiki/Phishing; http://en.wikipedia.org/wiki/Pharming
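Two checks for the tricks just described, as an added Python example (not code from the exam guide or from the Wikipedia articles it cites). suspicious_links() parses the anchors in an HTML body and flags link text that looks like a URL but whose domain differs from the href's domain, and hrefs in which a watched brand name appears only as a subdomain label of some other domain (the www.yourbank.example.com trick). hosts_overrides() audits hosts-file text for watched domains pinned to an address, which is how local pharming bypasses DNS. registrable_domain() is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup; the brand list, the HTML body and the hosts file are constructed for the example.

```python
"""Link-manipulation and hosts-file pharming checks (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that "looks like" a URL: optional scheme, dotted host, optional path.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Simplified: last two labels (a real tool would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host(url: str) -> str:
    url = url.strip()
    if "://" not in url:
        url = "http://" + url.lstrip("/")
    return (urlsplit(url).hostname or "").lower()


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, watched_brands) -> list:
    """Return (reason, detail, href) tuples for links using the tricks above."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        # Trick 1: displayed text is a URL whose domain is not the href's domain.
        if _URLISH.match(text) and registrable_domain(_host(text)) != registrable_domain(href_host):
            findings.append(("text/href domain mismatch", text, href))
        # Trick 2: the brand is present, but only as a subdomain of someone else's domain.
        labels = href_host.split(".")
        reg_labels = registrable_domain(href_host).split(".")
        for brand in watched_brands:
            if brand in labels and brand not in reg_labels:
                findings.append(("brand used as subdomain", brand, href))
    return findings


def hosts_overrides(hosts_text: str, watched_domains) -> list:
    """Return (address, name) for hosts-file entries that pin a watched domain."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            n = name.lower().rstrip(".")
            if any(n == d or n.endswith("." + d) for d in watched_domains):
                hits.append((addr, n))
    return hits


# Constructed phishing mail body: one subdomain trick, one text/href mismatch
# that also uses the brand as a subdomain, and one genuine link.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://www.yourbank.example.com/login">log in</a>
at <a href="http://yourbank.com.evil.net/login">https://www.yourbank.com/login</a>
or read the <a href="https://www.yourbank.com/help">help page</a>.</p>
"""

# Constructed hosts file with a pharming entry for the bank.
SAMPLE_HOSTS = """
127.0.0.1       localhost
# added by malware
203.0.113.10    www.yourbank.com yourbank.com
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, ["yourbank"]):
        print("LINK:", finding)
    for hit in hosts_overrides(SAMPLE_HOSTS, ["yourbank.com"]):
        print("HOSTS:", hit)
```

Neither check catches a lookalike registered domain (yourbank-secure.com, or a homoglyph of yourbank.com), which is why the text's advice to verify the real destination before entering credentials still applies.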
QUESTION 466 At which OSI layer does SSL reside?
A. Application
B. Session
C. Transport
D. Network
Correct Answer: C
Section: Communication and Network Security
Explanation/Reference:
SSL (and its successor TLS) runs on top of a reliable transport such as TCP and below the application protocol it protects (HTTP carried over SSL/TLS is HTTPS). For exam purposes it is therefore placed at the transport layer, although some texts put it at the session layer because it establishes and maintains a secure session.

The following answers are incorrect:
Application: SSL resides in the transport layer.
Session: while SSL does straddle both the session and transport layers, for exam purposes choose transport.
Network: SSL resides in the transport layer.

The following reference(s) were used to create this question: All In One CISSP Exam Guide by Shon Harris, Chapter 7, pg 493
QUESTION 468 Which of the following lists only protocols that offer native encryption?
A. IPSEC, SSH, PPTP, SSL, MPLS, L2F, and L2TP
B. IPSEC, SSH, SSL, TFTP
C. IPSEC, SSH, SSL, TLS
D. IPSEC, SSH, PPTP, SSL, MPLS, and L2TP
Correct Answer: C
Section: Communication and Network Security
Explanation/Reference:
IPSEC, SSH, SSL and TLS all provide encryption as part of the protocol itself.

The following answers are incorrect:
IPSEC, SSH, PPTP, SSL, MPLS, and L2TP is incorrect because L2TP and PPTP do NOT offer encryption natively.
IPSEC, SSH, SSL, TFTP is incorrect because TFTP does not offer encryption.
IPSEC, SSH, PPTP, SSL, MPLS, L2F, and L2TP is incorrect because MPLS, L2F, and L2TP do NOT offer encryption.

NOTE: PPTP does not provide encryption natively. It is MPPE from Microsoft that provides the encryption. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP connections can be over a dial-up line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC). MPPC is a scheme used to compress PPP packets between client devices; the MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections. MPPE is negotiated using bits in the MPPC option within the Compression Control Protocol (CCP) MPPC configuration option (CCP configuration option number 18). MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext authentication password of the user, so the strength of MPPE is bounded by that password and by the MS-CHAP exchange that carries it; PPTP with MPPE is no longer considered secure for production use. RC4 is a stream cipher; therefore, the encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE is fully interoperable with that of Microsoft and uses all available options, including historyless mode. Historyless mode can increase throughput in lossy environments such as VPNs, because neither side needs to send CCP Reset-Requests to synchronize encryption contexts when packets are lost.

The following reference(s) were used to create this question: Official (ISC)2 Guide to the CISSP CBK, Third Edition, pages 874 and 355 (IPSEC), 360 (SSH), 359 (PPTP), 362 (SSL), 361 (SOCKS), 360 (L2TP), and http://www.cisco.com/en/US/products/ps6587/products_white_paper09186a008019bf38.shtml#15190
QUESTION 542 The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a(n)?
A. Threat
B. Exposure
C. Vulnerability
D. Risk
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
A vulnerability is a weakness in a system, or the absence of a safeguard, that can be exploited by a threat. The other terms are distinct: a threat is the potential for a threat agent to exploit such a weakness, an exposure is an instance of being open to loss through it, and risk is the likelihood of the threat exploiting the vulnerability combined with the resulting impact.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 237.
QUESTION 538 What is the difference between Advisory and Regulatory security policies?
A. There is no difference between them
B. Regulatory policies are high-level policy, while advisory policies are very detailed
C. Advisory policies are not mandated. Regulatory policies must be implemented.
D. Advisory policies are mandated while Regulatory policies are not
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Advisory policies are security policies that are not mandated but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company with such policies wants most employees to consider them mandatory. Most policies fall under this broad category. Advisory policies can have many exclusions or application levels; thus, they can control some employees more than others, according to their roles and responsibilities within the organization. For example, a policy that requires a certain procedure for transaction processing might allow for an alternative procedure under certain specified conditions.

Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. Such organizations might be financial institutions, public utilities, or some other type of organization that operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates. Regulatory policies commonly have two main purposes:
1. To ensure that an organization is following the standard procedures or base practices of operation in its specific industry
2. To give an organization the confidence that it is following the standard and accepted industry policy

Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption, but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.

References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 12, Chapter 1: Security Management Practices. Also see: The CISSP Prep Guide: Mastering the Ten Domains of Computer Security by Ronald L. Krutz, Russell Dean Vines, Edward M. Stroz. Also see: http://i-data-recovery.com/information-security/information-security-policies-standards-guidelines-and-procedures
QUESTION 548 Who is responsible for initiating corrective measures and capabilities used when there are security violations?
A. Information systems auditor
B. Security administrator
C. Management
D. Data owners
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Management is responsible for protecting all assets that are directly or indirectly under its control. It must ensure that employees understand their obligations to protect the company's assets, and must implement security in accordance with company policy. Finally, management is responsible for initiating corrective actions when there are security violations.
Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.
QUESTION 511 Which of these statements about the key elements of a good configuration management process is NOT true?
A. Accommodate the reuse of proven standards and best practices
B. Ensure that all requirements remain clear, concise, and valid
C. Control modifications to system hardware in order to prevent resource changes
D. Ensure changes, standards, and requirements are communicated promptly and precisely
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Configuration management is not about preventing change but about ensuring the integrity of IT resources by preventing unauthorized or improper changes, so controlling hardware modifications "in order to prevent resource changes" misstates its purpose. According to the Official (ISC)2 Guide to the CISSP exam, a good CM process is one that can: (1) accommodate change; (2) accommodate the reuse of proven standards and best practices; (3) ensure that all requirements remain clear, concise, and valid; (4) ensure that changes, standards, and requirements are communicated promptly and precisely; and (5) ensure that the results conform to each instance of the product.

Configuration management (CM) is the detailed recording and updating of information that describes an enterprise's computer systems and networks, including all hardware and software components. Such information typically includes the versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices. Special configuration management software is available. When a system needs a hardware or software upgrade, a technician can access the configuration management program and database to see what is currently installed and make a more informed decision about the upgrade needed. An advantage of a configuration management application is that the entire collection of systems can be reviewed to make sure that changes made to one system do not adversely affect any of the other systems. Configuration management is also used in software development, where one well-known variant is called Unified Configuration Management (UCM); using UCM, developers can keep track of the source code, documentation, problems, changes requested, and changes made.

Change management: in a computer system environment, change management refers to a systematic approach to keeping track of the details of the system (for example, what operating system release is running on each computer and which fixes have been applied) and to authorizing and recording the changes made to it.
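The integrity check a CM database enables, as an added Python example (not code from the exam guide or from any CM product). It fingerprints every configuration item, diffs the result against the recorded baseline, and then sorts each difference into "approved" (covered by a change record) or "unapproved" (an integrity problem to investigate), so that change is accommodated while unauthorized change is surfaced. The file contents, paths and ticket numbers are constructed for the example.

```python
"""Configuration baseline comparison with change-control reconciliation (added example)."""
import hashlib


def fingerprint(items: dict) -> dict:
    """Map each configuration item (path -> bytes) to the SHA-256 of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in items.items()}


def compare(baseline: dict, current: dict, approved: dict) -> dict:
    """Diff two fingerprint maps.

    approved maps path -> change ticket for modifications that went through
    change control. Returns {'approved': [...], 'unapproved': [...]} where each
    entry is (path, kind, ticket) and kind is 'added', 'removed' or 'modified'.
    """
    report = {"approved": [], "unapproved": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        bucket = "approved" if path in approved else "unapproved"
        report[bucket].append((path, kind, approved.get(path)))
    return report


def promote(baseline: dict, current: dict, report: dict) -> dict:
    """Return a new baseline that absorbs approved changes only; unapproved
    differences keep being reported until they are reverted or approved."""
    new_baseline = dict(baseline)
    for path, kind, _ticket in report["approved"]:
        if kind == "removed":
            new_baseline.pop(path, None)
        else:
            new_baseline[path] = current[path]
    return new_baseline


# Constructed state of three config files at baseline time ...
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/app/feature.conf": b"beta=off\n",
}
# ... and now. feature.conf was changed under ticket CHG-1042; the sshd change
# and the new cron job have no change record.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/app/feature.conf": b"beta=on\n",
    "/etc/cron.d/unknown-job": b"* * * * * root /tmp/x\n",
}
APPROVED_CHANGES = {"/etc/app/feature.conf": "CHG-1042"}


def run_check() -> dict:
    """Compare the constructed current state against the constructed baseline."""
    return compare(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES), APPROVED_CHANGES)


if __name__ == "__main__":
    result = run_check()
    for path, kind, ticket in result["approved"]:
        print(f"OK        {kind:8} {path} ({ticket})")
    for path, kind, _ in result["unapproved"]:
        print(f"VIOLATION {kind:8} {path}")
```

Keeping the baseline and the approved-change list outside the managed host (in the CM database, signed or write-protected) matters: an attacker who can edit the configuration can otherwise edit the baseline to match.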
QUESTION 544 Controls are implemented to:
A. eliminate risk and reduce the potential for loss
B. mitigate risk and eliminate the potential for loss
C. mitigate risk and reduce the potential for loss
D. eliminate risk and eliminate the potential for loss
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that have been the victims of harmful attacks. It is not feasible to eliminate all risk and all potential for loss, because risks and threats are constantly changing.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
QUESTION 485 Who is ultimately responsible for the security of computer-based information systems within an organization?
A. The tech support team
B. The operations team
C. The management team
D. The training team
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
If there is no support from management to implement, execute, and enforce security policies and procedures, then they will not work. Senior management must be involved because it has an obligation to the organization to protect its assets. The requirement here is for management to show "due diligence" in establishing an effective compliance or security program.

The following answers are incorrect:
The tech support team: incorrect because the ultimate responsibility for the security of computer-based information systems lies with management.
The operations team: incorrect for the same reason; ultimate responsibility lies with management.
The training team: incorrect for the same reason; ultimate responsibility lies with management.

Reference(s) used for this question: OIG CBK, Information Security Management and Risk Management (pages 20-22)
QUESTION 513 Which of the following is NOT a technical control?
A. Password and resource management
B. Identification and authentication methods
C. Monitoring for physical intrusion
D. Intrusion Detection Systems
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Monitoring for physical intrusion is considered to be a physical control. There are three broad categories of access control: administrative, technical, and physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data. Each category of access control has several components that fall within it; a partial list is shown here. Not all controls fall into a single category; many controls will be in two or more categories. Backups are an example that appears in all three:

Administrative controls
· Policy and procedures (a backup policy would be in place)
· Personnel controls
· Supervisory structure
· Security-awareness training
· Testing

Physical controls
· Network segregation
· Perimeter security
· Computer controls
· Work area separation
· Data backups (the actual storage of the media, i.e. an offsite storage facility)
· Cabling

Technical controls
· System access
· Network architecture
· Network access
· Encryption and protocols
· Control zone
· Auditing
· Backup (the actual software doing the backups)

The following answers are incorrect:
Password and resource management is considered to be a logical or technical control.
Identification and authentication methods are considered to be a logical or technical control.
Intrusion Detection Systems are considered to be a logical or technical control.

Reference: Shon Harris, AIO v3, Chapter 4: Access Control, Pages 180-185
QUESTION 487 Who should measure the effectiveness of Information System security related controls in an organization?
A. The local security specialist
B. The business manager
C. The systems auditor
D. The central security manager
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
It is the systems auditor who should lead the effort to ensure that the security controls are in place and effective. The audit verifies that the controls comply with policies, procedures, laws, and regulations where applicable, and the findings are reported to senior management.

The following answers are incorrect:
The local security specialist: incorrect because an independent review should take place by a third party. The security specialist might offer mitigation strategies, but it is the auditor who ensures the effectiveness of the controls.
The business manager: incorrect because the business manager is responsible for ensuring that the controls are in place, but it is the auditor who ensures their effectiveness.
The central security manager: incorrect because the central security manager is responsible for implementing the controls, but it is the auditor who is responsible for ensuring their effectiveness.
QUESTION 530 Which of the following embodies all the detailed actions that personnel are required to follow?
A. Standards
B. Guidelines
C. Procedures
D. Baselines
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Procedures are step-by-step instructions in support of the policies, standards, guidelines and baselines. A procedure indicates how the policy will be implemented and who does what to accomplish the tasks.
Standards is incorrect. Standards are mandatory statements of minimum requirements that support some part of a policy; the standards in this case are your own company's standards, not external standards such as the ISO standards.
Guidelines is incorrect. Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions.
Baselines is incorrect. Baselines are a minimum acceptable level of security. This minimum is implemented using specific rules necessary to implement the security controls in support of the policy and standards. For example, requiring a password of at least 8 characters would be a baseline. Requiring all users to have at minimum an antivirus, a personal firewall, and an anti-spyware tool could be another example.
References: CBK, pp. 12-16. Note especially the discussion of the "hammer policy" on pp. 16-17 for the differences between policy, standard, guideline and procedure. AIO3, pp. 88-93.
QUESTION 547 Which of the following best allows risk management results to be used knowledgeably?
A. A vulnerability analysis
B. A likelihood assessment
C. An uncertainty analysis
D. A threat identification
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Risk management consists of two primary activities and one underlying activity: risk assessment and risk mitigation are the primary activities, and uncertainty analysis is the underlying one. After performing risk assessment and mitigation, an uncertainty analysis should be performed. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. A documented uncertainty analysis allows the risk management results to be used knowledgeably.
A vulnerability analysis, likelihood assessment and threat identification are all parts of the collection and analysis of data within risk assessment, one of the primary activities of risk management.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (pages 19-21).
QUESTION 501 Risk mitigation and risk reduction controls for providing information security are classified within three main categories. Which of the following are they?
A. preventive, corrective, and administrative
B. detective, corrective, and physical
C. physical, technical, and administrative
D. administrative, operational, and logical
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Security is generally defined as freedom from danger or as the condition of safety. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction, and the protection of the computer system itself against unauthorized use, modification, or denial of service. Because certain computer security controls inhibit productivity, security is typically a compromise toward which security practitioners, system users, and system operations and administrative personnel work to achieve a satisfactory balance between security and productivity.

Controls for providing information security can be physical, technical, or administrative. These three categories of controls can be further classified as either preventive or detective. Preventive controls attempt to avoid the occurrence of unwanted events, whereas detective controls attempt to identify unwanted events after they have occurred. Preventive controls inhibit the free use of computing resources and therefore can be applied only to the degree that the users are willing to accept. Effective security awareness programs can help increase users' level of tolerance for preventive controls by helping them understand how such controls enable them to trust their computing systems. Common detective controls include audit trails, intrusion detection methods, and checksums.

Three other types of controls supplement preventive and detective controls. They are usually described as deterrent, corrective, and recovery. Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities, or threats of consequences that influence a potential intruder not to violate security (e.g., threats ranging from embarrassment to severe punishment). Corrective controls either remedy the circumstances that allowed the unauthorized activity or return conditions to what they were before the violation. Execution of corrective controls could result in changes to existing physical, technical, and administrative controls. Recovery controls restore lost computing resources or capabilities and help the organization recover monetary losses caused by a security violation.

Deterrent, corrective, and recovery controls are considered to be special cases within the major categories of physical, technical, and administrative controls; they do not clearly belong in either the preventive or the detective category. For example, it could be argued that deterrence is a form of prevention because it can cause an intruder to turn away; however, deterrence also involves detecting violations, which may be what the intruder fears most. Corrective controls, on the other hand, are not preventive or detective, but they are clearly linked with technical controls when antivirus software eradicates a virus, or with administrative controls when backup procedures enable restoring a damaged database. Finally, recovery controls are neither preventive nor detective but are included in administrative controls as disaster recovery or contingency plans.

Reference(s) used for this question: Handbook of Information Security Management, Hal Tipton,
QUESTION 543 In the CIA triad, what does the letter A stand for?
A. Auditability
B. Accountability
C. Availability
D. Authentication
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
The CIA triad stands for Confidentiality, Integrity and Availability. Authentication, accountability and auditability are related security services, but none of them is the "A" of the triad.
QUESTION 536 Which of the following are the steps usually followed in the development of documents such as security policy, standards and procedures?
A. design, development, publication, coding, and testing
B. design, evaluation, approval, publication, and implementation
C. initiation, evaluation, development, approval, publication, implementation, and maintenance
D. feasibility, development, approval, implementation, and integration
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
The common steps used in the development of a security policy are initiation of the project, evaluation, development, approval, publication, implementation, and maintenance. The other choices listed are phases of the software development life cycle, not the steps used to develop documents such as policies, standards, etc.
Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.
QUESTION 532 What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%? A. $300,000 B. $150,000 C. $60,000 D. $1,500
Correct Answer: C Section: Security and Risk Management Explanation/Reference: The cost of a countermeasure should not be greater than the risk it mitigates (ALE). For a quantitative risk assessment, the equation is ALE = ARO x SLE, where the SLE is calculated as the product of asset value x exposure factor. An event that happens once every five years would have an ARO of .2 (1 divided by 5). SLE = Asset Value (AV) x Exposure Factor (EF): SLE = 1,000,000 x .30 = 300,000. ALE = SLE x Annualized Rate of Occurrence (ARO): ALE = 300,000 x .2 = 60,000. Know your acronyms: ALE -- Annual loss expectancy; ARO -- Annual rate of occurrence; SLE -- Single loss expectancy. The following are incorrect answers: $300,000 is incorrect. See the explanation of the correct answer for the correct calculation. $150,000 is incorrect. See the explanation of the correct answer for the correct calculation. $1,500 is incorrect. See the explanation of the correct answer for the correct calculation. Reference(s) used for this question: McGraw-Hill, Shon Harris, CISSP All In One (AIO) book, Sixth Edition, Pages 87-88 and Official ISC2 Guide to the CISSP Exam (OIG), Pages 60-61
QUESTION 525 What would BEST define risk management? A. The process of eliminating the risk B. The process of assessing the risks C. The process of reducing risk to an acceptable level D. The process of transferring risk
Correct Answer: C Section: Security and Risk Management Explanation/Reference: This is the basic process of risk management. Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree. The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable. Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management (IRM) policy and a delegated IRM team. Once you've identified your company's acceptable level of risk, you need to develop an information risk management policy. The IRM policy should be a subset of the organization's overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security.
The IRM policy should address the following items:
· Objectives of IRM team
· Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article)
· Formal processes of risk identification
· Connection between the IRM policy and the organization's strategic planning processes
· Responsibilities that fall under IRM and the roles that are to fulfill them
· Mapping of risk to internal controls
· Approach for changing staff behaviors and resource allocation in response to risk analysis
· Mapping of risks to performance targets and budgets
· Key indicators to monitor the effectiveness of controls
Shon Harris provides a 10,000-foot view of the risk management process below: A big question that companies have to deal with is, "What is enough security?" This can be restated as, "What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security unless you know your necessary baseline risk level. To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company's acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.
Although there are different methodologies for enterprise risk management, the core components of any risk analysis are made up of the following:
· Identify company assets
· Assign a value to each asset
· Identify each asset's vulnerabilities and associated threats
· Calculate the risk for the identified assets
Once these steps are finished, the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out a cost/benefit analysis for these countermeasures and report their findings to senior management. When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:
· Physical damage: Fire, water, vandalism, power loss, and natural disasters
· Human interaction: Accidental or intentional action or inaction that can disrupt productivity
· Equipment malfunction: Failure of systems and peripheral devices
· Inside and outside attacks: Hacking, cracking, and attacking
· Misuse of data: Sharing trade secrets, fraud, espionage, and theft
· Loss of data: Intentional or unintentional loss of information through destructive means
· Application error: Computation errors, input errors, and buffer overflows
The following answers are incorrect: The process of eliminating the risk is not the best answer as risk cannot be totally eliminated. The process of assessing the risks is also not the best answer. The process of transferring risk is also not the best answer; it is one of the ways of handling a risk after a risk analysis has been performed. References: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Page: 66-68 and http://searchsecurity.techtarget.com/tip/Understanding-risk
QUESTION 520 How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk? A. Reject the risk B. Perform another risk analysis C. Accept the risk D. Reduce the risk
Correct Answer: C Section: Security and Risk Management Explanation/Reference: Accepting the risk means the company understands the level of risk it faces. The following answers are incorrect because: Reject the risk is incorrect as it means ignoring the risk, which is dangerous. Perform another risk analysis is also incorrect as the existing risk analysis has already shown the results. Reduce the risk is incorrect because it is what applies after implementing the countermeasures. Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Page: 39
QUESTION 451 Which of the following is the primary security feature of a proxy server? A. Virus Detection B. URL blocking C. Route blocking D. Content filtering
Correct Answer: D Section: Communication and Network Security Explanation/Reference: In many organizations, the HTTP proxy is used as a means to implement content filtering, for instance, by logging or blocking traffic that has been defined as, or is assumed to be, nonbusiness related for some reason. Although filtering on a proxy server or firewall as part of a layered defense can be quite effective to prevent, for instance, virus infections (though it should never be the only protection against viruses), it will be only moderately effective in preventing access to unauthorized services (such as certain remote-access services or file sharing), as well as preventing the download of unwanted content. HTTP Tunneling. HTTP tunneling is technically a misuse of the protocol on the part of the designer of such tunneling applications. It has become a popular feature with the rise of the first streaming video and audio applications and has been implemented into many applications that have a market need to bypass user policy restrictions. Usually, HTTP tunneling is applied by encapsulating outgoing traffic from an application in an HTTP request and incoming traffic in a response. This is usually not done to circumvent security, but rather, to be compatible with existing firewall rules and allow an application to function through a firewall without the need to apply special rules or additional configurations. The following are incorrect choices: Virus Detection: A proxy is not best at detecting malware and viruses within content. An antivirus product would be used for that purpose. URL blocking: This would be a subset of proxying; based on the content, some URLs may be blocked by the proxy, but it is not doing filtering based on URL addresses only. This is not the BEST answer. Route blocking: This is a function that would be done by Intrusion Detection and Intrusion Prevention Systems and not the proxy.
This could be done by filtering devices such as Firewalls and Routers as well. Again, not the best choice. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 6195-6201). Auerbach Publications. Kindle Edition.
QUESTION 453 Which of the following packets should NOT be dropped at a firewall protecting an organization's internal network? A. Inbound packets with Source Routing option set B. Router information exchange protocols C. Inbound packets with an internal address as the source IP address D. Outbound packets with an external destination IP address
Correct Answer: D Section: Communication and Network Security Explanation/Reference: Normal outbound traffic has an internal source IP address and an external destination IP address. Traffic with an internal source IP address should only come from an internal interface. Such packets coming from an external interface should be dropped. Packets with the source-routing option enabled usually indicate a network intrusion attempt. Router information exchange protocols like RIP and OSPF should be dropped to keep internal routing equipment from being reconfigured by external agents. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 10: The Perfect Firewall.
QUESTION 450 Which of the following NAT firewall translation modes offers no protection from hacking attacks to an internal host using this functionality? A. Network redundancy translation B. Load balancing translation C. Dynamic translation D. Static translation
Correct Answer: D Section: Communication and Network Security Explanation/Reference: Static translation (also called port forwarding) assigns a fixed address to a specific internal network resource (usually a server). Static NAT is required to make internal hosts available for connection from external hosts. It merely replaces address and port information on a one-to-one basis. This affords no protection to statically translated hosts: hacking attacks will be just as efficiently translated as any other valid connection attempt. NOTE FROM CLEMENT: Hiding NAT or overloaded NAT is when you have a group of users behind a single public IP address. This will provide you with some security through obscurity, where an attacker scanning your network would see the single IP address on the outside of the gateway but could not tell if there is one user, ten users, or hundreds of users behind that IP. NAT was NEVER built as a security mechanism. In the case of Static NAT used for some of your servers, for example, your web server's private IP is mapped to a valid external public IP on a one-to-one basis, your SMTP server's private IP is mapped to a static public IP, and so on. If an attacker scans the IP address range on the external side of the gateway he would discover every single one of your servers or any other hosts using static NAT. Ports that are open, services that are listening, and all of this information could be gathered just as if the server was in fact using a public IP. It does not provide the security through obscurity mentioned above. All of the other answers are incorrect. Reference used for this question: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 7: Network Address Translation.
QUESTION 461 At which layer of ISO/OSI does fiber optics work? A. Network layer B. Transport layer C. Data link layer D. Physical layer
Correct Answer: D Section: Communication and Network Security Explanation/Reference: The Answer: Physical layer. The Physical layer is responsible for the transmission of the data through the physical medium. This includes such things as cables. Fiber optics is a cabling mechanism which works at the Physical layer of the OSI model. All of the other answers are incorrect. The following reference(s) were/was used to create this question: Shon Harris All in One - Chapter 7 (Cabling)
QUESTION 458 Which of the following is NOT a way to secure a wireless network? A. Disable broadcast of SSID within AP's configuration B. Change AP's default values C. Put the access points (AP) in a location protected by a firewall D. Give AP's descriptive names
Correct Answer: D Section: Communication and Network Security Explanation/Reference: The SSID of the AP has very little value when it comes to security. In fact, using descriptive names such as your company name would make you a more likely target in some cases. The SSID is sent in clear text within the packets. It is not a security mechanism. The following answers are incorrect: All other choices would improve your AP security.
QUESTION 470 Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer? A. LCL and MAC; IEEE 802.2 and 802.3 B. LCL and MAC; IEEE 802.1 and 802.3 C. Network and MAC; IEEE 802.1 and 802.3 D. LLC and MAC; IEEE 802.2 and 802.3
Correct Answer: D Section: Communication and Network Security Explanation/Reference: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 802.2 specification. It communicates with the network layer, which is immediately above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer. Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. When you see a reference to an IEEE standard, such as 802.11 or 802.16, it refers to the protocol working at the MAC sublayer of the data link layer of the protocol stack. The following answers are incorrect: LCL and MAC; IEEE 802.2 and 802.3 is incorrect because LCL is a distracter. The correct acronym for the upper sublayer of the data link layer is LLC. It stands for the Logical Link Control. By providing multiplexing and flow control mechanisms, the LLC enables the coexistence of network protocols within a multipoint network and their transportation over the same network media. LCL and MAC; IEEE 802.1 and 802.3 is incorrect because LCL is a distracter. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). Furthermore, the LLC is defined in the IEEE 802.2 specification, not 802.1. The IEEE 802.1 specifications are concerned with protocol layers above the MAC and LLC layers. It addresses LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security, etc.
Network and MAC; IEEE 802.1 and 802.3 is incorrect because network is not a sublayer of the data link layer. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC sits between the network layer (the layer immediately above the data link layer) and the MAC sublayer. Also, the LLC is defined in the IEEE 802.2 specification, not IEEE 802.1. As just explained, 802.1 standards address areas of LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security. The IEEE 802.1 group's four active task groups are Internetworking, Security, Audio/Video Bridging, and Data Center Bridging. The following reference(s) were/was used to create this question: http://en.wikipedia.org/wiki/OSI_model
QUESTION 533 Which of the following statements pertaining to quantitative risk analysis is false? A. Portion of it can be automated B. It involves complex calculations C. It requires a high volume of information D. It requires little experience to apply
Correct Answer: D Section: Security and Risk Management Explanation/Reference: Assigning the values for the inputs to a purely quantitative risk assessment requires both a lot of time and significant experience on the part of the assessors. The most experienced employees or representatives from each of the departments would be involved in the process. It is NOT an easy task if you wish to come up with accurate values. "It can be automated" is incorrect. There are a number of tools on the market that automate the process of conducting a quantitative risk assessment. "It involves complex calculations" is incorrect. The calculations are simple for basic scenarios but could become fairly complex for large cases. The formulas have to be applied correctly. "It requires a high volume of information" is incorrect. Large amounts of information are required in order to develop reasonable and defensible values for the inputs to the quantitative risk assessment. References: CBK, pp. 60-61; AIO3, pp. 73, 78; The CISSP Prep Guide - Mastering The Ten Domains Of Computer Security - 2001, page 24
QUESTION 507 Making sure that the data is accessible when and where it is needed is which of the following? A. confidentiality B. integrity C. acceptability D. availability
Correct Answer: D Section: Security and Risk Management Explanation/Reference: Availability is making sure that the data is accessible when and where it is needed. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
QUESTION 508 Related to information security, availability is the opposite of which of the following? A. delegation B. distribution C. documentation D. destruction
Correct Answer: D Section: Security and Risk Management Explanation/Reference: Availability is the opposite of "destruction." Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
QUESTION 531 Who is responsible for providing reports to the senior management on the effectiveness of the security controls? A. Information systems security professionals B. Data owners C. Data custodians D. Information systems auditors
Correct Answer: D Section: Security and Risk Management Explanation/Reference: IT auditors "determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements" and "provide top company management with an independent view of the controls that have been designed and their effectiveness." "Information systems security professionals" is incorrect. Security professionals develop the security policies and supporting baselines, etc. "Data owners" is incorrect. Data owners have overall responsibility for information assets and assign the appropriate classification for the asset as well as ensure that the asset is protected with the proper controls. "Data custodians" is incorrect. Data custodians care for an information asset on behalf of the data owner. References: CBK, pp. 38-42; AIO3, pp. 99-104
QUESTION 493 What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month? A. 100 B. 120 C. 1 D. 1200
Correct Answer: D Section: Security and Risk Management Explanation/Reference: If every one of the 100 clerks makes 1 error 12 times per year, it makes a total of 1200 errors. The Annualized Rate of Occurrence (ARO) is a value that represents the estimated frequency with which a threat is expected to occur. The range can be from 0.0 to a large number. Having an average of 1200 errors per year means an ARO of 1200.
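Worked example, added here and not part of the exam guide or its references: it applies the SLE/ALE formulas from QUESTION 532, the frequency-based ARO from QUESTION 493 and the rule from QUESTION 520 that a risk is accepted when the countermeasure costs more than the risk it mitigates. The optional residual ARO and the net-value check are an assumed generalization of that rule, and all input figures are constructed.

```python
"""Quantitative risk analysis helpers (added example, not from the exam guide).

Formulas used by the explanations above:
    SLE = AV x EF           (single loss expectancy)
    ALE = SLE x ARO         (annualized loss expectancy)
Decision rule from QUESTION 520 / 532: the annual cost of a countermeasure
should not exceed the ALE it mitigates; when it does, accept the risk.
"""
from dataclasses import dataclass


def aro_from_interval(years_between_events: float) -> float:
    """ARO of a threat expected once every N years (once per 5 years -> 0.2)."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def aro_from_monthly_rate(actors: int, events_per_actor_per_month: float) -> float:
    """ARO of a recurring threat: 100 clerks x 1 error/month x 12 months -> 1200."""
    if actors < 0 or events_per_actor_per_month < 0:
        raise ValueError("counts cannot be negative")
    return actors * events_per_actor_per_month * 12


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset lost per event (30% -> 0.30)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class RiskHandling:
    sle: float
    ale_before: float         # ALE with no countermeasure in place
    ale_after: float          # ALE with the countermeasure (assumed residual ARO)
    max_annual_spend: float   # upper bound on countermeasure spend = ALE before
    net_value: float          # (ALE before - ALE after) - annual countermeasure cost
    action: str               # "reduce" when the control pays for itself, else "accept"


def decide(asset_value: float, exposure_factor: float, aro: float,
           countermeasure_annual_cost: float, residual_aro: float = 0.0) -> RiskHandling:
    """Apply the exam guide's rule: spend at most the ALE; accept the risk otherwise.

    residual_aro is an assumption for this example: the ARO that remains after the
    countermeasure is deployed (0.0 means the threat is fully mitigated).
    """
    if countermeasure_annual_cost < 0:
        raise ValueError("countermeasure cost cannot be negative")
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, residual_aro)
    net_value = (ale_before - ale_after) - countermeasure_annual_cost
    action = "reduce" if net_value >= 0 else "accept"
    return RiskHandling(sle, ale_before, ale_after, ale_before, net_value, action)


if __name__ == "__main__":
    # QUESTION 532 figures: $1,000,000 asset, EF 30%, one event per five years.
    for cost in (40_000, 75_000):   # constructed countermeasure costs
        r = decide(1_000_000, 0.30, aro_from_interval(5), cost)
        print(f"SLE={r.sle:,.0f} ALE={r.ale_before:,.0f} "
              f"max spend={r.max_annual_spend:,.0f} cost={cost:,} -> {r.action}")
    # QUESTION 493 figures: 100 clerks, one input error each per month.
    print("ARO for user input error:", aro_from_monthly_rate(100, 1))
```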
QUESTION 482 In discretionary access environments, which of the following entities is authorized to grant information access to other people? A. Manager B. Group Leader C. Security Manager D. Data Owner
Correct Answer: D Section: Security and Risk Management Explanation/Reference: In Discretionary Access Control (DAC) environments, the user who creates a file is also considered the owner and has full control over the file, including the ability to set permissions for that file. The following answers are incorrect: Manager is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. Group leader is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. Security manager is incorrect because in Discretionary Access Control (DAC) environments it is the owner/user that is authorized to grant information access to other people. IMPORTANT NOTE: The term Data Owner is also used within classifications as well. Under the subject of classification the Data Owner is a person from management who has been entrusted with a data set that belongs to the company. For example, it could be the Chief Financial Officer (CFO) who is entrusted with all of the financial data for a company. As such the CFO would determine the classification of the financial data and who can access it as well. The Data Owner would then tell the Data Custodian (a technical person) what the classification and need to know is on the specific set of data. The term Data Owner under DAC simply means whoever created the file; as the creator of the file the owner has full access and can grant access to other subjects based on their identity.
QUESTION 484 Which of the following is the best reason for the use of an automated risk analysis tool? A. Much of the data gathered during the review cannot be reused for subsequent analysis. B. Automated methodologies require minimal training and knowledge of risk analysis. C. Most software tools have user interfaces that are easy to use and do not require any training. D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.
Correct Answer: D Section: Security and Risk Management Explanation/Reference: The use of tools simplifies this process. Not only do they usually have a database of assets, threats, and vulnerabilities but they also speed up the entire process. Using automated tools for performing a risk assessment can reduce the time it takes to perform them and can simplify the process as well. The better types of these tools include a well-researched threat population and associated statistics. Using one of these tools virtually ensures that no relevant threat is overlooked, and that no associated risks are unknowingly accepted as a consequence of a threat being overlooked. In most situations, the assessor will turn to the use of a variety of automated tools to assist in the vulnerability assessment process. These tools contain extensive databases of specific known vulnerabilities as well as the ability to analyze system and network configuration information to predict where a particular system might be vulnerable to different types of attacks. There are many different types of tools currently available to address a wide variety of vulnerability assessment needs. Some tools will examine a system from the viewpoint of the network, seeking to determine if a system can be compromised by a remote attacker exploiting available services on a particular host system. These tools will test for open ports listening for connections, known vulnerabilities in common services, and known operating system exploits. Michael Gregg says: Automated tools are available that minimize the effort of the manual process. These programs enable users to rerun the analysis with different parameters to answer "what-ifs." They perform calculations quickly and can be used to estimate future expected losses more easily than performing the calculations manually. Shon Harris in her latest book says: The gathered data can be reused, greatly reducing the time required to perform subsequent analyses.
The risk analysis team can also print reports and comprehensive graphs to present to management. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4655-4661). Auerbach Publications. Kindle Edition. and CISSP Exam Cram 2 by Michael Gregg and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 2333-2335). McGraw-Hill. Kindle Edition. The following answers are incorrect: Much of the data gathered during the review cannot be reused for subsequent analysis. Is incorrect because the data can be reused for later analysis. Automated methodologies require minimal training and knowledge of risk analysis. Is incorrect because it is not the best answer. While a minimal amount of training and knowledge is needed, the analysis should still be performed by skilled professionals. Most software tools have user interfaces that are easy to use and do not require any training. Is incorrect because it is not the best answer. While many of the user interfaces are easy to use, it is better if the tool already has information built into it. There is always a training curve when any product is being used for the first time.
QUESTION 483 Which of the following groups represents the leading source of computer crime losses? A. Hackers B. Industrial saboteurs C. Foreign intelligence officers D. Employees
Correct Answer: D Section: Security and Risk Management Explanation/Reference: There are some conflicting figures as to which group is a bigger threat, hackers or employees. Employees are still considered to be the leading source of computer crime losses. Employees often have an easier time gaining access to systems or source code than outsiders, or other means of committing computer crimes. A word of caution is necessary: although the media has tended to portray the threat of cybercrime as existing almost exclusively from the outside, external to a company, reality paints a much different picture. Often the greatest risk of cybercrime comes from the inside, namely, criminal insiders. Information security professionals must be particularly sensitive to the phenomenon of the criminal or dangerous insider, as these individuals usually operate under the radar, inside of the primarily outward/external facing security controls, thus significantly increasing the impact of their crimes while leaving few, if any, audit trails to follow and evidence for prosecution. Some of the large scale crimes committed against banks lately have shown that internal threats are the worst and they are more common than one would think. The definition of what a hacker is can vary greatly from one country to another, but in some of the states in the USA a hacker is defined as someone who is using resources in a way that is not authorized. A recent case in Ohio involved an internal employee who was spending most of his day on dating websites looking for the love of his life. The employee was taken to court for hacking the company resources. The following answers are incorrect: Hackers. Is incorrect because while hackers represent a very large problem and both the frequency of attacks and overall losses have grown, hackers are considered to be a small segment of combined computer fraudsters. Industrial saboteurs. Is incorrect because industrial saboteurs tend to go after trade secrets.
While the loss to the organization can be great, they still fall short when compared to the losses created by employees. Often it is an employee that was involved in industrial sabotage. Foreign intelligence officers. Is incorrect because the losses tend to be national secrets. You really can't put a cost on this, and the frequency of occurrences is less than that of employee related losses. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 22327-22331). Auerbach Publications. Kindle Edition.
QUESTION 497 Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model? A. Prevention of the modification of information by unauthorized users. B. Prevention of the unauthorized or unintentional modification of information by authorized users. C. Preservation of the internal and external consistency. D. Prevention of the modification of information by authorized users.
Correct Answer: D Section: Security and Risk Management Explanation/Reference: There is no need to prevent modification by authorized users. They are authorized and allowed to make the changes. On top of this, it is also NOT one of the goals of Integrity within Clark-Wilson. As it turns out, the Biba model addresses only the first of the three integrity goals, which is prevention of the modification of information by unauthorized users. Clark-Wilson addresses all three goals of integrity. The Clark-Wilson model improves on Biba by focusing on integrity at the transaction level and addressing three major goals of integrity in a commercial environment. In addition to preventing changes by unauthorized subjects, Clark and Wilson realized that high-integrity systems would also have to prevent undesirable changes by authorized subjects and to ensure that the system continued to behave consistently. It also recognized that it would need to ensure that there is constant mediation between every subject and every object if such integrity was going to be maintained. Integrity is addressed through the following three goals: 1. Prevention of the modification of information by unauthorized users. 2. Prevention of the unauthorized or unintentional modification of information by authorized users. 3. Preservation of the internal and external consistency. The following reference(s) were used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17689-17694). Auerbach Publications. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31.
QUESTION 529 Which of the following is not a responsibility of an information (data) owner? A. Determine what level of classification the information requires. B. Periodically review the classification assignments against business needs. C. Delegate the responsibility of data protection to data custodians. D. Running regular backups and periodically testing the validity of the backup data.
Correct Answer: D Section: Security and Risk Management Explanation/Reference: This responsibility would be delegated to a data custodian rather than being performed directly by the information owner. "Determine what level of classification the information requires" is incorrect. This is one of the major responsibilities of an information owner. "Periodically review the classification assignments against business needs" is incorrect. This is one of the major responsibilities of an information owner. "Delegates responsibility of maintenance of the data protection mechanisms to the data custodian" is incorrect. This is a responsibility of the information owner. References: CBK, p. 105; AIO3, pp. 53-54, 960
QUESTION 519 Which of the following is NOT a part of a risk analysis? A. Identify risks B. Quantify the impact of potential threats C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure D. Choose the best countermeasure
Correct Answer: D Section: Security and Risk Management Explanation/Reference: This step is not a part of RISK ANALYSIS. A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure is not part of the risk analysis. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 73). HARRIS, Shon, Mike Meyers' CISSP(R) Certification Passport, 2002, McGraw-Hill, page 12.