Week 4-6 Quizzes

T/F Qualitative metrics are subjective in nature.

True

The bottom-up approach to metrics yields the most easily obtainable metrics however many metrics collected in this approach may not be suitable for top-management. 1) True 2) False

True

The goal of SecSDLC is to ensure information security is addressed throughout a project's life cycle. 1) True 2) False

True

T/F Business Impact Analysis scenario end-cases are more focused on Incident Recovery and are not considered by the Disaster Recovery Planning team.

False

The Oreck example shows that supplier and vendor relationships are not that important in times of disaster. 1) True 2) False

False

The majority of cyber attacks are shifting from financial gain motives to more ego and political motives. 1) True 2) False

False

Today's threat trends show attackers having high knowledge and skill backgrounds regarding exploits. 1) True 2) False

False

After Hurricane Katrina, it took Oreck Corporation over 6 months until they were able to get business functioning. 1) True 2) False

False-took 10 days

Which of the following is not an advantage of a centralized access control administration? Flexibility Standardization Higher level of security No need for different interpretations of a necessary security level

Flexibility

Which of the following represents the flow of contingency processes as a major disaster unfolds? BC, DR, IR IR, DR, BC CP, DR, IR DR, BC, IR

IR, DR, BC

Which of the following are major contingency planning areas of consideration? IRP DRP BIA BCP CMP All of the Above

IRP DRP BCP

Due to a lack of quality Business Continuity planning, over half of the businesses, forced to close their doors because of a disaster, never reopen. 1) True 2) False

True

Encapsulation is a term that describes the addition of headers and trailers onto a data payload as it is makes its way from layer 7 to layer 1 of the OSI model. 1) True 2) False

True

Full interruption testing of business continuity plans are not frequently (if at all) done by most organizations because they are expensive and disruptive to operations. 1) True 2) False

True

If countermeasures are adequate to stop an attack, then the attack does not become an incident. 1) True 2) False

True

In the 6-phase planning approach, governance oversees, reviews and approves policies while management establishes, ensures and assesses them. 1) True 2) False

True

In the Crisis Management phase of the 6-phase approach protocols are established to assess and limit damage. 1) True 2) False

True

Incident Response Planning uses the BIA to focus in on what countermeasures, if any, exist and if they are adequate to mitigate an end-case scenario threat. 1) True 2) False

True

Incident Response is a reactive measure, not a preventive measure. 1) True 2) False

True

It's important to disable Bluetooth on a mobile device if you do not use it. 1) True 2) False

True

Operational planning is short term in nature. 1) True 2) False

True

Oreck's disaster recovery plan was to use their New Orleans site in the case of a disaster at Long Beach and visa-versa. 1) True 2) False

True

PCI DSS applies to public and private sectors where an organization accepts, processes, stores, and transmits credit or debit card data. 1) True 2) False

True

PCI DSS focuses on merchants and merchant service providers. 1) True 2) False

True

Planning is a process that creates and implements strategies oriented towards the accomplishment of organizational objectives. 1) True 2) False

True

Policies must have enforced consequences to be effective. 1) True 2) False

True

Quantitative metrics are actual number values that are tracked over time. 1) True 2) False

True

Residual Risk is an uncovered element of a vulnerability (known or unknown) resulting from the level and effectiveness of safeguards. 1) True 2) False

True

Top-down approaches to metric formation is often easier when identifying the metrics that Should be in place. 1) True 2) False

True

System-Specific

Managerial/Technical guidance

If an asset has a value of 30 and a vulnerability with a 0.75 likelihood, what is the risk factor? 40 75% 22.5 32.5

22.5

New countermeasures have reduced a company's 40% vulnerability risk BY 30%. What is the new percentage of this company's remaining residual risk for the vulnerability? 10% 28% 30% None of the above

28% 0.4-(0.4 x 0.3)

Given the address 128.196.35.40, which part of the address represents a host number on the subnet? 128 128.196 35 40

40

PCI DSS is a law applying to all federal, state, and local government agencies. 1) True 2) False

False

Risk assessment is the actual treatment of risk. 1) True 2) False

False

Strategic planning is "what are we going to do?" and "how are we going to do it?" 1) True 2) False

False

A single countermeasure may eliminate multiple threats beyond what the countermeasure was originally intended. 1) True 2) False

True

ARP is a process of associating a MAC address with a given IP number. 1) True 2) False

True

A multi-component threat that uses a variety of access points to penetrate or glean information is: Easy to detect and block A Multi-vector threats A Reverse multi-threat vector A Multi-component vulnerability

A Multi-vector threats

Crisis Management is a series of focused steps that deal with the safety and state of employees and their families during and after a disaster. 1) True 2) False

1) True

1. Electronic Vaulting 2. Remote Journaling 3. Database Shadowing

1.bulk batch transfer of data to off-site location 2.Remote storage of transactions only 3.Remote storage of database and transactions in real time

Asset A has been assigned a value of 50, a vulnerability likelihood of 0.5, and a current control that addresses 50% of the risk. What would be its determined risk rating factor value (assume uncertainty of 20%)? 10.0 25.0 15.1 17.5 None of the above

17.5 (50 x 0.5) - 50% + 20% = (50 x 0.5) - (0.5 x 25) + 0.2 x 25) = 25 - 12.5 + 5 =17.5

Match the terms with their definitions. Shared use-2 RTO-1 RPO-4 Exclusive use-3

2. time-shares, service bureaus and mutual agreements giving a company access to a shared facility when needed 1.Amount of time before an infrastructure is available 4. A point in the past to which data will be restored at an alternate site 3.hot sites, warm sites and cold sites for which company has sole use when in need

Issue-Specific

overall policy regarding document storage

A company's past year Annual Loss Expectancy (ALE) for a particular vulnerability was $50,000. New security measures were put in place which brought the current year's ALE down to $30,000. IF the annual cost of the security measure is $10,000, what is the current Cost Benefit Analysis (CBA) figure associated with this measure? $10,000 $30,000 $5,000 $20,000 None of the above

$10,000 CBA = ALE (prior) - ALE (post) - ACS CBA = $50,000 - $30,000 - $10,000 CBA = $10,000

The estimated annual impact cost of a particular security incident is $10,000. The probability of the incident occurring is estimated at 30%. If a security device is purchased (costing $5,000) the current probability of the incident occurring is reduced by (not reduced to) 5%. What is the Modified Annual Loss Expectancy (mALE)? $5,000 $250 $2,850 $1,500

$2,850

Which of the following is the correct risk evaluation formula (L=likelihood, A=asset value, C=control mitigation, U=uncertainty): (L / A) + C - U (L x A) - C + U (L x U) + A - C (L x A) + C - U

(L x A) - C + U

Risk estimates for a particular vulnerability are calculated as: (Likelihood x percentage of uncertainty) - Asset Value + percentage of current controls (Likelihood x Asset Value) -percentage of current controls + percentage of uncertainty (Likelihood x Asset Value) + percentage of current controls + percentage of uncertainty (Likelihood x Asset Value) + percentage of current controls - percentage of uncertainty None of the above

(Likelihood x Asset Value) -percentage of current controls + percentage of uncertainty

A Business Continuity Plan focuses on recovering operations at an organization's primary site. 1) True 2) False

False

A vulnerability is: An attack vector A threat vector A weakness in design, procedure or defenses A known attack instance None of the above

A weakness in design, procedure or defenses

Which of the following are points of the threat vector model? Agents Consistency Knowledge Motive Means Opportunity

Agents Motive Means Opportunity

Which of the following would not be a security precaution for a mobile device? Select the best answer. VPN for connections Screenlock password File encryption Disallow rogue Wi-Fi connections All of above are valid None of above are valid

All of above are valid

Which of the following attacks is RFID vulnerable to? Sniffing Tracking Spoofing Denial of service All of the above None of the above

All of the above

Which of the following would not be considered a valid countermeasure (select the best answer)? Anti-Spyware software Awareness training Spare hard drives for systems Encryption of data in transit Policy and procedures on account retirement All of the above are valid countermeasures

All of the above are valid countermeasures

What is the difference between a Recovery Time Objective and a Recovery Point Objective? Select the best answer. An RPO deals with the amount of time until an operation or service is made available. An RTO deals exclusively with remote sites. An RTO deal with the amount of time until an operation or service is made available after a disaster while an RPO deals with how current data backups are. RTO and RPO are different name for the same thing - the time until an operation is made available after a disaster. RPO is not critical to the restoration of business functions while RTO is critical in that it affects the amount of data and transactions lost during a disaster.

An RTO deal with the amount of time until an operation or service is made available after a disaster while an RPO deals with how current data backups are.

What role does biometrics play in access control? Authorization Authenticity Authentication Accountability

Authentication

Bluetooth enabled devices are not real security problems because Bluetooth's range is too short to be effectively exploited. 1) True 2) False

False

Business drivers are high-level concerns based on tactical goals and objectives of the organization. 1) True 2) False

False

Which of the following would not be considered an information security related planning framework? COBIT COSO ERM COBOL Top-Down SABSA

COBOL Top-Down

Disaster Recovery Plans only focus on natural disasters. Man-Made disasters involving information systems are covered in the Incident Response Plan. 1) True 2) False

False

Disaster Recovery and Business Continuity are never executed concurrently. 1) True 2) False

False

In business continuity, a cold site offers faster recovery time than a hot site. 1) True 2) False

False

In the second phase of the 6-phase planning approach cycle, risks are identified and ranked. 1) True 2) False

False

Information Security policies only exist to avoid litigation. 1) True 2) False

False

Metrics are really only useful to the CEO and top managers. 1) True 2) False

False

Most planning approaches have 3 basic levels: strategic, tactical and disaster planning. 1) True 2) False

False

Most technical vulnerabilities exist in hardware and firmware. 1) True 2) False

False

Oversimplification of a security metric, for the sake of clarity, is advisable. 1) True 2) False

False

Which access control method is user-directed? Non-discretionary Mandatory Identity based Discretionary

Discretionary

Which of the following would not be a goal of Disaster Recovery Planning? Eliminate or reduce the potential for injuries, damage to facilities or loss of assets Ensure an alternate site as adequate resources to facilitate operations Stabilize the effects of a disaster Implement the planned procedures to resume operations

Ensure an alternate site as adequate resources to facilitate operations

Which of the following would not be considered attacker motivation? Disrupt social stability Ascertain strategic goals Disgruntlement Errors and omissions

Errors and omissions

A policy describing the protection of privacy would be which type of policy? Enterprise Information Security Program Policy Issue-Specific Security Policy System-Specific Security Policy Technical Specifications

Issue-Specific Security Policy

Why is an alert roster important in incident response? (select the best answer) It is required by regulations like Sarbanes-Oxley. It categorizes the alert levels. It allows the public to know what is going on. It allows the organization to alert the right people in the correct order.

It allows the organization to alert the right people in the correct order.

Many organizations are moving to virtualized infrastructures because (select all that apply): It is popular It reduces physical server counts It is made by Microsoft It reduces power & HVAC consumption It eliminates the need for backups It reduces downtimes

It reduces physical server counts It reduces power & HVAC consumption It reduces downtimes

The specifications for Category 5E wire would be a concern at what layer of the OSI model? Layer 7 Layer 3 Layer 1 Layer 2

Layer 1

Enterprise

Link to vision and mission statements

A company is considering two expensive countermeasures to reduce a risk. The impact of this particular attack type, on the company, is estimated at $1,500,000 in losses. The company feels there is a 40% chance of the incident occurring.Option-A would cost $100,000 and reduces the chance of the occurrence from 40% to 25%Option-B would cost $120,000 and reduces the chance of occurrence from 40% to 20%What is the Return on Security Investment (ROSI) for both options? Option-A = $375,000 and Option-B = $300,000 Option-A = $225,000 and Option-B = $300,000 Option-A = $125,000 and Option-B = $180,000 None of the above

Option-A = $125,000 and Option-B = $180,000 ALE=1,500,000 x .4 = 600,000 mALE=1,500,000 x .25 = 375,000 SAVINGS=600,000-375,000 = 335,000 ROSI=225,000-100,000 = 125,000 Option B: A;E=1,500,000 X .4 = 600,000 mALE=1,500,000 x .20 = 300,000 SAVINGS=600,000-300,000 = 300,000 ROSI=300,000-120,000=180,000

In discretionary access control security, who has delegation authority to grant access to data? User Security Office Security Policy Owner

Owner

Which of the following is the industry standard for securing credit card data? Payment Card Industry Digital Signature Standard Payment Card Incident Data Security Survey Payment Card Industry Data Security Standard Preventative Credit Incident Data Security Standard

Payment Card Industry Data Security Standard

Which of the following would not be a strategic level management area? Risk Analysis & Management Policy Compliance Security Program Governance Model

Policy Compliance

Which of the following best represents the order regarding security policy formation? Policy, standards, (practices, guidelines, procedures) Policy, guidelines (standards, practices, procedures) Standards, Policy (guidelines, practices, procedures) Procedures, practices, standards, policy, guidelines

Policy, standards, (practices, guidelines, procedures)

An access control model should be applied in a _________ manner. Detective Recovery Corrective Preventive

Preventive

Which of the following is a TCP handshake to open a connection? FIN - RST SYN - SYN/ACK - ACK FIN - ACK - SYN - ACK All of the above

SYN - SYN/ACK - ACK

What determines if an organization is going to operate under a discretionary, mandatory, or non-discretionary access control model? Administrator Security policy Culture Security levels

Security policy

Which of the following is not true regarding the role of security planning? Provides direction and priorities Should be a bottom-up approach Increases efficiencies and reduces waste Involves internal and external groups Assists in controlling actions

Should be a bottom-up approach

Good metrics should be: Specific, Measurable, Adjustable, Repeatable and Time-Dependent Static, Measurable, Attainable, Releasable and Time-Dependent Specific, Measurable, Attainable, Repeatable and Time-Dependent Specific, Measurable, Attainable, Recalcitrant and Time-Dependent

Specific, Measurable, Attainable, Repeatable and Time-Dependent

After the creation of a formal policy to establish business continuity plans, a BIA is the first major phase in the business contingency planning cycle. 1) True 2) False

True

An organization's risk appetite defines the level of acceptance as it evaluates security control trade-offs. 1) True 2) False

True

Balanced scorecards are used to show progress of strategy. 1) True 2) False

True

Database Shadowing options for BC is essentially the same as combining capabilities of Electronic Vaulting and Remote Journaling. 1) True 2) False

True

Decreasing the RTO of a business continuity plan will more than likely increase the cost and complexity associated with backup procedures and alternatives. 1) True 2) False

True

Disaster Recovery Planning is the preparation for and recovery from a disaster at an organization's primary disaster location. 1) True 2) False

True

A window of vulnerability is (select the best answer): The time-frame within which defense measures are reduced, compromised or lacking The time-frame in which a threat is no longer applicable A threat surface which extends beyond one year An old countermeasure

The time-frame within which defense measures are reduced, compromised or lacking

A Business Continuity Plan ensures that critical business functions can continue in the case of a disaster. 1) True 2) False

True

A Business Continuity Plan is typically invoked or executed after a devastating attack or disaster that cripples an organization's primary site of business. 1) True 2) False

True

A Business Impact Analysis assumes all existing controls have been bypassed and a disruption was successful. 1) True 2) False

True

A Key Performance Indicator (KPI) is a measure of how well something is being done. 1) True 2) False

True

A layer 3 switch can also serve as a router. 1) True 2) False

True

What is derived from a passphrase? Personal password Virtual password User ID Valid password

Virtual password

Asset A has a value of 50 and two vulnerabilities. Vulnerability 1 has a likelihood of 0.8 and no controls. Vulnerability 2 has a likelihood of 0.3 and a control that mitigates 40% of the vulnerability.Assuming an uncertainty level of 10%, what would the risk factor be for both vulnerabilities? Vulnerability-1: 30 Vulnerability-2: 56 Vulnerability-1: 44 Vulnerability-2: 10.5 Vulnerability-1: 25 Vulnerability-2: 12 Vulnerability-1: 25 Vulnerability-2: 44

Vulnerability-1: 44 Vulnerability-2: 10.5 V1 = (50 x 0.8) - 0 + (50 x 0.8)(0.1) = 40 - 0 + 4 = 44 V2 = (50 x 0.3) - (50 x 0.3)(0.4) + (50 x 0.3)(0.1) = 15 - 6 + 1.5 = 10.5