CISSP Chapter 1
_____ is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. .
Abstraction
_____ , or monitoring, is the programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system.
Auditing - recording a log of the events and activities related to the system and subjects..
The process of verifying or testing that the claimed identity is valid is _____.
Authentication - proving that you are that identity.
The process of _____ ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
Authorization - defining the allows and denials of resource and object access for a specific identity.
Which of the following is the most important and distinctive concept in relation to layered security? A. Multiple B. Series C. Parallel D. Filter
B. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.
Which of the following is the lowest military data classification for classified data? A. Sensitive B. Secret C. Proprietary D. Private
B. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.
Which of the following is typically not a characteristic considered when classifying data? A. Value B. Size of object C. Useful lifetime D. National security implications
B. Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.
Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. A stand-alone system D. The Internet
B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad .
What is the primary objective of data classification schemes? A. To control access to objects for authorized subjects B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity C. To establish a transaction trail for auditing accountability D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality
B. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can ______ the data, objects, and resources. A. Control B. Audit C. Access D. Repudiate
C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.
Which of the following is not considered a violation of confidentiality? A. Stealing passwords B. Eavesdropping C. Hardware destruction D. Social engineering
C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.
Data classifications are used to focus security controls over all but which of the following? A. Storage B. Processing C. Layering D. Transfer
C. Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.
The level to which information is mission critical is its measure of _____. The higher the level of _____, the more likely the need to maintain the confidentiality of the information. High levels of _____ are essential to the operation or function of an organization.
Criticality
The movement of data between locations.
Data Flow Paths
This method uses asset valuation results and attempts to identify threats to the valuable assets.
Focused on Assets
_____ is the process by which a subject professes an identity and accountability is initiated.
Identification - claiming an identity when attempting to access a secured area or system.
Where external input is received.
Input Points Locations
_____ , also known as defense in depth, is simply the use of multiple controls in a series.
Layering
_____ ensures that the subject of an activity or event cannot deny that the event occurred.
Nonrepudiation - Nonrepudiation can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms.
_____ include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption.
Protection Mechanisms
The lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.
Public
- Spoofing - Tampering - Repudiation - Information disclosure - Denial of service (DoS) - Elevation of privilege
STRIDE - is a threat categorization scheme developed by Microsoft used to assess threats against applications or operating Systems.
_____ involves storing something in an out-of-the-way location. This location can also provide strict access controls. _____ can help enforcement confidentiality protections.
Seclusion
Any location where the level of trust or security changes.
Trust Boundaries
The highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if _____ data is disclosed. Sometimes the label proprietary is substituted for _____.
confidential
The security professional, _____ _____ _____, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.
information security (InfoSec) officer
A _____ _____ is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to understand security function and align it to goals, mission, and objectives of the organization.
strategic plan
Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security.
Privileged Operations
_____ are the final element of the formalized security policy structure. A _____ is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
Procedures
1: Meeting Stakeholder Needs 2: Covering the Enterprise End-to-End 3: Applying a Single, Integrated Framework 4: Enabling a Holistic Approach 5: Separating Governance From Management.
COBIT's five key principles for governance and management of enterprise.
What are the two common data classification schemes? A. Military and private sector B. Personal and government C. Private sector and unrestricted sector D. Classified and unclassified
A. Military (or government) and private sector (or commercial business) are the two common data classification schemes.
Which of the following is not considered an example of data hiding? A. Preventing an authorized reader of an object from deleting that object B. Keeping a database from being accessed by unauthorized visitors C. Restricting a subject at a lower classification level from accessing data at a higher classification level D. Preventing an application from accessing hardware directly
A. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.
Vulnerabilities and risks are evaluated based on their threats against which of the following? A. One or more of the CIA Triad principles B. Data usefulness C. Due care D. Extent of liability
A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.
Effective _____ relies on the capability to prove a subject's identity and track their activities.
Accountability - Accounting (aka accountability) reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects? A. Identification B. Availability C. Encryption D. Layering
B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.
Which commercial business/private sector data classification is used to control information about individuals within an organization? A. Confidential B. Private C. Sensitive D. Proprietary
B. The commercial business/private sector data classification of private is used to protect information about individuals.
The organizational owner or _____ role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets.
senior manager
Used for data that is more classified than public data. A negative impact could occur for the company if _____ data is disclosed.
sensitive
The _____ _____ is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad-hoc based upon unpredicted events.
tactical plan
STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE? A. Spoofing B. Elevation of privilege C. Repudiation D. Disclosure
D. Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
What ensures that the subject of an activity or event cannot deny that the event occurred? A. CIA Triad B. Abstraction C. Nonrepudiation D. Hash totals
C. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
______ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed. A. Seclusion B. Concealment C. Privacy D. Criticality
C. Privacy refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out of the way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality.
The highest level of classification. The unauthorized disclosure of _____ data will have drastic effects and cause grave damage to national security.
top-secret
_____ is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
COBIT
Which of the following is not true? A. Violations of confidentiality include human error. B. Violations of confidentiality include management oversight. C. Violations of confidentiality are limited to direct intentional attacks. D. Violations of confidentiality can occur when a transmission is not properly encrypted.
C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.
_____ is the act of hiding or preventing disclosure. Often _____ is viewed as a means of cover, obfuscation, or distraction.
Concealment
_____ _____ is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments.
Reduction analysis
The lowest level of classification. This is used for data that is neither sensitive nor classified. The disclosure of _____ data does not compromise confidentiality or cause any noticeable damage.
unclassified
The _____ role is assigned to any person who has access to the secured system.
user (end user or operator)
What element of data categorization management can override all other forms of access control? A. Classification B. Physical access C. Custodian responsibilities D. Taking ownership
D. Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.
All but which of the following items requires awareness for all individuals affected? A. Restricting personal email B. Recording phone conversations C. Gathering information about surfing habits D. The backup mechanism used to retain email messages
D. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.
What is the primary goal of change management? A. Maintaining documentation B. Keeping users informed of changes C. Allowing rollback of failed changes D. Preventing security compromises
D. The prevention of security compromises is the primary goal of change management.
_____ refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
Privacy
+ Damage potential— How severe is the damage likely to be if the threat is realized? + Reproducibility— How complicated is it for attackers to reproduce the exploit? + Exploitability— How hard is it to perform the attack? + Affected users— How many users are likely to be affected by the attack (as a percentage)? + Discoverability— How hard is it for an attacker to discover the weakness?
DREAD - rating system designed to provide a flexible rating solution that is based on the answers to five main questions about each threat.
_____ is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.
Data Hiding
_____ is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
Discretion
_____ is the art and science of hiding the meaning or intent of a communication from unintended recipients.
Encryption
Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker's goals.
Focused on Attackers
If an organization develops software, it can consider potential threats against the software.
Focused on Software
_____ is the act of keeping something separated from others. _____ can be used to prevent commingling of information or disclosure of information.
Isolation
_____ is the act of keeping something a secret or preventing the disclosure of information.
Secrecy
The declaration of the security policy, security foundations, and security assumptions.
Security Stance and Approach - Breaking down a system into its constituent parts makes it much easier to identity the essential components of each element as well as take notice of vulnerabilities and points of attack. The more you understand exactly how a program, system, or environment operates, the easier it is to identity threats to it.
_____ _____ is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Security governance
_____ refers to the quality of information, which could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.
Sensitivity
_____ define compulsory requirements for the homogenous use of hardware, software, technology, and security controls. They provide a course of action by which technology and procedures are uniformly implemented throughout an organization.
Standards
If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects.
The first principle of the CIA Triad. If a threat exists against confidentiality, unauthorized disclosure could take place.
For integrity to be maintained, objects must retain their veracity and be intentionally modified by only authorized subjects.
The second principle of the CIA Triad is integrity. If a security mechanism offers integrity, it offers a high level of assurance that the data, objects, and resources are unaltered from their original protected state.
An _____ _____ policy is a commonly produced document that exists as part of the overall security documentation infrastructure. The _____ _____ policy is specifically designed to assign security roles within the organization as well as ensure the responsibilities tied to those roles.
acceptable use
An _____ is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
auditor
A _____ defines a minimum level of security that every system throughout the organization must meet.
baseline
The goal of _____ _____ is to ensure that any change does not lead to reduced or compromised security. _____ _____ is also responsible for making it possible to roll back any change to a previous secured state.
change management
Used for data of a private, sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of data classified as _____ will have noticeable effects and cause serious damage to national security.
confidential
The _____ _____ role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
data custodian
The _____ _____ role is assigned to the person who is responsible for classifying information for placement and protection within the security solution.
data owner
A _____ offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
guideline
An _____ _____ is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. _____ _____ must be updated often (such as monthly or quarterly) to retain compliance with tactical plans.
operational plan
Used for data that is of a _____ or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if _____ data is disclosed.
private
Used for data of a restricted nature. The unauthorized disclosure of data classified as _____ will have significant effects and cause critical damage to national security.
secret
