Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
123 Cards in this Set
- Front
- Back
|
What does CIA stand for? |
confidentiality, integrity, availability |
|
|
What does AAA stand for? |
authentication, authorization, accountability |
|
|
When a subject professes an identity and accountability is initiated. This starts AAA. |
Identification |
|
|
What is the process of verifying or testing that the claimed identity is valid? |
Authentication |
|
|
This ensures the requested activity or access is possible given the privileges assigned to the identity. |
Authorization |
|
|
The recording of a log of events to hold the subject accountable for their actions. |
Monitoring (Auditing) |
|
|
What part of AAA is reviewing log files checking for compliance and violations? |
Accountability |
|
|
Works to guarantee appropriate information security activities are being performed to reduce risk, security investments are being managed & executive management has visibility into its effectiveness. |
Security Governance |
|
|
True or False: Security professionals should see their role as risk advisors, not final decision makers. Management is decision maker. |
True |
|
|
The interrelationship between assessing risk & determining needs, monitoring & evaluating, promoting awareness and implementing policies & controls. |
Security and Risk Management |
|
|
4 steps to implement security policies |
Policy > Standards > Guidelines > Procedures |
|
|
2 data classification schemes |
1. Government/Military 2. Commercial business/Private sector |
|
|
What is the dynamic testing technique where you add to the SW to see what the test will uncover? |
Fuzz testing |
|
|
What does the system for thinking about security threats STRIDE stand for? |
S = spoofing T = tampering R = repudiation I = information disclosure D = denial of service E = elevation of privilege |
|
|
What does PII stand for? |
Personal identifiable information |
|
|
Who is responsible for the protection of all of the business information assets? |
Information Security Office |
|
|
What your legal duty is considered to be? The lack of this can be considered negligence. |
Due care |
|
|
Preemptive measure made to avoid harm. Examples are background checks of employees, credit checks of business partners. |
Due diligence |
|
|
What is the potential occurrence of an undesirable outcome? |
Threat |
|
|
What is a weakness in an asset? |
Vulnerability |
|
|
What is being susceptible to asset loss from a threat? |
Exposure |
|
|
What is the possibility or likelihood that a threat will exploit a vulnerability called? (Threat x Vulnerability = ?) |
Risk |
|
|
What is the exploitation of a vulnerability? |
Attack |
|
|
What is it called when a security control has been bypassed? |
Breach |
|
|
What risk analysis gives you concrete probability percentages? |
Quantitative Risk Analysis |
|
|
What risk analysis involves scenarios & ranks threats on a scale? |
Qualitative |
|
|
Asset Value (AV) x Exposure Factor (EF) = ? |
Single Loss Expectancy (SLE) |
|
|
What is the number of occurrences in a year called? |
Annualized Rate of Occurrence (ARO) |
|
|
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ? |
Annualized Loss Expectancy (ALE) |
|
|
Brainstorming, Delphi, storyboarding, surveys, interviews are what type of risk analysis? |
Qualitative |
|
|
What technique leverages anonymous feedback and responses? |
Delphi |
|
|
What is it called when you implement security controls in layers across physical, logical/technical, and administrative? |
Defense in Depth |
|
|
Guards, fences, motion detectors, camera's, alarms, mantraps are what type of controls? |
Physical |
|
|
Authentication, encryption, firewalls, routers, intrusion detection systems, clipping levels are what type of controls? |
Logical/ technical |
|
|
Policies, procedures, hiring practices, background checks, data classification are what type of controls? |
Administrative |
|
|
What are you setting when you set the number of password attempts allowed? |
Clipping level |
|
|
A guide for how risk is to be assessed, resolved and monitored. |
Risk Framework |
|
|
What are the 6 steps of the NIST Risk Management Framework? |
1. Categorize the system 2. Select security controls 3. Implement the security controls 4. Assess the security controls 5. Authorize the operation of the system 6. Monitor the security controls effectiveness |
|
|
4 possible responses to a risk |
Reduce, assign, accept,reject |
|
|
What Act made it illegal to access or harm federal computers and was amended in 1986 to include federal interest computers? |
Comprehensive Crime Control Act (CCCA) |
|
|
What Act goes beyond computers and into railroads, gas,telecommunications & all intentional acts are a felony. |
National Information Infrastructure Protection Act of 1996 |
|
|
What government organization controls federal classified computers? |
NSA National Security Agency |
|
|
What government organization controls all of the rest of the federal (non classified) computers? |
NIST National Institute of Standards & Technology |
|
|
What Act put NIST in charge & mandated baseline cyber security requirements for all federal agencies? |
Computer Security Act of 1987 |
|
|
What guidelines implemented the prudent man rule requiring executives to take personal responsibility for information security, not just fiscal? |
Federal Sentencing Guidelines released in 1991 |
|
|
What are intangible assets, such as brand? |
Intellectual property |
|
|
What protects creative works? |
Copyright laws |
|
|
What protects words, slogans, and logos? |
Trademarks |
|
|
What protects intellectual property of inventors? |
Patents |
|
|
What protects intellectual property of a company that is critical to their business & it is best to control them yourself and make everyone around it sign a NDA? |
Trade Secrets |
|
|
What looks out for the privacy of US citizens where their persons, papers and effects shall not be violated? |
4th Amendment |
|
|
What requires strict security measures in the medical community? |
Health Insurance Portability & Accountability Act (HIPPA) |
|
|
What broadened the powers of law enforcement, such as monitoring electronic communication, in the fight against terrorism? |
USA Patriot Act of 2001 |
|
|
Cyber crime makes up how much of the total crime around the world? |
1/3rd |
|
|
What are the 5 golden rules when answering CISSP exam questions? |
1. When it comes to people, safety first 2. Management buy-in is critical 3. Everyone is responsible for Security 4. Training is essential 5. Policy is the key to nearly everything |
|
|
What DES encryption mode is least secure and produces the same key for the same message every time and does so one at a time? |
Electronic Codebook (ECB) mode |
|
|
What DES encryption mode involves XOR'ing each block of text with text before it? |
Cipher Block Chaining (CBC) mode |
|
|
What DES encryption mode is a streaming version of the Cipher Block Chaining (CBC) mode? |
Cipher Feedback (CFB) mode |
|
|
What DES encryption mode uses a seed value, then operates like Cipher Feedback (CFB) mode and errors don't corrupt the rest of the message? |
Output Feedback (OFB) mode |
|
|
What DES encryption mode uses counter instead of seed value and errors don't corrupt the rest of the message? |
Counter (CTR) mode |
|
|
What encryption standard uses a long series of XOR operations and repeats the process 16 times for each encryption/decryption operation? |
Data Encryption Standard (DES) |
|
|
What is the triple data encryption algorithm symmetric key block cipher which applies the DES cipher 3 times to each data block? |
Triple DES (3DES) |
|
|
What symmetric key block encryption algorithm operates on 64 bit blocks using a 128 bit key and consists of eight identical rounds and is used in PGP? |
International Data Encryption Algorithm (IDEA) |
|
|
AES (Advanced Encryption Standard) uses what block cipher? |
Rijndael |
|
|
What are the 3 different key lengths/encryption rounds and text block size for AES? |
128 text - 128 key with 10 rounds 128 text - 192 key with 12 rounds 128 text - 256 key with 14 rounds |
|
|
What are 3 ways to exchange secret keys securely? |
1. Offline distribution 2. Public key infrastructure/CA 3. Diffie-Hellman key exchange |
|
|
What key exchange algorithm has both parties participate in making a secret key for them to share? |
Diffie-Hellman |
|
|
True or False. Private key algorithms are used for bulk data encryption and are 1000x faster than public key cryptosystems. |
True |
|
|
What is an arrangement in which the keys needed to decrypt data are held in escrow so that under certain circumstances and authorized 3rd party may gain access to the keys? |
Fair cryptosystems or key escrow |
|
|
What algorithm does the alternative key escrow approach, Escrowed Encryption Standard (aka Clipper), use? |
Skipjack |
|
|
Fill in the blank with one of the CIA triads: The objective of privacy is the _____ of personal data. |
Confidentiality |
|
|
Fill in the blanks: An _____ (short term) supports a goal (intermediate term), which supports a _____ (long term), which is accomplished with a well defined strategy. |
An objective (short term) supports a goal (intermediate term), which supports a mission (long term), which is accomplished with a well defined strategy. |
|
|
ISACA and ITGI developed this control framework for IT management and IT governance. |
COBIT (Control Objectives for Information and Related Technologies) |
|
|
What control framework is required by all US government agencies and is also widely adopted in private industry? |
NIST SP800-53 Security and Privacy Controls |
|
|
COSO, ISO/IEC 27002, and ITIL are all what? |
Control Frameworks |
|
|
What is the difference between due care and due diligence when it comes to logging? |
Due care is turning on logging; due diligence is regularly reviewing the logs. |
|
|
What are laws derived from judicial precedence rather than statutes? |
Common law |
|
|
What type of laws form the bulk of our laws and provide for an orderly society and are not considered crimes, so only financial restitution happens as opposed to jail time? |
Civil laws |
|
|
What type of laws are policies and regulations that government agencies enforce? |
Administrative law |
|
|
True or False. The US Computer Fraud and Abuse Act of 1986 is THE major computer crime law currently in effect that enhanced it's first 1984 revision which was the very first federal computer crime law. |
True |
|
|
What Act complemented the US Computer Fraud and Abuse Act of 1986 and prohibited eavesdropping, etc. without permission, which was later amended by the USA Patriot Act authorizing it for felony violations? |
US Electronic Communications Privacy Act (ECPA) of 1986 |
|
|
What European legislation protects personal information for all European citizens and led to the Safe Harbor agreement between Europe and the US in 1998 allowing US organizations to certify themselves to handle European citizens data? |
Directive 95/46/EC |
|
|
What industry standard (not yet legally required) is mandated by credit card companies who oversee their own compliance programs? |
Payment Card Industry Data Security Standard (PCI DSS) |
|
|
What is the ISC2 Code of Professional Ethics preamble? |
The safety of society and duty to our principles requires adherence to the highest ethical standards. Therefore, strict adherence to this Code is a condition of certification. |
|
|
What are the 4 canons of ISC Code of Ethics? |
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2. Act honorably, honestly, justly, responsibly, and legally. 3. Provide diligent and competent service to principals. 4. Advance and protect the profession. |
|
|
What are the 5 unethical practices issued by the Internet Architecture Board (IAB)? |
1. Seeks to gain unauthorized access to resources on the internet 2. Disrupts the intended use of the internet 3. Wastes resources (people, capacity, computer) 4. Destroys the integrity of computer based information 5. Compromises the privacy of users |
|
|
What are the 10 commandments of computer ethics? Thou shalt... |
1. not use a computer to harm people 2. not interfere with other people's computer work 3. not snoop around in other people's computer file 4. not use a computer to steal 5. not use a computer to bear false witness 6. not copy proprietary SW for which you have not paid 7. not use other people's computer without authorization 8. not appropriate other people's intellectual output 9. think about the social consequences of the program you write 10. use a computer in ways that show consideration and respect |
|
|
What are the 4 types of security policies? |
1. Sr management 2. Regulatory 3. Advisory 4. Informative |
|
|
True or False. The purpose of off site media storage is to ensure that up to date data is available in the event that systems in the primary data center area damaged. |
True |
|
|
What is the maximum period of time in which business must be restored after a disaster? |
Recovery Time Objective (RTO) |
|
|
What is the maximum period of time called in which data might be lost if a disaster strikes? |
Recovery Point Objective (RPO) You set your backup schedule with it. |
|
|
What consists of an asset, a threat, and vulnerability? |
Risk management triple. (A risk consists of a threat and a vulnerability of an asset.) |
|
|
What kicks off risk assessment? |
Risk identification |
|
|
What are the 4 steps of threat analysis? |
1. Define the threat 2. Identify consequences if the threat event occurs 3. Determine probable frequency of the event 4. Assess probability that the threat will actually happen |
|
|
What are the 4 steps of risk analysis (treatment)? |
1. Identify assets to be protected (asset valuation) 2. Define threats (threat analysis) 3. Calculate ALE (SLE x ARO) 4. Select safeguards |
|
|
What illustrates the steps used to attack a target system? |
An attack tree |
|
|
A general awareness program, formal training and education are 3 main components of what? |
An effective security awareness program. |
|
|
Tip: In CISSP questions, sometimes Security is called Information Assurance |
Security = Information Assurance |
|
|
What is any location called where the level of trust or security changes? |
Trust boundary |
|
|
What says executive's must perform their duties in good faith, in the best interest of the enterprise and with care and diligence that people in a similar position would exercise in a similar circumstance? |
Prudent Man Rule |
|
|
What is a conscious disregard of the need to use reasonable care? |
Gross negligence |
|
|
What is the opposite of CIA? |
DAD (disclosure, alteration, destruction) |
|
|
What cryptography option do you use for Integrity? |
Hashing |
|
|
What is the difference between encryption and hashing? |
Hashing is one way. Encryption is 2 way. |
|
|
What cryptography option do you use for authentication, integrity and/or nonrepudation? |
Digital signatures |
|
|
What is the flow of electronic data across political boundaries, such as states and countries, which can cause legal conflicts? |
Transborder data flow |
|
|
What links business objectives to IT goals? |
COBIT |
|
|
What is the role of ITIL in IT goals? |
ITIL defines a framework for achieving IT service level goals |
|
|
What is the EF if the cost to replace a datacenter is $10M and the damage a tornado would cause is $5M? |
50% |
|
|
What enables a system to continue operating properly in the event of a failure? |
Fault tolerance |
|
|
What are 3 common risk assessment frameworks? |
FAIR (Factor Analysis of Information Risk) OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) TARA (Threat Agent Risk Assessment) |
|
|
A security program cannot address which of the following business goals? A. Accuracy of information B. Change control C. User expectations D. Prevention of fraud |
A. Accuracy of information (cannot control how people enter data) |
|
|
True or False. An information security policy does not usually include guidelines for how to implement policy. |
True |
|
|
What should be the 1st step when a company suspects they have suffered a loss due to an employee's malfeasance, call law enforcement or review organizational policy? |
Review organizational policy |
|
|
What is the time you have to recover from a disaster? |
Recovery time objective |
|
|
What is the maximum period called where data can be lost from a disaster? This tells you how frequent you have to backup. |
Recovery point objective |
|
|
RTO (recovery time objective) + WRT (work recovery time) = ? |
MTD (maximum tolerable downtime) |
|
|
Who is best to own the information security program, the CEO or CIO? |
CIO |
|
|
Does electronic vaulting belong with disaster recovery or business continuity? |
Electronic vaulting is a data backup task and so belongs with disaster recovery |
|
|
What is it called when you decompose an application, system or environment during threat analysis to gain a better understanding of it? |
Reduction analysis |
|
|
What type of computer related crime is using a computer in an accompanying role, not a major role like the electronic distribution of illegal files? |
Incidental |
|
|
What is the maximum time a given biz process can be inoperative? |
MTD. Maximum Tolerable Downtime |
|
|
What is a form of one-time password authentication and can be synchronous (time-based value that expires) and asynchronous (challenge-response)? |
Token (device) |
