CIA Triad
Confidentiality, Integrity, Availability
DAD Triad
Disclosure, Alteration, Destruction
AAA Services
Identification, Authentication, Authorization, Accounting, Auditing
STRIDE
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
DREAD
Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability
Employee Oversight
Monitoring and supervision of employees' activities
Offboarding, Transfers & Termination Process
Procedures for managing employee departures and transfers
Social Engineering Principles
Manipulation of individuals to gain unauthorized access or information
Risk Terminology and Concepts
Asset; Asset Valuation; Threats; Threat Agent/Actors; Threat Events; Threat Vector; Vulnerability
End of Life & End of Support
Phases when a product or service is no longer maintained
Risk Frameworks - NIST Cybersecurity Framework
Identify, Protect, Detect, Respond, Recover (the five core functions of CSF 1.1; CSF 2.0 adds a sixth, Govern)
Identify, Protect, Detect, Respond, Recover
Cybersecurity Framework (CSF)
Incident Management Steps
1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post-incident activity (the NIST SP 800-61 incident handling life cycle)
Basic Preventive Measures
Preventative & Detective controls
Intrusion Detection and Prevention Systems
An IDS monitors network traffic or host activity and alerts on suspected unauthorized access; an IPS sits inline and can also block it
Difference between active and passive protection
Active protection takes action, passive protection observes
False Positive
An alert raised for activity that was actually benign (a Type I error)
True Negative
No alert raised, and no attack actually occurred
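The four outcomes above only become useful once you count them for a real rule. The following added example (not from the page) scores a hypothetical "N failed logins from one IP" rule against constructed sshd-style log lines with known ground truth, computes precision, recall and false-positive rate, and shows with Bayes' rule why a "99% accurate" detector is still mostly false positives when attacks are rare. The log lines, IP addresses (RFC 5737 documentation ranges), thresholds and prevalence figures are all assumptions made for illustration.

```python
"""Confusion-matrix metrics for a threshold-based detection rule, evaluated
against constructed sshd-style log lines with known ground truth.
Added example; log lines, IPs and thresholds are made up for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

AUTH_RE = re.compile(r"(Failed|Accepted) password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def _line(ip: str, ok: bool) -> str:
    """Build one constructed sshd log line (not a real capture)."""
    verb = "Accepted" if ok else "Failed"
    return f"May  1 10:00:00 bastion sshd[4242]: {verb} password for alice from {ip} port 51000 ssh2"


# Constructed log: two attackers, two legitimate users who fumbled, one clean login.
LOG_LINES = (
    [_line("203.0.113.5", False)] * 6                                     # brute force, never succeeds
    + [_line("198.51.100.7", False)] * 5 + [_line("198.51.100.7", True)]  # forgetful user, then in
    + [_line("192.0.2.9", False)] * 2 + [_line("192.0.2.9", True)]        # one typo, then in
    + [_line("192.0.2.30", False)] * 3                                    # low-and-slow guessing
    + [_line("198.51.100.20", True)]                                      # clean login
)

# Ground truth an analyst would establish after the fact (constructed).
GROUND_TRUTH = {
    "203.0.113.5": True,
    "198.51.100.7": False,
    "192.0.2.9": False,
    "192.0.2.30": True,
    "198.51.100.20": False,
}


@dataclass(frozen=True)
class Metrics:
    tp: int  # true positive: alerted, and it really was an attack
    fp: int  # false positive: alerted, but the activity was benign
    tn: int  # true negative: no alert, and nothing was wrong
    fn: int  # false negative: no alert, but an attack occurred

    @property
    def precision(self) -> float:
        """Share of alerts that were real: TP / (TP + FP)."""
        return self.tp / (self.tp + self.fp) if self.tp + self.fp else 0.0

    @property
    def recall(self) -> float:
        """Share of real attacks that were caught: TP / (TP + FN)."""
        return self.tp / (self.tp + self.fn) if self.tp + self.fn else 0.0

    @property
    def false_positive_rate(self) -> float:
        """Share of benign sources that raised an alert: FP / (FP + TN)."""
        return self.fp / (self.fp + self.tn) if self.fp + self.tn else 0.0


def failed_logins_per_ip(lines) -> Counter:
    """Count 'Failed password' events per source IP."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group(1) == "Failed":
            counts[m.group(2)] += 1
    return counts


def detect(lines, threshold: int) -> set:
    """Hypothetical rule: alert on any IP with at least `threshold` failures."""
    return {ip for ip, n in failed_logins_per_ip(lines).items() if n >= threshold}


def evaluate(lines, truth: dict, threshold: int) -> Metrics:
    """Score the rule against ground truth, one verdict per source IP."""
    alerted = detect(lines, threshold)
    tp = fp = tn = fn = 0
    for ip, malicious in truth.items():
        if ip in alerted and malicious:
            tp += 1
        elif ip in alerted:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return Metrics(tp, fp, tn, fn)


def precision_at_base_rate(prevalence: float, recall: float, specificity: float) -> float:
    """Bayes: P(attack | alert) for a rule with the given recall (sensitivity)
    and specificity when attacks make up `prevalence` of all events."""
    true_alerts = prevalence * recall
    false_alerts = (1 - prevalence) * (1 - specificity)
    return true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    for t in (5, 6):
        m = evaluate(LOG_LINES, GROUND_TRUTH, t)
        print(f"threshold={t}: {m} precision={m.precision:.2f} "
              f"recall={m.recall:.2f} fpr={m.false_positive_rate:.2f}")
    # Assumed figures: attacks are 0.1% of events, rule is 99% sensitive, 99% specific.
    print(f"precision at 0.1% prevalence: {precision_at_base_rate(0.001, 0.99, 0.99):.3f}")
```

Raising the threshold from 5 to 6 removes the false positive (the forgetful user) without changing recall, but the low-and-slow attacker stays a false negative at either setting; tuning a single threshold trades one error type against the other. The base-rate function shows the other half of the problem: at 0.1% prevalence a 99%/99% rule yields roughly 9% precision, so the analyst queue is about ten benign alerts for every real one.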
Logging and Monitoring
Recording and observing system activities for security purposes
Logging types/ techniques
Security, System, Application, Firewall, Proxy, & Change Logs
SOAR
Security Orchestration, Automation, and Response
Cyber Kill Chain
Lockheed Martin's seven stages of an intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives (e.g., exfiltration)
Risk Assessment Process
Prepare, Conduct, Communicate, Maintain
Risk Matrix/ Heatmap
Visual representation of risks based on likelihood and impact
Risk Register
Document that records identified risks and their details
Judgment about Risk Treatment
Assessment and decision-making regarding risk mitigation
Key to Quantification: Measurement
Measurement is crucial for quantifying risks
Measurement as Uncertainty Reduction
Measurement helps reduce uncertainty in risk assessment
Measurement Interpretation
Understanding and analyzing measurement results
Statistical significance vs. Practical (clinical) significance
Difference between statistical and practical importance
Rule of 5
Hubbard's rule: in a random sample of just five, there is a 93.75% chance that the population median lies between the smallest and largest values, so even tiny samples reduce uncertainty
Ranges vs. Precise Values
Expressing uncertain quantities as calibrated ranges (e.g., a 90% confidence interval) rather than single point estimates that imply a precision nobody has
Modeling Random Outcomes of Known Likelihood
Predicting outcomes based on known probabilities
Modeling Impact
Assessing the potential consequences of a risk event
Distributional Assumptions
Assumptions about the probability distribution of data
Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?
Data custodian
Who should receive initial business continuity plan training in an organization?
Everyone in the organization
Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process?
Signing an NCA
Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
Baseline
Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
Documentation of the plan
John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
Information Disclosure
Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: "Advance and protect the profession." Who may bring ethics charges against Henry for this violation?
Any certified or licensed professional may bring charges.
Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
Combination of quantitative and qualitative risk assessment
Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat?
Malicious hacker
Brenda's organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?
Protection of intellectual property
James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization's primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?
Replacement cost
You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?
Document your decision-making process.
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
Separation of duties
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
Risk mitigation
Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?
Cold Site
Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions?
USPTO
Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing?
Strategic
Which one of the following stakeholders is not typically included on a business continuity planning team?
CEO
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
Revoking Electronic Access Rights
Roger's organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter?
Bank
Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?
Elevation of privilege
Chris' organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted?
Availability
Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?
Prudent Man Rule
Which of the following is not typically included in a pre-hire screening process?
Fitness Evaluation
What principle of information security states that an organization should implement overlapping security controls whenever possible?
Defense in depth
Use of a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels.
Qualitative Assessment
The ability to repeat an assessment in the future, in a manner that is consistent with, and hence comparable to, prior assessments.
Repeatability
Portion of risk remaining after security measures have been applied.
Residual Risk
Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.
Quantitative Assessment
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Risk
An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Cyber Attack
condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events result in adverse impacts
Predisposing Condition
the process of identifying, estimating, and prioritizing information security risks.
Risk Assessment
magnitude of harm that can be expected to result from the consequences from a threat event
Impact
any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
Threat
a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
Vulnerability
weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability
Likelihood of Occurrence
the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures
Threat Shifting
the acceptable range of losses
Risk Tolerance
the benefit to the organization from enacting a control; a worthwhile control reduces likelihood, impact, or both, by more than it costs
Return on Mitigation
a curve giving, for each loss amount, the probability that loss in a period (typically a year) will exceed that amount
Loss Exceedance Curve
has a specified order with unequal or unknown distances between values (example, rating satisfaction on a scale of 1 - 10)
Ordinal Data
has a specified order with equal distances between values (example, temperature)
Interval Data
has a true zero point, so ratios and all arithmetic operations are meaningful (example, weight)
Ratio Data
indicates category, not amount (example, color)
Nominal Data
A _________ uses a computer to generate a large number of scenarios based on probabilities for inputs.
Monte-Carlo Simulation
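The cards on modeling random outcomes of known likelihood, modeling impact, distributional assumptions, return on mitigation, the loss exceedance curve and Monte Carlo simulation describe one workflow. The following added example (not from the page or from the HTMA authors) runs it end to end on a constructed two-item risk register: each risk has an annual probability of occurrence and a 90% confidence interval on its loss, the impact is modelled as a lognormal fitted to that interval, a Monte Carlo run produces the loss exceedance curve, and a return on mitigation is computed for a hypothetical control. All probabilities, loss ranges, the control cost and the exact return-on-mitigation formula are assumptions made for illustration.

```python
"""Monte Carlo loss model for a small risk register: loss exceedance curve
and return on mitigation. Added example with constructed inputs; the
probabilities, loss ranges and control cost do not come from the page."""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.645  # z-score bounding the central 90% of a normal (5th/95th percentiles)


@dataclass(frozen=True)
class Risk:
    name: str
    p_annual: float  # probability the event occurs in a given year
    lo: float        # 5th percentile of loss, given that the event occurs
    hi: float        # 95th percentile of loss, given that the event occurs

    def lognormal_params(self):
        """mu, sigma such that exp(mu -/+ Z90*sigma) equals lo and hi.
        This is the distributional assumption: impact is lognormal."""
        mu = (math.log(self.lo) + math.log(self.hi)) / 2
        sigma = (math.log(self.hi) - math.log(self.lo)) / (2 * Z90)
        return mu, sigma

    def sample_loss(self, rng: random.Random) -> float:
        """One simulated year: Bernoulli trial for occurrence, then a lognormal impact."""
        if rng.random() >= self.p_annual:
            return 0.0
        mu, sigma = self.lognormal_params()
        return rng.lognormvariate(mu, sigma)

    def expected_loss(self) -> float:
        """Analytic annual expected loss: p * E[lognormal] = p * exp(mu + sigma^2 / 2)."""
        mu, sigma = self.lognormal_params()
        return self.p_annual * math.exp(mu + sigma * sigma / 2)


def simulate(risks, trials: int, seed: int = 1) -> list:
    """Total annual loss across the register for `trials` simulated years."""
    rng = random.Random(seed)
    return [sum(r.sample_loss(rng) for r in risks) for _ in range(trials)]


def mean(xs) -> float:
    return sum(xs) / len(xs)


def loss_exceedance(losses, thresholds) -> dict:
    """Loss exceedance curve: P(annual loss > t) for each threshold t."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def return_on_mitigation(before, after, control_cost: float) -> float:
    """Assumed formula: (reduction in expected annual loss - control cost) / control cost."""
    reduction = mean(before) - mean(after)
    return (reduction - control_cost) / control_cost


# Constructed register (hypothetical figures).
REGISTER = [
    Risk("Ransomware on file servers", 0.25, 50_000, 2_000_000),
    Risk("SQL injection defacement of web app", 0.40, 5_000, 200_000),
]
# Same risks after a hypothetical patching + IPS programme; only likelihoods change.
MITIGATED = [replace(REGISTER[0], p_annual=0.05), replace(REGISTER[1], p_annual=0.10)]
CONTROL_COST = 120_000  # assumed annual cost of the programme


if __name__ == "__main__":
    before = simulate(REGISTER, 20_000)
    after = simulate(MITIGATED, 20_000)
    for t, p in loss_exceedance(before, [0, 100_000, 500_000, 1_000_000]).items():
        print(f"P(loss > {t:>9,}) = {p:.3f}")
    print(f"expected loss before {mean(before):,.0f}, after {mean(after):,.0f}")
    print(f"return on mitigation: {return_on_mitigation(before, after, CONTROL_COST):.2f}")
```

The `expected_loss` method gives the closed-form answer the simulation should converge to, which is a useful sanity check on any Monte Carlo model: if the simulated mean drifts far from `p * exp(mu + sigma^2/2)`, the sampling code is wrong, not the risk. The exceedance at a threshold of 0 is simply the probability that at least one event happens in the year, 1 - (1 - 0.25)(1 - 0.40) = 0.55 for these inputs, which is another cheap cross-check.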
According to the authors, what is a weakness of current heatmap risk matrices?
Too much time and effort
How do the HTMA authors define an "enterprise attack surface"?
All the Options
There is a ______ chance that the median of a population is between the smallest and largest values in any random sample of five from that population.
93.75%
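Where the 93.75% comes from, and a check that it holds for any population shape. The following added example (not from the page or the authors) derives the rule for a sample of any size n, finds the smallest sample that reaches a chosen confidence, and verifies the n = 5 figure by simulation against a constructed, heavily skewed lognormal population whose median is known exactly.

```python
"""Rule of Five: exact probability, general form, and a simulation check.
Added example; the lognormal population used for the check is constructed."""
import math
import random


def median_in_range_prob(n: int) -> float:
    """P(the population median lies strictly between the min and max of n
    independent draws). Each draw lands below the median with probability 1/2,
    so the median escapes the sample range only if all n draws fall on the
    same side of it: 2 * (1/2)^n. For n = 5 that is 1 - 2/32 = 0.9375."""
    return 1 - 2 * 0.5 ** n


def smallest_sample_for(confidence: float) -> int:
    """Smallest n whose sample range brackets the median with at least `confidence`."""
    n = 1
    while median_in_range_prob(n) < confidence:
        n += 1
    return n


def simulate(n: int, trials: int, seed: int = 7) -> float:
    """Estimate the same probability empirically. The population is a
    constructed lognormal(mu, sigma); its true median is exp(mu) regardless
    of sigma, so the skew does not affect the rule."""
    rng = random.Random(seed)
    mu, sigma = 10.0, 1.5  # constructed, heavily right-skewed (e.g., loss amounts)
    true_median = math.exp(mu)
    hits = 0
    for _ in range(trials):
        sample = [rng.lognormvariate(mu, sigma) for _ in range(n)]
        if min(sample) < true_median < max(sample):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for n in (3, 5, 8, 10):
        print(f"n={n:2d}: exact {median_in_range_prob(n):.4f}")
    print(f"smallest n for 90%: {smallest_sample_for(0.90)}, for 99%: {smallest_sample_for(0.99)}")
    print(f"simulated, n=5: {simulate(5, 20_000):.4f}")
```

The derivation makes no use of the population's distribution, only of the fact that each draw is independently above or below the median with equal probability, which is why the rule is a fair opening move when you have no data at all and want to bound, say, the time staff spend on a manual control.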
What practical definition of measurement do the authors introduce?
Measurement as a quantitatively expressed reduction of uncertainty based on one or more observations