https://chercher.tech/cissp-certification/cissp-security-management

What is the ISO 27002 standard focused on?
Options: ITSM. Protecting PHI. Risk management. HIPAA.
Answer: ITSM.
Explanation: ISO 27002 (descended from BS 7799 Part 1 and ISO 17799) is a code of practice that gives practical advice on how to implement information security controls; the original version grouped them into 10 control domains. Read the intended sense of the answer as information security management (the ISMS that pairs with ISO 27001). IT service management proper is the territory of ITIL and ISO 20000, not ISO 27002.

As part of our risk management, we are working on quantitative risk analysis. Select all the terms we would use in this phase.
Options: Asset Value (AV). Future Growth Potential (FGP). Risk Analysis Matrix (RAM). Exposure factor (EF). Annualized Loss Expectancy (ALE).
Answer: Asset Value (AV). Exposure factor (EF). Annualized Loss Expectancy (ALE).
Explanation: Quantitative risk analysis puts numbers on "exactly enough security for our needs". We find the asset's value, how much of it one incident compromises, what one incident costs, how often it occurs, and what that adds up to per year.
Asset Value (AV): how much is the asset worth?
Exposure Factor (EF): what percentage of the asset value is lost in one incident?
Single Loss Expectancy (SLE) = AV x EF: what does it cost if it happens once?
Annual Rate of Occurrence (ARO): how often will this happen each year?
Annualized Loss Expectancy (ALE) = SLE x ARO: what does it cost per year if we do nothing?

We are in a court of law and we are presenting real evidence. What constitutes real evidence?
Options: The data on our hard drives. Something you personally saw or witnessed. Tangible and physical objects. Logs, audit trails and other data from the time of the attack.
Answer: Tangible and physical objects.
Explanation: Real evidence is tangible, physical objects. In IT security that means things like hard disks and USB drives, not the data on them.

What was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)?
Options: To allow search and seizure without immediate disclosure. To protect electronic communication against warrantless wiretapping. To protect electronic communication by mandating service providers to use strong encryption. To allow law enforcement to use wiretaps without a warrant or oversight.
Answer: To protect electronic communication against warrantless wiretapping.
Explanation: The Electronic Communications Privacy Act (ECPA) was designed to protect electronic communications against warrantless wiretapping, but it was significantly weakened by the PATRIOT Act.

Our organization is using least privilege in our user access management. How are our users assigned privileges?
Options: The same privileges as the rest of the group has. More privileges than they need for their day-to-day job, so they can perform certain tasks in an emergency. Exactly the minimum feasible access for the user to perform their job. Privileges at the data owner's discretion.
Answer: Exactly the minimum feasible access for the user to perform their job.
Explanation: Least privilege, also called "minimum necessary access": we give our users and systems exactly the access they need, no more and no less.

When we are performing background checks on our new employees, we would NEVER look at which of these?
Options: References, degrees, criminal records, credit history. References, degrees, political affiliation, employment history. References, employment history, criminal records. Employment history, credit history, references.
Answer: References, degrees, political affiliation, employment history.
Explanation: When we hire new staff we often run background checks to minimize our risk. We can check references, degrees, employment history, criminal records and (less commonly, because it is more costly) credit history. We have new staff sign an NDA (Non-Disclosure Agreement). Political affiliation is never checked: it is irrelevant to the job and is a protected characteristic in many jurisdictions.

After a security breach, Bob has been asked to ensure evidence integrity. What would he do with the compromised hard drive?
Options: Hash the drive and take a bit-level copy, hash the copy drive and they should match, then work on the bit-level copy. Encrypt the drive, then do his forensics on the original drive and when he is done do a hash. Add another drive to the system and copy all he can see on the compromised drive onto the new drive and then do his analysis on the new drive. Pull the drive from the system, format it and reinsert it into another production server.
Answer: Hash the drive and take a bit-level copy, hash the copy drive and they should match, then work on the bit-level copy.
Explanation: Evidence integrity is vital; the evidence's integrity must not be open to question. We do this with hashes, and any forensics is done on copies, never on the originals. We hash the original, make a bit-level copy of it, hash the copy, and the two hashes must match. After the forensics we hash again, and that hash should be the same as the prior two. A logical file copy (the third option) misses deleted files, slack space and unallocated areas, which is why the copy must be bit-level.

Which of these hackers would you hire to do penetration testing?
Options: Black hat hacker. Gray hat hacker. Script kiddie. White hat hacker.
Answer: White hat hacker.
Explanation: White hat hackers are professional pen testers (ethical hackers) trying to find flaws so we can fix them. Black hat hackers are malicious hackers trying to find flaws to exploit them (also called crackers, because they crack the code). Gray/grey hat hackers sit somewhere between the two: they go looking for vulnerable code, systems or products and often simply publicize the vulnerability, which can lead to black hats using it before a patch is developed; some approach the vendor first and publish only if nothing happens. Script kiddies have little or no coding knowledge, but many sophisticated hacking tools are available and easy to use. They pose a very real threat and can be just as dangerous as skilled hackers, because they often have no idea what the tools they run actually do.
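The evidence-integrity procedure from the hard-drive question above (hash the original, take a bit-level copy, hash the copy, confirm the hashes match, work only on the copy, re-hash afterwards), written out as an added example. This is not code from the original page; it uses a small constructed image file as the "drive" and a read-only file permission as a stand-in for a hardware write blocker, so it runs offline.

```python
"""Forensic acquisition walk-through (added example, constructed sample image)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so real disk images need not fit in memory


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_bit_copy(source: str, dest: str) -> str:
    """Copy every byte of `source` into `dest` (the dd-style imaging step) and hash the copy."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return sha256_file(dest)


def acquire_and_verify(source: str, dest: str) -> dict:
    """Hash original, image it, hash the image, re-hash the original. All three must match."""
    original_before = sha256_file(source)
    copy_hash = acquire_bit_copy(source, dest)
    original_after = sha256_file(source)  # proves imaging did not touch the evidence
    return {
        "original_before": original_before,
        "copy": copy_hash,
        "original_after": original_after,
        "verified": original_before == copy_hash == original_after,
    }


def run_demo() -> dict:
    """End-to-end run on a constructed image; returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "suspect_drive.img")
        working = os.path.join(tmp, "working_copy.img")
        # Constructed sample "drive": fake header, repeated file content, zero-filled slack.
        with open(original, "wb") as f:
            f.write(b"FAKEFS\x00\x01" + b"notes.txt: meeting at 0300\n" * 32 + b"\x00" * 4096)
        os.chmod(original, 0o444)  # stand-in for a hardware write blocker on the evidence drive

        report = acquire_and_verify(original, working)

        # Analysis happens on the working copy only. Simulate a tool that writes to it:
        with open(working, "r+b") as f:
            f.seek(8)
            f.write(b"X")
        # Re-hashing afterwards shows the copy changed while the original is still intact.
        report["copy_unchanged_after_analysis"] = sha256_file(working) == report["copy"]
        report["original_unchanged_after_analysis"] = (
            sha256_file(original) == report["original_before"]
        )
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On real media the same three hashes are taken with the drive behind a write blocker, the image is usually produced with `dd` (for example `dd if=/dev/sdX of=evidence.dd bs=4M conv=noerror,sync`) or a dedicated imager, and the hash values, tool versions and timestamps go into the chain-of-custody record. Note the last two results: a changed working copy is expected, a changed original means the evidence is compromised.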
When the PATRIOT Act was signed into law in 2001, it allowed law enforcement to do what?
Options: Allow search and seizure without immediate disclosure. Protect electronic communication against warrantless wiretapping. Protect electronic communication by mandating service providers to use strong encryption. Allow law enforcement to use wiretaps without a warrant or oversight.
Answer: Allow search and seizure without immediate disclosure.
Explanation: The PATRIOT Act of 2001 expands law enforcement's electronic monitoring capabilities and allows search and seizure without immediate disclosure.

We are implementing biometric authentication. What would be a good reason to do that?
Options: It is easy to copy. People can easily change their biometrics. It rarely changes. It is much cheaper than knowledge factors.
Answer: It rarely changes.
Explanation: Biometric features rarely change unless we have a serious accident. They are more difficult to copy, people cannot change them without surgery, and biometrics are normally more expensive than possession or knowledge factors.

Those acting under "the color of law" can act on an exigent circumstance. What would constitute exigent circumstances?
Options: Potential threat to data or human life in the future. An unpatched vulnerability on our systems that attackers have no way of exploiting. Immediate threat to human life or of evidence destruction. An outside circumstance which does not pose any threat to life or data.
Answer: Immediate threat to human life or of evidence destruction.
Explanation: Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. Whether it was justified is decided later by a court. This only applies to law enforcement and those operating under the "color of law" (Title 18 U.S.C. Section 242, Deprivation of Rights Under Color of Law).

For access control management, which of these is considered something you have?
Options: Fingerprint. MAC address. Cookie on computer. PIN.
Answer: Cookie on computer.
Explanation: Possession factors are things you have, as opposed to things you know (knowledge factors) or something you are (biometrics).

As part of improving the security posture of our organization we have added multifactor authentication. Which of these pairs does NOT constitute multifactor authentication?
Options: Password and username. PIN and credit card. Fingerprint and PIN. Username and smartcard.
Answer: Password and username.
Explanation: Multifactor authentication uses more than one factor (something you know, something you are, something you have). A password and a username are both knowledge factors, so together they are not multifactor.

Which type of security governance and management would we want to see in our organization?
Options: Bottom-up. Top-down. Middle of the road. Agile.
Answer: Top-down.
Explanation: We always want top-down security governance and management; we want senior leadership on our side. Top-down: IT leadership is on board with IT security, leads and sets the direction. Bottom-up: IT security is seen as a nuisance rather than a helper, and things often only change after a breach.

When someone is typosquatting, what are they doing?
Options: Always illegal. Potentially illegal. Legal. Never profitable.
Answer: Potentially illegal.
Explanation: Typosquatting is buying a URL that is VERY close to a real website's name. It can be illegal in certain circumstances.

With the CIA triad in mind, if we have too much confidentiality, which other control will suffer the MOST?
Options: Availability. Integrity. Accountability. Authentication.
Answer: Availability.
Explanation: Finding the right mix of confidentiality, integrity and availability is a balancing act, and really the cornerstone of IT security: finding the RIGHT mix for your organization. Too much confidentiality and availability can suffer.

We are asked to help design the policies for our organization in regard to PHI. What is that?
Options: Personal Health Information. Protected Human Interactions. Procured Hospital Information. Personal Heuristic Information.
Answer: Personal Health Information.
Explanation: PHI is the abbreviation for Personal Health Information; HIPAA itself uses the term Protected Health Information, and the two are used interchangeably on the exam.

One of your coworkers is telling you about our new policies for PII. What is she referring to?
Options: Professional Information Identifiers. Personally Identifiable Information. Personality Indicator Information. Personally Information Indicators.
Answer: Personally Identifiable Information.
Explanation: PII is the abbreviation for Personally Identifiable Information.

Which industry is the US Gramm-Leach-Bliley Act (GLBA) focused on?
Options: Healthcare. Aerospace. Online stores. Financial.
Answer: Financial.
Explanation: The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions. It is driven by the Federal Financial Institutions Examination Council (FFIEC) and enforced by its member agencies (OCC, FDIC, FRB, NCUA and CFPB). Enacted in 1999, it requires protection of the confidentiality and integrity of consumer financial information.

Which is NOT one of the (ISC)² ethics canons?
Options: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Think about the social consequences of the program you are writing or the system you are designing.
Answer: Think about the social consequences of the program you are writing or the system you are designing.
Explanation: The (ISC)² Code of Ethics canons are: protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; advance and protect the profession.

Which type of phishing attack is it when an attacker uses phone calls to try to get access to our sensitive data?
Options: Spear phishing. Whale phishing. Phishing. Vishing.
Answer: Vishing.
Explanation: Vishing (voice phishing) is attacks over automated VoIP (Voice over IP) systems, bulk spam similar to phishing. These are the "Your taxes are due", "Your account is locked" or "Enter your PII to prevent this" types of calls.

By implementing a layered defense strategy across our organization, what do we improve?
Options: Availability. Integrity. Confidentiality. All of these.
Answer: All of these.
Explanation: Defense in depth, also called layered defense or onion defense, means implementing multiple overlapping security controls to protect an asset. By implementing defense in depth you improve your organization's confidentiality, integrity and availability.

When you sign the (ISC)² code of ethics prior to taking the exam, what do you NOT promise to protect?
Options: Society. Your organization. Infrastructure. The common good.
Answer: Your organization.
Explanation: While your organization is important, it is not part of the (ISC)² code of ethics. The common good, the infrastructure and society are.

Who will ULTIMATELY determine if the evidence we present was obtained legally?
Options: The police. The lawyers. Senior management. The courts.
Answer: The courts.
Explanation: The court determines whether evidence was obtained legally. If it was not, it is inadmissible in court.

When we are talking about the governance part of our organization, who are we referring to?
Options: Middle management. The users. Senior management. The IT leadership team.
Answer: Senior management.
Explanation: The senior leadership of our organization sets the company direction and clarifies when there are questions. They are the governing body, although at times they do so under the direction of the board.

Who is the person leading our organization?
Options: CFO. CTO. CEO. CIO.
Answer: CEO.
Explanation: The CEO (Chief Executive Officer) is the head of the senior executives.
If we want to implement a governance standard or control framework focused on internal risk analysis, which of these could we implement?
Options: COBIT. ITIL. COSO. FRAP.
Answer: FRAP.
Explanation: FRAP (Facilitated Risk Analysis Process) analyzes one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact is analyzed, and threats and risks are prioritized.

In our organization we have a lot of policies, procedures, standards, and guidelines we use to make our decisions. Which of them is non-mandatory?
Options: Policies. Procedures. Standards. Guidelines.
Answer: Guidelines.
Explanation: Guidelines are non-mandatory: recommendations and discretionary suggestions on how you could do something.

Which of these could be something we use to help us protect our data's confidentiality?
Options: Hashes. Multifactor authentication. Redundant hardware. Redundant software.
Answer: Multifactor authentication.
Explanation: To ensure confidentiality we can use strong passwords, multifactor authentication, masking, access control, need-to-know, least privilege and many other controls. Hashes protect integrity, and redundancy protects availability.

Healthcare insurers, providers and clearinghouse agencies must comply with HIPAA (Health Insurance Portability and Accountability Act) if they operate in the United States. Which of these are rules they MUST follow? (Select all that apply.)
Options: Breach notification rule. Encryption rule. Disclosure rule. Security rule. Privacy rule.
Answer: Breach notification rule. Security rule. Privacy rule.
Explanation: HIPAA puts strict privacy and security rules on how PHI (Personal Health Information) is handled by health insurers, providers and clearinghouse agencies (claims). HIPAA has three rules: the Privacy rule, the Security rule and the Breach Notification rule. The rules mandate administrative, physical and technical safeguards.

Security breach notification laws: these are NOT federal. Every state has its own law (Alabama and South Dakota were the last to pass one, in 2018), so know the one for your state. They normally require organizations to inform anyone whose PII was compromised. Many have an encryption clause: lost data that was encrypted may not require disclosure.

When an attacker is attacking our encryption, they are MOSTLY targeting which leg of the CIA triad?
Options: Authentication. Confidentiality. Availability. Integrity.
Answer: Confidentiality.
Explanation: To ensure confidentiality we use encryption for data at rest (for instance AES-256 and full disk encryption) and secure transport protocols for data in motion (TLS or IPsec; SSL is obsolete and should no longer be used). Attacking the algorithm or its implementation directly is cryptanalysis; in practice it is almost always easier to steal or guess the key than to break the cipher.

When authenticating against our access control systems, you present your ID. Which type of authentication are you using?
Options: A possession factor. A knowledge factor. A biometric factor. A location factor.
Answer: A possession factor.
Explanation: Something you have (Type 2 authentication): ID, passport, smart card, token, cookie on a PC. These are called possession factors. The subject uses them to authenticate their identity: if they have the item, they are assumed to be who they say they are.

In the IAAA model, which of these is NOT one of the A's?
Options: Authentication. Alteration. Authorization. Accountability.
Answer: Alteration.
Explanation: IAAA is Identification and Authentication, Authorization and Accountability. Alteration is the opposite of integrity from the CIA triad.

We often use the IAAA model in IT security, but what does it do?
Options: Provide a framework where we authorize, identify and authenticate our users and hold them accountable for their actions. Provide a framework where we provide integrity, authenticate and authorize our users and hold them accountable for their actions. Provide a framework where we identify, authenticate and authorize our users and make sure the data they need is available. Provide a framework where we identify and authenticate users and give them access dependent on their job title.
Answer: Provide a framework where we authorize, identify and authenticate our users and hold them accountable for their actions.
Explanation: IAAA is Identification and Authentication, Authorization and Accountability: we identify our staff, have them authenticate, authorize them to access what they are permitted to, and hold them accountable for their actions.

During a security breach, one of our honeypots was used for a downstream attack on a rival business. The competitor lost over $200,000 in revenue from the attack. Who is ULTIMATELY liable?
Options: The IT security team. Middle management. Whomever deployed the honeypot. Senior management.
Answer: Senior management.
Explanation: C-level executives (senior leadership) are ultimately liable. This does not mean no one else is liable: if others involved did not exercise due care and due diligence they may be liable as well, but the question asked who is ULTIMATELY liable.

We are in a court where the proof must be "more likely than not". Which court are we in?
Options: Criminal court. Civil court. Administrative court. Probation court.
Answer: Administrative court.
Explanation: Administrative law (regulatory law) consists of rules enacted by government agencies (FDA rules, HIPAA, FAA rules, etc.). The standard of proof is "more likely than not".

During a security incident you see something that is usable in court. This constitutes which type of evidence?
Options: Real evidence. Direct evidence. Secondary evidence. Circumstantial evidence.
Answer: Direct evidence.
Explanation: Direct evidence is testimony from a first-hand witness about what they experienced with their five senses.

Which of these is something that is COMMONLY trademarked?
Options: Software. Logos. Inventions. Public domain (CC0) photos.
Answer: Logos.
Explanation: Trademarks (™ and ®, registered trademark) cover brand names, logos, slogans, etc. The ® symbol may only be used for a registered mark; a registration is valid for 10 years at a time and can be renewed indefinitely.

What would be one of the security concerns we would need to address in a divestiture?
Options: Who gets the IT infrastructure? How do we ensure their security standards are high enough? Security is part of the SLA. All of these.
Answer: Who gets the IT infrastructure?
Explanation: Divestiture: your organization is being split up. How do you ensure no data crosses boundaries it shouldn't? Who gets the IT infrastructure?

Within our organization, it is important that we have a layered defense strategy. Which of these would be an example of a recovery access control?
Options: Encryption. Alarms. Backups. Patches.
Answer: Backups.
Explanation: Recovery controls help us recover after an attack: DR environments, backups, HA environments.

In our risk analysis, we are looking at the total risk of a vulnerability. What would we look at to find the total risk?
Options: Threat + vulnerability. Threat * vulnerability. Threat * vulnerability * asset value. (Threat * vulnerability * asset value) - countermeasures.
Answer: Threat * vulnerability * asset value.
Explanation: Total risk = threat * vulnerability * asset value. Subtracting the countermeasures gives the residual risk, which is the last option, not the total risk.

We are looking at the different classifications for access controls. Which of these is a type of detective access control?
Options: Encryption. Backups. Patches. Intrusion detection systems.
Answer: Intrusion detection systems.
Explanation: IDSs (Intrusion Detection Systems) sit on our network to capture and alert on traffic seen as malicious. They come in two types, with two different approaches to identifying malicious traffic. Network-based: placed on a network segment (a switch port in promiscuous mode or a SPAN port). Host-based: on a client, normally a server or workstation.
Signature (pattern) matching works like antivirus: it matches traffic against a long list of known malicious traffic patterns. Heuristic (behavioral) detection uses a baseline of normal traffic and monitors for deviations from it.

Looking at the governance of our organization, our standards could be described by which of these?
Options: Non-specific, but can contain patches, updates, strong encryption. Specific: all laptops are W10, 64-bit, 8GB memory. Low-level step-by-step guides. Recommendations.
Answer: Specific: all laptops are W10, 64-bit, 8GB memory.
Explanation: Standards are mandatory and describe a specific use of technology (all laptops are W10, 64-bit, 8GB memory, etc.).

In our quantitative risk analysis, we are looking at the ARO. What does that tell us?
Options: How many times it happens per year. What percentage of the asset is lost. What it will cost us if it happens once. What it will cost us per year if we do nothing.
Answer: How many times it happens per year.
Explanation: Annual Rate of Occurrence (ARO): how often will this happen each year?

Where would be a good place for us to NOT implement defense in depth?
Options: Our data centers. Nowhere. Our call center. Our VPNs.
Answer: Nowhere.
Explanation: We would implement defense in depth everywhere, so there is nowhere we would NOT implement it; the two negatives cancel each other out. Remember that this is also an exam in the English language (assuming you take it in English), and it does intend to trick you at times.

We are in criminal court and the defendant says we used enticement. In this setting, enticement is which of these?
Options: A solid legal defense strategy. Not a solid legal defense strategy. Something we can do without consulting our legal department. Legal and unethical.
Answer: Not a solid legal defense strategy.
Explanation: Enticement (legal and ethical) makes committing a crime more enticing, but the person has already broken the law or at least decided to do so. Honeypots are a common way to use enticement: open ports or services on a server that can be attacked. Enticement is not a valid defense. Contrast it with entrapment, where someone is induced to commit a crime they had not intended to commit, which is a valid defense.

One of our senior VPs calls you up to explain a term he heard at a conference. He heard about cybersquatting and wants to know more. Which of these is TRUE about it?
Options: Always illegal. Potentially illegal. Legal. Never profitable.
Answer: Legal.
Explanation: Cybersquatting is buying a URL you know someone else will need, to sell it at a large profit. The quiz treats this as legal in itself; note that in the US the Anticybersquatting Consumer Protection Act (1999) makes registering a domain in bad faith to profit from someone else's trademark actionable.

As an IT security professional, you are expected to perform due care. What does this mean?
Options: Researching and acquiring the knowledge to do your job right. Do what is right in the situation and your job; act on the knowledge. Continue the security practices of your company. Apply patches annually.
Answer: Do what is right in the situation and your job; act on the knowledge.
Explanation: Due care is the prudent person rule: what would a prudent person do in this situation? Implement the IT security architecture and keep systems patched. If compromised: fix the issue and notify affected users, following the security policies to the letter.

Senior management is looking at the ISO 27799 standard. What is it focused on?
Options: ITSM. Protecting PHI. Risk management. PCI-DSS.
Answer: Protecting PHI.
Explanation: ISO 27799 gives directives on how to protect PHI (Personal Health Information).

We are working on our risk management and we are doing quantitative risk analysis. What does the ALE tell us?
Options: How many times it happens per year. What percentage of the asset is lost. What it will cost us if it happens once. What it will cost us per year if we do nothing.
Answer: What it will cost us per year if we do nothing.
Explanation: Annualized Loss Expectancy (ALE) is what it costs per year if we do nothing (SLE x ARO).

With the CIA triad in mind, when we choose to have too much integrity, which other control will MOST LIKELY suffer?
Options: Confidentiality. Availability. Identity. Accountability.
Answer: Availability.
Explanation: Finding the right mix of confidentiality, integrity and availability is a balancing act, and really the cornerstone of IT security: finding the RIGHT mix for your organization. Too much integrity and availability can suffer.

Which of these would NOT be a factor we would consider to protect our availability?
Options: Patch management. Redundant hardware. SLAs. Non-redundant hardware.
Answer: Non-redundant hardware.
Explanation: To ensure availability we use IPS/IDS, patch management, redundancy in hardware, power (multiple power supplies, UPSs, generators), disks (RAID), traffic paths (network design), HVAC, staff, HA (high availability) and much more. SLAs state how much uptime we want (99.9%?), weighed against the cost (ROI).

We are looking at our risk responses. We are considering buying insurance to cover the gaps we have. Which type of response would that be?
Options: Risk transference. Risk rejection. Risk avoidance. Risk mitigation.
Answer: Risk transference.
Explanation: Transferring the risk is the insurance approach. We could get flood insurance for the data center: the flooding will still happen and we will still lose 15% of the infrastructure, but we are insured for the cost.

Jane has suggested we implement full disk encryption on our laptops. Our organization, on average, loses 25 laptops per year, and currently it costs us $10,000 per laptop: $1,000 for the laptop itself, plus $9,000 in losses from non-encrypted data being exposed. We want to keep using laptops and have our ARO (Annualized Rate of Occurrence) stay the same. How much can the countermeasure we implement cost per year for us to break even?
Options: 2,250,000. 225,000. 250,000. 22,500.
Answer: 225,000.
Explanation: If we implemented full disk encryption, the break-even point would be $225,000 per year. We would still lose 25 laptops per year at $1,000 each, so that $25,000 per year is lost regardless of encryption. What we would save is 25 x $9,000 = $225,000 from the non-encrypted data exposure, and that is the most we can spend on encryption per year and still break even. In the ALE terms used above: ALE before = $250,000, ALE after = $25,000, and the value of the control is the difference minus its annual cost.
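The quantitative risk formulas used throughout this page (AV, EF, SLE, ARO, ALE, total and residual risk) and the laptop break-even question directly above, carried through in code as an added example. This is not from the original page; the class and function names are mine, and the laptop figures are the ones the question states. `control_value` generalizes the break-even step to any countermeasure: a positive result means the control saves more per year than it costs.

```python
"""Quantitative risk analysis helpers (added example).

AV  asset value                      SLE = AV * EF
EF  exposure factor (0.0 .. 1.0)     ALE = SLE * ARO
ARO annualized rate of occurrence
Value of a control = ALE(before) - ALE(after) - annual cost of the control
Total risk = threat * vulnerability * asset value; residual = total - countermeasures
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in the page's terms."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in a single incident
    aro: float              # ARO, incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a percentage of AV and must lie between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: cost per year if we do nothing."""
        return self.sle() * self.aro


def break_even_cost(before: Scenario, after: Scenario) -> float:
    """Largest annual spend on a control at which it still pays for itself."""
    return before.ale() - after.ale()


def control_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a countermeasure; negative means it costs more than it saves."""
    return break_even_cost(before, after) - annual_cost


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """Total risk as the page defines it: threat * vulnerability * asset value."""
    return threat * vulnerability * asset_value


def residual_risk(threat: float, vulnerability: float, asset_value: float,
                  countermeasures: float) -> float:
    """What is left after the controls are subtracted from the total risk."""
    return total_risk(threat, vulnerability, asset_value) - countermeasures


# Laptop question from the page: 25 losses/year, $10,000 per loss, of which $1,000 is
# hardware and $9,000 is data exposure. Encryption removes the data exposure only.
LAPTOP_UNENCRYPTED = Scenario(asset_value=10_000, exposure_factor=1.0, aro=25)
LAPTOP_ENCRYPTED = Scenario(asset_value=10_000, exposure_factor=0.1, aro=25)


def laptop_break_even() -> float:
    """The figure the question asks for: maximum annual encryption cost to break even."""
    return break_even_cost(LAPTOP_UNENCRYPTED, LAPTOP_ENCRYPTED)


if __name__ == "__main__":
    print(f"ALE without encryption: ${LAPTOP_UNENCRYPTED.ale():,.0f}")
    print(f"ALE with encryption:    ${LAPTOP_ENCRYPTED.ale():,.0f}")
    print(f"Break-even spend/year:  ${laptop_break_even():,.0f}")
    # Constructed comparison: a $150,000/year encryption program is clearly worth it,
    # a $300,000/year one is not.
    for cost in (150_000, 300_000):
        print(f"Control at ${cost:,}/year: net value ${control_value(LAPTOP_UNENCRYPTED, LAPTOP_ENCRYPTED, cost):,.0f}")
```

The EF of 0.1 for the encrypted case encodes the question's assumption that the $1,000 of hardware is still lost but the $9,000 of data is not; if a vendor quotes a per-laptop cost, multiply by the fleet size before comparing it with `laptop_break_even()`.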