15 April 2016
Asset Security
www.alapsi.com/WP/educacion/cissp/
Asociación Latinoamericana de Profesionales en Seguridad Informática A.C.
Objectives
Share a common understanding
Read - Understand - Comprehend - Learn - Practice
Become familiar with:
The concept
The application of the concept
Scenarios
Overview
QUESTION SESSION
1.
A.
B.
C.
D.
D. Regardless of the specifics of a security solution, humans are the weakest element.
2.
A.
B.
C.
D.
A. The first step in hiring new employees is to create a job description. Without a job description,
there is no consensus on what type of individual needs to be found and hired.
3.
A.
B.
C.
D.
B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA).
4.
A.
B.
C.
D.
B. You should remove or disable the employee's network user account immediately before or at
the same time they are informed of their termination.
6. Which of the following is a document that defines the scope of security needed by an
organization, lists the assets that need protection, and discusses the extent to which security
solutions should go to provide the necessary protection?
A. Security policy
B. Standard
C. Guideline
D. Procedure
A. The document that defines the scope of an organization's security requirements is called a
security policy. The policy lists the assets to be protected and discusses the extent to which
security solutions should go to provide the necessary protection.
7. Which of the following policies is required when industry or legal standards are applicable to
your organization?
A. Advisory
B. Regulatory
C. Baseline
D. Informative
B. A regulatory policy is required when industry or legal standards are applicable to your
organization. This policy discusses the rules that must be followed and outlines the procedures
that should be used to elicit compliance.
8.
A.
B.
C.
D.
C. Risk analysis includes analyzing an environment for risks, evaluating each risk as to its
likelihood of occurring and the cost of the damage it would cause, assessing the cost of various
countermeasures for each risk, and creating a cost/benefit report for safeguards to present to
upper management. Selecting safeguards is a task of upper management based on the results
of risk analysis. It is a task that falls under risk management, but it is not part of the risk
analysis process.
9.
A.
B.
C.
D.
D. The personal files of users are not assets of the organization and thus not considered in a risk
analysis.
10. Which of the following represents accidental exploitations of vulnerabilities?
A. Threat events
B. Risks
C. Threat agents
D. Breaches
11. When a safeguard or a countermeasure is not present or is not sufficient, what is created?
A. Vulnerability
B. Exposure
C. Risk
D. Penetration
B. Anything that removes a vulnerability or protects against one or more specific threats is
considered a safeguard or a countermeasure, not a risk.
13. When evaluating safeguards, what is the rule that should be followed in most cases?
A. Expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. Annual costs of safeguards should equal the value of the asset.
C. Annual costs of safeguards should not exceed the expected annual cost of asset loss.
D. Annual costs of safeguards should not exceed 10 percent of the security budget.
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
14. How is single loss expectancy (SLE) calculated?
A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor
B. SLE is calculated using the formula SLE = asset value ($) * exposure factor.
http://www.digitalthreat.net/2010/05/information-security-risk-analysis/
15. How is the value of a safeguard to a company calculated?
A. ALE before safeguard − ALE after implementing the safeguard − annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard − controls gap
D. Total risk − controls gap
A. The value of a safeguard to an organization is calculated as ALE before safeguard − ALE after
implementing the safeguard − annual cost of safeguard.
16. What security control is directly focused on preventing collusion?
A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis
C. The likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme is
reduced due to the higher risk of detection created by the combination of separation of duties,
restricted job responsibilities, and job rotation.
17. Which security role is responsible for assigning the sensitivity label to objects?
A. Users
B. Data owner
C. Senior management
D. Data custodian
B. The data owner is responsible for assigning the sensitivity label to new objects and resources.
18. When you are attempting to install a new security mechanism for which there is not a
detailed step-by-step guide on how to implement that specific product, which element of the
security policy should you turn to?
A. Policies
B. Procedures
C. Standards
D. Guidelines
D. If no detailed step-by-step instructions or procedures exist, then turn to the guidelines for
general principles to follow for the installation.
19. While performing a risk analysis, you identify a threat of fire and a vulnerability because
there are no fire extinguishers. Based on this information, which of the following is a possible
risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information
B. The threat of a fire combined with the vulnerability of a lack of fire extinguishers leads to the
risk of damage to equipment.
20. You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk
relation. You select a possible countermeasure. When re-performing the calculations, which of
the following factors will change?
A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence
D. A countermeasure directly affects the annualized rate of occurrence, primarily because the
countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency
per year.
21. Which one of the following malicious code objects might be inserted in an application by a
disgruntled software developer with the purpose of destroying system data upon the deletion
of the developer's account (presumably following their termination)?
A. Virus
B. Worm
C. Trojan horse
D. Logic bomb
D. Logic bombs are malicious code objects programmed to lie dormant until certain logical
conditions, such as a certain date, time, system event, or other criteria, are met. At that time,
they spring into action, triggering their malicious payload.
22. What term is used to describe code objects that act on behalf of a user while operating in an
unattended manner?
A. Agent
B. Worm
C. Applet
D. Browser
A. Intelligent agents are code objects programmed to perform certain operations on behalf of a
user in their absence. They are also often referred to as bots.
23. An application or system that is distributed to a number of different locations is evaluated for
what type of information system security accreditation?
A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation
http://infohost.nmt.edu/~sfs/Regs/nstissi_1000.pdf
24. Which of the following characteristics can be used to differentiate worms from viruses?
A. Worms infect a system by overwriting data in the Master Boot Record of a storage device.
B. Worms always spread from system to system without user intervention.
C. Worms always carry a malicious payload that impacts infected systems.
D. All of the above.
B. The major difference between viruses and worms is that worms are self-replicating whereas
viruses require user intervention to spread from system to system. Infection of the Master Boot
Record is a characteristic of a subclass of viruses known as MBR viruses. Both viruses and
worms are capable of carrying malicious payloads.
25. What programming language(s) can be used to develop ActiveX controls for use on an
Internet site?
A. Visual Basic
B. C
C. Java
D. All of the above
26. For what type of information system security accreditation is a major application or general
support system evaluated?
A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation
A. A major application or general support system is evaluated for DITSCAP and NIACAP system
accreditation. DITSCAP is the Department of Defense Information Technology Security Certification
and Accreditation Process; NIACAP is the National Information Assurance Certification and
Accreditation Process.
27. Which one of the following key types is used to enforce referential integrity between database
tables?
A. Candidate key
B. Primary key
C. Foreign key
D. Super key
C. Foreign keys are used to enforce referential integrity constraints between tables that
participate in a relationship.
http://www.agiledata.org/essays/referentialIntegrity.html#ReferentialIntegrityImplementationOptions
28. Richard believes that a database user is misusing his privileges to gain information about the
company's overall business trends by issuing queries that combine data from a large number of
records. What process is the database user taking advantage of?
A. Inference
B. Contamination
C. Polyinstantiation
D. Aggregation
D. In this case, the process the database user is taking advantage of is aggregation. Aggregation
attacks involve the use of specialized database functions to combine information from a large
number of database records to reveal information that may be more sensitive than the
information in individual records would reveal.
29. What database technique can be used to prevent unauthorized users from determining
classified information by noticing the absence of information normally available to them?
A. Inference
B. Manipulation
C. Polyinstantiation
D. Aggregation
C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary
key values into a database at different classification levels.
30. Which one of the following terms cannot be used to describe the main RAM of a typical
computer system?
A. Nonvolatile
B. Sequential access
C. Real memory
D. Primary memory
B. Random access memory (RAM) allows for the direct addressing of any point within the
resource. A sequential access storage medium, such as a magnetic tape, requires scanning
through the entire media from the beginning to reach a specific address.
31. What type of information is used to form the basis of an expert system's decision-making
process?
A. A series of weighted layered computations
B. Combined input from a number of human experts, weighted according to past performance
C. A series of if/then rules codified in a knowledge base
D. A biological decision-making process that simulates the reasoning process used by the human
mind
C. Expert systems utilize a knowledge base consisting of a series of if/then statements to form
decisions based upon the previous experience of human experts.
32. Which one of the following intrusion detection systems makes use of an expert system to
detect anomalous user activity?
A. PIX
B. IDIOT
C. AAFID
D. NIDES
D. The Next-Generation Intrusion Detection Expert System (NIDES) is an expert system-based
intrusion detection system. PIX (Private Internet Exchange) is a firewall, and IDIOT
(Intrusion Detection In Our Time) and AAFID (Autonomous Agents for Intrusion Detection)
are intrusion detection systems that do not utilize expert systems.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.2492&rep=rep1&type=pdf
33. For what type of information system security accreditation are the applications and systems at
a specific, self-contained location evaluated?
A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation
B. The applications and systems at a specific, self-contained location are evaluated for DITSCAP
and NIACAP site accreditation. DITSCAP is the Department of Defense Information Technology
Security Certification and Accreditation Process; NIACAP is the National Information Assurance
Certification and Accreditation Process.
34. Which software development life cycle model allows for multiple iterations of the development
process, resulting in multiple prototypes, each produced according to a complete design and
testing process?
A. Software Capability Maturity Model
B. Waterfall model
C. Development cycle
D. Spiral model
D. The spiral model allows developers to repeat iterations of another life cycle model (such as the
waterfall model) to produce a number of fully tested prototypes.
35. In systems utilizing a ring protection scheme, at what level does the security kernel reside?
A. Level 0
B. Level 1
C. Level 2
D. Level 3
A. The security kernel and reference monitor reside at Level 0 in the ring protection scheme,
where they have unrestricted access to all system resources.
36. Which database security risk occurs when data from a higher classification level is mixed with
data from a lower classification level?
A. Aggregation
B. Inference
C. Contamination
D. Polyinstantiation
C. Contamination is the mixing of data from a higher classification level and/or need-to-know
requirement with data from a lower classification level and/or need-to-know requirement.
37. Which of the following programming languages is least prone to the insertion of malicious
code by a third party?
A. C++
B. Java
C. VBScript
D. FORTRAN
C. Of the languages listed, VBScript is the least prone to modification by third parties because it is
an interpreted language whereas the other three languages (C++, Java, and FORTRAN) are
compiled languages.
http://www.cs.uky.edu/~paulp/CS216F12/CS216Java.htm
38. Which one of the following is not part of the change control process?
A. Request control
B. Release control
C. Configuration audit
D. Change control
C. Configuration audit is part of the configuration management process rather than the change
control process.
39. What transaction management principle ensures that two transactions do not interfere with each
other as they operate on the same data?
A. Atomicity
B. Consistency
C. Isolation
D. Durability
C. The isolation principle states that two transactions operating on the same data must be
temporally separated from each other such that one does not interfere with the other.
40. Which subset of the Structured Query Language is used to create and modify the database
schema?
A. Data Definition Language
B. Data Structure Language
C. Database Schema Language
D. Database Manipulation Language
A. The Data Manipulation Language (DML) is used to make modifications to a relational database's schema.
QUESTION SESSION