42 CISSP Asset Security (15abr2016) - QsAs GES

Asociacin Latinoamericana de
Profesionales en Seguridad Informtica A.C.
CISSP Seminar ALAPSI AC- Domain Asset

Security
Asociacin Latinoamericana de Profesionales en

Seguridad Informtica A.C.
Seminario de Preparacin CISSP

Asset Security
LIC., CISSP, CISM, GONZALO ESPINOSA
http://mx.linkedin.com/in/gonzaloespinosasp
https://twitter.com/G_Espinosa_Mx
A.G.Espinosa.Mx@gmail.com
15 Abril 2016
Contenido del Seminario

Repaso de conceptos
Coffee Break
Sesin de preguntas y respuestas con la
participacin de los alumnos
Asset Security
www.alapsi.com/WP/educacion/cissp/

Security
Objetivos
Compartir un mismo entendimiento
Leer-Entender-Comprender-Aprender-Ejercer
Familiarizarse con
El concepto
Con la aplicacin del concepto
Con escenarios
Asset Security
Overview
CISSP candidates are expected to be well versed in

information asset ownership, classification,
management and protection.
Asset Security focuses on the classifying, managing
and securing information assets and supporting
infrastructure throughout its lifecycle with an
emphasis on privacy protection.
Asset Security

Security
A CISSP candidate is expected to
Classify information and supporting assets

Determine and maintain ownership
Protect Privacy
Ensure appropriate retention
Determine data security controls
Establish handling requirements
Asset Security
Asset Security - Topics
Asset Security

Security
Asset Security
SESIN DE PREGUNTAS
Asset Security
1.
A.
B.
C.
D.
Which of the following is the weakest element in any security solution?

Software products
Internet connections
Security policies
Humans
Asset Security

Security
D. Regardless of the specifics of a security solution, humans are the weakest element.
Asset Security
2.
A.
B.
C.
D.
When seeking to hire new employees, what is the first step?

Create a job description.
Set position classification.
Screen candidates.
Request resumes.
Asset Security

Security
A. The first step in hiring new employees is to create a job description. Without a job description,
there is no consensus on what type of individual needs to be found and hired.
Asset Security
3.
A.
B.
C.
D.
What is the primary purpose of an exit interview?

To return the exiting employees personal belongings
To review the nondisclosure agreement
To evaluate the exiting employees performance
To cancel the exiting employees network access accounts
Asset Security

Security
B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA).
Asset Security
4.
A.
B.
C.
D.
When an employee is to be terminated, which of the following should be done?

Inform the employee a few hours before they are officially terminated.
Disable the employees network access just before they are informed of the termination.
Send out a broadcast e-mail informing everyone that a specific employee is to be terminated.
Wait until you and the employee are the only people remaining in the building before
announcing the termination.
Asset Security

Security
B. You should remove or disable the employees network user account immediately before or at
the same time they are informed of their termination.
Asset Security
5. Who is liable for failing to perform prudent due care?

A. Security professionals
B. Data custodian
C. Auditor
D. Senior management
Asset Security

Security
D. Senior management is liable for failing to perform prudent due care.
Asset Security
6. Which of the following is a document that defines the scope of security needed by an
organization, lists the assets that need protection, and discusses the extent to which security
solutions should go to provide the necessary protection?
A. Security policy
B. Standard
C. Guideline
D. Procedure
Asset Security

Security
A. The document that defines the scope of an organizations security requirements is called a
security policy. The policy lists the assets to be protected and discusses the extent to which
security solutions should go to provide the necessary protection.
Asset Security
7. Which of the following policies is required when industry or legal standards are applicable to
your organization?
A. Advisory
B. Regulatory
C. Baseline
D. Informative
Asset Security
10

Security
B. A regulatory policy is required when industry or legal standards are applicable to your
organization. This policy discusses the rules that must be followed and outlines the procedures
that should be used to elicit compliance.
Asset Security
8.
A.
B.
C.
D.
Which of the following is not an element of the risk analysis process?

Analyzing an environment for risks
Creating a cost/benefit report for safeguards to present to upper management
Selecting appropriate safeguards and implementing them
Evaluating each risk as to its likelihood of occurring and cost of the resulting damage
Asset Security
11

Security
C. Risk analysis includes analyzing an environment for risks, evaluating each risk as to its
likelihood of occurring and the cost of the damage it would cause, assessing the cost of various
countermeasures for each risk, and creating a cost/benefit report for safeguards to present to
upper management. Selecting safeguards is a task of upper management based on the results
of risk analysis. It is a task that falls under risk management, but it is not part of the risk
analysis process.
Asset Security
9.
A.
B.
C.
D.
Which of the following would not be considered an asset in a risk analysis?

A development process
An IT infrastructure
A proprietary system resource
Users personal files
Asset Security
12

Security
D. The personal files of users are not assets of the organization and thus not considered in a risk
analysis.
Asset Security
10.
Which of the following represents accidental exploitations of vulnerabilities?
A. Threat events
B. Risks
C. Threat agents
D. Breaches
Asset Security
13

Security
A. Threat events are accidental exploitations of vulnerabilities.
Asset Security
11. When a safeguard or a countermeasure is not present or is not sufficient, what is created?
A. Vulnerability
B. Exposure
C. Risk
D. Penetration
Asset Security
14

Security
A. A vulnerability is the absence or weakness of a safeguard or countermeasure.
Asset Security
12. Which of the following is not a valid definition for risk?

A.
An assessment of probability, possibility, or chance
B.
Anything that removes a vulnerability or protects against one or more specific threats
C.
Risk = threat + vulnerability
D.
Every instance of exposure
Asset Security
15

Security
B. Anything that removes a vulnerability or protects against one or more specific threats is
considered a safeguard or a countermeasure, not a risk.
Asset Security
13.
When evaluating safeguards, what is the rule that should be followed in most cases?
A. Expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. Annual costs of safeguards should equal the value of the asset.
C. Annual costs of safeguards should not exceed the expected annual cost of asset loss.
D. Annual costs of safeguards should not exceed 10 percent of the security budget.
Asset Security
16

Security
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
Asset Security
14.
How is single loss expectancy (SLE) calculated?
A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor
Asset Security
17

Security
B. SLE is calculated using the formula SLE = asset value ($) * exposure factor.
http://www.digitalthreat.net/2010/05/information-security-risk-analysis/
Asset Security
15.
How is the value of a safeguard to a company calculated?
A. ALE before safeguard ALE after implementing the safeguard annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard controls gap
D. Total risk controls gap
Asset Security
18

Security
A. The value of a safeguard to an organization is calculated by ALE before safeguard ALE after
implementing the safeguard annual cost of safeguard.
Asset Security
16.
What security control is directly focused on preventing collusion?
A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis
Asset Security
19

Security
C. The likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme is
reduced due to the higher risk of detection created by the combination of separation of duties,
restricted job responsibilities, and job rotation.
Asset Security
17.
Which security role is responsible for assigning the sensitivity label to objects?
A. Users
B. Data owner
C. Senior management
D. Data custodian
Asset Security
20

Security
B. The data owner is responsible for assigning the sensitivity label to new objects and resources.
Asset Security
18.
When you are attempting to install a new security mechanism for which there is not a
detailed step-by-step guide on how to implement that specific product, which element of the
security policy should you turn to?
A. Policies
B. Procedures
C. Standards
D. Guidelines
Asset Security
21

Security
D. If no detailed step-by-step instructions or procedures exist, then turn to the guidelines for
general principles to follow for the installation.
Asset Security
19.
While performing a risk analysis, you identify a threat of fire and a vulnerability because
there are no fire extinguishers. Based on this information, which of the following is a possible
risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information
Asset Security
22

Security
B. The threat of a fire and the vulnerability of a lack of fire extinguishers leads to the risk of
damage to equipment.
Asset Security
20.
Youve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk
relation. You select a possible countermeasure. When re-performing the calculations, which of
the following factors will change?
A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence
Asset Security
23

Security
D. A countermeasure directly affects the annualized rate of occurrence, primarily because the
countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency
per year.
Asset Security
21. Which one of the following malicious code objects might be inserted in an application by a
disgruntled software developer with the purpose of destroying system data upon the deletion
of the developers account (presumably following their termination)?
A. Virus
B. Worm
C. Trojan horse
D. Logic bomb
Asset Security
24

Security
D. Logic bombs are malicious code objects programmed to lie dormant until certain logical
condition, such as a certain date, time, system event, or other criteria, are met. At that time,
they spring into action, triggering their malicious payload.
Asset Security
22. What term is used to describe code objects that act on behalf of a user while operating in an
unattended manner?
A. Agent
B. Worm
C. Applet
D. Browser
Asset Security
25

Security
A. Intelligent agents are code objects programmed to perform certain operations on behalf of a
user in their absence. They are also often referred to as bots.
Asset Security
23. An application or system that is distributed to a number of different locations is evaluated for
what type of information system security accreditation?
A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation
Asset Security
26

Security
D. An application or system that is distributed to a number of different locations is evaluated for

the DITSCAP (Department of Defense Information Technology Security Certification and
Accreditation Process) and NIACAP (National Information Assurance Certification and
Accreditation Process) type accreditation.
http://infohost.nmt.edu/~sfs/Regs/nstissi_1000.pdf
Asset Security
24. Which of the following characteristics can be used to differentiate worms from viruses?
A. Worms infect a system by overwriting data in the Master Boot Record of a storage device.
B. Worms always spread from system to system without user intervention.
C. Worms always carry a malicious payload that impacts infected systems.
D. All of the above.
Asset Security
27

Security
B. The major difference between viruses and worms is that worms are self-replicating whereas
viruses require user intervention to spread from system to system. Infection of the Master Boot
Record is a characteristic of a subclass of viruses known as MBR viruses. Both viruses and
worms are capable of carrying malicious payloads.
Asset Security
25. What programming language(s) can be used to develop ActiveX controls for use on an
Internet site?
A. Visual Basic
B. C
C. Java
D. All of the above
Asset Security
28

Security
D. Microsofts ActiveX technology supports a number of programming languages, including Visual

Basic, C, C++, and Java. On the other hand, only the Java language may be used to write Java
applets.
Asset Security
26. For what type of information system security accreditation is a major application or general
support system evaluated?
Asset Security
29

Security
A. A major application or general support system is evaluated for DITSCAP and NIACAP system
accreditation. DITSCAP (Department of Defense Information Technology Security Certification
and Accreditation Process). NIACAP (National Information Assurance Certification and
Accreditation Process).
Asset Security
27. Which one of the following key types is used to enforce referential integrity between database
tables?
A. Candidate key
B. Primary key
C. Foreign key
D. Super key
Asset Security
30

Security
C. Foreign keys are used to enforce referential integrity constraints between tables that
participate in a relationship.
http://www.agiledata.org/essays/referentialIntegrity.html#ReferentialIntegrityImplementationOptions
Asset Security
28. Richard believes that a database user is misusing his privileges to gain information about the
companys overall business trends by issuing queries that combine data from a large number of
records. What process is the database user taking advantage of?
A. Inference
B. Contamination
C. Polyinstantiation
D. Aggregation
Asset Security
31

Security
D. In this case, the process the database user is taking advantage of is aggregation. Aggregation
attacks involve the use of specialized database functions to combine information from a large
number of database records to reveal information that may be more sensitive than the
information in individual records would reveal.
Asset Security
29. What database technique can be used to prevent unauthorized users from determining
classified information by noticing the absence of information normally available to them?
A. Inference
B. Manipulation
C. Polyinstantiation
D. Aggregation
Asset Security
32

Security
C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary
key values into a database at different classification levels.
Asset Security
30. Which one of the following terms cannot be used to describe the main RAM of a typical
computer system?
A. Nonvolatile
B. Sequential access
C. Real memory
D. Primary memory
Asset Security
33

Security
B. Random access memory (RAM) allows for the direct addressing of any point within the
resource. A sequential access storage medium, such as a magnetic tape, requires scanning
through the entire media from the beginning to reach a specific address.
Asset Security
31. What type of information is used to form the basis of an expert systems decision-making
process?
A. A series of weighted layered computations
B. Combined input from a number of human experts, weighted according to past performance
C. A series of if/then rules codified in a knowledge base
D. A biological decision-making process that simulates the reasoning process used by the human
mind
Asset Security
34

Security
C. Expert systems utilize a knowledge base consisting of a series of if/then statements to form
decisions based upon the previous experience of human experts.
Asset Security
32. Which one of the following intrusion detection systems makes use of an expert system to
detect anomalous user activity?
A. PIX
B. IDIOT
C. AAFID
D. NIDES
Asset Security
35

Security
D. The Next-Generation Intrusion Detection Expert System (NIDES) system is an expert systembased intrusion detection system. PIX (Private Internet Exchange) is a firewall, and IDIOT
(Intrusion Detection In Our Time) and AAFID (Autonomous Agents for Intrusion Detection),
are intrusion detection systems that do not utilize expert systems.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.2492&rep=rep1&type=pdf
Asset Security
33. For what type of information system security accreditation are the applications and systems at
a specific, self-contained location evaluated?
Asset Security
36

Security
B. The applications and systems at a specific, self-contained location are evaluated for DITSCAP
and NIACAP site accreditation. DITSCAP (Department of Defense Information Technology
Security Certification and Accreditation Process). NIACAP (National Information Assurance
Certification and Accreditation Process).
Asset Security
34. Which software development life cycle model allows for multiple iterations of the development
process, resulting in multiple prototypes, each produced according to a complete design and
testing process?
A. Software Capability Maturity Model
B. Waterfall model
C. Development cycle
D. Spiral model
Asset Security
37

Security
D. The spiral model allows developers to repeat iterations of another life cycle model (such as the
waterfall model) to produce a number of fully tested prototypes.
Asset Security
35. In systems utilizing a ring protection scheme, at what level does the security kernel reside?
A. Level 0
B. Level 1
C. Level 2
D. Level 3
Asset Security
38

Security
A. The security kernel and reference monitor reside at Level 0 in the ring protection scheme,
where they have unrestricted access to all system resources.
Asset Security
36. Which database security risk occurs when data from a higher classification level is mixed with
data from a lower classification level?
A. Aggregation
B. Inference
C. Contamination
D. Polyinstantiation
Asset Security
39

Security
C. Contamination is the mixing of data from a higher classification level and/or need-to-know
requirement with data from a lower classification level and/or need-to-know requirement.
Asset Security
37. Which of the following programming languages is least prone to the insertion of malicious
code by a third party?
A. C++
B. Java
C. VBScript
D. FORTRAN
Asset Security
40

Security
C. Of the languages listed, VBScript is the least prone to modification by third parties because it is
an interpreted language whereas the other three languages (C++, Java, and FORTRAN) are
compiled languages.
http://www.cs.uky.edu/~paulp/CS216F12/CS216Java.htm
Asset Security
38. Which one of the following is not part of the change control process?
A. Request control
B. Release control
C. Configuration audit
D. Change control
Asset Security
41

Security
C. Configuration audit is part of the configuration management process rather than the change
control process.
Asset Security
What transaction management principle ensures that two transactions do not interfere with each
other as they operate on the same data?
A. Atomicity
B. Consistency
C. Isolation
D. Durability
Asset Security
42

Security
C. The isolation principle states that two transactions operating on the same data must be
temporally separated from each other such that one does not interfere with the other.
Asset Security
40. Which subset of the Structured Query Language is used to create and modify the database
schema?
A. Data Definition Language
B. Data Structure Language
C. Database Schema Language
D. Database Manipulation Language
Asset Security
43

Security
A The Data Manipulation Language (DML) is used to make modifications to a relational databases schema.
Asset Security
Asset Security
SESIN DE PREGUNTAS
Asset Security
44

Security
Asociacin Latinoamericana de Profesionales en

Seguridad Informtica A.C.
Seminario de Preparacin CISSP

Asset Security
LIC., CISSP, CISM, GONZALO ESPINOSA
http://mx.linkedin.com/in/gonzaloespinosasp
https://twitter.com/G_Espinosa_Mx
A.G.Espinosa.Mx@gmail.com
15 Abril 2016
45

42 CISSP Asset Security (15abr2016) - QsAs GES

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

42 CISSP Asset Security (15abr2016) - QsAs GES

Hochgeladen von

Copyright:

Verfügbare Formate

Asociacin Latinoamericana de

Profesionales en Seguridad Informtica A.C.

CISSP Seminar ALAPSI AC- Domain Asset

Asociacin Latinoamericana de Profesionales en

Seminario de Preparacin CISSP

Contenido del Seminario

CISSP Seminar ALAPSI AC- Domain Asset

CISSP candidates are expected to be well versed in

CISSP Seminar ALAPSI AC- Domain Asset

A CISSP candidate is expected to

Classify information and supporting assets

Asset Security - Topics

CISSP Seminar ALAPSI AC- Domain Asset

Which of the following is the weakest element in any security solution?

CISSP Seminar ALAPSI AC- Domain Asset

When seeking to hire new employees, what is the first step?

CISSP Seminar ALAPSI AC- Domain Asset

What is the primary purpose of an exit interview?

CISSP Seminar ALAPSI AC- Domain Asset

When an employee is to be terminated, which of the following should be done?

CISSP Seminar ALAPSI AC- Domain Asset

5. Who is liable for failing to perform prudent due care?

CISSP Seminar ALAPSI AC- Domain Asset

D. Senior management is liable for failing to perform prudent due care.

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

Which of the following is not an element of the risk analysis process?

CISSP Seminar ALAPSI AC- Domain Asset

Which of the following would not be considered an asset in a risk analysis?

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

A. Threat events are accidental exploitations of vulnerabilities.

CISSP Seminar ALAPSI AC- Domain Asset

A. A vulnerability is the absence or weakness of a safeguard or countermeasure.

12. Which of the following is not a valid definition for risk?

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

D. An application or system that is distributed to a number of different locations is evaluated for

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

D. Microsofts ActiveX technology supports a number of programming languages, including Visual

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset

CISSP Seminar ALAPSI AC- Domain Asset