Exam (elaborations)

C836 Exam And Review Updated Chapter 1 To Chapter 6 Questions And Answer Verified 100% Correct

Pages
19
Grade
A+
Uploaded on
20-05-2025
Written in
2024/2025


C836 Exam And Review Updated Chapter 1 To Chapter 6
Questions And Answer Verified 100% Correct

CHAPTER 1

Identify the four types of attacks (i.e., interception, interruption, modification, and fabrication).

- Interception attacks allow unauthorized users to access our data, applications,
or environments, and are primarily an attack against confidentiality. Interception
might take the form of unauthorized file viewing or copying, eavesdropping on
phone conversations, or reading e-mail, and be conducted against data at rest or
in motion. Properly executed, interception attacks can be very difficult to detect.
- Interruption attacks cause our assets to become unusable or unavailable for our
use, on a temporary or permanent basis. Interruption attacks often affect
availability but can be an attack on integrity as well.
- Modification attacks involve tampering with our asset. Such attacks might
primarily be considered an integrity attack but could also represent an
availability attack.
- Fabrication attacks involve generating data, processes, communications, or
other similar activities with a system. Fabrication attacks primarily affect
integrity but could be considered an availability attack as well.
- Confidentiality (Interception), Integrity (Interruption, Modification, Fabrication),
Availability (Interruption, Modification, Fabrication)

Compare threats, vulnerabilities, risk, and impact.

- Threat is something that has the potential to cause us harm. Threats tend to be
specific to certain environments, particularly in the world of information security.
- Vulnerabilities are weaknesses that can be used to harm us. In essence, they
are holes that can be exploited by threats in order to cause us harm. A
vulnerability might be a specific operating system or application that we are
running, a physical location where we have chosen to place our office building, a
data center that is populated over the capacity of its air-conditioning system, a
lack of backup generators, or other factors.
- Risk is the likelihood that something bad will happen. In order for us to have a
risk in a particular environment, we need to have both a threat and a vulnerability
that the specific threat can exploit.
- Impact takes the value of the asset being threatened into account as a factor;
this may change whether we see a risk as being present or not.

Define the risk management process and its stages.

- Identify assets: one of the first and arguably one of the most important parts of
the risk management process is identifying and categorizing the assets that we
are protecting. If we cannot enumerate the assets that we have and evaluate the
importance of each of them, protecting them can become a very difficult task.
Once we have been able to identify the assets in use, deciding which of them is
a critical business asset is another question entirely. Making an accurate
determination of which assets are truly critical to conducting business will
generally require the input of functions that make use of the asset, those that
support the asset itself, and potentially other involved parties as well. Not all
assets need to be protected equally; by determining where resources should be
focused, cost can be reduced while security is increased.
- Identify threats takes place after critical assets are enumerated. It is useful to
have a framework within which to discuss the nature of a given threat, and the
CIA triad or Parkerian hexad serves nicely for this purpose. There needs to be a
concern with losing control of data, maintaining accurate data, and keeping the
system up and running. Given this information, we can begin to look at areas of
vulnerability and potential risk.
- Assess vulnerabilities, in the context of potential threats. An asset may have
thousands or millions of threats that could impact it, but only a small fraction of
these will actually be relevant. The issue of identifying these is narrowed
considerably by looking at the potential threats first.
- Assess risks: once we have identified the threats and vulnerabilities for a given
asset, we can assess the overall risk. Risk is the conjunction of a threat and a
vulnerability. A vulnerability with no matching threat or a threat with no matching
vulnerability does not constitute risk.
- Mitigating risks: to help mitigate risk, we can put measures in place to help
ensure that a given type of threat is accounted for. These measures are referred
to as controls. Controls are divided into three categories: physical, logical, and
administrative.

Define the incident response process and its stages.

- If our risk management efforts fail, incident response exists to react to such
events. Incident response should be primarily oriented to the items that we feel
are likely to cause us pain as an organization, which we should now know based
on our risk management efforts. Reactions to such incidents should be based, as
much as is possible or practical, on documented incident response plans, which
are regularly reviewed, tested, and practiced by those who will be expected to
enact them in the case of an actual incident. The incident response process at a
high level consists of: Preparation, Detection and analysis, Containment,
Eradication, Recovery, Post incident activity.
- Preparation: the preparation phase of incident response consists of all the
activities that we can perform, in advance of the incident itself, in order to better
enable us to handle it. This involves having the policies and procedures that
govern incident response and handling in place, conducting training and
education for both incident handlers and those who are expected to report
incidents, conducting incident response exercises, developing and maintaining
documentation, and numerous other such activities. The importance of this
phase of incident response should not be underestimated. Without adequate
preparation, it is extremely unlikely that response to an incident will go well
and/or in the direction that we expect it to go. The time to determine what needs
to be done, who needs to do it, and how to do it is not when we are faced with
a burning emergency.
- Detection and analysis phase is where the action begins to happen in our incident
response process. This phase will detect the occurrence of an issue and decide
whether it is an incident so that we can respond to it appropriately. The detection
portion of this phase will often be the result of monitoring of or alerting based
on the output of a security tool or service. The analysis portion is often a
combination of automation from a tool or service.
- Containment, eradication, and recovery phase is where most of the work takes
place to solve the incident, at least in the short term. Containment involves
taking steps to ensure that the situation does not cause any more damage
than it already has, or at least to lessen any ongoing harm. Eradication is the
attempt to remove the effects of the issue from the environment. Recovery is to
recover to a better state, one in which we were prior to the incident, or
perhaps prior to when the issue started if we did not detect the problem immediately.
This could potentially involve restoring devices or data from backup media,
rebuilding systems, reloading applications, or any similar activities.
- Post incident activity phase is often referred to as a postmortem; in it we
attempt to determine specifically what happened, why it happened, and what we
can do to keep it from happening again.

Define “defense in depth.”

- Defense in depth is a strategy common to both military maneuvers and
information security. The basic concept is to formulate a multilayered defense
that will allow us to still achieve a successful defense should one or more of our
defense measures fail.

Define compliance, including regulatory and industry compliance.

Identify types of controls to mitigate risk (i.e., physical, logical, administrative).

o Physical controls are those controls that protect the physical environment in
which our systems sit, or where our data is stored. Such controls also control
access in and out of such environments. Physical controls logically include items
such as fences, gates, locks, bollards, guards, and cameras, but also include
systems that maintain the physical environment such as heating and
air-conditioning systems, fire suppression systems, and backup power generators.
o Logical and technical controls are those that protect systems, networks, and
environments that process, transmit, and store our data. Logical controls can
include items such as passwords, encryption, logical access controls, firewalls,
and intrusion detection systems. Logical controls enable us, in a logical sense, to
prevent unauthorized activities from taking place. If our logical controls are
implemented properly and are successful, an attacker or unauthorized user
cannot access our applications and data without subverting the controls that
are in place. This allows multiple functions like finance, HR, and sales to all be
run on one server, but none of them to have access to each other. If one is
compromised, they are not all compromised.
o Administrative controls are based on rules, laws, policies, procedures,
guidelines, and other items that are paper in nature. Administrative controls set