CISSP Study.txt

Card Set Information

Author:
Anonymous
ID:
157476
Filename:
CISSP Study.txt
Updated:
2012-06-05 20:56:09
Tags:
CISSP
Folders:

Description:
CISSP
The flashcards below were created by user Anonymous on FreezingBlue Flashcards.


  1. Incident Response Phases

    What are the 3 main phases of incident response?
    - Triage
    - Action/reaction
    - Follow up
  2. Evidence Categories

    Commonly used as proof to aid the jury.
    Examples include:
    - Models
    - Experiments
    - Charts
    - Illustrations
    Demonstrative evidence
  3. Evidence Categories

    Usually in the form of business records, manuals and print outs.
    Documentary evidence
  4. Evidence Categories

    Tangible evidence that proves or disproves guilt. Examples include:
    - Tools used
    - Reproduced evidence
    - Fruits of crime
    Real evidence
  5. Evidence Categories

    Used to prove a fact or act.
    Examples include:
    - Eye witness statements
    - Witness testimony
    Direct evidence
  6. Evidence Categories

    Categories of evidence include:
    - Real
    - Direct
    - Documentary
    - Demonstrative
  7. Evidence Collection

    What is the evidence life cycle?
    1. Collection and identification
    2. Analysis
    3. Storage, preservation and transport
    4. Court presentation
    5. Return to victim
  8. Legal Concepts

    Actions include:
    - Background checks
    - Physical and logical access controls
    - Encryption
    - Backups
    - Disaster recovery
    - Training employees
    - Developing policies
    - Updating AVSW
    - Penetration testing
    - SLAs
    - Audit reviews
    Due care
  9. Legal Concepts

    An organization that keeps up with due care practices and properly investigates possible weaknesses and vulnerabilities
    Due diligence
  10. IS Governance and Risk Management

    What does CMMI stand for?
    Capability Maturity Model Integration
  11. IS Governance and Risk Management

    What are the components of ITIL?
    - Service strategy
    - Service design
    - Service transition
    - Service operations
    - Service improvement
  12. IS Governance and Risk Management

    What does ITIL stand for?
    Information Technology Infrastructure Library
  13. IS Governance and Risk Management

    What does ISO/IEC 27002 define?
    Code of practice and control areas. Guidelines.
  14. IS Governance and Risk Management

    What does ISO/IEC 27001 define?
    How to manage INFOSEC
  15. IS Governance and Risk Management

    What replaced 17799 standards?
    ISO/IEC 27000
  16. IS Governance and Risk Management

    COBIT has how many domains, processes and objectives?
    - 4 domains
    - 34 processes
    - 214 objectives
  17. IS Governance and Risk Management

    What does COBIT stand for?
    Control OBjectives for Information and related Technology
  18. IS Governance and Risk Management

    Components of COSO framework.
    - Control environment
    - Risk assessment
    - Control activities
    - Information and communication about control performance
    - Monitoring/evaluation of controls
  19. IS Governance and Risk Management

    Key terms associated with COSO
    - Financial reporting
    - Sarbanes-Oxley section 405
  20. IS Governance and Risk Management

    What does COSO stand for?
    Committee Of Sponsoring Organizations
  21. IS Governance and Risk Management

    Define framework evaluation criteria.
    Assurance requirements that ensure appropriate controls were selected, performed as intended, have the desired effect and are monitored.
  22. IS Governance and Risk Management

    Define compliance controls.
    - Functional security requirements
    - Layered security controls
    - How to fail and still maintain security
  23. IS Governance and Risk Management

    Define compliance framework
    Provide standards to determine effectiveness of ISS programs
  24. IS Governance and Risk Management

    2 types of compliance.
    - Legal/regulatory: organization-wide, activity specific
    - Privacy: privacy and breach notification
  25. IS Governance and Risk Management

    Key terms associated with baselines
    - Configurations of security settings
    - Platform specific
    - Efficient RA across enterprise
    - Foundation for CM
  26. IS Governance and Risk Management

    Key terms associated with standards
    - Hardware/software
    - Technical means to reduce vulnerabilities
    - Standard terms are "must use" or "must conform to"
    - Reference external bodies
  27. IS Governance and Risk Management

    Key terms associated with procedures.
    - How
    - Due Diligence
  28. IS Governance and Risk Management

    Key terms associated with policy review.
    - foundations
    - management expectations
    - violation process
    - Reviewed 3-5 years
    - Due Care
  29. IS Governance and Risk Management

    Key terms associated with external governance.
    - Organization's requirements externally
    - external parties
    - auditing effectiveness
    - managing others
  30. IS Governance and Risk Management

    Key terms associated with internal governance.
    - Multiple Stakeholders
    - Accountable to
    - management of ourselves
  31. IS Governance and Risk Management

    2 types of governance oversight.
    - Enterprise-wide: oversees program
    - Management level: representatives from organizational stakeholders
  32. IS Governance and Risk Management

    Key terms associated with due diligence.
    - ensuring you do the right thing
    - assures compliance
    - detecting, checking and auditing
    - checks policy
  33. IS Governance and Risk Management

    Key terms associated with due care.
    - doing the right thing
    - sets policies, procedures and standards
    - taking responsibility
  34. IS Governance and Risk Management

    Key terms associated with operational/project plans.
    - specific accountability
    - milestones
    - resources
    - short-term
    - day to day
  35. IS Governance and Risk Management

    Key terms associated with tactical planning
    - multiple phases or projects
    - mid-term
    - 6-18 months
  36. IS Governance and Risk Management

    Key terms associated with strategic planning
    - organizational goals
    - long term
    - high level
    - 3-5 years
  37. IS Governance and Risk Management

    What are the 3 security planning strategies?
    - strategic planning
    - tactical planning
    - operational/project plans
  38. IS Governance and Risk Management

    What is security planning?
    Aligning security activities to the organization's mission and level of risk tolerance.
  39. IS Governance and Risk Management

    Key terms associated with functional or issue-specific policies.
    - management security directives
    - specific activities
    - more detailed
    - revised 1-2 years
    - events or changes prompt review
  40. IS Governance and Risk Management

    Key terms associated with organizational policy
    - management's security statement
    - brief, high level
    - wording contains "must", "will", "shall"
    - states what, not how
    - scope, purpose, goals
    - authority, roles, responsibilities, accountability
  41. IS Governance and Risk Management

    Responsibilities include:
    - governance by same policies
    - MOU/MOAs
    - Must have exit strategy (data custody)
    Third Parties
  42. IS Governance and Risk Management

    Responsibilities include:
    - deciding who gets access
    - determining permissions
    - change control
    - disaster recovery
    system/application owners
  43. IS Governance and Risk Management

    Responsibilities include:
    - Maintaining and protecting data
    data custodians
  44. IS Governance and Risk Management

    Responsibilities include
    - classify and prioritize information
    - design access controls
    data owners
  45. IS Governance and Risk Management

    Responsibilities include ensuring personnel security controls are implemented.
    human resources personnel
  46. IS Governance and Risk Management

    Responsibilities include determining that activities are in compliance.
    Information system auditor
  47. IS Governance and Risk Management

    Responsibilities include planning, coordinating, and organizing information security activities.
    Information Security Professional
  48. IS Governance and Risk Management

    Responsibilities include:
    - Risk governance
    - protection of organizational assets.
    Executive Management
  49. IS Governance and Risk Management

    What are the levels of CMMI
    1. Initial
    2. Managed
    3. Defined
    4. Quantitatively managed
    5. Optimizing
  50. IS Governance and Risk Management

    What is the purpose of CMMI?
    Improving processes to meet business objectives.
  51. IS Governance and Risk Management

    What does FMEA stand for?
    Failure Modes and Effects Analysis
  52. IS Governance and Risk Management

    Key terms associated with CRAMM
    - United Kingdom
    - 3 stages
    - Asset ID and value
    - Threat and vulnerability assessment
    - countermeasures
    - Technical and Non-Technical
  53. IS Governance and Risk Management

    What does CRAMM stand for?
    CCTA Risk Analysis and Management Method
  54. IS Governance and Risk Management

    What is the NIST publication for determining risk?
    800-30
  55. IS Governance and Risk Management

    What is the formula to determine ALE?
    ALE=SLE*ARO
  56. IS Governance and Risk Management

    What does ALE stand for?
    Annual Loss Expectancy
  57. IS Governance and Risk Management

    What does ARO stand for?
    Annual Rate of Occurrence
  58. IS Governance and Risk Management

    What is the formula to determine SLE?
    SLE=Asset Value * Exposure Factor
  59. IS Governance and Risk Management

    What does SLE stand for?
    Single Loss Expectancy
  60. IS Governance and Risk Management

    Steps in quantitative risk assessment
    - management approval
    - develop RA team
    - Review historical data
    - determine residual risk
  61. IS Governance and Risk Management

    Define hybrid analysis
    - use of quantitative and qualitative
    - use of multiple tools
    - integrated across the organization
  62. IS Governance and Risk Management

    Formula for calculating cost-benefit analysis
    value of control = risk without control - risk with control - annual cost
  63. IS Governance and Risk Management

    List factors for selecting appropriate controls and countermeasures
    - reliability of solution
    - cost effective
    - depth and breadth of defense
    - failures
    - residual risk
  64. IS Governance and Risk Management

    Formula to determine risk
    Risk = threat likelihood * impact
  65. IS Governance and Risk Management

    2 types of reporting risk likelihood.
    - quantitative: mathematically derived
    - qualitative: high, medium, low; numerical but not mathematical
  66. IS Governance and Risk Management

    List steps of the risk assessment process
    1. Determine values of assets and information
    2. Identify threats
    3. Identify vulnerabilities
    4. Determine likelihood
    5. Determine impacts
    6. Determine risk
    7. Report findings
    8. Select countermeasures
  67. IS Governance and Risk Management

    List risk treatment options.
    - risk avoidance
    - risk transfer
    - risk mitigation
    - risk acceptance
    - risk averse
  68. IS Governance and Risk Management

    Define VAR
    Value at Risk
    - Identify threats
    - estimate likelihood
    - estimate value
    - mitigate risk
  69. IS Governance and Risk Management

    Define risk
    likelihood of a threat exploiting a vulnerability
  70. IS Governance and Risk Management

    Define risk management
    Actions to protect the organization and its ability to perform essential missions.
  71. IS Governance and Risk Management

    Differences between awareness, training and education.
    - awareness: emphasizes importance
    - training: conveys policy at hiring and annually
    - education: professionally focused
  72. IS Governance and Risk Management

    List ways to manage personnel security.
    - job position sensitivity
    - job rotation
    - separation of duties
    - least privilege
    - mandatory vacations
  73. IS Governance and Risk Management

    List personnel security hiring/firing practices
    - job descriptions
    - reference checks
    - background investigations
    - employment agreements
    - termination of employees
    - job transfers
  74. IS Governance and Risk Management

    Key terms associated with OCTAVE
    - Carnegie Mellon
    - self-directed
    - improvement in security strategy
    - process focused
    - 3 phases
    - identify assets
    - identify vulnerabilities and safeguards
    - risk analysis
  75. IS Governance and Risk Management

    What does OCTAVE Stand for?
    Operational critical threat, asset and vulnerability evaluation
  76. IS Governance and Risk Management

    Key terms associated with FRAP.
    - single system, software, application or process
    - focus on key risks
    - low cost
    - facilitated meetings
  77. IS Governance and Risk Management

    What does FRAP stand for?
    Facilitated Risk analysis process
  78. IS Governance and Risk Management

    Key terms associated with FTA
    - top-down approach
    - sub-systems combined to complex systems
    - starts with single failure and identifies all situations contributing
  79. IS Governance and Risk Management

    What does FTA stand for?
    Fault Tree Analysis
  80. IS Governance and Risk Management

    Key terms associated with FMEA.
    - hardware failure analysis
    - component to system
    - bottom-up approach
    - 3 levels to examine failures
    - part or module
    - process or package
    - system wide
  81. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime


    Evidence includes:
    - discrepancies in output reports
    - computer usage and file request logs
    - undocumented transactions
    excess privileges
  82. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime


    Detected through:
    - file comparisons with historical copies
    - computer usage logs
    - noted discrepancies
    excess privileges
  83. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime


    Offenders include:
    - programmers with access to superzap
    - computer operations staff
    excess privileges
  84. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - telephone company records
    - computer logs
    - war dialing programs
    - possession of compromised information
    scanning
  85. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected through:
    - computer log analysis
    - telephone company logs
    - loss of data
    - transfer of funds
    scanning
  86. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Offenders include:
    - malicious intruders
    - criminals
    - spies
    scanning
  87. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - data documents for source data and transactions
    - manual logs
    - audit logs
    - storage media
    - violation alarms
    data diddling
  88. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected through:
    - data comparison
    - manual controls
    - analysis of validation reports
    - integrity tests
    - audit logs
    - computer outputs
    data diddling
  89. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Offenders include:
    - people who enter or update data
    - suppliers of source data
    - non-participants with access
    data diddling
  90. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - output reports with unexpected results
    - computer usage and file request logs
    - undocumented transactions
    - analysis program results
    - audit logs
    Malicious Code
  91. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected by:
    - comparing program code with backup copies
    - observing financial activities
    - detailed analysis of data
    - audit logs
    - testing suspect programs
    - analyzing transaction audits
    malicious code
  92. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Offenders include:
    - specialist programmers
    - financial system programmers
    - crackers
    - computer operators
    - vendors
    - employees
    malicious code
  93. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - computer operation logs
    - output not expected
    timing attacks
  94. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected through:
    - system tests of suspected attack methods
    - complaints from system users
    - repeated executions of a job
    timing attacks
  95. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Offenders include:
    - system analysts
    - advanced system programmers
    timing attacks
  96. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - programs performing tasks not specified
    - output reports
    trap doors
  97. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected by:
    - extensive testing
    - specific testing based on evidence
    - comparison of specifications to performance
    trap doors
  98. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Potential offenders include:
    - system and application programmers
    trap doors
  99. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Categories of computer crime
    - computer as the target
    - computer as the instrument
    - computer as incidental to other crimes
    - crimes associated with prevalence of computers
  100. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected by:
    - observing or tracking information back to its source
    - analyzing data left over after execution
    dumpster diving
  101. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - screen shots of executed software
    - data stores
    - media
    - print outs
    software piracy
  102. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected through:
    - observation reports of legitimate purchasers
    - searches of facilities and computers
    software piracy
  103. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Potential offenders include:
    - employees who steal proprietary information
    - commercial software purchasers
    - users
    software piracy
  104. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - witnesses
    - backups
    - system audit logs
    - telephone company records
    - violation reports
    - documents found on suspect
    masquerading
  105. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected by:
    - analyzing audit logs
    - checking password violations
    - reports from impersonated people
    masquerading
  106. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Committed by anyone
    masquerading
  107. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - voice wiretapping
    - computer output forms
    - audit logs
    - storage media
    - attendance registers
    wiretapping and eavesdropping
  108. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Detected by:
    - using voice wiretapping methods
    - tracing the origin of equipment
    - observation
    - stolen information
    wiretapping and eavesdropping
  109. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Offenders include:
    - communication technicians
    - competitors
    - vendors
    - foreign intelligence agents
    wiretapping and eavesdropping
  110. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Offenders include:
    - system users
    - anyone with access to trash
    dumpster diving
  111. Legal, Regulations, Investigations, and Compliance
    Types of Computer Crime

    Evidence includes:
    - information included in output media
    - copies of the information produced in a similar way
    dumpster diving
  112. Legal, Regulations, Investigations, and Compliance
    Security Breaches

    Examples include:
    - IP spoofing
    - password sniffing
    - scanning
    - excess privileges
    - data diddling
    Breach of operations security
  113. Legal, Regulations, Investigations, and Compliance
    Security Breaches

    defined as traffic analysis of data that appears to have no value.
    Breach of data security
  114. Legal, Regulations, Investigations, and Compliance
    Security Breaches

    Examples include:
    - use of trap doors
    - tunneling
    - timing attacks
    - salami attacks
    - malicious code
    breach of communications security
  115. Legal, Regulations, Investigations, and Compliance
    Security Breaches

    examples include social engineering
    breach of personnel security
  116. Legal, Regulations, Investigations, and Compliance
    Security Breaches

    examples include:
    - dumpster diving
    - wiretapping
    - shoulder surfing
    breach of physical access
  117. Legal, Regulations, Investigations, and Compliance
    Security Breaches

    List categories of security breaches
    - Breach of physical security
    - Breach of personnel security
    - Breach of communications security
    - Breach of data security
    - Breach of operations security
  118. Legal, Regulations, Investigations, and Compliance
    Law Categories

    Laws that reflect society's norms and values and clarify acceptable behaviors and social contracts
    Customary laws
  119. Legal, Regulations, Investigations, and Compliance
    Law Categories

    Laws that define organizational performance and conduct
    administrative laws
  120. Legal, Regulations, Investigations, and Compliance
    Law Categories

    Laws that mainly deal with civil wrongs and are often tried in civil court
    Tort law
  121. Legal, Regulations, Investigations, and Compliance
    Law Categories

    Examples include:
    - unauthorized access
    - copyright violations
    - computer fraud
    - equipment piracy
    - invasion of privacy
    - sabotage
    - terrorism
    - masquerading
    criminal law
  122. Legal, Regulations, Investigations, and Compliance
    Law Categories

    Laws that protect society
    Criminal laws
  123. Legal, Regulations, Investigations, and Compliance
    Computer Crime Categories

    Examples include:
    - DoS
    - Sniffing
    - password attacks
    Computer as a target
  124. Legal, Regulations, Investigations, and Compliance
    Computer Crime Categories

    Examples include:
    - Copyright violations
    - Software Piracy
    - black marketing of computer equipment
    Crime associated with prevalence of computers
  125. Legal, Regulations, Investigations, and Compliance
    Computer Crime Categories

    Examples include:
    - money laundering
    - unlawful activities on bulletin boards
    computer as incidental to other crimes
  126. Legal, Regulations, Investigations, and Compliance
    Computer Crime Categories

    Examples include:
    - theft from online bank accounts
    - fraudulent use of credit cards
    - telecommunications fraud
    computer as the instrument
  127. Legal, Regulations, Investigations, and Compliance
    Crime-related Laws

    Laws associated with data protection
    - Medical Crime Computer Act
    - HIPAA
    - Security and Freedom Through Encryption Act
    - Copyright Act
    - Public Safety Act
  128. Legal, Regulations, Investigations, and Compliance
    Crime-related Laws

    Laws related to misuse.
    - Computer Fraud and Abuse Act
    - National Information Infrastructure Protection Act
    - Computer Security Act
    - Foreign Corrupt Practices Act
  129. Legal, Regulations, Investigations, and Compliance
    Crime-related Laws

    This law applies to financial institutions and prohibits them from sharing information without customer knowledge.
    Gramm-Leach-Bliley Act
  130. Legal, Regulations, Investigations, and Compliance
    Crime-related Laws

    Laws and regulations that protect privacy.
    - US Federal Privacy Act
    - Electronic Communications Privacy Act
    - Gramm-Leach-Bliley Act
    - European Union laws
  131. Legal, Regulations, Investigations, and Compliance
    Legal Concepts

    When an organization takes all steps to protect against breaches and has proper countermeasures in place to mitigate damages.
    due care
  132. Legal, Regulations, Investigations, and Compliance
    Legal Concepts

    Describes an organization's responsibilities to protect against threats.
    - Due Care
    - Due Diligence
  133. Legal, Regulations, Investigations, and Compliance
    Legal Systems

    - Based on Roman Law
    - Basis of European and Asian legal systems
    - derived from broad legal principles and interpretation of doctrines
    - Judges investigate and determine facts
    Civil Laws
  134. Legal, Regulations, Investigations, and Compliance
    Legal Systems

    - Originated in England
    - Basis of US legal system
    - passed by legislature
    - depends on decisions based on tradition custom and precedent
    - adopts adversarial system
    Common Law
