Section: Asset Security
Explanation/Reference:
Explanation:
Steganography allows you to hide data in another media type, concealing the very existence of the data.
Incorrect Answers:
B, D: Alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that includes metadata for locating a specific file by author or title.
C: Encryption is a method of transforming readable data into a form that appears to be random and unreadable.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 774
http://searchsecurity.techtarget.com/definition/alternate-data-stream
QUESTION 194
Which of the following can be best defined as computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data and for detecting or extracting the marks later?
A. Steganography
B. Digital watermarking
C. Digital enveloping
D. Digital signature
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
Digital watermarking is defined as “Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data -- text, graphics, images, video, or audio -- and for detecting or extracting the marks later.”
A "digital watermark", i.e., the set of embedded bits, is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights.
Incorrect Answers:
A: Steganography is a method of hiding data in another media type so the very existence of the data is concealed. Digital Watermarking is considered to be a type of steganography. However, steganography is not what is described in the question.
C: A digital envelope is another term used to describe hybrid cryptography where a message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key. This is not what is described in the question.
D: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. This is not what is described in the question.
References:
http://tools.ietf.org/html/rfc4949
QUESTION 195
What is Dumpster Diving?
A. Going through dust bin
B. Running through another person's garbage for discarded document, information and other various items that could be used against that person or company
C. Performing media analysis
D. Performing forensics on the deleted items
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
Dumpster diving refers to the concept of rummaging through a company or individual’s garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person.
Incorrect Answers:
A: Dumpster Diving is more specific than going through dust bins.
C: Dumpster Diving does not refer to media analysis.
D: Dumpster Diving does not refer to forensics on deleted items.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1060
QUESTION 196
The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?
A. Test equipment is easily damaged.
B. Test equipment can be used to browse information passing on a network.
C. Test equipment is difficult to replace if lost or stolen.
D. Test equipment must always be available for the maintenance personnel.
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
A Protocol Analyzer (also known as a packet sniffer) is a useful tool for testing or troubleshooting network communications.
A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing.
The ability to browse information passing on a network is a security risk, which means access to a protocol analyzer should be carefully managed and therefore addressed by security policy.
Incorrect Answers:
A: Damage to test equipment is not a ‘security’ risk, so it does not need to be addressed by security policy.
C: Test equipment is generally not difficult to replace if lost or stolen. Even if it were, that would not constitute a ‘security’ risk, so it would not need to be addressed by security policy.
D: The need for test equipment to always be available for the maintenance personnel does not constitute a ‘security’ risk, so it would not need to be addressed by security policy.
QUESTION 197
Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?
A. A threat.
B. A vulnerability.
C. A risk.
D. An exposure.
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
A vulnerability is defined as “the absence or weakness of a safeguard that could be exploited”.
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
C: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
D: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26
QUESTION 198
Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?
A. A risk.
B. A residual risk.
C. An exposure.
D. A countermeasure.
Correct Answer: A
Section: Asset Security
Explanation/Reference:
Explanation:
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late.
Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
Incorrect Answers:
B: Residual risk is the risk that remains after countermeasures have been implemented.
C: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
D: A countermeasure is a step taken to mitigate a risk.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26
QUESTION 199
Which of the following is responsible for MOST of the security issues?
A. Outside espionage
B. Hackers
C. Personnel
D. Equipment failure
Correct Answer: C
Section: Asset Security
Explanation/Reference:
Explanation:
Personnel represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services.
Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands.
Incorrect Answers:
A: Losses caused by outside industrial espionage can be high. However, such losses are very rare in comparison to losses caused by personnel.
B: Losses caused by hackers can be high. However, this is rare in comparison to losses caused by personnel.
D: Equipment failure can be a cause of security issues. However, security issues caused by personnel are more common.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 457
QUESTION 200
Passwords can be required to change monthly, quarterly, or at other intervals:
A. depending on the criticality of the information needing protection.
B. depending on the criticality of the information needing protection and the password's frequency of use.
C. depending on the password's frequency of use.
D. not depending on the criticality of the information needing protection but depending on the password's frequency of use.
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes.
Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
Incorrect Answers:
A: This answer is not complete. Passwords can also be required to change depending on the password's frequency of use.
C: This answer is not complete. Passwords can also be required to change depending on the criticality of the information needing protection.
D: Passwords CAN be required to change depending on the criticality of the information needing protection.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 57
QUESTION 201
Computer security should be first and foremost which of the following?
A. Cover all identified risks.
B. Be cost-effective.
C. Be examined in both monetary and non-monetary terms.
D. Be proportionate to the value of IT systems.
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
Each organization is different in its size, security posture, threat profile, and security budget. One organization may have one individual responsible for information risk management (IRM) or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost-effective manner.
Incorrect Answers:
A: Not all identified risks are mitigated. Some risks are accepted.
C: It is not true that computer security should be first and foremost examined in both monetary and non-monetary terms.
D: It is not true that computer security should be first and foremost proportionate to the value of IT systems. The value of IT systems does not necessarily mean that more or less security is required.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87
QUESTION 202
IT security measures should:
A. be complex.
B. be tailored to meet organizational security goals.
C. make sure that every asset of the organization is well protected.
D. not be developed in a layered fashion.
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
The National Institute of Standards and Technology (NIST) defines 33 IT Security principles.
Principle 8 states:
“Implement tailored system security measures to meet organizational security goals.”
In general, IT security measures are tailored according to an organization’s unique needs. While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security-related, negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used – implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.
Incorrect Answers:
A: According to the NIST IT security principles, IT security measures should strive for simplicity, not complexity.
C: According to the NIST IT security principles, you should not implement unnecessary security mechanisms. Protecting ‘every’ asset may be unnecessary.
D: According to the NIST IT security principles, IT security measures should be developed in a layered fashion.
References:
http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf, p. 10
QUESTION 203
The absence of a safeguard, or a weakness in a system that may possibly be exploited is called a(n)?
A. Threat
B. Exposure
C. Vulnerability
D. Risk
Correct Answer: C
Section: Asset Security
Explanation/Reference:
Explanation:
A vulnerability is defined as “the absence or weakness of a safeguard that could be exploited”.
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
B: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
D: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26
QUESTION 204
What can be defined as an event that could cause harm to the information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.
Incorrect Answers:
A: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited.
D: A weakness is the state of something being weak. For example, a weak security measure would be a vulnerability. A weakness is not what is described in this question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26
QUESTION 205
Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
A. Business and functional managers
B. IT Security practitioners
C. System and information owners
D. Chief information officer
Correct Answer: C
Section: Asset Security
Explanation/Reference:
Explanation:
Both the system owner and the information owner (data owner) are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.
The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information.
The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.
Incorrect Answers:
A: Business and functional managers are not responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.
B: IT Security practitioners implement the security controls. However, they are not ultimately responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.
D: The Chief Information Officer (CIO) is responsible for the strategic use and management of information systems and technology within the organization. The CIO is not responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 121
QUESTION 206
Which of the following BEST defines add-on security?
A. Physical security complementing logical security measures.
B. Protection mechanisms implemented as an integral part of an information system.
C. Layer security.
D. Protection mechanisms implemented after an information system has become operational.
Correct Answer: D
Section: Asset Security
Explanation/Reference:
Explanation:
Add-on security is defined as “Security protection mechanisms that are hardware or software retrofitted to a system to increase that system’s protection level.”
Incorrect Answers:
A: Add-on security can be physical security (hardware) but it is often software as well.
B: An add-on is something ‘added’ to an existing system; it is not an integral part of a system.
C: Add-on security can be a layer of security. However, layered security does not refer specifically to security add-ons.
QUESTION 207
Which of the following is BEST practice to employ in order to reduce the risk of collusion?
A. Least Privilege
B. Job Rotation
C. Separation of Duties
D. Mandatory Vacations
Correct Answer: B
Section: Asset Security
Explanation/Reference:
Explanation:
The objective of separation of duties is to ensure that one person acting alone cannot compromise the company’s security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity.
Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. By rotating people between jobs, those willing to collude to commit fraud are separated, which reduces the risk of collusion.
Incorrect Answers:
A: Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. It is not the best control for reducing collusion.
C: Separation of Duties prevents one person being able to commit fraud. With separation of duties, collusion between two or more people would be required to commit the fraud. However, separation of duties does not