cissp secure-u

what is the definition of countermeasure?

A control put into place to mitigate potential losses

What is the definition of vulnerability?

Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset.

What is the definition of threat?

The potential for a threat agent (an attacker, a malicious insider, a natural event) to uncover and exploit a vulnerability. The threat is the possibility of harm; the threat agent is whoever or whatever would carry it out.

What is the definition of risk?

Probability of a threat becoming real, and the corresponding potential damages.

What is the definition of exposure?

An instance of being exposed to loss because a vulnerability exists that a threat agent could exploit. (The actual exploitation of the vulnerability is the event that realizes the risk, not the exposure itself.)

What are the three control types?

Administrative: management's responsibilities necessary to protect assets; the "soft" controls (policies, procedures, training)
Technical (logical): protection mechanisms built into software and hardware
Physical: controls that protect the facility's perimeter and internal resources

What does the CIA triad acronym mean?

Confidentiality, Integrity, Availability

What are the two approaches to security management?

1. Top down
2. Bottom up

Explain top down security approach

Security is directed, driven, and supported by senior management

explain bottom up security approach

A staff member or group drives the initiative without direction from senior management; generally the less effective approach because it lacks management's funding and enforcement.

What is the industry best practice standard?

BS 7799 / ISO 17799 (the code of practice, later renumbered ISO/IEC 27002) and ISO/IEC 27001 (the certifiable information security management system standard)

How many sections are in the industry best practice?

There are 10:
1. Security policy
2. Security organization
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Computer and network management
7. System access control
8. System development and maintenance
9. Business continuity planning
10. Compliance

What is senior managements role in Security?

Defines the scope, objectives, priorities, and strategies of the company's security program
Provides vision, funds, visibility, and enforcement
Is ultimately liable
Without management's support, security efforts can be doomed from the start

What are the four security roles?

Data owner
System owner
Data custodian
User

Define the security role "data owner

Responsible for a subset (or subsets) of the data and for its classification; sets the security requirements for protecting that data.

define the security role "system owner

Responsible for specific computer system(s)
One system has exactly one system owner
The system can hold data belonging to several data owners

define the security role "data custodian

Is delegated the data maintenance tasks; required to implement and maintain the controls that provide the protection level dictated by the data owner.

define the security role "user

person who routinely uses company data for work-related tasks

Information classification criteria

Usefulness and value of the information
How long the information will hold this protection requirement
The level of damage possible if the data were disclosed, modified, or corrupted
Laws, regulations, or liability responsibilities pertaining to the data
Who should be accessing this data?
Who should maintain this data?
Who should monitor and audit the use of this data?

What is the main rule for "liability and its ramifications"?

Prudent person rule - Perform duties that prudent and responsible people would exercise in similar circumstances

What is SLE?

Single Loss Expectancy

What is the SLE formula?

SLE = Asset value X exposure factor

What is ALE?

Annualized Loss Expectancy

What is the ALE formula?

ALE = SLE x Annualized rate of occurrence (ARO)

Calculate the ALE for the following: Facility is worth 650,000 and a fire is expected once every 10 years that will damage 35% of the facility.

Answer: SLE = 650,000 x 0.35 = 227,500; ARO = 1/10 = 0.10; ALE = 227,500 x 0.10 = 22,750

Define total risk

Total risk is defined by the following formula:
threats x vulnerabilities x asset value

define residual risk

Residual risk is defined by the following formula:
(threats x vulnerabilities x asset value) x control gap
The control gap is the portion of the total risk that the implemented countermeasures do not mitigate; residual risk is what remains after controls are applied.
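The SLE, ALE, and residual-risk cards above are easier to use once they are wired together. The following is an added worked example, not part of the original flashcards: it reuses the page's fire scenario (650,000 facility, 35% exposure factor, one fire per ten years) and adds a constructed countermeasure (an assumed sprinkler system with an assumed 25% control gap and 8,000 annual cost). The `control_gap` here is modelled as the fraction of the original ALE the control fails to prevent, and `safeguard_value` is the standard CISSP cost/benefit formula (ALE before minus ALE after minus annual control cost), which the page itself does not state.

```python
"""Quantitative risk math: SLE, ALE, residual risk, and safeguard value.

Added example. The fire figures come from the flashcard's worked problem;
the sprinkler control, its 25% control gap and 8,000/year cost are
constructed assumptions for illustration only.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF is the fraction of the asset lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def residual_ale(ale: float, control_gap: float) -> float:
    """Residual risk = total risk x control gap.

    Assumption: control_gap is the fraction of the loss the countermeasure
    does NOT prevent (0.0 = fully mitigated, 1.0 = no effect)."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0 and 1")
    return ale * control_gap


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before) - (ALE after) - annual cost.

    A negative result means the control costs more per year than it saves."""
    return ale_before - ale_after - annual_cost


def evaluate_control(asset_value: float, exposure_factor: float, aro: float,
                     control_gap: float, annual_cost: float) -> dict:
    """Run the whole chain for one asset/threat pair and one candidate control."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)
    ale_after = residual_ale(ale, control_gap)
    return {
        "sle": sle,
        "ale": ale,
        "residual_ale": ale_after,
        "net_benefit": safeguard_value(ale, ale_after, annual_cost),
    }


if __name__ == "__main__":
    # Page's scenario: 650,000 facility, 35% damaged by a fire once per 10 years.
    # Constructed control: sprinklers leaving a 25% gap, costing 8,000 per year.
    result = evaluate_control(650_000, 0.35, aro=1 / 10,
                              control_gap=0.25, annual_cost=8_000)
    for name, value in result.items():
        print(f"{name:>13}: {value:,.2f}")
```

If `net_benefit` is positive the control is worth buying on a purely quantitative basis; the value checks in `single_loss_expectancy` and `residual_ale` catch the common exam-style mistake of entering a percentage (35) where a fraction (0.35) is expected.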

What are the different memory types?

Primary memory
Real memory
Cache memory
Virtual memory

what are the seven memory management responsibilities?

1. Keep track of used and unused memory segments
2. Assign memory segments to processes
3. Manage swapping between main memory and secondary storage
4. Memory protection
5. Access control
6. Keep track of software and virtual addressing schemes
7. Support multiple users: a multi-user OS requires a more complex memory manager (DOS and Windows 9x are single-user OSes)

What are the four process states?

1. Stopped
2. Waiting (also called blocked)
3. Running
4. Ready

In what order does a process move through the states?

Ready -> Running -> Waiting (blocked on I/O or a resource) -> Ready -> Running ... -> Stopped
A process enters Ready when created, is scheduled into Running, drops to Waiting whenever it blocks, returns to Ready when the wait ends, and finishes in Stopped.

What does TCB mean?

Trusted Computing Base

What are Access Control Models?

Provide the rules and structures used to control access and show how access decisions are made
The main components are subjects, objects, operations, and their relationships
The goal is to control how objects are accessed and to ensure one security principle or another (confidentiality, integrity)

What is the main state machine model characteristic?

If a system starts in a secure state, every state transition (including failure) leaves it in a secure state, and it shuts down in a secure state, then the system is secure.

What are the rules of "Bell-LaPadula"?

Bell-LaPadula is a confidentiality model with two rules:
Simple security property: no read up (a subject may not read an object classified above its clearance)
* (star) property: no write down (a subject may not write to an object classified below its clearance)
The reverse pair, no read down and no write up, is the Biba integrity model, not Bell-LaPadula.

What does the "* (star) property" mean, and how does the strong star property differ?

* property: no write down; a subject may write only to objects at or above its own level.
Strong star property: a subject may read and write only objects at exactly its own level (no read up, no read down, no write up, no write down).
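A reference monitor for the Bell-LaPadula rules above, as an added example that is not part of the original flashcards. The classification lattice, the subjects, and the documents are constructed for illustration; `can_read` enforces the simple security property, `can_write` enforces the * property by default and the strong star property when `strong=True`.

```python
"""Bell-LaPadula access decisions: simple security, * property, strong *.

Added example with a constructed four-level lattice. Real systems also carry
compartments/categories; this block models only the hierarchical level.
"""

# Constructed lattice; higher number = more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def level(label: str) -> int:
    """Map a classification label to its rank; reject unknown labels."""
    try:
        return LEVELS[label.lower()]
    except KeyError:
        raise ValueError(f"unknown classification label: {label!r}") from None


def can_read(subject_clearance: str, object_classification: str) -> bool:
    """Simple security property: no read up.

    A subject may read an object only if its clearance dominates (is at or
    above) the object's classification."""
    return level(subject_clearance) >= level(object_classification)


def can_write(subject_clearance: str, object_classification: str,
              strong: bool = False) -> bool:
    """* (star) property: no write down; strong * : write only at own level.

    Under the plain * property a secret subject may write up into a top secret
    object (it cannot leak what it knows by doing so). Under the strong *
    property the object's level must equal the subject's."""
    s, o = level(subject_clearance), level(object_classification)
    return o == s if strong else o >= s


def check_access(subject_clearance: str, object_classification: str,
                 operation: str, strong: bool = False) -> bool:
    """Reference-monitor entry point: every access goes through one decision."""
    if operation == "read":
        return can_read(subject_clearance, object_classification)
    if operation == "write":
        return can_write(subject_clearance, object_classification, strong)
    raise ValueError(f"unsupported operation: {operation!r}")


if __name__ == "__main__":
    # Constructed subjects and objects.
    requests = [
        ("secret", "confidential", "read"),   # read down: allowed
        ("confidential", "secret", "read"),   # read up: denied
        ("secret", "confidential", "write"),  # write down: denied
        ("confidential", "secret", "write"),  # write up: allowed under *
        ("secret", "secret", "write"),        # same level: always allowed
    ]
    for clearance, classification, op in requests:
        plain = check_access(clearance, classification, op)
        strict = check_access(clearance, classification, op, strong=True)
        print(f"{clearance:>12} {op:5} {classification:<12} "
              f"*: {'allow' if plain else 'deny':5}  strong *: "
              f"{'allow' if strict else 'deny'}")
```

The "write up" case is the one most people get wrong on the exam and in code review: the plain * property permits it, and that is exactly why the strong star property exists for systems where a low-clearance process scribbling into a high-classification file would be an integrity problem.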