Appendix
Answers to Review Questions

Chapter 1: The Business Case for Decision Assurance and Information Security

  1. B. This is the scientific method in action: make observations, ask questions, make informed guesses, get more data, and see if it fits what you think you've learned thus far. Repeat until you are highly confident. Option C refers to data analysis techniques that by themselves are useful, but still require interpretation to be part of knowledge creation. Option D is vague, imprecise, and not repeatable and, therefore, not scientific. Option A does not fit the definition of the data to wisdom pyramid of concepts, even though to many people, data, information, and knowledge are interchangeable terms.
  2. B. People make decisions based on what they know, what they remember, and what they observe; the data, information, and knowledge involved are independent of the paper, books, computers, or radio waves that brought those observations to them in the first place. Options C and D confuse the role of the technologies with the information itself; option A is a true statement that does not address the actual question.
  3. B. The fact that systems monitoring and event data is collected at all indicates that Paul or his staff determined it was a necessary part of keeping the organization's information systems secure—they took (due) care of those responsibilities. But by not reviewing the data to verify proper systems behavior and use, or to look for potential intrusions or compromises, Paul has not been diligent. Option A is incorrect, as due care focuses on planning and setting activities into motion, more so than supervising or monitoring their conduct. Clearly, options C and D cannot, therefore, be correct.
  4. D. The logic is the set of steps and decisions necessary to achieve the objective; some of those decisions may compare intermediate results with constraints and then branch to alternate steps in the logic to make corrections, for example. The rules and constraints by themselves are not the business logic. Processes (software or people procedures) are not the business logic, but they should accurately and effectively implement that logic. Options A, B, and C are all partially correct, but not complete.
  5. A. The sequence of steps in a process (such as a recipe for baking a cake) reflects the logic and knowledge of what needs to be done, in what order, and within what limits, as well as the constraints to achieve the desired conditions or results. That's what business logic is. Most businesses know how to do something that they do better, faster, or cheaper than their competitors, and thus their business logic gives them an advantage in the marketplace. Protecting that advantage requires preventing one's competitors from learning how one does that value-creating set of tasks, and ensuring that everything (including information) needed to perform those tasks is on hand and ready to use when required. Option B in effect says that industries have no trade secrets, which is false. Option C is incorrect, because business logic exists for low-priority as well as for high-priority tasks, and Option D mistakenly assumes that all work done uses IT (digital computer) systems, which is false in practice.
  6. B. Disclosure of intellectual property in unauthorized ways can end up giving away any competitive advantage that IP might have had for the business. Option A is concerned only with data about personal identities, which are not intellectual property (ideas created by someone). Options C and D are important for all information assets, but do not best address what needs to be protected (kept as secret knowledge) when referring to intellectual property.
  7. A. All other groups (options B, C, and D) have a valid personal or financial interest in the success and safe operation of the company; a major chemical spill or a fire producing toxic smoke, for example, could directly injure them or damage their property. Although tax authorities might also suffer a loss of revenues in such circumstances, they are not involved with the company or its operation in any way.
  8. C. Options A and B are both examples of due care; due diligence is the verification that all is being done well and that nothing is done improperly. Option D can be an important part of due diligence but is missing the potential for follow-up action.
  9. B, D. In many respects the debate about what to call what we're studying is somewhat meaningless, as reflected in the apparent contradiction between options B and D. Option D shows that in different communities the different terms are held in greater or lesser favor. It is how people use terms that establishes their meaning and not what a “language authority” declares the terms to mean. Option B describes this common use of different terms as if they are different ideas—defense and intelligence communities, for example, prefer cybersecurity, whereas financial and insurance risk managers prefer information assurance. And yet defense will use information assurance to refer to what senior commanders need when making decisions, and everybody talks about information security as if all it involves is the hard, technical stuff—but didn't cybersecurity cover that? Options A and C are other incomplete expressions of these ideas.
  10. A, B, C. Option D is incorrect; almost everything that holds our IT world together is done via directly building protocols into hardware and software. Options A, B, and C are correct, and they show the human social communications need for signaling one another about the communication we're trying to achieve.
  11. D. Each person's immunization or test records represent a set of data; gathering a lot of data together to determine a higher-level, more abstract finding (is that person safe to board, or should boarding be denied?) is creating new information. Option A might take each individual's records and extract the fields that contain specific data that the operator needs to use (such as name, vaccination type and date, and so on). Option C might be appropriate for the way that the operator determines if a particular voyage's total crew and passenger manifest is safe. Option B refers to a general process of organizing, directing, and controlling the ways that information is gathered, used, stored, and disposed of.
  12. C. Collecting all of the current versions of government guidance and turning it into useful, meaningful direction to a team of workers is generating knowledge. If that knowledge is written down, it is made explicit. If it's left to human memory of a conversation or an experience, that knowledge is tacit—skills and experience possessed but not codified. Thus, option A is incorrect. Option B is incorrect, as this refers to taking many samples of the same kind of measurement (such as a person's skin temperature) and using a mathematical process to eliminate false readings and find the reading with the greatest likelihood of being correct. Option D is incorrect, as this is a general name for the set of steps used in completing a set of tasks, including the criteria used by workers at each step if necessary to make decisions required as part of that task.
  13. A, B. They have clearly defined a process for making each board/no-board decision, and they control that process with detailed, written instructions and guidance. Their attention to detail in this suggests taking due care. As described, however, nothing indicates that they monitor the execution of that process to make sure instructions are being used correctly and that this produces correct results; thus, option C is incorrect. No mention is made of holding individual passenger agents, their supervisors, or the company itself responsible for incorrect decisions; thus, option D is incorrect (has not been addressed in the scenario thus far).
  14. E. Ascertaining that a set of input data comes from a trustworthy source and is true and correct is part of establishing the authenticity of that data. The other attributes (options A, B, C, and D) are important, but do not directly bear on whether the source of the data is recognized as being the “authoritative” voice to provide that data in the first place.
  15. A. In this situation, a business case might show the risks of being shut down by government regulators (for making unsafe decisions about passengers) versus the immediate costs and impacts of making changes to implement an authentication process. Their business logic (option B) would need to be updated by these changes. Option C is incorrect, as this type of change would (presumably) be more immediate than long-term or strategic in nature, which is the normal scale of change covered by a business plan. Option D confuses Generally Accepted Accounting Principles (GAAP) with a comparative analysis of requirements or standards versus an in-use design to identify what's missing (or “in the gap”).
  16. D. Information systems do not depend upon any one technology for their implementation or use. Options A and B address information technology systems and thus are incomplete. Option C is incorrect, as it addresses only one possible use of an information system.
  17. D. The customer's attempt to repudiate the order (i.e., claim they did not submit such an order) must somehow be protected against. Option E, authenticity, is necessary to first establish that the person logging in to attempt the order is in fact who they claim to be. Other options address protecting the data and the transaction, but in themselves do not protect the brokerage from customers falsely claiming to have never sent in such an order.
  18. C. Option A may or may not be correct—a new law or regulation may dictate the need for an immediate change in security processes—but it says nothing about justifying the proposed change. Option B is incorrect, as it reverses part of the nature of a business plan and a business case.
  19. C. Options A and B certainly raise aspects that security professionals, managers, and leaders of organizations must consider, and they contribute to a “sooner is better” attitude.
  20. A. Option A focuses on the core concepts of trust and reliability, which directly relate to information security concepts of confidentiality, integrity, availability, nonrepudiation, and authentication. Options B and C incorrectly refute this, but the root meaning of integrity as a security concept shows this refutation to be false. Option D is incorrect, as a simple desire for efficient and correct operation of a system leads directly to the information security concepts mentioned; laws are not needed to recognize their value.

Chapter 2: Information Security Fundamentals

  1. A. Keeping information secret means agreeing to limit or control how (or if) that information can be passed on to others. Privacy is the freedom from intrusion into your own affairs, person, property, or ideas. The other options either confuse confidentiality with privacy or do not use the concepts correctly.
  2. A. The correctness or wholeness of the data may have been violated, inflating some employees’ ratings while deflating others. This violates the presumed integrity of the appraisal data. Presumably, HR staff have legitimate reasons to access the data, and even enter or change it, so it is not a confidentiality violation; since the systems are designed to store such data and make it available for authorized use, privacy has not been violated. Appraisals have not been removed, so there are no availability issues.
  3. C. What we say and do in public places is, by definition, visible to anyone who wants to watch or listen. Publishing a letter or a book, or writing on a publicly visible social media page, is also considered public speech. We have no reasonable expectation of privacy in social media—we have no basis on which to assume that by posting something on our private pages, others whom we've invited to those pages will not forward that information on to someone else.
  4. D. If the equipment cannot run because there is no power, then no data stored in it can be displayed, printed, or shared with users—data is not available. Some transactions may have to be recovered and rerun once the power comes back up and everything is turned on again, but only if transactions were lost completely would there be a data integrity concern.
  5. B. Although it is clear that the necessary parameter files are not available, this seems to have been caused because somebody could violate the integrity requirements of those files—deleting them does not seem to have been an authorized change. That unauthorized change caused availability (option C) to be compromised; but lack of availability is not the best statement of the problem. Improper change management and security may have resulted from lack of due care (option D), but that does not identify what needs to be fixed to get machines back into operation.
  6. D. Payment of an invoice should involve some form of control, limiting it to just specifically authorized individuals. The ones suspected of being involved with this fraud may be exceeding their authorizations or abusing the authority they are already granted. Option D would address the need to have effective recordkeeping in place, recording who authorized such payments, when, and how; its presence or absence does not enable the fraud. Privacy and confidentiality (options A and B) are not involved directly.
  7. A, B, C. “Safety” for information systems can mean keeping the system from suffering damage, keeping the system from failing in ways that cause damage, or both. Thus, options A and C are correct, though they are different aspects of safety. Option B might be true in some cases, but in most circumstances, the safety issues would take precedence. Option D is incorrect because it tries to separate safety and security when they are in fact related to each other.
  8. A. Option A correctly interprets the words themselves of the preamble. Option B is incorrect. The preamble does not set personal values (such as honesty); these are in the canons and tied to actions we should take. Option C misses the point of the purpose of the code. Option D incorrectly assumes that the list of these constituencies in the preamble implies a priority order, and it does not.
  9. C. Options A and B are both examples of due care; due diligence is the verification that all is being done well and that nothing is done improperly. Option D can be an important part of due diligence but is missing the potential for follow-up action.
  10. B. Option A ignores that failures in security design or practice can lead to data input or systems usage that might be safe and reliable tomorrow, for example, but not today. Option C, true as far as it goes, does not address security at all. Option D ignores that the vulnerability assessments that should drive security measures are all based on consequences if the risk becomes real.
  11. D. Options A and C confuse information, and our systems or processes for using it, with the technologies with which we create, store, and use that information. Option B is a partial answer (it does not address anything other than confidentiality), and it might be true, but this is a decision that company leadership and management should make (with advice from the SSCP). Option D is the most complete and correct answer.
  12. D. Options B and C are partly correct, but even if both of you are conversant with all of those laws about data residency and data localization, your senior managers do need to get the lawyers’ advice. Quickly.
  13. C. Start with the specifics of the complaints by confirming whether these customers are mistakenly or fraudulently trying to claim they never made the orders in question or whether some other system error may be responsible. After that's been eliminated, it's time to investigate whether the security of these customers’ accounts was compromised (option D). If so, that may indicate a failure of the privacy protections (option B). While it's easy to think this is a data integrity problem (option A), that is a result; Yoshi needs to investigate to find what systems function(s) failed to operate correctly to make that result happen.
  14. A. From the information provided, this seems to be an unauthorized attempt to interfere with the safe operation of the chemical treatment system. Option C may be a factor in this, if the supervisor's login credentials were compromised, but this is minor compared to the potential safety issues involved. Systems integrity (option B) is in doubt because of this attack, but as with authentication, it's not the driver. Option D, nonrepudiation, does not apply to this case.
  15. C. The merchant has to organize, use, and update their records about you as an employee, regardless of where you live or how you do work for them. Option A is incorrect, as it seems to assume that GDPR doesn't apply to you somehow. Option B is not a defined GDPR role with respect to data protection. Option D is incorrect, as you (in this case) are the subject of the data in question.
  16. D. You are the person described or identifiable by the data. Options A, B, and C refer to different functional roles that the merchant has responsibility for and therefore has the data protection responsibilities associated with these roles.
  17. B. The controller has ultimate responsibility for protecting the data, even when it is in the hands of another who performs processing tasks on it. Option A refers to one who stores the data, but does nothing with it. Option D refers to you, as the data is about you.
  18. D. Note the difference between options C and D; the burden to protect confidentiality applies only to “secrets,” that is, to specifically declared types of communications. Saying “hello” to one's doctor or lawyer, while encountering them in a public place, is not a privileged communication; what you speak about with them in consultation is. Option A refers to required protection and treatment of some data that must be held in confidence (kept from disclosure), but these laws do not define what “confidentiality” means as a security concept. Option B misstates the purpose and intent of protecting privileged communications, that is, the sharing of secrets. It may be a side effect of invoking such protections, which in many cases may be unethical, illegal, or both.
  19. B. Although nothing is said here about whether this company is subject to GDPR or not, your company may have some designated official who acts as the focal point for such concerns. Ethically, you have a duty to the employer to attempt to use all means they make available to you to raise such an issue, even if this puts you at risk of losing your job. Option A suggests that perhaps you doubt your own conclusions; assuming you do not, this choice risks putting you in tacit (unspoken) agreement with their decision, which you just told your boss you believed to be unethical if not illegal. Option C suggests you're willing to stay silent about the situation and protect your own interests first; this does not fulfill your professional obligations to your company, your profession, or to society as a whole. Option D would be your last resort, if attempting to raise the issue through company channels fails to satisfy you.
  20. B. Clearly the scenario involves the risks of compromise of private data. Since insurance billing tends to be after medical treatment has been rendered, safety of the patient (in medical terms) isn't at risk. Option A, given the information in the scenario, does not seem to apply. Arguably, data in compromised accounts could be further exploited by attackers in ways that might put people or property at risk, but this is part of the argument of why private data needs to be protected. Options C and D do not seem to apply to this scenario.

Chapter 3: Integrated Information Risk Management

  1. C. Option D incorrectly has the BIA first, but the BIA has to come after the organization's leadership has agreed to risk tolerance and set priorities. Option B is incorrect partly because the basic “common sense” posture is not part of a formal risk management process but a bare-minimum immediate set of actions to take if needed. Option A has establishing a posture (which consists of policies and decisions that drive implementation and operation steps) and implementation in the wrong order.
  2. B. Option B is the simplest and most effective definition of information risk. Options A and C do not include probability of occurrence (risks are not certain to happen), and describe how risks become events rather than what the risk actually is. Option D is one example, but it does not define information risk.
  3. B. Option B correctly shows the use of information to make decisions, as well as the roles of processes and technologies in doing so. Option A mistakenly suggests that the IT risks are more important; IT risks may be how important information is lost or compromised, but it is that information loss or impact that puts businesses out of business and not the failure of their IT systems. Option C confuses risk management with information risk. Option D also mistakes the role of information and the roles of processes and technologies, both in achieving objectives and in risk management.
  4. D. Options A, B, and C are correct statements about each perspective, but they each falsely proclaim that their approach is the only one needed.
  5. C. Option C shows both the purpose of an integrated approach (timely incident characterization and management) and the use of communications capabilities in doing so. Options A and D demonstrate that vendor self-description of their products can sound good but does not really address key needs. Option B is true, and partially addresses how point solutions need to be mutually supportive, but does not go far enough.
  6. D. Proactive involves thinking ahead and planning for contingencies, as opposed to being reactive, or waiting until things break. Option A is both wrong and probably illegal in most circumstances. Option B might be true, but it is a general statement about “being proactive” rather than specifically about information security. Option C describes an integrated information security management approach.
  7. D. Options A and C highlight what seem to be Tom's failures to adequately plan for or implement offsite backup storage of system images and data, and his failures to institute effective verification of the security of that storage. Option B is incorrect—the lack of records does not relieve Tom of the burden to check that things are working correctly anyway.
  8. A, B. Option C is the safeguard value, which we cannot compute until we have completed a risk assessment and a vulnerability assessment, and then designed, specified, or selected such controls or countermeasures. Option D is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without the damaged or disrupted asset.
  9. A. The business impact analysis (BIA) is an integrated view of the prioritized risks and the projected impacts they could have on the business. Option B is a misstatement of the confidentiality, integrity, and availability (CIA) needs for information security. Options C and D suggest realistic management needs for bringing together plans, costs, budgets, and timelines, but they are incomplete as stated and may not even exist.
  10. C. Options A and D reflect biases toward or against qualitative assessments (presumably for being “soft” or potentially based on emotions or intuition) or quantitative ones (the data is too hard to get or validate). Using published common vulnerability and exposure (CVE) information can be quite illuminating, but as in Option D, be careful to not assume that other people's experiences and systems are a good match for your own, or to bow to authoritative statements without carefully considering whether they fit your situation.
  11. B, C, D. These are the expression of confidentiality, integrity, and availability for these data sets. Note that in military terms, information that exposes significant vulnerabilities that could place the organization at risk of great harm is often classified as “Top Secret.”
  12. C. Option B has the annualized rate of occurrence (ARO) use incorrect; if the ARO was less than 1, the single loss expectancy is in effect spread over multiple years (as if it were amortized). Option A involves restore time and point objectives, which are not involved in the annualized loss expectancy (ALE) calculation. Option D misunderstands ALE = ARO * SLE (single loss expectancy) as the basic math involved.
  13. B, C, D. Option A is a misstatement of RTO and RPO.
  14. B. Whether the system is small and simple or large and complex, its owners, builders, and users have to treat it like a “black box” and know what can happen across every interface it has with the outside world. Thus Option B is correct. Option A has the steps in the wrong order; detailed threat modeling and assessment needs detailed system architectural information to be valid. Option C misstates how threat modeling is done. While Option D may address a useful set of tools, it does not explain what threat modeling and assessment are or how to do them.
  15. B. Choice 3, perspective, should reflect priorities, risk appetite, or tolerance, and decision-making culture, and this has to lead all risk management activities. Next comes Choice 4, which feeds into the BIA. Choice 2 should be a product of the BIA process, because it combines costs or magnitude of impacts with acceptable damage limitation strategies. Finally, we choose what to fix, transfer (pay someone else to worry about), accept, or avoid, and any residual risk is recast or re-expressed to reflect these decisions.
  16. B. Although Options B and C seem to say the same thing, C is more confrontational and perhaps would seem judgmental—probably not an effective way to sell the benefits of using an RMF. Options A and D are similar, but perhaps they advise too much caution. As an SSCP, Jill has pledged to offer her best advice to her employers. Start the dialogue, according to Option B.
  17. A, B. Options C and D may or may not be true in fact, but it's not clear whether these have any bearing on how the company determines priorities and risk tolerance, or what its decision-making processes and styles are. Options A and B are key elements of organizational culture that can impede or facilitate implementation of a risk management approach.
  18. A. All are correct as far as they go in comparing “ignore” and “accept.” However, the key to due care and due diligence is the standard of reasonable and prudent effort. You would not be prudent if you spent millions of dollars to relocate your business from Atlanta, Georgia (1,050 feet above mean sea level [MSL]) to Boulder, Colorado (5,328 feet above MSL) simply to avoid the risk of a tsunami flooding out your facility, given how astronomically huge that tidal wave would have to be! Thus, Options C and D do not apply, and Option B merely restates the due care or due diligence argument.
  19. D. Despite the name, the 24 hours of a day have nothing to do with the element of surprise associated with attacking a heretofore-unknown vulnerability. Option C is false, since the term is well understood in IT security communities. Option D correctly explains the period from discovery in the wild to first recognition by system owners, users, or the IT community, and how this element of surprise may give the attacker an advantage.
  20. B, C. Option A is correct in that tolerance or appetite for risk should drive setting the maximum allowable outage time; the costs incurred during a maximum outage are part of computing single loss expectancy. Option B is incorrect, since the power outages seem to be happening monthly, so SLE alone overstates the potential losses. Option C annualizes the expected losses, but comparing it to the safeguard value assumes a one-year payback period is required. Option D reflects that management may be willing to spend significant money on a safeguard that requires more than one year to justify (pay back) its expense in anticipated savings.
  21. B. Option A confuses the results of establishing a security baseline (and thus a labeling and handling procedure) with the classification determination itself. Option C is partly correct, but compromise must consider impacts to more than just confidentiality (i.e., to all of the CIANA+PS characteristics). Option D confuses classification with categorization.
  22. B. Option A confuses the results of establishing a security baseline (and thus a labeling and handling procedure) with the classification determination itself. Option C confuses classification with categorization. Option D confuses categorization with security baselining.
  23. B. This is an intentional act caused by a human being, which may lead to loss or impact to the organization. Options A and D represent hazards. Option C, which is an intentional act, is not in and of itself a potential risk event (if, for example, the workstation is in a secured work area that only systems administrators can access); however, it may represent one or more exploitable vulnerabilities in the overall security posture of the organization.
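As an added illustration of the quantitative risk arithmetic behind answers 12 and 20 above (ALE = ARO * SLE, an ARO below 1 spreading one loss over several years, and a safeguard whose payback takes more than one year), here is a small Python worked example; it is not code from the book, and every dollar figure, outage rate, and safeguard cost in it is a constructed sample value.

```python
"""Worked ALE / safeguard cost-benefit arithmetic (Chapter 3, answers 12 and 20).

Formulas used:
    SLE = asset value * exposure factor   (loss from one occurrence)
    ALE = ARO * SLE                       (annualized loss expectancy)
All numeric inputs in the demo are constructed sample values.
"""

from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the exposure factor is the fraction of asset value lost per event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO * SLE.

    ARO < 1 (e.g. 0.1 for 'once per decade') amortizes a single loss over
    several years; ARO > 1 (e.g. 12 for 'monthly') multiplies it up.
    """
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return aro * sle


def payback_years(ale_before: float, ale_after: float,
                  upfront_cost: float, annual_cost: float) -> Optional[float]:
    """Years until the safeguard's upfront cost is repaid by the ALE reduction
    net of its own running cost. Returns None when it never pays back."""
    net_annual_saving = (ale_before - ale_after) - annual_cost
    if net_annual_saving <= 0:
        return None
    return upfront_cost / net_annual_saving


def safeguard_justified(ale_before: float, ale_after: float,
                        upfront_cost: float, annual_cost: float,
                        horizon_years: int) -> bool:
    """Cost-benefit over a management-chosen horizon: True when the cumulative
    ALE reduction over the horizon exceeds the safeguard's total cost."""
    total_benefit = (ale_before - ale_after) * horizon_years
    total_cost = upfront_cost + annual_cost * horizon_years
    return total_benefit > total_cost


def demo() -> dict:
    """Constructed scenario mirroring answer 20: monthly power outages and a
    candidate safeguard (UPS plus generator) that pays back in more than a year."""
    # Answer 12 case: a rare event (ARO < 1) amortizes one large loss.
    sle_rare = single_loss_expectancy(asset_value=500_000, exposure_factor=0.4)
    ale_rare = annualized_loss_expectancy(sle_rare, aro=0.1)  # once per decade

    # Answer 20 case: outages happen monthly, each costing a constructed $4,000.
    ale_outages = annualized_loss_expectancy(sle=4_000, aro=12)
    # Assumed safeguard cuts outages to about one per year.
    ale_with_safeguard = annualized_loss_expectancy(sle=4_000, aro=1)
    upfront, yearly = 90_000, 6_000  # constructed purchase and maintenance costs

    return {
        "sle_rare": sle_rare,
        "ale_rare": ale_rare,
        "ale_outages": ale_outages,
        "payback_years": payback_years(ale_outages, ale_with_safeguard, upfront, yearly),
        "justified_1yr": safeguard_justified(ale_outages, ale_with_safeguard, upfront, yearly, 1),
        "justified_3yr": safeguard_justified(ale_outages, ale_with_safeguard, upfront, yearly, 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one-year horizon rejects the safeguard while the three-year horizon accepts it, which is the distinction between options C and D in answer 20.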

Chapter 4: Operationalizing Risk Mitigation

  1. D. Improving product quality is a laudable goal but in and of itself it is not related to information systems security; thus Option A is incorrect. Option B refers to activities after an incident; mitigation activities happen before an incident occurs, or result from lessons learned because of the incident. Option C is most likely being done to implement new or revised security policies. Option D is part of information risk management and should precede information risk mitigation.
  2. C, D. Options C and D focus on trying to discern the “as-built” current state of the systems; whether this goes down to the cable-by-cable verification of what's plugged in where could depend on how thorough the baseline needs to be. Options A and B refer to ongoing operation of the system after mitigation steps have been taken to see if incidents of interest are happening or if there is a need for additional risk mitigation.
  3. B. Option D is an exaggeration. Options A and C have the cart driving the horse: the IT architecture should only exist in the first place because it supports achieving business objectives, and the information architecture is where humans work and make decisions. This is what Option B states.
  4. C. Option A seems to blindly assume that a contractual transfer of responsibility was necessary, sufficient, and agreed to, and this is normally not the case. Option B is false; platforms and infrastructures still require substantial effort by users (and their IT security team) to establish policies, implement them in controls, and monitor their ongoing correct operation. Option D seems to ignore BIA-driven risk assessment and is inherently misleading.
  5. B, C. Option B correctly describes what shadow IT systems are; thus Option A is false. Options B and C demonstrate that in many cases, it cannot be shown that shadow IT systems taken as a whole correctly perform business logic or that they attain the CIA levels commensurate with the impacts if they fail.
  6. C. Option B does correctly state the risk that attackers may know more about your systems than you do if you haven't thoroughly checked CVE data as part of your vulnerabilities assessment. But it incorrectly goes on to suggest that you fix those first—they may not relate to your organization's highest-priority impacts as spelled out by the business impact analysis (BIA). Option A is therefore false. Option D is also false, since even the most Linux-based of organizations will probably have non-Linux systems elements (such as network components) that common vulnerabilities and exploits (CVE) could have information about.
  7. B. Option A is overcomplicating the threat modeling process. Options C and D misstate the purpose of threat modeling.
  8. C, D. Option A may be a commonplace statement, but it incorrectly suggests this is where the assessment should start. The BIA should establish the priorities (which processes to assess first and which ones can wait until later). Option B's concerns about culture and context are irrelevant to whether a process step contains a vulnerability and whether the BIA has characterized that as of high interest or concern.
  9. B. Option A confuses accepting a risk with accepting the assessment of all risks as an actionable basis on which to proceed with mitigation efforts. Option C confuses accepting with transferring a risk. Option D confuses accepting with ignoring a risk. Acceptance requires knowing, informed consent; ignoring a risk is simply choosing not to investigate, assess, characterize, or even think about the risk.
  10. A, B, C. Option D is typically an example of remediating, sometimes called fixing or mitigating the risk.
  11. A, B. Option C makes it seem that businesses are helpless to choose their goals, objectives, and where or how they will operate; this statement exaggerates. Option D confuses psychological avoidance behavior with an informed choice to step out of the way of a risk; it confuses ignoring with avoiding.
  12. A. Fixing or applying patches to eliminate a vulnerability is the definition of remediating, mitigating, fixing, or repairing a vulnerability.
  13. B. Option A misunderstands that controls are chosen and then implemented, and proper mitigation planning seeks to have controls or countermeasures mutually reinforce each other. Option C misstates the mitigation planning task. Option D suggests that if “administrators” are network or systems administrators, then we hope they do understand something about IT security; if they are not, they are probably not the ones who have to work to ensure these controls are part of an interlocking system of information security.
  14. B. If Option A or C were plausible, then you wouldn't actually have a gap. Option D correctly defines the gap but fails to look at how to mitigate the risk posed by the gap.
  15. A, B, C. Option D may reflect a legitimate need for ongoing insight, but this is rather like testing to verify that your testing was done correctly. It's not clear such a step would be productive.
  16. A, B, D. Option C is incorrect—you cannot test systems before they are built (i.e. during the systems analysis phase).
  17. A, B, C. Option D is an important task to do on a routine basis, but it involves monitoring the outside threat world and not the behavior or performance of the systems we are protecting.
  18. B. Option A misstates the role of ongoing monitoring, and conflicts with Option B. Option C suggests a redundant set of capabilities, which may be mission critical for a select few organizations but is not common. Option D may be a useful capability, but it is not the reason for ongoing monitoring.
  19. D. Options A and C both underestimate the value of a good key performance indicator, whether for real-time incident detection and response or for trending and analysis. Option B is also mistaken in that it suggests that aggregate measures such as link loading, resource utilization, and so forth have no value in incident detection.
  20. A. Option B is incorrect; incident response and management is a vital part of risk management. Options C and D do not recognize that risk management includes all processes necessary to identify, assess, characterize, control, respond to, and recover from risks.
  21. B, D, E. Triggering the lights, the intruder may pause and reconsider continuing with their attack. They may, of course, decide to continue, so the lights by themselves do not prevent intrusion. The lights can be part of an integrated alarm system (option B). The motion detectors (as their name implies) detect a potential intrusion (option D), but it is the reactive element of turning the floodlights on (option E) that delivers the message to the intruder that they have been noticed by the system.
  22. F, G. The combination of these features sends the message to users and intruders that the bank takes the security of your account seriously. It has put all of these measures in place to make it difficult for anyone to impersonate you and gain access to your accounts. Banners at login, instructions, and reminders do part of the direct messaging (option A, directive, is performed). Options B and C (deterrent and preventative controls) are achieved by denying access if the user does not successfully engage with the controls. Corrective and recovery (options F and G) are functions not performed during login or normal use of the system but would apply after an incident of some kind has occurred.
  23. A, C. Whether it's the building's heating, ventilation, and air conditioning (HVAC), its internal fire suppression and security alarm systems, or the systems in the labs, these OT systems may be vulnerable to an over-the-Internet intrusion and attack (option A is correct). Option C is correct; this tends to be the first step in responding to the discoveries made during risk and vulnerability assessment, and it shapes the planning for more physical and technical mitigation strategies. Option B is incorrect; even if those systems are fully isolated from any external network, until you've done a vulnerability assessment, you don't know what you don't know. Option D is incorrect; it gives the COO false comfort and, if nothing else, seems self-serving (my budget is all I care for, it seems to say).

Chapter 5: Communications and Network Security

  1. D. Option D accurately reflects the use of both of these as conceptual models and protocol stacks—by builders, attackers, and defenders alike. Option A reflects an incorrect bias that many network engineers have, who somewhat dismissively ignore things above the Transport layer. Option B is its logical opposite, also false. Option C is incorrect, as all three sets of concepts drive the design and operation of real hardware, software, and systems.
  2. A. Option B is incorrect, because the changes in address field sizes, and therefore in packet header structures, have nothing to do with security (although IPv6 does add security features). Option C is incorrect; such a conversion could be done by a gateway, but that is not part of IPv6 itself, only something IPv6 can be made to support. Option D is incorrect; the transport protocols (such as TCP and UDP) carried over IPv6 have not changed, so this is not where the incompatibility comes from.
  3. B. Option A is false, as there is no one central node that serves the entire net; further, millions of Internet nodes have connections between them. Option C is incorrect, as many nodes on the Internet can fail, but this does not prevent alternate routing of packets around the failure; the Internet is “self-healing” in this way. Option D is false, as there is no one straight-line connection from the first Internet node to the last. Option B correctly identifies the billions of nodes on the Internet as being part of a very large mesh.
  4. C. Option A is incorrect; VPNs provide connectivity but have no more role in service delivery than other Layer 1 or Layer 2 network elements do. Option B is incorrect, as neither peer controls the other in service sharing. Option D is incorrect; in such a case, either the server is a peer to the other server or the peer is actually a client. Option C correctly identifies that most services need one node to control the service delivery process, and the other node, requesting the service, follows the first node's control of the conversation.
  5. B. Options A and C both incorrectly leave out subnetting in IPv6 and misstate what Classless Inter-Domain Routing (CIDR) is about, even though the two options say this differently. Option D is partly correct in that IPv6 does have a 16-bit subnet field, and (as Option B says) the overall address field size makes subnetting much easier to do, but there is no subnet field in IPv4.
  6. C. Option A is the backbone of most LANs, because physical cables can be protected in a variety of ways, and unless a hacker can access your patch panels or other hardware, it is difficult to intrude at the Physical layer. Option B is also very secure; it is harder to physically tap into a fiber as well. Option D tends to see use in limited circumstances, but this may change in time. Option C is correct because Wi-Fi is, quite literally, everywhere; it is expected to be available; people and businesses demand it; and many Wi-Fi devices, such as SOHO routers, are trivially easy to set up and leave unsecured. Wi-Fi is subject to many kinds of eavesdropping, snooping, and spoofing attacks unless properly secured.
  7. A, D. Ports are a fundamental part of the way apps request services from processes running on other nodes on the Internet. Standardized port numbers make application designs easier to manage; thus, port 80 and HTTP are associated with each other. Thus, Options A and D show a misunderstanding of what ports are and why they are necessary.
  8. B. From the Physical layer on up, the injection of unauthorized traffic into a network can cause almost any protocol to fall for a “mistaken identity” that leads to a man-in-the-middle (MITM) attack. Session stealing (Layers 5 and 7) is a prime example; thus Option A is false. Option C is incorrect, since IP (Layer 3, the Network layer) is inherently connectionless and is prone to MITM attacks. Option D is also false, as session stealing (and others) demonstrates.
  9. C. Option A is incorrect, since the local host file (cache) is quite easily corrupted as part of an attack. Option B shows a misunderstanding of DNS and the role of DNS servers. Option D sounds tempting, but without this being part of an extensive data-at-rest protection scheme it may not work and would probably impede network operations.
  10. A. Option A is correct; this is “unwrapping” as datagrams have their headers and footers removed on their way up the stack. Option B is incorrect—wrapping happens on the way down from Transport (or higher) to Physical (by way of Data Link). Options C and D describe what the Presentation layer does as it passes datagrams to applications, which is beyond the Transport layer and going up, not down, the stack.
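The “unwrapping” in item 10, as an added example that is not from the book: the Python below builds a constructed Ethernet II / IPv4 / TCP frame (the MAC addresses, IP addresses, ports and HTTP payload are made up) and then strips one header per layer on the way up the stack, verifying the IPv4 header checksum as it goes and rejecting a frame whose header has been altered. The names build_sample_frame, unwrap and is_valid_frame are this example's own.

```python
import struct

# ---- sending side: wrapping, on the way down the stack ----------------------

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header.
    Computed over a header whose checksum field is already filled in, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_frame() -> bytes:
    """Constructed frame (not captured traffic): Ethernet II / IPv4 / TCP / HTTP request."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: src port 40000, dst port 80, seq 1, ack 1, data offset 5 words, flags PSH|ACK.
    # The TCP checksum is left at 0 here; this example verifies only the IPv4 header.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version 4 / IHL 5, id 0x1234, DF flag, TTL 64, protocol 6 (TCP), checksum filled in below
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

# ---- receiving side: unwrapping, on the way up the stack --------------------

def unwrap_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}, frame[14:]

def unwrap_ipv4(packet: bytes):
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes, options included
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")   # corrupted or tampered header
    header = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
              "ttl": ttl, "protocol": proto, "id": ident}
    return header, packet[ihl:total_len]          # any trailing link-layer padding is dropped

def unwrap_tcp(segment: bytes):
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off >> 4) * 4
    header = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
              "flags": flags, "window": win}
    return header, segment[data_offset:]

def unwrap(frame: bytes):
    """Strip one header per layer; return the per-layer headers and the application payload."""
    layers = []
    eth, rest = unwrap_ethernet(frame)
    layers.append(("ethernet", eth))
    if eth["ethertype"] != 0x0800:
        raise ValueError("this example handles IPv4 only")
    ip, rest = unwrap_ipv4(rest)
    layers.append(("ipv4", ip))
    if ip["protocol"] != 6:
        raise ValueError("this example handles TCP only")
    tcp, payload = unwrap_tcp(rest)
    layers.append(("tcp", tcp))
    return layers, payload

def is_valid_frame(frame: bytes) -> bool:
    """True if every layer parses and the IPv4 header checksum verifies."""
    try:
        unwrap(frame)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for name, hdr in unwrap(build_sample_frame())[0]:
        print(name, hdr)
```

Each unwrap_* function returns two things: the header it consumed, and the bytes it hands to the next layer up. Flipping a single bit in the IPv4 header (the TTL, say) makes the checksum check fail, which is the kind of integrity check a stack does at each layer before passing the datagram upward.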
  11. B. Option B is correct; it is an internetworking layer security process and protocol set added to IPv4. Option A is incorrect; IPSec works with packets, not frames (IP addresses, not MAC addresses). Option C is also incorrect, because IPSec is not a transport protocol. Option D is incorrect; IPSec is not a session layer protocol.
  12. C. This IP address is a link-local address (the 169.254.0.0/16 range in IPv4), which is assigned to your system by the operating system and its network protocol stack when no DHCP server responds. Check the configuration settings for any switches, routers, and modems between your system and your ISP so that you know where the DHCP service resides; then find that device. Thus, Options A and B are incorrect. Option D may be a good step after you determine which device is supposed to be your DHCP server. Option C is your best next step: ping it, or use tracert (traceroute) to it, to see if it responds.
  13. B. In almost all circumstances, the boundary between an organization's information infrastructure and the outside world of the Internet is the highest-risk threat surface. Any channel crossing this boundary should be rigorously assessed for vulnerabilities, and all access via it should be well controlled and well monitored. Thus Option B is probably the best recommendation. Internal systems links, such as Options A and C, might help in containment of intrusions, but there may be other ways to do this than with IDS/IPS remotes. Option D restricts the effectiveness of the IPS or IDS to just those network segments and resources it can directly see and control, which may be a very small subset of your network.
  14. A, B. Option C is false; the physical access point itself needs to be protected from somebody attacking it with an unauthorized firmware update, for example, or simply plugging into an unblocked network jack on it. Option D is one component of mobile device management, but it is not sufficient. Option B can reduce exposure to many threats related to mobile device access, whereas a mobile device management system can help track, force compliance, block, or lock down a device reported lost or stolen.
  15. D. Option C is false; even if your company didn't use these planes as part of its design and build-out of the networks, this viewpoint can still help you as you look at what the protocol analyzers, SIEMs, IDSs, and IPSs are reporting to you. Options A and B are therefore partly correct; Option D brings all of your tools to bear on the problem.
  16. B, C, D. Options B, C, and D all describe ways that having better insight into how your systems and networks are being used, right now, can help you determine if they might be suffering some kind of problems. And if they are, that data can help you resolve whether this is a security event or not. Option A is false and also lacks the insight to apply these systems to your overall information systems security strategy.
  17. A. Option B is false; these products ship with everything wide open for a number of practical reasons, including making it easier for administrators to initially configure them. Option C is tempting fate. Option D is a little bit less risky than Option C, since at least you've prevented an intruder from reconfiguring your device to suit their needs and not yours.
  18. D. Option D brings AES encryption to Wi-Fi. Option A is incorrect; WEP was easily broken early on. Option B, WPA, is also incorrect, since this was a step in the right direction while IEEE 802.11i was being developed as a standard. Option C, also incorrect, was part of the interim WPA design, and WPA2 supersedes WPA in all respects.
  19. C. Option A is true in part (the range) but ignores other aspects of Bluetooth vulnerabilities. Option B is incorrect—it seems to assume keyboards and mice are the only Bluetooth devices to worry about. Option C is very real and not very well understood by many organizations. Option D isn't real. Yet.
  20. B, C. Option A shows a conceptual misunderstanding about network operations and security operations, regardless of who conducts them or is responsible for them. Option D is also incorrect; many smaller organizations can easily and affordably have their network operations team handle the key security operations functions. Option B may indeed be true in some organizations and in some marketplaces, but the organization should always let its business case for security drive the decision. Option C is correct; NOC focuses on design, deployment, operation, and maintenance of the network and changes to it, and the SOC focus is on keeping it secure, detecting events and characterizing them, and containing and responding to them if necessary.

Chapter 6: Identity and Access Control

  1. B. Option A is false; each additional factor checked increases the challenge an attacker has to overcome to spoof an identity claim. Option C is false; hardware is only needed for factors involving what the subject has, such as a keyfob code generator, or biometric factors. Option D is tempting, and high-risk functions might be best protected with additional security measures, but compared to Option B, it is not as compellingly correct.
  2. C. Option A is incorrect; proofing establishes the truthfulness of documents or other information that attest to a person's claim to be that person and is used during the identity provisioning process. Option B can be used as single-factor or as part of a multifactor system, for example, by using a Microsoft account to sign on to a Web service. Option D is incorrect; while this is two different measurements, they both attest to what the subject is (the physical body), and multifactor would require us to look at what the subject has or knows as well.
  3. B. A positive result of an authentication test means that the claimant is who (or what) they claim to be. Thus a false positive is allowing an incorrect identity to access the system, which probably is a threat actor. A negative result denies an identity's claim to be who (or what) they claim to be. Thus a false negative denies a legitimate identity from system access. Thus, Options A and D incorrectly use the concept of negative and positive authentication results (correct and false). While Option C is true, Option B indicates the situation of greatest risk—a threat actor has been legitimized and granted access.
  4. B. Option B is correct, as it emphasizes the need to have a rigorous threat modeling or vulnerability assessment drive the way you design and use access control at a very fine-grain level. Option A is only partially correct, because it considers SSO as if it's a one-ingredient answer to a complex situation. Option C confuses single sign-OFF with single sign-ON; it's correct in what it says, but single sign-off is a relatively minor issue of little security risk. Option D is incorrect, as it exaggerates basic OS and network capabilities into a “support” that isn't really there. It also misinterprets management's concern about security risk and addresses implementation risk instead.
  5. B. Option D is high risk, and therefore incorrect; plugging a device into an empty network connection should start a connection handshake that is an opportunity to block an unknown or unauthorized device from joining the network. Options A and C are parts of how Option B performs such an authentication, and therefore B is the most correct answer and the most secure approach of the three.
  6. B. Option A is incorrect; SSO is a subset of both the capabilities and security (issues and security solutions) that federated access can support. Option C correctly raises the issue of the trust architecture, but going from there to a full federated access control system, and keeping that secure, can be challenging. Keeping it secure will always require monitoring, analysis, and testing. Option D is incorrect; federated access, like SSO, can use any means of identity authentication that meets the organization's CIANA needs.
  7. D. Option A demonstrates misunderstanding of the concept of a trust architecture, which Option D clarifies. Option B also misstates the purpose and intent of trust architectures and their role in reducing the risk of an unconstrained (or totally trusted) extranet. Option C does not correctly state what an extranet is (it allows those external to the organization to share in using the sponsoring organization's internal systems and data); it also is mistaken in saying that the same systems, technologies, connections, etc., that are the internal trust architecture would therefore be appropriate to secure and protect the extranet.
  8. C. Option A is false; zero trust architectures have been used since 2007, and many systems vendors are actively supporting them with additional protocols and capabilities. Option B is only the first step in the process; risk mitigation is where implementation of network designs, including zero trust features, takes place. Option D is false; as an architecture, first you plan how to segment, secure, and “never trust, always verify.” Then you build that design, and existing IPv4 commodity products are more than adequate to support such architectures.
  9. C. Option A is incorrect; single sign on (SSO) provides sign-on capabilities for an organization's domain of users, while trust relationships refers to interorganizational trust of each other's users as domains or sets. Option B is correct as far as it goes, but it does not relate this to access control; Option C does this correctly. Option D is incorrect; federated access control deals with this in almost all cases.
  10. B. Step 1, Proofing, is part of provisioning, and thus Options A and C are incorrect. Step 5, Deletion, happens after revocation, but it is a cleanup of files, assets, and records, and it is more properly part of a records retention and housekeeping process. It is not part of identity management. Thus, Option D is incorrect. Option B correctly reflects that we start by provisioning an identity, we continually review the privileges assigned to it versus the needs of the job and the organization, and then we revoke it.
  11. B, C. Access control is not involved with resource chargeback, that is, billing; thus Option A is not correct. Option D has confused the roles of authorization and authentication, which Option C states correctly. Option B is correct—this is the “triple A” of access control.
  12. D. Each of the options (A, B, C) is allowing a subject to modify the security enforcements in the system, either for an object it has been granted access to or for some other part of the system. Mandatory access control does not permit this. Thus Option D is correct.
  13. C, D. Discretionary access control policies allow the systems administrators to grant capabilities (permissions) to subjects to modify aspects of access control restraints, but these must be uniformly defined for all subjects. Thus, Option C is correct, as is Option D. Options A and B apply to mandatory or nondiscretionary access control policies.
  14. A. Option B looks at specific aspects of the subject, which might include duties and tasks in their job description, but Option A is more correct in that role-based access control can apply to subjects and objects both. Option D can contain role-based criteria, but normally this looks at many more conditions and criteria. Option C focuses more on the nature of the object—which may be used by more than one role.
  15. D. Option D, attribute-based, can use complex Boolean logic statements to conditionally evaluate almost any criteria, environmental or situational conditions, and so forth, to authorize an access request. Each of the others provides limited capabilities by comparison; zero trust typically requires the most rigorous access control possible.
  16. A, C. Be careful of the negative in the question! Mandatory access control policies do not allow subjects or objects to modify the security-related aspects of the systems, its subjects, and its objects; thus, granting the privileges in Option A or C cannot be allowed. Options B and D reflect reasonable and prudent access control checks that all systems should perform before granting access.
  17. A. The reference monitor is the functionality that checks every access attempt to see if it should be authorized or denied. As a result, Option D is false (accounting is a recordkeeping function, necessary to access control but done after the access request is granted or denied). Option C is false, as the reference monitor is in fact implemented in operating systems (typically in their security kernel), or as part of a trusted computing base (TCB) module on a motherboard. Option B is the reverse of what's required; we need to be able to inspect, analyze, and verify that the logic and code of the reference monitor does its job completely and correctly and that it does nothing else if we are to consider it highly trustworthy.
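Items 12 through 17 compare mandatory, discretionary, role-based and attribute-based policies and the reference monitor that enforces them. The following is an added example, not from the book: a small reference monitor in Python in which every request goes through one check function, the mandatory policy (a Bell-LaPadula style no-read-up / no-write-down rule over system-assigned labels) acts as a floor that an ACL entry, a role, or an attribute rule cannot override, and every decision is appended to an audit list (the accounting function item 17 refers to). The subjects, objects, label names, role table, and the ABAC rule (same department, business hours, managed device) are all constructed for the example.

```python
from dataclasses import dataclass, field

# Ordered sensitivity labels. Under MAC the system assigns these; subjects cannot change them.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)

@dataclass
class Object:
    name: str
    classification: str
    owner: str
    acl: dict = field(default_factory=dict)    # subject name -> set of actions the owner granted (DAC)
    attrs: dict = field(default_factory=dict)

ROLE_PERMISSIONS = {"analyst": {"read"}, "editor": {"read", "write"}}   # RBAC table (constructed)

def mac_allows(s: Subject, o: Object, action: str) -> bool:
    """Mandatory policy: no read up, no write down. Nothing a subject does can relax it."""
    clearance, classification = LEVELS[s.clearance], LEVELS[o.classification]
    if action == "read":
        return clearance >= classification
    if action == "write":
        return clearance <= classification
    return False

def dac_allows(s: Subject, o: Object, action: str) -> bool:
    """Discretionary policy: the owner has full access and may have granted ACL entries."""
    return s.name == o.owner or action in o.acl.get(s.name, set())

def rbac_allows(s: Subject, o: Object, action: str) -> bool:
    """Role-based policy: the action must be permitted to at least one of the subject's roles."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in s.roles)

def abac_allows(s: Subject, o: Object, action: str, env: dict) -> bool:
    """Attribute-based policy (constructed rule): same department, business hours, managed device."""
    return (s.attrs.get("dept") == o.attrs.get("dept")
            and 9 <= env.get("hour", -1) < 18
            and env.get("device_managed", False))

class ReferenceMonitor:
    """Mediates every access request. All applicable policies must agree; MAC is the floor."""

    def __init__(self):
        self.audit = []                       # accounting: every decision, allowed or not

    def check(self, s: Subject, o: Object, action: str, env: dict) -> bool:
        decisions = {
            "mac": mac_allows(s, o, action),
            "dac": dac_allows(s, o, action),
            "rbac": rbac_allows(s, o, action),
            "abac": abac_allows(s, o, action, env),
        }
        allowed = all(decisions.values())
        self.audit.append({"subject": s.name, "object": o.name, "action": action,
                           "allowed": allowed, "why": decisions})
        return allowed

def demo() -> ReferenceMonitor:
    """Constructed subjects and objects; returns the monitor after four requests."""
    alice = Subject("alice", "internal", {"analyst"}, {"dept": "finance"})
    bob = Subject("bob", "secret", {"editor"}, {"dept": "finance"})
    ledger = Object("ledger", "confidential", owner="bob",
                    acl={"alice": {"read"}}, attrs={"dept": "finance"})
    office_hours = {"hour": 10, "device_managed": True}
    rm = ReferenceMonitor()
    rm.check(alice, ledger, "read", office_hours)   # ACL grants it, but MAC forbids reading up
    rm.check(bob, ledger, "read", office_hours)     # every policy agrees
    rm.check(bob, ledger, "write", office_hours)    # owner and editor, but MAC forbids writing down
    rm.check(bob, ledger, "read", {"hour": 22, "device_managed": False})   # ABAC denies
    return rm

if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The first request is the point of item 12 and item 16: the owner's ACL entry grants alice read access, yet the mandatory policy still denies it, and there is nothing the owner can grant to change that. The audit list is what a later investigator reads; it records the denial and which policy produced it.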
  18. D. Option A unnecessarily removes the identity from your systems and those of other systems in your federated access system; this would not be called for until the fate of the employee is known to warrant a permanent removal of access privileges. Options B and C still allow devices that the employee had been known to use to access your systems; if the employee, these devices, or both are in hostile hands, this places your systems at risk. Option D is the most secure response.
  19. B, C, D. Option A confuses the roles of third-party service providers with those of organizations and individuals that collaborate with you via federated access and is not correct. The others are legitimate examples of third-party roles; note that Option D is still a relatively immature market, and if you're tempted to use IDaaS, choose your vendor with care!
  20. A. Subjects, by definition, want to do something that involves an object. Thus, Option A has these roles reversed. Subjects can be any kind of entity that can take action. Objects contain information, but also can provide requested services (that is, take action upon request), so Options B and C are correct.
  21. A. Option A correctly describes malware quarantine, and remediation by quarantine networks for systems not meeting requirements. Option B is incorrect, since antimalware systems do not quarantine systems but only files they encounter during scanning. Option C correctly describes captive portal quarantine by network access control systems, which differs from antimalware file-based quarantine. Option D misstates the capabilities of antimalware systems (unless they fully incorporate access control and identity management functions, of course).
  22. A. Option B is partly correct, but Diameter, although designed as a successor to RADIUS, saw little adoption outside the telecommunications world (3GPP mobile core networks use it) and never displaced RADIUS for general network access control. Option C is also incorrect: first came TACACS, which gave rise to both XTACACS, a proprietary product, and TACACS+, not the other way around. Option D is incorrect, since systems may be de facto “standards” (because a lot of companies use them), but they are not published standards by appropriate standards agencies.
  23. C. Option A is false; IPv6 was specified with IPSec built into the protocol suite (originally as a mandatory-to-implement feature, later relaxed to a recommendation in RFC 6434), but mandatory to implement has never meant mandatory to use. Option B is false; app-level encryption does not protect lower-layer traffic from being snooped or spoofed. Thus Option C is correct. Option D is false; IPv6 doesn't do this encryption by itself, but it builds the features into the protocol stack so that user organizations can choose to implement it. IPv6 and IPv4 are not compatible, so a gateway of some kind will be required anyway, and the issue of security through the gateway will still need to be addressed.

Chapter 7: Cryptography

  1. A. Options B, C, and D all are parts of what cryptography entails, and taken together sum it up. Option A is more suggestive of camouflage, honeypots, or other efforts to draw attackers away from what you wish to defend and divert their energies elsewhere.
  2. B. Option A is an incomplete description of asymmetric encryption; Option C is false, since hybrid systems are in widespread use; and Option D is unrelated to symmetric or asymmetric encryption.
  3. C. Option A is false; this option confuses the message digest with the hash itself; a hash value contains no meaning. Option B is one use of hashing, but there are so many more, particularly in cryptographic systems like PKI and digital signatures. Option D contains a misunderstanding of the digital signature process.
  4. C, D. Options A and B both suggest encrypting the file in some way, which hides its meaning; Option B is a concept being explored by IBM and is not readily available anyway. Options C and D would both accomplish this; Windows, Office, and many software systems use both techniques in their distribution and update processes.
  5. D. Using proper cryptographic techniques, all aspects of CIANA (confidentiality, integrity, availability, nonrepudiation, authentication) can be enhanced, even availability and integrity.
  6. D. Although Option A is tempting, cryptographic processes cannot confirm that the certificate and key are correctly associated with a specific human or organization. The CA does that through other (noncryptographic) means and, as an anchor in the chain of trust, attests that this person and this certificate go together. Thus Option D is correct. Option B refers to integrity and Option C to confidentiality, which are not directly part of nonrepudiation.
  7. A, D. Option B confuses where the signals go (through space) with the movement of the information from one user as an endpoint to another. Similarly, Option C misses the point about protecting data at rest, which is from when it is written to storage to some time later, in the future, when it is read back.
  8. A. The incorrect answers show misapplication of the steps of the process. Option C has reversed who encrypts and who decrypts. Option B confuses the use of the sender's public and private key, and if the recipient knows the sender's private key it must no longer be private! Option D won't work, because decrypting the unencrypted hash won't produce anything that is useful.
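Items 4 and 8 describe the digital signature flow: hash the content, encrypt the hash with the sender's private key, and have the recipient decrypt it with the sender's public key and compare against a fresh hash. The following added example (not from the book) walks through that flow in Python over textbook RSA built from two known Mersenne primes; keygen, sign, verify, demo and the sample message are this example's own names and data. Textbook RSA with no padding is used only to make the key roles visible; a production signature uses a padding scheme such as RSA-PSS, or an elliptic-curve scheme, from a vetted library with properly generated keys.

```python
import hashlib

# Two known primes (Mersenne primes M127 and M521), chosen so the modulus comfortably
# exceeds a 256-bit digest. Fixed keys like these are for illustration only.
P = (1 << 127) - 1
Q = (1 << 521) - 1
E = 65537

def keygen():
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))     # private exponent; modular inverse needs Python 3.8+
    return (n, E), (n, d)

def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer; this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sender: hash the message, then encrypt the hash with the sender's PRIVATE key."""
    n, d = private_key
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient: decrypt the signature with the sender's PUBLIC key; compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)

def demo() -> dict:
    pub, priv = keygen()
    msg = b"Transfer 100 to account 42"          # constructed sample message
    sig = sign(msg, priv)
    return {
        "genuine": verify(msg, sig, pub),
        # one changed character in the message changes the hash, so the signature no longer matches
        "tampered": verify(b"Transfer 900 to account 42", sig, pub),
        # without d, the best an impostor can do is send the bare hash; the public key does not undo that
        "forged_without_private_key": verify(msg, digest_int(msg), pub),
    }

if __name__ == "__main__":
    print(demo())
```

Only the holder of d can produce a value that e turns back into the message hash, which is what gives the signature its nonrepudiation property (item 6); the recipient never needs, and must never have, the sender's private key. Binding that public key to a particular person is the certificate authority's job, not something this arithmetic can do.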
  9. B. Option A shows incomplete understanding of the digital signature process. Option C confuses whether the sender or recipient needs to trust signed content and signatures. Option D is incorrect, as it is missing the receiving client's need for installed, trustworthy operating systems, browsers, or other signature-handling applications; it also misstates the role of government in the CA process.
  10. A, B. Option C starts with an incorrect assumption, since many email systems use POP, IMAP, or other nonsecure connections. Option D may be correct as far as it goes, but this represents a tiny fraction of the routine uses of email.
  11. C. Option A is one classical approach to using a one-time pad, but the key itself is the process for choosing key values out of the book, and that algorithm can easily be compromised, typically with lexical analysis. Option B is incorrect, as Shannon's work shows one-time pad is unbreakable only if truly random numbers are used as a key. Option D may be partially correct, but it does not address how the one-time pad itself is generated.
  12. A, C. Option B is incorrect, reversing which concept (webs or hierarchies) have their trust anchors as part of the supply chain. Option D is incorrect, as the differences shown in Options A and C would indicate.
  13. A, B, D. Option C is incorrect; by making significant contributions to access control, information integrity, and confidentiality, cryptography can reduce or eliminate many vulnerabilities that could lead to information or systems being unavailable when and where needed.
  14. C. Options A and B are high on the “wish lists” of many governments but are just not obtainable, nor would they make widespread e-commerce possible, as there would be no basis of trust for it. Option D overstates the role of cryptographic module verification programs, since they validate only that the module does what it claims to and not whether it is suitable for any specific information security need.
  15. C. Arguably, Option D as a blanket statement might be true, but in practice it's not true. A stream cipher is in effect a one-time pad generated from a short key: it is secure only as long as no keystream is ever reused, so the same key and nonce must never encrypt two messages and the keystream must never wrap around and repeat. Implementations that break this rule are open to attack, because XORing two ciphertexts that share keystream cancels the key and exposes the relationship between the two plaintexts. Option B is also false for this reason. Option A is true but incomplete for the same reason.
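Item 11 (one-time pads) and item 15 (stream ciphers) share one failure mode: keystream reuse. As an added example that is not from the book, the Python below encrypts two constructed messages under the same key and nonce using an illustrative counter-mode keystream (a hash-based stand-in, not a standard cipher), shows that XORing the two ciphertexts cancels the keystream entirely, and then recovers part of one plaintext from a guessed fragment of the other (crib dragging). The function names and the two messages are this example's own.

```python
import hashlib
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def one_time_pad(message: bytes, pad: bytes) -> bytes:
    """Perfect secrecy only if the pad is truly random, at least as long as the message,
    and never used again. Encryption and decryption are the same operation."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message: it would have to repeat")
    return xor(message, pad)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative stream-cipher keystream: SHA-256 in counter mode (not a standard cipher).
    A stream cipher is a pad expanded from a short key; the same (key, nonce) gives the same pad."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def stream_encrypt(message: bytes, key: bytes, nonce: bytes) -> bytes:
    return xor(message, keystream(key, nonce, len(message)))

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one keystream: c1 ^ c2 == p1 ^ p2. The key has cancelled out."""
    return xor(c1, c2)

def crib_drag(p1_xor_p2: bytes, crib: bytes):
    """Slide a guessed fragment of one plaintext along p1 ^ p2. Wherever the result is
    printable text, the guess probably sits at that offset and the result is the other
    plaintext's bytes there. Returns (offset, candidate) pairs."""
    hits = []
    for i in range(len(p1_xor_p2) - len(crib) + 1):
        candidate = xor(p1_xor_p2[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in candidate):
            hits.append((i, candidate))
    return hits

def demo() -> dict:
    p1, p2 = b"MEET AT THE DOCK", b"SEND MORE TROOPS"     # constructed messages, equal length
    key, nonce = os.urandom(32), os.urandom(12)
    c1 = stream_encrypt(p1, key, nonce)
    c2 = stream_encrypt(p2, key, nonce)                    # nonce reused: identical keystream
    leak = two_time_pad_leak(c1, c2)
    return {
        "leak_equals_p1_xor_p2": leak == xor(p1, p2),     # true without ever knowing the key
        "recovered_from_crib": xor(leak[:4], b"MEET"),     # guess p1 starts with MEET, get p2's start
        "crib_hits": crib_drag(leak, b"MEET"),
    }

if __name__ == "__main__":
    print(demo())
```

The attacker never touches the key: from two ciphertexts alone they obtain p1 XOR p2, and any correct guess about one message (a header, a greeting, a fixed field) reads out the other message at the same offset. That is why the rule for any keystream, pad or cipher, is use once and never again, and why nonce management is a security property of a stream-cipher implementation rather than a detail.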
  16. A. Option B demonstrates complacency that's been disproven time and again; continued cryptanalysis suggests that even the largest keys in use today on RSA are not as secure as we think. Option C is true but for character and stream ciphers as well. Option D makes a mistaken assumption about requiring more complex algorithms.
  17. C. Although all are real threats, Option B is probably of lowest likelihood for most small and medium-sized businesses. Options A and D are not technically attacks but vulnerabilities that user organizations inflict upon themselves.
  18. D. Although all are real vulnerabilities, Option B typically arises only when disposing of equipment (or if physical security of equipment is lacking). Option C can be an issue, especially for software-based cryptographic systems, if access control and configuration management allow unauthorized or uncontrolled software update and installation. Option A is a subset of Option D.
  19. A. Option B is incorrect; comparing hashes of purportedly the same text will reveal even a single-bit difference in the inputs, which some error-correcting and error-detecting codes cannot provide, and a reversible function would add nothing to this. Option C incorrectly states what “reversibility” means for an algorithm. Option D is incorrect because a hash function maps inputs of any length to a fixed-length digest and is therefore necessarily many-to-one; what we need from a secure hash function is that it be one-way (no practical way to recover an input from its digest) and that collisions, although they must exist, be computationally infeasible to find. Collision resistance is a property that is engineered in, not something that works against the purpose of a secure hash.
  20. A, B. Option C misunderstands the use of a public key, which can only be used to authenticate your identity by decrypting something you've digitally signed with your corresponding private key. Option D seems to confuse key length with usage: although having key change intervals is something that policy and systems choices should dictate, it's probably not a fixed (suspiciously binary) number like this.
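
The keystream reuse weakness referred to in the answer to question 15 above, as an added example that is not part of the original book or its answer key: two messages encrypted under the same key and nonce share a keystream, so XORing their ciphertexts cancels it, and a guessed fragment (a “crib”) of one message exposes the matching bytes of the other without any knowledge of the key. The keystream generator, key, messages and crib are constructed stand-ins for the demo; the seeded PRNG is not a real cipher.

```python
import random


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator: a seeded PRNG stands in for a real stream
    cipher (constructed for the demo; never use this to protect data)."""
    rng = random.Random(key)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR a keystream derived from key and nonce."""
    return xor_bytes(plaintext, keystream(key + nonce, len(plaintext)))


def recover_with_crib(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """Attacker step: if c1 and c2 share a keystream, c1 XOR c2 = p1 XOR p2,
    so a crib (guessed plaintext) for message 1 at `offset` yields the
    corresponding bytes of message 2. Needs no knowledge of the key."""
    mixed = xor_bytes(c1, c2)
    return xor_bytes(mixed[offset:offset + len(crib)], crib)


KEY = b"constructed-demo-key"
P1 = b"ORDER: transfer 250 USD to acct 4471"   # constructed messages
P2 = b"ORDER: transfer 900 USD to acct 8820"
CRIB = b"transfer 250 USD"                     # attacker's guess at P1[7:23]


def keystream_reused() -> bytes:
    """Same key and same nonce for both messages: the keystream repeats."""
    c1 = encrypt(KEY, b"\x00", P1)
    c2 = encrypt(KEY, b"\x00", P2)
    return recover_with_crib(c1, c2, CRIB, 7)   # -> b"transfer 900 USD"


def keystream_fresh() -> bytes:
    """A distinct nonce per message: the same crib attack yields only noise."""
    c1 = encrypt(KEY, b"\x01", P1)
    c2 = encrypt(KEY, b"\x02", P2)
    return recover_with_crib(c1, c2, CRIB, 7)
```

The point of the two final functions is the contrast: the cipher is the same in both, and only the discipline of never reusing a key/nonce pair separates a leak of the second message's amount from an unreadable result.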
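
An added illustration, not from the original book, of the hash properties behind the answer to question 19 above: a fixed-length digest whatever the input size, an avalanche of changed digest bits from a single flipped input bit, and detection of a transposition that a simple additive checksum misses. The messages are constructed; hashlib's SHA-256 serves as the secure hash.

```python
import hashlib


def additive_checksum(data: bytes) -> int:
    """16-bit sum of bytes, the kind of simple error detecting code that is
    insensitive to byte order and to balanced edits."""
    return sum(data) & 0xFFFF


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


# Constructed messages: the second transposes two digits of the amount.
ORIGINAL = b"pay 1000 to account 42"
SWAPPED = b"pay 0100 to account 42"


def checksum_detects_swap() -> bool:
    """Same bytes in a different order give the same sum."""
    return additive_checksum(ORIGINAL) != additive_checksum(SWAPPED)   # False


def hash_detects_swap() -> bool:
    return sha256(ORIGINAL) != sha256(SWAPPED)                         # True


def avalanche_fraction(data: bytes) -> float:
    """Share of the 256 digest bits that change when one input bit flips;
    for a good hash this is close to 0.5 for any input."""
    return differing_bits(sha256(data), sha256(flip_bit(data, 0))) / 256


def digest_length(data: bytes) -> int:
    """Fixed regardless of input size, which is why a hash is many-to-one."""
    return len(sha256(data))
```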

Chapter 8: Hardware and Systems Security

  1. D. Starting with Option A is a commonsense approach to quickly implementing some reasonable and prudent protection, but it lacks any judgment as to which vulnerabilities are important to your organization's risk management strategy and which are not. Option B is the systems inventory, and you will need it, as it describes the as-built systems. Option C is what drives Option D. Therefore, start shopping for countermeasures with Option D in hand.
  2. C. Although Options A and B correctly indicate roles that others in the company fulfill in securing the IT supply chain, the SSCP does have the responsibility and opportunity to advise and assist. Option D may be a factor, but it is not the sole factor in IT supply chain risk management.
  3. B, C. Option A is false—SNMP by itself cannot trigger a device to download and install a firmware patch file. Option D is false—that operator action can be misdirected to use the wrong file as the update. Option B may be true in some cases, if the device is set to allow remote management from other than a connected endpoint system such as a laptop or smartphone. Option C happens a lot!
  4. D. While some zero day vulnerabilities have been discovered and exploited within the same day, typically right after a new software product is released to market, most take longer: the attackers must understand a newly discovered vulnerability, design an exploit against it, and then find a suitable target. So Option A is not correct. Option B incorrectly refers to exploits that leave behind payloads or features that will take action later. Option C incorrectly associates the media reporting of cybersecurity, in general, with the time from discovery to exploitation of a vulnerability.
  5. D. All of these are legitimate risks to worry about; some big box stores’ computer repair services are known to do full scans and voluntarily report what they find to law enforcement, or possibly others, for example. Option A happens frequently, but it's more of an impact to ongoing availability than it is an exploitable vulnerability. Option B can cause equipment to fail or behave erratically. Option D is far and away the most prevalent hardware-related cause of data loss, systems breach, or information security failures, of the items on this list.
  6. B. Since trusted platform modules (TPMs) are special, sealed hardware modules added to the motherboards of computers or phones by their manufacturers, Option D is incorrect, even though TPM device driver software must be incorporated into most OSs to enable their use. Option A is incorrect; the TPM doesn't simplify this but allows for more trustworthy hardware storage and management of keys, certificates, digital signatures, and so forth. Option C is not correct; these functions in the OS and host hardware remain, while all the TPM provides is its own implementations with which it secures keys, manages certificates, and records (by hashing measurements into its platform configuration registers) machine identification and boot state information.
  7. B. Option A was originally used, differentiating between Trojan horses (or “giftware”), worms, and viruses, for example; this has proved to be inadequate. Option C has merit for signature analysis, either as patterns of behavior or patterns in the executable code and other files that are part of the malware. Option D is of use when looking to specific systems and their vulnerabilities. Option B combines purpose, intent, design, and effect and is arguably the more important characterization to use.
  8. A, D. Option B would be unusual for malware—but it might signify anything from loose connections to storage devices through congestion on networks slowing down directory updates. Option C is not correct; many behavioral effects are noticeable by the non-geeky user. Option D is how malware detection systems actually work.
  9. C. Options A and B misstate the role of application allowed listing or an antivirus program; firewalls do not do these functions. Option C is what a network firewall does. Option D describes what a network firewall does but misstates the firewall's role in malware defense.
  10. B. Option A misses the “destination” end of the connection attempt to the host: a program running on it. Option C is incorrect; firewalls do not do this. Option D is incorrect; although network-based firewalls may protect a lot of systems, they cannot control attempts by software on a host from exceeding prescribed limits of behavior.
  11. A, C, D. Option B does not typically shed light on security-specific features, fixes, vendor-supplied updates, or patches. The other options go from real-time indications and warnings, to health and status monitoring in real or near-real time, to mitigation plans and status.
  12. A, C. Option B overstates how the line between private and secure browsing is blurring; the “browser wars” continue to hold security and privacy hostage to revenue generation based on users and their history being products. Option D is only partly true, as it misses browser telemetry, your own interaction with webpages, and other ways that browsers leak information about you and your system.
  13. D. In almost all cases, using a media player built into your browser will not allow malware to be stored on your computer. All of the rest are known vectors (paths) for malware infection.
  14. B, C. Option A may be confusing a “blocked listing” approach (thou shalt nots) for bring your own device (BYOD) and mobile device management (MDM) systems with an allowed listing approach (permitted activities); nonetheless, this is a major problem with mobile devices regardless of ownership. Option D is one of the major problems MDMs are designed to help manage or solve, so this is false.
  15. B. Option A requires other capabilities, such as mobile device management, to provide this protection. Option C overlooks many complexities of using encryption on an endpoint device. Option D seems tempting, but current practice does not provide seamless encryption-based protection of data in use, especially on most mobile / smartphone endpoints.
  16. C, D. Option A is false; BYOI brings the potential for dynamic subnets of people and organizations becoming part of your infrastructure, and for loosely coupled cloud storage and processing to impact your business logic's use of enterprise systems. Option B is tempting but misleading, as most of your employees using BYOI capabilities do not have the capacity to solve the risks those capabilities can introduce.
  17. C. Option A is safe, but may overstate the need. Option B may apply for VMs executing in a sandboxed or partially isolated way, but does not address VMs used for production systems. Option D does not recognize that VM software—the OS and applications—can still become infected with malware, or that software-defined networks that support the VMs can still suffer intrusions if not adequately protected.
  18. C. Option A fails in practice, as lost or stolen devices may not be noticed as “missing” right away. Option B seems to subvert system security planning. Option D does not address identity or access control.
  19. E. Option A ignores the many instances where malware has shut off safety features in computers or destroyed hard disk drives. Option B ignores the losses a small business can suffer if even one employee's or customer's PII is compromised, or if critical data is lost. Options C and D are strongly related to each other, but both ignore the many other pathways that malware can enter a system that don't involve a browser.
  20. A, D. Option B confuses what signing an email does: it authenticates the sender's identity and lets the recipient detect tampering with the signed content, but it says nothing about whether that content or its attachments are safe. Option C mistakenly assumes that malware must be large executable files, when a few hundred bytes may be all that is needed.
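
A software model, added here and not part of the original book, of the PCR extend operation behind the answer to question 6 above: how a TPM hashes (and thereby preserves) platform state so that a verifier can check it later. The boot components are constructed stand-ins; a real TPM performs the extend in hardware and signs the PCR values in a quote, which this model omits.

```python
from __future__ import annotations

import hashlib

PCR_RESET = bytes(32)   # most SHA-256-bank PCRs read as all zeros after reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """The only write a TPM allows on a PCR: PCR_new = H(PCR_old || measurement).
    Nothing can reset or overwrite the value short of a platform reset."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """Hash a boot component's bytes before it is handed control."""
    return hashlib.sha256(component).digest()


def measured_boot(components: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Firmware-side model: extend each component's digest in order and keep
    an event log of the digests alongside the PCR."""
    pcr, log = PCR_RESET, []
    for comp in components:
        m = measure(comp)
        log.append(m)
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log: list[bytes]) -> bytes:
    """Verifier-side: recompute the PCR from the event log alone."""
    pcr = PCR_RESET
    for m in log:
        pcr = extend(pcr, m)
    return pcr


def attest(quoted_pcr: bytes, log: list[bytes], expected_pcr: bytes) -> bool:
    """Accept the platform only if the log explains the quoted PCR and the
    quoted PCR equals the known-good value."""
    return replay_log(log) == quoted_pcr and quoted_pcr == expected_pcr


# Constructed boot chains (stand-ins for real firmware, bootloader, kernel).
GOOD_CHAIN = [b"firmware 1.2", b"bootloader 2.04", b"kernel 6.1 signed"]
ROOTKIT_CHAIN = [b"firmware 1.2", b"bootloader 2.04", b"kernel 6.1 rootkit"]

EXPECTED_PCR, GOOD_LOG = measured_boot(GOOD_CHAIN)


def good_platform_passes() -> bool:
    pcr, log = measured_boot(GOOD_CHAIN)
    return attest(pcr, log, EXPECTED_PCR)


def tampered_kernel_fails() -> bool:
    pcr, log = measured_boot(ROOTKIT_CHAIN)
    return attest(pcr, log, EXPECTED_PCR)


def forged_log_fails() -> bool:
    """Attacker boots the rootkit but submits the good log with the quote;
    the log no longer replays to the PCR the TPM actually holds."""
    pcr, _ = measured_boot(ROOTKIT_CHAIN)
    return attest(pcr, GOOD_LOG, EXPECTED_PCR)


def order_matters() -> bool:
    """The same components extended in a different order give a different PCR."""
    return measured_boot(GOOD_CHAIN)[0] != measured_boot(GOOD_CHAIN[::-1])[0]
```

Because each extend folds the previous value into a one-way hash, hiding a tampered component would require finding a preimage, which is exactly the property the hash answer in Chapter 7 relies on.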

Chapter 9: Applications, Data, and Cloud Security

  1. B. While many people feel that Option A is true, it's an overgeneralization; most commercial apps go through rigorous design and testing, and include information security requirements. Option C exaggerates how much shadow IT exists, while ignoring the widespread use of platforms and services, productivity suites, etc. Option D addresses why apps already installed still have known vulnerabilities in them, but it does not address how those vulnerabilities got there in the first place. Option B is the number one reason we see the same kinds of errors, decade after decade, baked into new programs as they are written.
  2. C. Option C is correct in terms of the major benefit of allowed listing; Option D, its logical opposite, addresses the zero day risks of blocked listing approaches without saying why any other approach (such as allowed listing) is better. Option A is false on its face; no such program (thankfully!) exists to “trust-mark” applications. However, digitally signed installation kits do give some assurance that the software came from the vendor you thought provided it. Option B is true on its face but does not say why one approach provides better security than the other.
  3. B. Option A is false; it effectively assumes that private clouds are as secure as private datacenters or LANs and desktops. Option C is correct as far as it goes, since PaaS (for example) may provide platform-based controls while introducing additional boundaries (or threat surfaces). Option D is false and misstates the shared responsibility concept. Option B focuses on where to start thinking about the proposed migration and the role of threat modeling in planning for information security in the chosen cloud.
  4. D. Option A is incorrect by oversimplifying the ongoing need to understand changing conditions and how these affect the business relationship between host and customer. Option B is false; cloud systems technologies, whether Azure, Google Cloud, or Amazon Web Services, are updated virtually every week, with changes impacting customer-migrated systems utility and security. Option C overemphasizes the administrative/contractual burden of change. Option D better reflects the need to thoroughly understand both the contractual and the technical up front and how the effort spent on both will likely change over time.
  5. B, C. Option A is false; the laws of the host nation apply to the cloud datacenter operator in that country, and that means they apply to all of the data and processing performed on that cloud datacenter. Option D is false, as nearly all countries claim the right to control the import and export of information, particularly (as in Option C) where that information violates, attacks, or ridicules a strong cultural, religious, or political value in that country. Options B and C are true.
  6. B, C. Option D most correctly states the bottom line to most organizations in terms of how stakeholders, investors, legal and regulatory authorities, customers, and others will judge responsibility when things go wrong. Option A is a specific example; due care requires that you have the contractual, technical, and administrative ways to do such verifications, while due diligence requires that you actually do such verifications and hold the third party to task. Option B can only set day-to-day expectations; when a major data breach happens, Option D suggests that even if the service provider failed to fulfill their contract, your stakeholders will still hold you responsible. Option C is false.
  7. A, B, C. Option D is incorrect. Authentication data (credentials and other identity verification information), together with the authorization data that defines user and process privileges, is as subject to being wiped out, corrupted, lost, or stolen as any other data on any information system.
  8. A. Option B is partly correct but exaggerates the effort to set up an SDN or hypervisor. Option C is false, as it requires explicit actions by administrators to allow access to other system resources, devices, and so forth. Option D is also false, as the hardware, hypervisor, and host OS if used are where you start to define and configure VM images and the parameters that control their being dispatched to run and then retired.
  9. B. Option A is true insofar as it describes a common malware vector, but it misses the key point. Option C may be true in a very limited sense (police call this the “broken window” theory of urban crime control), but it misunderstands the role of the endpoints in an IT system. Option D is false; all output that humans can use is done at an endpoint, be that a laptop, a phone, an annunciator, a process control status board, or even a printer. Option B correctly captures the value proposition of information work and the high-leverage role of action that happens at endpoints.
  10. D. Currently, most Internet of Things (IoT) devices are limited to performing only a few related functions; it is also difficult, if not impossible, to configure their access control or other security features (if they have any), or to update or patch their onboard firmware. This means that Options A and B are probably not correct. Option C is also doubtful for this same reason: would Jayne's bosses want her to specify that a human safety function be managed by an IoT device that anyone could hack into and subvert? Option D provides a sound alternative; the process control marketplace has many solutions available, all highly modularized.
  11. C, D. Continuity is about planning for alternative modes of action—having a stack of “just in case” options already laid out in plans, procedures, software, or other IT elements. Thus, Option D is correct and Option A is false. Resilience is the ability to bend, adapt, tolerate, or even ignore unanticipated disruptions, without completely breaking down. Thus, Option B is incorrect, and Option C is correct.
  12. A, D. Phishing and many other social engineering tactics have played a major role in over 60 percent of major data breaches in the past few years. Such tactics have high payoff to the attacker during their search for a possible target, gathering information about its systems and security, and then their initial entry into the target's systems. Thus Options A and D are correct. Options B and C are almost exclusively done surreptitiously, exploiting information that social engineering may have revealed to the attacker; few if any signs of phishing in these activities have been noted.
  13. A, B. Option C makes it harder for an unauthorized user to use a resource, whether it's in its original form or it's been copied and exfiltrated; this does not help detect an ongoing attack beyond what proper access control should do. Option D is easily thwarted by attackers when they restructure, clump, aggregate, encrypt, or disguise the data; the rules and filters don't know what to look for as a result. Option A can reveal an attack in the early stages, but it is analysis intensive. Option B might usefully warn of attacks against data that is encrypted at rest but for which access control is not sensing a violation of privilege.
  14. D. Option A is false; no such agreements apply worldwide. Even a far-reaching regulation such as the General Data Protection Regulation (GDPR) is EU law that protects the personal data of people in the EU wherever it is processed; it is not a global agreement. Option B is true as far as it goes, but with a catch: if the organization guesses wrong, it could end up in serious legal trouble in multiple jurisdictions. Option C is false; storing data in a center in another country must involve movement of data from your jurisdiction into the one the datacenter is in, and movement in the reverse direction when you need to use the backup. In almost all cases, data protection laws and regulations apply to data in use, at rest, and in motion.
  15. B. Option A is a real risk but not what GIGO is about. Option C may involve throwing things in the “garbage” that should have been destroyed or zeroized first, but it's also incorrect. Option D is a very common attack attempt against many apps, but it usually does not lead to the application producing what looks like correctly formed outputs with distorted meanings. GIGO processing, as in Option B, can result in incorrect transactions being posted to an account, such as when a patient billing record has too many copies of the same lab procedure billed incorrectly to it.
  16. C, D. The key determiner of whether user-defined and user-maintained “stuff” is shadow IT is the amount of business logic that it embeds or implements; the more such business logic is built into uncontrolled or unmanaged apps or tools, the greater the risk of something going wrong in undetected ways. Thus, Option A is not a probable risk; Option B seems to have a lot of frequent, intensive review of the results of these queries, which would need to correlate or compare with what the production information systems would show. Option C implements customer relationship management and systems/product maintenance business logic; Option D seems to circumvent information classification, segregation of duties, and other access control principles. Both Options C and D bear close watching.
  17. D. Option D is probably illegal in most of the jurisdictions in question; even where it is not, it is certainly unethical to attempt to evaluate a storage provider's security by trying to hack into other customers’ data without their express written consent and the consent of the provider. The rest are reasonable and prudent parts of due care and due diligence checks on a candidate third-party provider of this type.
  18. B. Option A glosses over the growing “BYOx,” where x can be infrastructure, device, or most any service; we might argue that Option A also ignores the blurring of the boundary between an endpoint and the information system itself. Option B reminds us to do integrated, coherent threat modeling and analysis across our total systems environment. Option C just echoes what the boss said, although it does add a minor bit about tailoring; overall, it doesn't contribute much to the conversation with the boss. Option D offers no support for this rather unusual viewpoint.
  19. B, C, D. Option A by itself won't do what is needed; at a minimum, Option D and its implementation of rigorous access control and identity management is necessary to protect network storage resources from being corrupted, tampered with, and so on. The others are all valuable parts of a data governance and data security/data protection plan.
  20. A, C. Option B is scary; it seems to assume that we can drown in data the government inspectors, auditors, or the attorneys who are suing us, and they'll never figure out it is meaningless. Very risky business! Option D suggests that perhaps senior leadership just did not realize the potential impacts that bad data (or a lack of data quality) can have on maintaining confidentiality, integrity, availability, nonrepudiation, and authentication of all information-based business processes. Options A and C are real risks that many organizations face each day.

Chapter 10: Incident Response and Recovery

  1. B, D. Option A is incorrect; this is a very high-risk strategy, as it allows the attacker to roam freely around some of your systems for an indeterminate period of time. Although Option C is probably true, it won't help defuse the production manager's frustration very much. Options B and D clearly explain the risk and put it in the context of impacts across the organization.
  2. B, D. Although Option A may be true, it is naïve and incorrect; the air conditioning company that serviced Target stores didn't handle retail (credit card) sales either, yet attackers found it to be an ideal entry into Target's payment processing systems. Option C is also incorrect; your cloud hosts will protect their systems and their platforms from malware attacks coming over your connections, but attackers who spoof bogus, privileged accounts into your systems can still destroy your business's presence in those cloud systems. Option B points out a real business risk; Option D offers the boss a sensible first step.
  3. A, B. Option D is false; the business continuity plan (BCP) and disaster recovery plan (DRP) should start with the broad strategic goals and flow them down into all activities necessary to keep the business operating, and to help it recover from a major disruption, respectively; this certainly includes the actions of the computer emergency response team (CERT) and the systems they support. Option C is true as far as it goes, but since all of those depend on continued use of business processes, which depend on the IT systems, the CERT plays a pivotal support role to those plans and the people who execute them. Options B and A are correct.
  4. B, C, D. Option A is incorrect. Note that the question asks regarding a subsequent investigation; the team has to act in ways that don't make such an investigation pointless by destroying the evidence the forensics investigation may need. Thus, Options B, C, and D spell out what the responders should be mindful of and take due care to do, while management has the responsibility to strike the balance.
  5. A, D. Option A is not normally useful; what the CSIRT does need at their fingertips is the emergency contact information for technical support, or information security incident coordination, with such organizations. Option D is also not normally useful, because the computer security incident response team (CSIRT) will more than likely work at the systems and networks level (data, control, and management planes), and if a hardware unit is not responding properly, they'll just isolate it, flag it for later maintenance, and move on. Option B captures business logic and translates it into major information flows or processes, akin to Layer 7 (Applications) in the OSI model. Option C is vital to problem analysis and correction.
  6. A, B. Option D would not normally be useful during incident response, as the responders are dealing with abnormal behavior of as-built systems; the requirements that drove the design of these systems usually aren't helpful at that point. Option C is also not correct; what the team needs is more of a focused directory of key users and managers for different applications platforms or systems. Options A and B may prove valuable as the team tries to identify, characterize, and then deal with an attack or abnormal behavior. These both can guide choices about containment, eradication, and restoration tactics and priorities.
  7. B, D. Option B has the alarm thresholds described backward: setting them low would let many more alarms through, setting them high filters more alarms out, passing fewer reports up to the security operations or response team. Option D may be correct—taking more of a zero trust approach and re-segmenting the network, for example, might be worth considering—but it won't help the response team today. Options A and C are correct statements regarding precursors (such as email threats claiming to be from activist groups) and indicators (such as changes to access control and accounting settings on a subject or object).
  8. B. When it comes to incident detection, a precursor is an observable signal or result of an event, which may suggest to us that an event of interest (such as a security-related event) may happen in the near future. Precursors do not, in themselves, suggest that the incident is currently happening. Thus Option A is false. Option C mistakes indicators for precursors. Option D confuses events with the observable signals from them (such as the changes they make to target systems, which we can observe). “Warnings” in this context has no meaning—that is, our IDS or IPS technologies detect indicators and issue alarms. Thus, Option B is most correct.
  9. B. Option A is incorrect; this may be a consequence of the way that the team's detection, response, and recovery responsibilities are defined and supported, but it's not generally the case. Option C is incorrect; though this might be true in some organizations, it is not related to due diligence and misstates that concept. Option D is incorrect; NIST publications provide guidance, and while federal regulations can make them obligatory for federal and other government activities, they do not in general dictate what the private sector must do. Option B is correct; management and leadership may have legal, regulatory, or business reasons for knowing immediately that an incident might have occurred or might be occurring, but they cannot fulfill those obligations if no one on the response team tells them about it.
  10. B, C. Containment looks to isolating systems that have been infected by a causal agent such as malware, or whose software and data may have been corrupted, so as to prevent either the causal agent or the damage from spreading. Thus, Option A wouldn't achieve containment, since an infected or corrupted application could have many service requests already sent to systems services, any of which could be a vector to spread the damage to other systems. Option D does not contain anything; the attack agent or damaged software and data can still flow from the affected systems to others. Shutting down that link, however, would contain the causal agent (by shutting down two-way traffic). Option B isolates the organization's LAN from the Internet, which is effective containment of the incident to the organization's systems. Option C addresses segmenting the organization's systems into infected (and thus contained or isolated) and not infected systems. Whether there's enough connectivity between the “believed healthy” systems to function as a network, or whether they are only capable of being islands of automation, will be determined by the network design and the incident's effects.
  11. D. Option A is incorrect; containment may occur system by system or host by host as the networks are segmented and isolated, and thus the eradication specialists can start cleaning systems as they are isolated (or the causal agents on them are contained). Option B is incorrect, since different tools are needed to disable network connections than you'd use to scan systems for malware, as an example. Option C is incorrect; malware quarantine is more an example of eradication combined with recovery. Option D correctly explains isolating systems and then cleaning them.
  12. A. Option A usually does not have a legal or regulatory obligation that the CSIRT must respond to (although there may be requirements for the organization to report statistics on such incidents to regulators or other authorities). Option B could lead to disciplinary actions or firing the employee involved, which could result in litigation. Option C may be criminal trespass or violation of other criminal laws. Option D may, depending on the nature of the business and its activities, require safety, security, or investor and consumer protection reporting and notification actions by the organization, regardless of cause.
  13. B, C. Option A, documenting lessons learned, is a critical part of post-recovery activities and thus is incorrect. Option D is incorrect; verification of complete containment and eradication should be done as part of containment and eradication, prior to starting recovery tasks. Option B, restoring or rebuilding systems, and Option C, restoring databases and storage systems, are correct.
  14. C. Option A is false; the response team should only need to know how to find and use such backups and should not be responsible for their initial generation or routine update. Option B is false; the DRP would address options spelled out in the BCP as to alternative processing locations, contingency plans, and so forth, all of which need the backups that the BCP directs be made. Option D is false; configuration management is the decision process that allows or prevents changes to hardware, software, or key data items or structures, but it doesn't manage backups. Option C correctly links the purpose of backups—continuing to get business done in the face of accidents, systems failures, attacks, or natural disasters—with the need for a specific set of resources, such as backups.
  15. B, C. Option A is incorrect; delaying a post-event debriefing allows human memory to fade, and important insights can get lost very quickly. Option D may be true in this circumstance, but this is not strictly a post-recovery phase activity. It may very well be a great task for your many-talented IT team to take on, but just not as a CSIRT task. Option B addresses due care and due diligence, since there are many reasons why data from such incidents needs to be retained and kept secure. Option C is also a sound investment strategy, which will need to be weighed against the lost opportunity costs of your team continuing to fall behind on routine work tasks.
  16. D. Option A might conceivably be true, but it's doubtful this could be a good indicator of an incident. Option B is technically correct, but it doesn't offer a justification for making clock synchronization a requirement. Option C, like Option A, might theoretically be true, but it's not clear this can easily be an indicator or precursor of a security incident. Option D correctly states the simple justification: networks with hundreds of devices, each producing dozens of event logs, will quickly overwhelm any manual attempt to correct for the clock offset in each log file so that the entries collate together usefully.
  17. A, C. Option D is incorrect; even if most employees won't need to know the details of new procedures, the fact of learning the lessons from the most recent, painful event will restore confidence in the “IT wizards” and in management. Option B is incorrect, or at least not strongly advised; it does not provide a strong link between pen testing, failure to detect and respond, and the new procedures. Option A should be a part of any procedural change process (how do you know the change did what you were promised it would?). Option C is critical to preparing these key people to respond properly when the next incident occurs.
  18. D. Option A could be social engineering or other attempts to gain entry into your systems. Option B could be caused by malware, or by corrupted data entered by a user attempting to exploit a vulnerability in the application. Option C could be the result of bogus data being entered via an exploited vulnerability in a process or application, or it could indicate a corrupted application task (malware infected or otherwise exploited). Option D could be from any number of sources, most of which are not attackers.
  19. A, C, D. Option B is incorrect; not only does it miss the actual value-added purposes of having the team do its own timeline analysis, but it also confuses the role of detailed evidence with broader cause-and-effect relationships (as in Option A). Option C is correct, as is Option D, in justifying the use of timeline analysis in incident investigation and response.
  20. B. Option A is incorrect; it's actually rather dismissive of the knowledge that most line workers have when it comes to how business actually gets done every day. Users may need better training as to what to do when they think they see a problem, but that's not addressed by this answer. Option C is incorrect, demonstrating a narrow vision that only sees the technological solutions as useful. Option D is incorrect, notably that it is never too late to sound an alarm. Option B correctly expresses the value of knowledge and experience. Harnessing this insight in real time as part of an intrusion or anomaly detection process, however, is another story.
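
An added worked example, not from the original book, that ties together the answers to questions 7, 8, 16 and 19 above: log lines from three hosts with known clock errors are corrected to one reference clock, merged into a single timeline, and then scanned for an indicator (a burst of failed logins for one account from one source) whose reporting depends on the alarm threshold. The hosts, clock skews and log lines are constructed. Comparing the corrected and uncorrected orderings shows why, without synchronized clocks, the privilege escalation appears to precede most of the failed logins that led to it, and comparing per-host with merged detection shows what a single timeline adds.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed clock errors (seconds) of each host relative to the NTP
# reference, as measured during preparation: positive = clock runs ahead.
CLOCK_SKEW = {"web1": 0, "web2": 95, "db1": -40}

# Constructed log lines: "<host> <local timestamp> <event> user=<u> src=<ip>"
LOG_LINES = """\
web1 2024-03-05T10:00:04 login_failed user=svc_backup src=198.51.100.7
web2 2024-03-05T10:01:41 login_failed user=svc_backup src=198.51.100.7
db1  2024-03-05T09:59:28 login_failed user=svc_backup src=198.51.100.7
web1 2024-03-05T10:00:10 login_ok user=alice src=10.0.0.12
web2 2024-03-05T10:01:50 login_failed user=svc_backup src=198.51.100.7
db1  2024-03-05T09:59:40 login_ok user=svc_backup src=198.51.100.7
db1  2024-03-05T09:59:44 priv_escalation user=svc_backup src=198.51.100.7
""".splitlines()


def parse(line: str) -> dict:
    host, ts, event, *kv = line.split()
    entry = {"host": host, "local": datetime.fromisoformat(ts), "event": event}
    entry.update(item.split("=", 1) for item in kv)
    return entry


def normalize(entry: dict) -> dict:
    """Remove the host's known clock error so every event is on one clock."""
    skew = timedelta(seconds=CLOCK_SKEW[entry["host"]])
    return {**entry, "t": entry["local"] - skew}


def timeline(lines: list[str], corrected: bool = True) -> list[dict]:
    """Merge all hosts' events into one sequence ordered by corrected time
    (or by raw local time, to see what an uncorrected collation looks like)."""
    key = "t" if corrected else "local"
    return sorted((normalize(parse(line)) for line in lines), key=lambda e: e[key])


def failed_login_bursts(events: list[dict], window_s: int = 60, threshold: int = 3):
    """Indicator: the same (user, src) failing at least `threshold` times
    within `window_s` seconds, counted across every host in `events`.
    Lowering `threshold` raises more alerts; raising it filters more out."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_key[(e["user"], e["src"])].append(e["t"])
    alerts = []
    window = timedelta(seconds=window_s)
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def per_host_alerts(lines: list[str], **kw) -> list:
    """The same rule applied host by host, as it would be without a merged
    timeline: each host sees too few failures to cross the threshold."""
    tl = timeline(lines)
    alerts = []
    for host in sorted({e["host"] for e in tl}):
        alerts += failed_login_bursts([e for e in tl if e["host"] == host], **kw)
    return alerts


def escalation_position(lines: list[str], corrected: bool) -> int:
    """Index of the privilege escalation in the collated sequence."""
    return [e["event"] for e in timeline(lines, corrected)].index("priv_escalation")
```

On the merged, corrected timeline the four failures against svc_backup land within eleven seconds and trip the default threshold, while no single host saw more than two; raising the threshold to five silences the alert, which is the trade-off question 7 describes. Sorting by raw local time instead puts db1's escalation third in the sequence, ahead of the web servers' failures, which is the collation problem behind question 16.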

Chapter 11: Business Continuity via Information Security and People Power

  1. A, B. Option A is incorrect; relocation of business operations is typically part of disaster recovery plans. Option B is incorrect, as temporary staffing implies that existing staff are not available to work or cannot work for some reason, and this is more in the scope of disaster recovery. Option C, off-site systems and data archives, may well be used in the restoration phase of an information security incident response. Option D is part of all incident response, continuity, and recovery planning.
  2. C. Option A is incorrect; NIST is mandatory for US government agencies and their contractors. Option B is incorrect, because NIST publications are not mandatory for the private sector. Option C correctly expresses the relationship of NIST publications to the private sector for this and many other aspects of information systems risk management. Option D is incorrect; most private organizations can learn a great many valuable lessons from NIST's publications.
  3. A, B. Option A is correct; it is the focal point for linking organizational priorities, goals, and objectives to risks and vulnerabilities and thence to impacts. The BIA should drive all other response plans. Option B is also correct; this is (or should be!) driven by the BIA, is the result of looking at significant disruptions to business operations, and shows concepts, plans, and resources needed to recover from the disruptions and continue to operate or get back to normal operations. Option C is incorrect; this would typically not address how the organization recovers from loss or damage to such an asset. Option D is incorrect; like Option C, it looks at prevention and deterrence rather than recovery.
  4. D. These assessments look at cost and likelihood of loss or impact from a risk; thus, Option D is the right place to find them being used as part of the risk management decision process. The other answers all are incorrect, since they are response plans; these should be built to meet the time-based (or data loss–based) assessments such as recovery time objective as best as they can; during the incident response, you're not particularly worried about a probability of a loss when it's actually happening.
  5. B, C. Option A is incorrect; without a known baseline to restore to (or rebuild if the primary systems are destroyed), you have no place to start from. Option B is correct, since restoring from backups needs to check for changes made to the production systems after the date/time of the backup. Option C is correct; in the event of major damage to the production systems, hardware, or facilities, you need to know what to start putting together to get back into operations. Option D is incorrect; the contingency operations procedures may identify assets (computers, etc.) in place for alternate operations locations, or for reduced capabilities, but they won't document the in-use production system at the requirements, design, and implementation detail level that the configuration managed baselines should do.
  6. C. Option A is nearly correct—recovery time objective less than maximum allowable outage allows for some slack or reserve time before hitting the MAO constraint; however, the true condition is that expressed in Option C, which allows for when RTO and MAO are equal. Option B has this relationship backward; we plan to achieve the objective (RTO) so as to not exceed the maximum allowed. Option D is false; they do not have to be equal.
  7. B. Option A is incorrect; recovery time objective (RTO) is not related to data loss. Option C, maximum allowable outage time (MAO), is incorrect. Option D, annual rate of occurrence (ARO), or the number of such events expected on a yearly basis, is incorrect. Option B is correct; the recovery point objective (RPO) sets the maximum time lag or latency time for data in order to be considered useful for business operations.
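The relationships behind questions 6 and 7 (RTO must not exceed MAO, and the backup schedule sets the worst-case data latency that the RPO constrains) can be checked mechanically. The following is an added example written for this appendix, not code from the book; the objective values, the backup completion times, and the function names are constructed for illustration.

```python
"""Added example (not from the book): checking continuity objectives.

Assumed, constructed inputs: a maximum allowable outage (MAO), a
recovery time objective (RTO), a recovery point objective (RPO), and a
list of backup completion times. The worst-case data latency is the
longest gap between successive backups, because an incident just before
a backup completes loses everything since the previous one.
"""
from datetime import datetime


def objectives_consistent(rto_hours: float, mao_hours: float) -> bool:
    """Question 6: recovery time objective must be <= maximum allowable outage."""
    return rto_hours <= mao_hours


def worst_case_data_latency_hours(backup_times) -> float:
    """Longest interval between consecutive backups, in hours."""
    times = sorted(backup_times)
    if len(times) < 2:
        raise ValueError("need at least two backups to measure a gap")
    gaps = [(later - earlier).total_seconds() / 3600.0
            for earlier, later in zip(times, times[1:])]
    return max(gaps)


def backup_schedule_meets_rpo(backup_times, rpo_hours: float) -> bool:
    """Question 7: the worst-case data loss window must fit within the RPO."""
    return worst_case_data_latency_hours(backup_times) <= rpo_hours


# Constructed sample schedule: a 02:00 full backup plus a 13:00 snapshot.
SAMPLE_BACKUPS = [
    datetime(2024, 3, 4, 2, 0),
    datetime(2024, 3, 4, 13, 0),
    datetime(2024, 3, 5, 2, 0),
    datetime(2024, 3, 5, 13, 0),
    datetime(2024, 3, 6, 2, 0),
]


def planning_report(backup_times, rto_hours, mao_hours, rpo_hours) -> dict:
    """Summarise both checks so a planner can see which objective is violated."""
    latency = worst_case_data_latency_hours(backup_times)
    return {
        "worst_case_latency_hours": latency,
        "rto_within_mao": objectives_consistent(rto_hours, mao_hours),
        "rpo_met": latency <= rpo_hours,
    }


if __name__ == "__main__":
    # Overnight gap is 13 hours, so a 12-hour RPO is not met by this schedule.
    print(planning_report(SAMPLE_BACKUPS, rto_hours=4, mao_hours=8, rpo_hours=12))
```

The report shows the point made in question 7: shortening the RTO does nothing for data latency; only a denser backup schedule (or continuous replication) brings the worst-case gap under the RPO.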
  8. D. Option A is false; appropriate administrative and technical controls can and should be used to reduce information security risks to acceptable levels. Option B is correct in part, but without the users of the tool being fully aware of the CIANA needs pertaining to the data, information, and knowledge that are being collaborated upon, the technical controls are meaningless. Option C is correct in part, but it does not address user awareness, education, or training. Option D covers the key elements of user awareness and education, and supports the CIANA requirements for this collaboration; thus, the technical controls can do their job more effectively.
  9. D. Option A is false; even if thousands of phishing emails are sent as part of a low-and-slow attack, one response can generate exploitable information for the attacker. Option C is false; in doing so, you confirm that your email address connects to a real (and somewhat underinformed) person. Expect more. Option B is false; attackers work hard to mimic the style, format, expression, and construction of their phishing emails, and continually attempt to spoof email addresses, domain names, and so forth. Tools may filter a lot of such junk email for you, but they won't catch it all. Option D is most correct.
  10. A. Option A is correct; phishing tends to seek information, and whaling (and spear phishing) seek action, typically the release of funds to the attacker. Option B is incorrect; whaling is primarily aimed at senior business leaders, whereas phishing can be aimed at anybody, anywhere, if the attacker perceives there is something worthwhile to learn in doing so. Option C has these reversed; whaling attacks depend on credibility of the business transaction they request. Option D is false on its face; there is a significant difference, as shown in Option A.
  11. C. Option A is incorrect; in general, the same core information security team members should actively shape and guide all information security awareness, education, and training efforts across the organization. Option B is incorrect; it shows a misunderstanding of separation of duties, which typically breaks a task for one trustworthy person or group into two or more sets of tasks for two (or more) trustworthy people or groups so as to provide a check and balance arrangement. This would typically involve information at the same level of sensitivity or classification. Option C is correct, since it links the opportunities that separation of duties can suggest for focusing such education and training. Option D, like Option B, does not apply separation of duties correctly. It is not intended to produce “compartments” that others cannot know about, in and of itself; rather, it drives the design of access controls or administrative controls to prevent one person from taking incorrect action.
  12. C. Option A is not correct; most of the risk is in what people say to each other over these systems, and technical controls can do little to mitigate this. Option B is incorrect; the service provider has no role in how you keep your people from saying the wrong things to the wrong parties. Option C correctly focuses on what people in your organization need to know: how and why to protect the organization, by controlling what they say to others. Option D is incorrect; a signed NDA may make the employee signing it aware of the restrictions, and provide authority for sanctions (such as litigation, termination, etc.), but it doesn't help operationally in achieving information security.
  13. C. Options A, B, and D all demonstrate the hallmarks of social engineering attacks—they work (and have worked for thousands of years) because people are generally trusting, open, and willing to engage with strangers. Option C, the correct choice, is unfortunately not true; tools may help filter out some email-based social engineering attacks, but few organizations have truly been able to operate with a “loose lips sink ships” approach and deal openly with customers, clients, and many other outside stakeholders.
  14. C. Options A and B are incorrect; tempting as they are to the geek in us, they are not the first place that effort needs to be spent. Option D is a necessary and vital task, but given the dynamics of this organization, it sounds like Option C is the most immediate need. Getting this small group of people totally focused on protecting their own future while collaborating with many others in building that future is going to be key to success; thus, more dialogue (Option C) can lead to a better, more informed and effective information risk management and classification approach (Option D).
  15. A, B. Option D is inadvisable as a first step; you need to first check to see if the company has policies that effectively set boundaries or constraints for acceptable use, bring your own device or software, and configuration management and control. Option C is also inadvisable, without first checking (again) with company policy and perhaps with company legal advisers, especially if you wish to scan employee-owned devices. Options A and B, starting with reviewing current policy, are your best first starts.
  16. A, B. Option D is inadvisable; it's a legitimate thing for you to think about, but you might want to avoid such a confrontational question that seems to challenge the company's logic and reasoning for this practice. Option C is also inadvisable; it might be part of the decision logic to set the review period, but it shouldn't be high on your list of things to know as a new team member. Option A is a good, task-focused question that could very well be something you'd expect to encounter during or after incident response efforts. Option B is a good question, looking to the overall risk information architecture itself (what does the company learn from its monitoring for precursors and indicators?).
  17. B. Option B is correct; changing backup and restore strategies may affect backup data latency—the time between the last backup of the data, and the need to have the data in the system current and up to date, accurately reflecting all transactions since that last backup. Option A is incorrect, as RTO would set the goal for getting the system capabilities restored and able to accept new data; data latency is often assumed to be something that can be dealt with in parallel to processing new transactions after the system has been restored. Option C is incorrect; clearly, the ability to get back to normal business depends on the data being correct, complete, and current (that is, meeting integrity and availability needs). Option D is not correct; this is most likely set by business and market conditions, and not by the “how do we achieve this” that choices about data backup may affect.
  18. D. Planning should be an ongoing, continuous, and iterative process; plans are thus continually tested against reality so that changes to plans and procedures stay harmonized. Thus, Option D is most correct. Option C, unfortunately, is a commonly held view and can lead to work being done to obsolete ideas or to assumptions long since proven to be incorrect by reality. Option B is good, but not as correct and complete as Option D. Option A is incorrect; plans are good, useful and necessary, but it is the planning process that brings the team together to better understand needs versus resources.
  19. A, D. Options B and C both flow directly from the (ISC)2 code of professional ethics, and they express the responsibilities we have to take due care of the people our actions might affect. They are points worth bringing up in this discussion. Option A may be technically or legally correct, but it suggests that the bottom-line financial measure of disruption and restitution is all that is required; this seems and may be heartless. Option D seems to treat people in the company, at any level, as objects that are merely parts of the productive processes that the company uses.
  20. A, B, D. Option C is incorrect; it ignores the ability of human experience, combined with focused awareness and training, to detect out-of-tolerance conditions and raise an alarm. Option A is a valid comparison of proofing (verifying that the offered claims of identity are legitimate). Option B is a valid comparison of authenticating that the person or subject in question is recognized as one entitled to access. Option D is a valid application of accounting for access attempts.

Chapter 12: Cross-Domain Challenges

  1. C. Incident response and recovery needs to combine thoughtful, well-considered, pre-planned procedural responses with informed, real-time decision making. Workflows for each (relatively small) procedure, organized into playbooks, can and should include decision call-outs or breakpoints. Option A is true as written, but it confuses application-specific workflows and playbooks with ones used for other purposes, such as security. Option B is false; nearly all workflow and playbook systems (for security or other uses) support a mix of routine and ad hoc activities. Option D is false; it's actually recommended to start small and simple and improve both the organization's procedures and its use of workflows and playbooks as its understanding and experience grow.
  2. A. Automation is the use of scripts and similar techniques to predefine and then perform sequences of activities, which can be grouped in workflows and playbooks (of workflows); orchestration refers to organizing and managing the data flows from various security information sensors, agents, and devices. Option B is false; it reverses these terms. Option C is incorrect, although it is a useful caution as security vendors try to turn existing SIEMs or NGFW products and services into SOAR-like offerings. Option D incorrectly describes both automation (which is workflows and playbooks together to plan, manage, and perform tasks) and orchestration (of input data).
  3. D. The correct sequence is SIEM, SDN, SDS, and then SOAR.

    SOAR depends upon centralized, virtualized control of security (SDS), which is built on top of network virtualization (SDN). SIEM systems do not in general require network virtualization. This reflects integration of data from physical network and systems security devices, virtualized networks providing for scripted configuration (and reconfiguration) of network VMs, including their security characteristics; specialized applications that integrate security monitoring and configuration for virtual and physical systems; and process and activity workflow management and execution.

  4. D. Option A is incorrect, as there is no real restriction (such as single simulated transaction at a time) on how organizations plan and conduct such assessment and compliance monitoring. Option B is correct as far as it goes, but not as complete as answer D. Option C is unnecessarily restrictive; this may be one such strategy that an organization may consider and use for this, but it is not the only such strategy.
  5. A. Option A accurately expresses the goals and the benefits of doing these on a continuous basis. Option B may or may not accurately state the cost comparison, but it ignores the growing need for faster intrusion detection (which means faster, or continuous, verification that security controls are working against each new day's threat landscape). Option C may be true with respect to culture, but like option B misstates the need to have much faster intrusion detection. Option D seems to describe a continuous assessment and compliance approach that is in need of rebalancing; this is not the general case.
  6. B, D. Option A addresses a worker health and safety issue that is legitimate, but not normally in the scope of an information systems security plan or activity. Option C is primarily implemented by technical, not physical, security controls. Option D does address physical availability and might be necessary on a case-by-case basis for individual workers or workgroups requiring high availability.
  7. B. Option A is incorrect; clearly the interface is two-way and could allow entities that can access the controller to have access to the IT systems at headquarters. Option B is correct; if the vendor refuses to share, or has only minimal data and insights to share, that should be a strong warning that the vendor has not done their own risk assessment properly. Option C is incorrect only in that it is relieving the vendors of responsibility right away, which is not advisable. Option D is incorrect, as such referrals may be hand-picked by the vendor to offer slanted or biased observations to you.
  8. E. Most OT systems in use today use very small onboard controllers with minimal RAM or other storage capacity; as a result, many are difficult to update or make changes to, especially via remote push. Few have any kind of host-based intrusion detection or prevention capabilities, either built-in or available as after-market add-ons. As such, options A, B, C, and D are incorrect.
  9. B. Option B highlights how easy it can be in many environments to gather information and use it to attempt to access services that should be restricted. Option A is incorrect, as no attempts were made to elevate to administrative or other privileged user modes. Nor is option D correct, as the student was using either her own credentials or a publicly accessible (unsecured) Wi-Fi access point. Option C is not correct; no attempts were made to alter web page contents to attack other users or sites.
  10. D. Option D correctly states this definition; a specific human, disk drive, laptop computer, or instance of a software process being executed is a specific, unique entity, even if it has been reproduced by copying it. Each entity must have an identity to access a system; the identity is what is authenticated for access and then for authorization. Option A is correct as far as it goes, but does not connect these concepts to access control or identity management. Option B swaps the label (identity or entity) and definition; option C is incorrect, and also does not represent current use of the terms in industry.
  11. A, B. In effect, this organization is creating new things (the mashups) from the inputs selected in response to user inputs. Option A addresses how many different threats can cause search results to be tainted (misdirected or contaminated with malformed data) or that code libraries selected for reuse are infected with malware of many types. Option B addresses the passing on of these risks to customers, who then use those mashups for business or leisure use. Options C and D are not unique to this business model.
  12. C. Option C best describes the improper entry of a query instead of data values, and having the application process that query as a query, rather than as data field values. Options B and D might describe parts of the problem in this situation, but they are too broad to focus attention on the specific problem. Option A is false, as this incident does not involve the attacker placing bogus scripts into web pages for other users to execute.
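The distinction in question 12, a query being entered where a data value was expected and then processed as a query, is easiest to see with the vulnerable and the corrected lookup side by side. This is an added example for this appendix, not code from the book; the in-memory table, its rows, the function names, and the sample input are all constructed for illustration.

```python
"""Added example (not from the book): query text entered as a data value.

Constructed setup: an in-memory SQLite table of users and a lookup that
receives whatever a login form sends. The first version splices the form
value into the SQL text, so the database parses it as part of the query;
the second binds it as a parameter, so it can only ever be a value.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "staff"), ("bob", "admin")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """String concatenation: the submitted value becomes query text.
    Quotes and operators inside it change the WHERE clause itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name: str) -> list:
    """Bound parameter: the driver hands the value to the engine separately
    from the statement, so it is compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed form input that reads as a query condition rather than a name.
CONSTRUCTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    # Vulnerable path matches every row; parameterized path matches none.
    print("vulnerable:    ", lookup_vulnerable(db, CONSTRUCTED_INPUT))
    print("parameterized: ", lookup_parameterized(db, CONSTRUCTED_INPUT))
```

Note that the corrected version needs no filtering of the input at all: parameter binding changes where the value enters the database engine, which is exactly the "query versus data" boundary the answer describes. Input validation remains useful as defence in depth, but it is not what closes this vulnerability.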
  13. A. Each of these answers is a valid technique to reduce the risk that malformed data attacks can occur; only option A provides a real-time opportunity to check user and entity actions, across the organization's systems and infrastructures, for behaviors that are suspicious and might be exploiting a malformed data vulnerability. Option B simulates such attacks and is valuable in finding such vulnerabilities or stress-testing the controls put in place to mitigate them. Option C can identify attacks that have happened during the audit period, but not usually in real time. It may still be the only way to detect that your systems were successfully invaded weeks or months ago and might reveal where they are currently abusing your resources and assets. Option D, trending, will highlight types of errors, if the systems and applications generate log entries or other telemetry when these events happen; this may be useful in highlighting vulnerabilities, but not in identifying that a specific attack has been made.
  14. C. Buffer overflows can cause improperly structured software to have portions of their instruction space overwritten by data input that has more characters in it than space reserved for it by the program. In such cases, the bytes beyond the declared length of the buffer may be executed as machine instructions; this is option C. Option A is false; firewalls do not play a part in preventing this form of malformed data attacks. Option B is false; the security kernel is not disabled by entering privileged mode, and in most systems it cannot be disabled at all. Option D is false; phishing attempts may provide an attacker with access to a system, but this is not a case of malformed data attack.
  15. D. Option C, while true as far as it goes, does not actually address the underlying concern. Option A is incorrect, as DNSSEC is not something that is implemented by end user organizations. Option B is also incorrect, as CSPs are end user organizations from the perspective of the DNS infrastructure. Option D corrects the misunderstanding of DNSSEC and offers a way forward.
  16. B. Option B correctly identifies analytics (or large-scale data analysis) being used in two ways to predict future outcomes or to describe current and past events and systems behaviors. Options A and D are incorrect; these are techniques that can be used in either prescriptive or descriptive analytics. Option C is also incorrect, although this does succinctly express one of the major barriers to human managers placing trust in automation driven by analytics.
  17. C. Option C correctly states the essence of the trust and confidence problem. Without explicability, these tools are often seen as little more than magic; either their users trust in them blindly or they don't. Options A and B don't address this, but these techniques can play a role in initial systems and tools selection, initial training and calibration, and ongoing operational evaluation of them. Option D is incorrect and is somewhat self-defeating.
  18. A. Option A correctly identifies that adding additional work steps, checks and balances, or validation activities to a work process can require additional processing time, resources, or the involvement of additional human review and authorization to complete. Too much friction can cause customers (internal and external) to go elsewhere, or attempt to circumvent the controls. Option B is incomplete and doesn't address well-designed controls that still add steps (and friction). Option C is incorrect, as it refers to activities that happen after a customer process has completed (presumably). Option D is incorrect; staff time to resolve complaints is presumably spent after the process has been completed (or abandoned) and does not relate to its real-time performance.
  19. D. Option D in effect implements a “need to know” approach but in a different way by providing the new (or refresher) security insights right at the point of work where the user can make best use of them. This enables the worker to take more positive, security-correct action. Option A is a traditional approach, which tends to consider users as the weakest link in the overall chain of security controls. Option B is an improvement on A, but still often results in tick-the-box training compliance rather than a more well-informed workforce. Option C is a just-in-time learning and security delivery model, but is lacking a more complete, full-spectrum teaching, learning, skills-building, and assessment set of methods.
  20. B. Option A is incorrect, in that other operational, compliance, and the current risk and threat context may be better sources of priority and urgency to use for assessment activity planning and conduct. Option B correctly refers to the one process informing, but not driving, the other. Option C is incorrect and misstates the relationship of monitoring with assessment and compliance. Option D is incorrect, as the successful validation of an assessment activity actually drives both the close-out of the vulnerability and the completion of a compliance check.