Evaluation—assessment of an IT product or system against defined security functional and assurance criteria, performed by a combination of testing and analytic techniques.
Evaluation Assurance Level (EAL)—one of seven increasingly rigorous packages of assurance requirements from CC Part 3. Each numbered package represents a point on the CC's predefined assurance scale. An EAL can be considered a level of confidence in the security functions of an IT product or system.
Package—a reusable set of either functional or assurance components (e.g., an EAL), combined together to satisfy a set of identified security objectives.
Product—IT software, firmware and/or hardware, providing functions designed for use or incorporation within a multiplicity of systems.
Protection Profile (PP)—an implementation-independent set of security functional and assurance requirements for a category of IT products that meet specific consumer needs.
Security Functional Requirements—requirements, preferably from CC Part 2, that when taken together specify the security behavior of an IT product or system.
Security Objective—a statement of intent to counter specified threats and/or satisfy specified organizational security policies and assumptions.
Security Target (ST)—a set of security functional and assurance requirements and specifications to be used as the basis for evaluation of an identified product or system.
System—a specific IT installation, with a particular purpose and operational environment.
Target of Evaluation (TOE)—another name for an IT product or system described in a PP or ST. The TOE is the entity that is subject to security evaluation.
For More Information
REFERENCES:
NIST CSL Bulletin, April 1996
Common Criteria for IT Security v.2.0
ISO FDIS 15408, Parts 1-2-3
Common Criteria Mutual Recognition Arrangement, October 1998
Bundesamt für Sicherheit in der Informationstechnik (BSI)
German Information Security Agency (GISA)
A group of leading companies joined, first, to develop the Code of Practice for Information Security Management, now known as BS7799 Part 1, Code of Practice, then, in 1998, to develop BS7799 Part 2, Specification for Information Security Management Systems. The United Kingdom Department of Trade and Industry commissioned the BS 7799 certification scheme in 1998.
BS7799 is geared to assuring integrity, availability, and confidentiality of information assets. Assurance is attained through controls that management creates and maintains within the organization. BS7799 requires that company management address 10 specific areas:
Security policy
Security organization
Assets, classification, and control
Personnel security
Physical and environmental security
Computer and network management
System access control
System development controls
Business continuity planning
Compliance and auditing
The scheme requires that participating certification bodies be accredited by recognized national accreditation bodies. The United Kingdom Accreditation Service has accredited six bodies under ISO Guide 62 (EN 45012) to perform certification to BS7799:
BSI Quality Assurance
Bureau Veritas Quality International Ltd
Det Norske Veritas Quality Assurance Ltd
Lloyd’s Register Quality Assurance Ltd
National Quality Assurance Ltd
SGS Yarsley International Certification Service Ltd
A drive to gain worldwide acceptance of BS7799 has been the primary thrust of the Joint Information Technology Committee of the ISO and the International Electrotechnical Commission (IEC). These organizations are transitioning BS7799 into an international standard known as ISO 17799.
Provide for greater access to personal health care information
Enable portability of health insurance
Establish strong penalties for health care fraud
Administrative simplification
Title II of HIPAA, Administrative Simplification, contains the Security and Privacy requirements and, therefore, the remainder of this discussion focuses on Administrative Simplification.
Title II Administrative Simplification
The goals of Title II are to:
Improve the efficiency and effectiveness of the U.S. health care system by standardizing the exchange of administrative and financial data
Protect Security and Privacy of individually identifiable health information
Covered Entities under HIPAA are health plans, health care clearinghouses, insurers to include corporate employers’ self-insured plans, and health care providers who transmit health information electronically in connection with standard transactions.
The principal areas addressed under Administrative Simplification are:
Transaction Standards and Code Sets for claims, enrollment, premium payments and others as adopted by HHS
Unique Health Identifiers for health care providers, health plans, employers and individuals
Security and Electronic Signatures
Privacy for individually identifiable health information
by the Privacy rule.” The changes were subject to a 30-day public comment period that ended on April 26, 2002. These proposed changes would not affect the April 14, 2003 deadline for compliance with the final Privacy rule. These changes were finalized by HHS and went into effect in August 2002.
Transactions and Code Sets
The final rule for electronic transactions and code sets was published on August 17, 2000, with a compliance date of October 16, 2002. On December 27, 2001, President Bush amended HIPAA with the Administrative Simplification Compliance Act, Public Law 107-105. This act gave organizations the option of applying for a one-year delay in implementing the transactions and code sets standards if the organization applied for an extension before October 16, 2002. Thus, the new deadline for an organization requesting a delay will be October 16, 2003.
Unique Health Identifiers
Proposed rules for a national provider identifier and national employer identifier were published in 1998. Proposed rules for a national health plan identifier have not been released as of this writing, and plans for a national individual identifier are on hold because of privacy concerns.
Administrative procedures such as awareness training, chain of trust agreements, policies and internal auditing
Physical safeguards to include physical protection of workstations and media, facility access control, and disposal of magnetic media
Technical services and mechanisms such as authentication and access controls
Electronic Signatures when an industry standard can be agreed upon. They are not currently required.
Appointment of a security officer
Privacy
The HIPAA Privacy rule covers PHI that is transmitted or stored in electronic, paper or oral form. The final Privacy rule of December 28, 2000, stated that PHI cannot be disclosed unless:
Disclosure is approved by the individual
Permitted by the legislation
Requirement
Concerns focused on the impracticality of providers’ obtaining consent before the initial encounter with the patient. Pharmacies commented on the need to allow individuals other than the patient to pick up the patient’s prescription, and so on.
The amendment removes the consent requirement and would permit covered entities to use and disclose a patient’s PHI for their own treatment, payment or health care operations and for treatment, payment, and certain health care operations of other parties without prior written patient permission.
Use and Disclosure with an Authorization
Under the Privacy Rule, covered entities must obtain a written authorization for the use or disclosure of PHI for purposes other than treatment, payment or operations. The amendments consolidate the various essential elements for authorizations into a single set of criteria.
Accounting of Disclosures of PHI
The Privacy Rule provides individuals with the right to obtain an accounting of any disclosures of their PHI made by a covered entity pursuant to an authorization during the six years preceding the request for accounting. HHS exempts from the accounting requirement all disclosures made pursuant to an individual’s authorization.
Minimum Necessary and Oral Communications
The Privacy Rule requires that covered entities disclose only that amount of PHI that is necessary to fulfill the purpose of the disclosure. HHS explicitly permits incidental use or disclosure of PHI.
in which to modify existing written (but not oral) agreements or amendments of their PHI if the BA does not have the PHI in a “designated record set,” as defined by the Privacy Rule.
Marketing
The Privacy Rule defines marketing as the making of a communication “about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.” The amendments to the Privacy Rule require a patient authorization for any use or disclosure of PHI for marketing purposes, unless the marketing occurs in a face-to-face communication between the covered entity and the patient or the covered entity is merely providing a promotional gift of nominal value.
Parents/Minors
Under the Privacy Rule, a covered entity must treat a person with the authority to act on behalf of an unemancipated minor as that minor’s personal representative for purposes of use and disclosure of the minor’s PHI. The amendments permit a covered entity to disclose PHI to a parent if a specific provision of state or other law, including case law, permits such a disclosure. Conversely, if such law prohibits such a disclosure, the covered entity would not be permitted to make it. Finally, the amendments require a covered entity, consistent with state or other applicable law, to disclose the minor’s PHI to a parent or other personal representative of the minor, to the minor, or to both.
Research
The amendment makes significant changes to research authorizations by simplifying and clarifying the requirements. HHS defines a single set of essential elements that apply generally to any authorization regardless of the purpose for the use or disclosure.
Uses and Disclosures for FDA-Regulated Products or Activities
Public health organizations have expressed concern that the Privacy Rule stifles current public health reporting activities. In addition, some covered entities have expressed fear of liability for disclosing PHI to a manufacturer’s employee who is not a person subject to FDA jurisdiction. The amendment clarifies that a covered entity may disclose protected health information to representatives of manufacturers or other companies, who are subject to FDA jurisdiction.
Research Transition Provisions
The research community is also concerned that the Privacy Rule does not address transition for studies that will continue after the compliance date but for which patient consent or authorization had not been sought. The amendments eliminate the distinction between research involving treatment and other research for purposes of transition.
De-Identification of PHI
The Privacy Rule provides two ways by which a covered entity can ensure that PHI has been adequately de-identified: It may obtain an expert opinion that there is a statistically small risk that the released information could be used to identify the individual subject; or it may strip from all disclosed information the 18 identifiers that are enumerated in the Privacy Rule’s safe harbor provision.
Hybrid Entities
The Privacy Rule defines covered entities that primarily engage in non-covered functions as “hybrid entities” and applies the Privacy standards only to their health care components. HHS eliminates the term “primary functions” from its definition of “hybrid entity” and effectively permits covered entities, such as many universities and insurance companies, that engage in both covered functions and non-covered functions to elect to be treated as either a hybrid entity or a single entity.
Transactions and Code Sets
This portion of Title II requires the adoption of ANSI (American National Standards Institute) ASC X12N (Accredited Standards Committee X12) version 4010 EDI (Electronic Data Interchange) Standard for transactions. This requirement specifies standards for the “enveloping” of data for successful message routing. This rule also mandates the use of standard code sets for diagnoses and inpatient services, professional services, dental services (replaces ‘D’ codes), drugs (instead of ‘J’ codes) and eliminates “local” codes.
HIPAA EDI Transactions
The HIPAA EDI Transaction Standards specifically apply to:
Health claims or similar encounter information
Health care payment and remittance advice
Coordination of benefits
Health claim status
Enrollment and dis-enrollment in a health plan
Eligibility for a health plan
Health plan premium payments
Referral certification and authorization
The Transactions Standard defines data elements required or conditionally required, each data element, technical transaction formats for the transmission of the data, and code sets or values that can appear in selected data elements. The following standard “forms” are to be used:
Health care claims or coordination of benefits:
Retail drug: NCPDP (National Council for Prescription Drug Programs) v 32
Dental claim: ASC X12N 837: dental
Professional claim: ASC X12N 837: professional
Institutional claim: ASC X12N 837: institutional
Payment & remittance advice: ASC X12N 835
Health claim status: ASC X12N 276/277
Plan enrollment: ASC X12 834
Plan eligibility: ASC X12 270/271
Plan premium payments: ASC X12 820
Referral certification: ASC X12N 278
Code Sets
Code set specifications are as follows:
For diseases, injuries, impairments, other health related problems, their manifestations, and causes of injury, disease, impairment: (International Classification of Diseases, 9th Ed., Clinical Modification) ICD-9-CM (vol 1 & 2)
For procedures or other actions taken to prevent, diagnose, treat, or manage diseases, injuries and impairments: (Current Procedural Terminology, 4th Ed.) CPT-4, (Code on Dental Procedures and Nomenclature, 2nd Ed.) CDT-2, or ICD-9-CM (vol 3)
For drugs: (National Drug Codes) NDC
For other health related services, other substances, equipment, supplies, or other items used in health care services: (Health Care Financing Administration Common Procedure Coding System) HCPCS
Unique Health Identifiers
The Unique Health Identifier (UHI) is used to identify a health care provider, a health plan, an employer or an individual. Its purpose is to facilitate electronic transactions. The present formats for the different identifiers are as follows:
Provider. Ten-digit numeric with a check digit or an eight-character alphanumeric.
Employer. Federal Employer Identification Number (EIN) that consists of nine digits separated by a hyphen in the format dd-ddddddd.
Health Plan. No Notice of Proposed Rule Making (NPRM) has been released as of this writing; possibly will be a 10-digit number with a check digit.
Individual. On hold at this time.
Penalties
The penalties for violation of the HIPAA law are given in Table F.1.
Table F.1 Summary of HIPAA Violation Penalties
MONETARY PENALTY | TERM OF IMPRISONMENT | OFFENSE
Up to $25,000 | N/A | Multiple violations of an identical requirement or prohibition made during a calendar year
Up to $50,000 | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100,000 | Up to five years | Wrongful disclosure of individually identifiable health information committed under false pretenses
Up to $250,000 | Up to 10 years | Wrongful disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
Conclusion
Compliance with HIPAA is a challenge for most organizations, but it offers the opportunity to streamline transaction processing and implement procedures that will make an organization more efficient and thus, a stronger competitor in the marketplace.
G
References for Further Study
This appendix contains a listing of the references we used for the compilation of the book, some additional references that may be useful to you, and the URLs of Web sites that have good information for study or general security information.
We used almost all of these publications when researching for this text, and many of them you should read to study for the exam. We have listed them in what we consider to be priority order, from the most relevant to the CISSP candidate to the least. In some cases, newer editions of the reference books are available.
Books
Krause, Micki and Tipton, Harold F., Eds. Handbook of Information Security Management, 1999. Boca Raton: CRC Press/Auerbach Publications, 1999.
Kaufman, Elizabeth and Newman, Andrew. Implementing IPSec. New York: John Wiley & Sons, 1999.
Russell, Deborah and Gangemi, G. T., CISSP. Computer Security Basics. New York: O’Reilly & Associates, 1992.
Horak, Ray. Communication Systems and Networks (Second Edition). New York: John Wiley & Sons, Inc., 2000.
Garfinkel, Simson and Spafford, Gene. Practical Unix & Internet Security. New York: O’Reilly & Associates, 1996.
Schneier, Bruce. Applied Cryptography (Second Edition). New York: John Wiley & Sons, 1996.
Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, 2000.
Smith, Marina. Virtual LANs. New York: McGraw-Hill, 1997.
Parker, Donn B. Fighting Computer Crime. New York: John Wiley & Sons, 1998.
Wood, Charles C. Information Security Policies Made Easy. Sausalito: Baseline Software, 1999.
Stallings, William. Cryptography and Network Security (Second Edition). Upper Saddle River: Prentice Hall Inc., 1999.
Kabay, Michel E. The NCSA Guide to Enterprise Security. New York: McGraw-Hill, 1996.
Hutt, Arthur E., Seymour Bosworth, and Douglas B. Hoyt. Computer Security Handbook, Third Edition. New York: John Wiley & Sons, 1995.
Denning, Dorothy. Information Warfare and Security. New York: Addison-Wesley, 1999.
Denning, Dorothy. Internet Besieged. New York: Addison-Wesley, 1998.
Gollmann, Dieter. Computer Security. New York: John Wiley & Sons, 1999.
Oaks, Scott. Java Security. Cambridge: O’Reilly and Associates, 1998.
Northcutt, Stephen. Network Intrusion Detection. Indianapolis: New Riders Publishing, 1999.
Nichols, Randall K., Ryan, Daniel J., and Ryan, Julie J. C. H. Defending Your Digital Assets. New York: McGraw-Hill, 1999.
Klander, Lars. Hacker Proof. Las Vegas: Jamsa Press, 1997.
McClure, Stuart, Scambray, Joel, and Kurtz, George. Hacking Exposed. New York: Osborne/McGraw-Hill, 1999.
Escamilla, Terry. Intrusion Detection. New York: John Wiley & Sons, 1998.
Kaeo, Merike. Designing Network Security. Indianapolis: Cisco Press, 1999.
Brenton, Chris. Mastering Network Security. San Francisco: SYBEX, 1999.
Anonymous. Maximum Security (Second edition). Indianapolis:
Scott, Charlie, Wolfe, Paul, Erwin, Mike, and Oram, Andy (Ed.). Virtual Private Networks (Second edition). Cambridge: O’Reilly and Associates, 1998.
Tiwana, Amrit. Web Security. Boston: Butterworth-Heinemann, 1999.
Garfinkel, Simson and Spafford, Gene. Web Security and Commerce. Cambridge: O’Reilly and Associates, 1997.
Rubin, Aviel D., Geer, Daniel, and Ranum, Marcus J. Web Security Sourcebook. New York: John Wiley & Sons, 1997.
CISSP Examination Textbooks, Volume 1: Theory. Schaumburg: SRV Professional Publications, 2000. www.srvbooks.com
Shim, Jae K., Qureshi, Anique A., and Siegel, Joel G. The International Handbook of Computer Security. Chicago: Glenlake Publishing Company, 2000.
Andress, Mandy. Surviving Security. Indianapolis: SAMS Publishing, 2002.
Web Sites
The Web sites are of interest to the CISSP candidate, either directly (as in the case of the (ISC)2) or indirectly (as a resource for more info on InfoSec).
InfoSec and Government Information Sites
www.isc2.org (This site is the headquarters of the CISSP program, your main contact for the CISSP certification process.)
www.intiss.com/intisslinks.html (This site has a lot of great links for every domain of InfoSec.)
www.cert.org
www.ciac.org/ciac
www.asisonline.org
www.bsa.org
www.eff.org
www.fbi.gov/scitech.htm
www.first.org
www.hert.org
www.htcia.org
www.usenix.org
www.ntbugtrak.com
Information Security Products, Services, and Training
www.nsi.org/compsec.html
www.boran.com/security
xforce.iss.net
www.itpolicy.gsa.gov
www.nswc.navy.mil/ISSEC
www.dda-ltd.co.uk/bs7799.html
Answers to Sample and Bonus Questions
Chapter 1—Security Management
The correct answer is a. Answer b is the formula for an SLE, and answers c and d are nonsense.
2. What is an ARO?
a. A dollar figure assigned to a single event
b. The annual expected financial loss to an organization from a threat
c. A number that represents the estimated frequency of an occurrence of an expected threat
d. The percentage of loss that a realized threat event would have on a specific asset
Answer: c
The correct answer is c. Answer a is the definition of SLE, b is an ALE, and d is an EF.
3. Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?
a. The custodian implements the information classification scheme after the initial assignment by the owner.
b. The data owner implements the information classification scheme after the initial assignment by the custodian.
c. The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
d. The custodian implements the information classification scheme after the initial assignment by the operations manager.
Answer: a
4. Which choice is NOT an accurate description of C.I.A.?
a. C stands for confidentiality
b. I stands for integrity
c. A stands for availability
d. A stands for authorization
6. Which choice is the BEST description of authentication as opposed to authorization?
a. The means by which a user provides a claim of his or her identity to a system
b. The testing or reconciliation of evidence of a user’s identity
c. A system’s capability to determine the actions and behavior of a single individual within a system
d. The rights and permissions granted to an individual to access a computer resource
Answer: b
The correct answer is b. Answer a is identification, c is accountability, and d is authorization.
7. What is a noncompulsory recommendation on how to achieve compliance with published standards called?
8. Place the following four information classification levels in their proper order, from the least sensitive classification to the most
9. How is an SLE derived?
a. (Cost – benefit) × (% of Asset Value)
b. AV × EF
c. ARO × EF
d. % of AV – implementation cost
Answer: b
The correct answer is b. A Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.
10. What are the detailed instructions on how to perform or implement a control called?
11. What is the BEST description of risk reduction?
a. Altering elements of the enterprise in response to a risk analysis
b. Removing all risk to the enterprise at any cost
c. Assigning any costs associated with risk to a third party
d. Assuming all costs associated with the risk internally
Answer: a
The correct answer is a. Answer b is not possible or desirable, c is risk transference, and d is risk acceptance.
12. Which choice MOST accurately describes the differences between standards, guidelines, and procedures?
a. Standards are recommended policies, and guidelines are mandatory policies.
b. Procedures are step-by-step recommendations for complying with mandatory guidelines.
c. Procedures are the general recommendations for compliance with mandatory guidelines.
d. Procedures are step-by-step instructions for compliance with mandatory standards.
Answer: d
The correct answer is d. The other answers are incorrect.
13. A purpose of a security awareness program is to improve:
a. The security of vendor relations
b. The performance of a company’s intranet
c. The possibility for career advancement of the IT staff
d. The company’s attitude about safeguarding data
Answer: d
14. What is the MOST accurate definition of a safeguard?
a. A guideline for policy recommendations
b. A step-by-step instructional procedure
c. A control designed to counteract a threat
d. A control designed to counteract an asset
Answer: c
The correct answer is c. Answer a is a guideline, b is a procedure, and d is a distracter.
15. What does an Exposure Factor (EF) describe?
a. A dollar figure that is assigned to a single event
b. A number that represents the estimated frequency of the occurrence of
16. Which choice would be an example of a cost-effective way to enhance security awareness in an organization?
a. Train every employee in advanced InfoSec
b. Create an award or recognition program for employees
c. Calculate the cost-benefit ratio of the asset valuations for a risk analysis
d. Train only managers in implementing InfoSec controls
Answer: b
17. What is the prime directive of Risk Management?
a. Reduce the risk to a tolerable level
b. Reduce all risks regardless of cost
c. Transfer any risk to external third parties
d. Prosecute any employees that are violating published security policies
Answer: a
The correct answer is a. Risk can never be eliminated, and Risk Management must find the level of risk the organization can tolerate and still function effectively.
18. Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis?
a. A quantitative RA does not use the hard costs of losses, and a qualitative RA does.
b. A quantitative RA uses less guesswork than a qualitative RA.
c. A qualitative RA uses many complex calculations.
d. A quantitative RA cannot be automated.
Answer: b
The correct answer is b. The other answers are incorrect.
19. Which choice is NOT a good criterion for selecting a safeguard?
a. The ability to recover from a reset with the permissions set to “allow all”
b. Comparing the potential dollar loss of an asset to the cost of a safeguard
c. The ability to recover from a reset without damaging the asset
d. Accountability features for tracking and identifying operators
Answer: a
The correct answer is a. Permissions should be set to “deny all” during reset.
20. Which policy type is MOST likely to contain mandatory or compulsory standards?
be followed by the organization. Answers a and d are informational or recommended policies only.
21. What are high-level policies?
a. They are recommendations for procedural controls.
b. They are the instructions on how to perform a Quantitative Risk Analysis.
c. They are statements that indicate a senior management’s intention to support InfoSec.
d. They are step-by-step procedures to implement a safeguard.
Answer: c
The correct answer is c. High-level policies are senior management statements of recognition of the importance of InfoSec controls.
Bonus Questions
1. Place the general information classification procedures below in their proper order:
_ a. Classify the data.
_ b. Specify the controls.
_ c. Specify the classification criteria.
_ d. Publicize awareness of the classification controls.
The correct answer is c. Data owners, custodians, and users all have defined roles in the process of information classification. Answer c is a distracter.
3. Which choice below is NOT an example of the appropriate external distribution of classified information?
a. Compliance with a court order
b. Upon senior-level approval after a confidentiality agreement
c. IAW contract procurement agreements for a government project
d. To influence the value of the company’s stock price
Answer: d
The correct answer is d. Answers a, b, and c are all examples of the need for possible external distribution of internal classified information.
4. Which choice below is usually the number one used criterion to determine the classification of an information object?
The correct answer is a. Value of the information asset to the organization is usually the first and foremost criterion used in determining its classification. Answer b refers to declassification of an information object due to some change in situation.
5. Which choice below is the BEST description of a vulnerability?
a. A weakness in a system that could be exploited
b. A company resource that could be lost due to an incident
c. The minimization of loss associated with an incident
d. A potential incident that could cause harm
Answer: a
The correct answer is a. Answer b describes an asset, answer c describes risk management, and answer d describes a threat.
6. Which choice below is NOT a common result of a risk analysis?
a. A detailed listing of relevant threats
b. Valuations of critical assets
c. Likelihood of a potential threat
d. Definition of business recovery roles
Answer: d
The correct answer is d. The first three answers are common results of a risk analysis to determine the probability and effect of threats to company assets. Answer d is a distracter.
7. Which choice below is the BEST definition of advisory policies?
a. Non-mandated policies, but strongly suggested
b. Policies implemented for compliance reasons
c. Policies implemented due to public regulation
d. Mandatory policies implemented as a consequence of legal action
Answer: a
The correct answer is a. Advisory policies might have consequences of failure attached to them, but they are still considered non-mandatory. The other three answers are examples of mandatory, regulatory policies.
8. Which statement below BEST describes the primary purpose of risk analysis?
a. To create a clear cost-to-value ratio for implementing security controls
b. To influence the system design process
c. To influence site selection decisions
d. To quantify the impact of potential threats
Answer: d
The correct answer is d. The main purpose of performing a risk analysis is to put a hard cost or value onto the loss of a business function. The other answers are benefits of risk management but not its main purpose.
9. Put the following steps in the qualitative scenario procedure in order:
_ a. The team prepares its findings and presents them to management.
_ b. A scenario is written to address each identified threat.
_ c. Business unit managers review the scenario for a reality check.
_ d. The team works through each scenario by using a threat, asset, and safeguard.
Answer: b, c, d, a
10. Which statement below is NOT correct about safeguard selection in the risk analysis process?
a. Maintenance costs need to be included in determining the total cost of
The correct answer is b. Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily outweigh the value of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.
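The arithmetic behind questions 2, 9 and 15 (ARO, SLE = AV × EF, EF) and the cost-benefit check in bonus question 10 can be worked through in a few lines. The following Python is an added example, not code from the book: the asset value, exposure factors, occurrence rates and the three safeguards are constructed sample figures, and the rule that a safeguard's annual cost is its purchase price spread over its useful life plus its yearly maintenance cost is an assumption made for this example, not something the answer key states.

```python
# Added example, not from the book: quantitative risk-analysis arithmetic used in
# the Chapter 1 answer key (SLE = AV x EF, ALE = SLE x ARO) and a cost-benefit
# check for candidate safeguards with maintenance costs included (bonus question 10).
from dataclasses import dataclass
from typing import List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor. EF is the fraction of the asset
    value lost in one occurrence, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of occurrences per year."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    """A candidate control. Assumption for this example: its annual cost is the
    purchase price spread over its useful life plus the yearly maintenance cost."""
    name: str
    purchase_cost: float
    annual_maintenance: float
    lifetime_years: int
    residual_ef: float   # exposure factor once the safeguard is in place
    residual_aro: float  # occurrence rate once the safeguard is in place

    def annual_cost(self) -> float:
        return self.purchase_cost / self.lifetime_years + self.annual_maintenance


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Annual value of the safeguard to the organization:
    ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard.
    A negative result means the control costs more per year than the loss it prevents."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.residual_ef), sg.residual_aro)
    return ale_before - ale_after - sg.annual_cost()


def rank_safeguards(asset_value: float, ef: float, aro: float,
                    candidates: List[Safeguard]) -> List[Safeguard]:
    """Order candidates by annual value, best first."""
    return sorted(candidates,
                  key=lambda sg: safeguard_value(asset_value, ef, aro, sg),
                  reverse=True)


# Constructed sample figures (not from the book): a $500,000 asset, EF of 20 %,
# expected once every two years (ARO 0.5), and three hypothetical safeguards.
SAMPLE_ASSET_VALUE = 500_000.0
SAMPLE_EF = 0.20
SAMPLE_ARO = 0.5
SAMPLE_SAFEGUARDS = [
    Safeguard("A: offsite backup", 60_000, 5_000, 3, residual_ef=0.05, residual_aro=0.5),
    Safeguard("B: full hot site", 200_000, 20_000, 4, residual_ef=0.0, residual_aro=0.5),
    Safeguard("C: access review", 10_000, 2_000, 5, residual_ef=0.20, residual_aro=0.1),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(SAMPLE_ASSET_VALUE, SAMPLE_EF)
    ale = annualized_loss_expectancy(sle, SAMPLE_ARO)
    print(f"SLE = ${sle:,.0f}, ALE = ${ale:,.0f}")
    for sg in rank_safeguards(SAMPLE_ASSET_VALUE, SAMPLE_EF, SAMPLE_ARO, SAMPLE_SAFEGUARDS):
        value = safeguard_value(SAMPLE_ASSET_VALUE, SAMPLE_EF, SAMPLE_ARO, sg)
        print(f"{sg.name}: annual cost ${sg.annual_cost():,.0f}, value ${value:,.0f}")
```

With the sample figures the hot site (B) eliminates the loss entirely but its $70,000 annual cost exceeds the $50,000 ALE it removes, so it ranks last; the cheap access review (C) ranks first because it cuts the occurrence rate for a small recurring cost. That is the point of bonus question 10: a control is selected on its net value after maintenance is counted, not on how much security it affords.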
Chapter 2—Access Control Systems and Methodology
Sample Questions
1. The goals of integrity do NOT include:
a. Accountability of responsible individuals
b. Prevention of the modification of information by unauthorized users
c. Prevention of the unauthorized or unintentional modification of information by authorized users
d. Preservation of internal and external consistency
Answer: a
The correct answer is a. Accountability is holding individuals responsible for their actions. Answers b, c, and d are the three goals of integrity.
2. Kerberos is an authentication scheme that can be used to implement:
a. Public key cryptography
b. Digital signatures
c. Hash functions
d. Single Sign-On (SSO)
Answer: d
The correct answer is d. Kerberos is a third-party authentication protocol that can be used to implement SSO. Answer a is incorrect because public key cryptography is not used in the basic Kerberos protocol. Answer b is a public key-based capability, and answer c is a one-way transformation used to disguise passwords or to implement digital signatures.
3 The fundamental entity in a relational database is the:
4 In a relational database, security is provided to the access of data through:
5 In biometrics, a “one-to-one” search to verify an individual’s claim of anidentity is called:
a Audit trail review
b Authentication
c Accountability
d Aggregation
Answer: b
The correct answer is b. Answer a is a review of audit system data, usually done after the fact. Answer c is holding individuals responsible for their actions, and answer d is obtaining higher-sensitivity information from a number of pieces of information of lower sensitivity.
6 Biometrics is used for identification in the physical controls and for
Answer: c
The correct answer is c. The other answers are different categories of controls: preventive controls attempt to eliminate or reduce vulnerabilities before an attack occurs; detective controls attempt to determine that an attack is taking place or has taken place; and corrective controls involve taking action to restore the system to normal operation after a successful attack.
7 Referential integrity requires that for any foreign key attribute, the referenced relation must have:
a A tuple with the same value for its primary key
b A tuple with the same value for its secondary key
c An attribute with the same value for its secondary key
d An attribute with the same value for its other foreign key
Answer: a
The correct answer is a. Answers b and c are incorrect because a secondary key is not a valid term. Answer d is a distracter, because referential integrity has a foreign key referring to a primary key in
The correct answer is b. In answer a, the password changes at each logon. For answer c, a passphrase is a long word or phrase that is converted by the system to a password. In answer d, a one-time pad refers to using a random key only once when sending a cryptographic message.
9 The number of times a password should be changed is NOT a function of:
a The criticality of the information to be protected
b The frequency of the password’s use
c The responsibilities and clearance of the user
d The type of workstation used
Answer: d
The correct answer is d. The type of workstation used as the platform is not the determining factor. Items a, b, and c are determining factors.
10 The description of a relational database is called the:
a Attribute
b Record
c Schema
d Domain
Answer: c
The correct answer is c. The other answers are portions of a relation or table.
11 A statistical anomaly-based intrusion detection system:
a Acquires data to establish a normal system operating profile
b Refers to a database of known attack signatures
c Will detect an attack that does not significantly change the system’s operating characteristics
d Does not report an event that caused a momentary anomaly in the system
Answer: a
The correct answer is a. A statistical anomaly-based intrusion detection system acquires data to establish a normal system operating profile. Answer b is incorrect because a database of known attack signatures is what signature-based intrusion detection uses. Answer c is incorrect because a statistical anomaly-based intrusion detection system will not detect an attack that does not significantly change the system operating characteristics. Similarly, answer d is incorrect because the statistical anomaly-based IDS is susceptible to reporting an event that caused a momentary anomaly in the system.
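The two weaknesses named in answers c and d (a low-and-slow attack stays inside the profile; a harmless burst gets reported) are easy to see with a minimal detector. The following is an added illustration, not code from the original text; the baseline sample and the two traces are constructed counts of outbound connections per minute, and the 3-sigma threshold is an assumption.

```python
"""Statistical anomaly detection over per-minute event counts (added example)."""
import statistics

# Constructed training data: outbound connections per minute during a quiet
# period. The "normal operating profile" is the mean and stddev of this sample.
NORMAL_PROFILE_SAMPLE = [20, 22, 19, 21, 23, 20, 18, 22, 21, 20, 19, 22]

# Constructed traces the detector is run against.
MOMENTARY_SPIKE = [20, 21, 95, 20, 22]       # one-off burst (e.g. a backup job)
LOW_AND_SLOW = [21, 22, 23, 22, 23, 24, 23]  # exfiltration adding ~2 conn/min


def build_profile(sample):
    """Learn the normal profile: (mean, population stddev) of the sample."""
    return statistics.mean(sample), statistics.pstdev(sample)


def detect(trace, profile, threshold=3.0):
    """Flag every minute whose z-score against the profile exceeds threshold.

    Returns a list of (index, value, z) tuples; an empty list means no alert.
    """
    mean, stdev = profile
    alerts = []
    for i, value in enumerate(trace):
        z = (value - mean) / stdev
        if abs(z) > threshold:
            alerts.append((i, value, round(z, 1)))
    return alerts


if __name__ == "__main__":
    profile = build_profile(NORMAL_PROFILE_SAMPLE)
    print("profile mean=%.2f stdev=%.2f" % profile)
    print("spike trace  ->", detect(MOMENTARY_SPIKE, profile))   # one alert (false positive)
    print("slow trace   ->", detect(LOW_AND_SLOW, profile))      # no alert (missed attack)
```

The spike is reported even though it is benign, while the slow trace never leaves the profile; lowering the threshold catches the slow trace only at the price of more false positives, which is the tuning trade-off the question is pointing at.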
12 Intrusion detection systems can be all of the following types EXCEPT:
13 In a relational database system, a primary key is chosen from a set of:
14 A standard data manipulation and relational database definition
The correct answer is b All other answers do not apply
15 An attack that can be perpetrated against a remote user’s callback access
The correct answer is a. A cracker can have a person’s call forwarded to another number to foil the callback system. Answer b is incorrect because it is an example of malicious code embedded in useful code. Answer c is incorrect because it might enable bypassing controls of a system through a means used for debugging or maintenance. Answer d is incorrect because it is a distracter.
16 The definition of CHAP is:
a Confidential Hash Authentication Protocol
b Challenge Handshake Authentication Protocol
c Challenge Handshake Approval Protocol
d Confidential Handshake Approval Protocol
Answer: b
17 Using symmetric key cryptography, Kerberos authenticates clients to
other entities on a network and facilitates communications through the
The correct answer is b. Session keys are temporary keys assigned by the KDC and used for an allotted period of time as the secret key between two entities. Answer a is incorrect because it refers to asymmetric encryption, which is not used in the basic Kerberos protocol. Answer c is incorrect because it is not a key, and answer d is incorrect because a token generates dynamic passwords.
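The KDC-issued session key is easier to reason about when the exchange is written out: the KDC holds every principal's long-term symmetric key, wraps a fresh session key once for the client and once (inside the ticket) for the server, and the server never talks to the KDC at all. The script below is an added illustration written for this page, not Kerberos code from the original text or from any Kerberos implementation. Its "encryption" is a stand-in built from HMAC-SHA256 (keystream XOR plus a tag) so that it runs with the standard library only; real Kerberos uses the encryption types defined in RFC 3961, and the principal names, key sizes and five-minute skew window are assumptions.

```python
"""Kerberos-style ticket and session-key exchange (added example, toy cipher)."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, n):
    """Expand key+nonce into n bytes with HMAC-SHA256 in counter mode (toy)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a symmetric key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Check the tag, then decrypt; ValueError on the wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Trusted third party holding every principal's long-term key (Kc, Ks)."""

    def __init__(self, keys):
        self.keys = keys  # {principal: 32-byte key}; this store must be secured

    def ticket_request(self, client, server, lifetime=3600):
        session_key = os.urandom(32).hex()
        expires = int(time.time()) + lifetime
        # Ticket: readable only by the server (sealed under Ks).
        ticket = seal(self.keys[server],
                      {"client": client, "session_key": session_key, "expires": expires})
        # Reply: readable only by the client (sealed under Kc), carries the ticket opaquely.
        return seal(self.keys[client],
                    {"session_key": session_key, "ticket": ticket.hex(), "server": server})


def client_authenticate(client, client_key, kdc_reply):
    """Client recovers the session key and builds ticket + authenticator."""
    reply = unseal(client_key, kdc_reply)
    session_key = bytes.fromhex(reply["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": int(time.time())})
    return bytes.fromhex(reply["ticket"]), authenticator, session_key


def server_verify(server_key, ticket, authenticator, skew=300):
    """Server opens the ticket with Ks, then checks the authenticator with the session key."""
    t = unseal(server_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["session_key"])
    a = unseal(session_key, authenticator)  # proves the client holds the session key
    if a["client"] != t["client"] or abs(a["timestamp"] - time.time()) > skew:
        raise ValueError("authenticator rejected")
    return session_key


def demo():
    """Full exchange; returns True when both sides end up with the same session key."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(keys)
    reply = kdc.ticket_request("alice", "fileserver")
    ticket, auth, k_client = client_authenticate("alice", keys["alice"], reply)
    k_server = server_verify(keys["fileserver"], ticket, auth)
    return k_client == k_server


if __name__ == "__main__":
    print("session keys agree:", demo())
```

Two points from the questions fall out of the code: nothing public-key is involved (every `seal` uses a symmetric key), and a compromise of the `KDC.keys` store exposes every principal, which is why the bonus question below insists that the centralized authentication servers be secured.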
18 Three things that must be considered for the planning and implementation of access control mechanisms are:
a Threats, assets, and objectives
b Threats, vulnerabilities, and risks
c Vulnerabilities, secret keys, and exposures
d Exposures, threats, and countermeasures
Answer: b
The correct answer is b. Threats define the possible source of security policy violations; vulnerabilities describe weaknesses in the system that might be exploited by the threats; and the risk determines the probability of threats being realized. All three items must be present to meaningfully apply access control. Therefore, the other answers are incorrect.
19 In mandatory access control, the authorization of a subject to have access
to an object is dependent upon:
20 The type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access is called:
a Mandatory access control
b Rule-based access control
c Sensitivity-based access control
d Discretionary access control
Answer: d
The correct answer is d. Answers a and b require strict adherence to labels and clearances. Answer c is a made-up distracter.
21 Role-based access control is useful when:
a Access must be determined by the labels on the data
b There are frequent personnel changes in an organization
c Rules are needed to determine clearances.
d Security clearances must be used
Answer: b
The correct answer is b Role-based access control is part of
non-discretionary access control Answers a, c, and d relate to mandatory
access control
22 Clipping levels are used to:
a Limit the number of letters in a password
b Set thresholds for voltage variations
c Reduce the amount of data to be evaluated in audit logs
d Limit errors in callback systems
Answer: c
The correct answer is c: reducing the amount of data to be evaluated, by definition. Answer a is incorrect because clipping levels do not relate to letters in a password. Answer b is incorrect because clipping levels in this context have nothing to do with controlling voltage levels. Answer d is incorrect because they are not used to limit callback errors.
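A clipping level in practice is a per-subject threshold below which events are tolerated as noise and above which they are reported. The following is an added illustration, not code from the original text; the audit lines are constructed, and the one-hour bucket and the default threshold of five are assumptions.

```python
"""Clipping level applied to failed logons in an audit log (added example)."""
import re
from collections import defaultdict

# Constructed audit lines: "<hh:mm:ss> <user> <result>"
AUDIT_LOG = """\
08:00:01 alice FAIL
08:00:09 alice OK
08:05:12 bob FAIL
08:05:20 bob FAIL
08:05:31 bob OK
09:12:00 svc_backup FAIL
09:12:01 svc_backup FAIL
09:12:02 svc_backup FAIL
09:12:03 svc_backup FAIL
09:12:04 svc_backup FAIL
09:12:05 svc_backup FAIL
09:12:06 svc_backup FAIL
""".splitlines()

LINE = re.compile(r"^(\d\d):\d\d:\d\d (\S+) (OK|FAIL)$")


def failed_logons_over_clipping_level(lines, clipping_level=5):
    """Count FAIL events per (user, hour); return only buckets at or above the level.

    Everything below the clipping level (a mistyped password or two) is dropped
    from the report, which is the audit-reduction purpose of the mechanism.
    """
    counts = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: ignored here, would be logged separately in practice
        hour, user, result = m.groups()
        if result == "FAIL":
            counts[(user, hour)] += 1
    return {key: n for key, n in counts.items() if n >= clipping_level}


if __name__ == "__main__":
    print(failed_logons_over_clipping_level(AUDIT_LOG))
```

With the default level only the seven-failure burst from `svc_backup` is reported; alice's single typo and bob's two never reach the reviewer.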
23 Identification is:
a A user being authenticated by the system
b A user providing a password to the system
c A user providing a shared secret to the system
d A user professing an identity to the system
Answer: d
The correct answer is d A user presents an ID to the system as
identification Answer a is incorrect because presenting an ID is not
an authentication act Answer b is incorrect because a password is an
authentication mechanism Answer c is incorrect because it refers to
cryptography or authentication
24 Authentication is:
a The verification that the claimed identity is valid
b The presentation of a user’s ID to the system
c Not accomplished through the use of a password
d Only applied to remote users
Answer: a
The correct answer is a. Answer b is incorrect because it is an identification act. Answer c is incorrect because authentication can be
accomplished through the use of a password Answer d is incorrect
because authentication is applied to local and remote users
25 An example of two-factor authentication is:
a A password and an ID
b An ID and a PIN
c A PIN and an ATM card
d A fingerprint
Answer: c
The correct answer is c. These items are something you know and something you have. Answer a is incorrect because essentially, only one factor is being used: something you know (password). Answer b is incorrect for the same reason. Answer d is incorrect because only one biometric factor is being used.
26 In biometrics, a good measure of performance of a system is the:
a False detection
b Crossover Error Rate (CER)
c Positive acceptance rate
d Sensitivity
Answer: b
The correct answer is b. The other items are made-up distracters.
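The CER is the point where the false acceptance rate (impostors let in) equals the false rejection rate (genuine users turned away) as the match threshold is swept. The following is an added illustration, not from the original text; the two score lists are constructed (genuine scores from a user matched against their own template, impostor scores from other people's samples).

```python
"""FAR, FRR and crossover error rate from constructed match scores (added example)."""

# Constructed similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.95, 0.83, 0.79, 0.97, 0.90, 0.86, 0.72, 0.93]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.19, 0.62, 0.30, 0.77, 0.22]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a sample is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # genuine users rejected
    return far, frr


def crossover_error_rate(steps=100):
    """Sweep thresholds 0.00..1.00 and return (threshold, CER) where FAR and FRR meet.

    Integer stepping avoids floating-point drift in the threshold values.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        print("threshold %.2f -> FAR=%.2f FRR=%.2f" % ((t,) + rates(t)))
    print("crossover at threshold %.2f, CER=%.2f" % crossover_error_rate())
```

A low threshold gives FAR > FRR (convenient, insecure); a high one gives FRR > FAR (secure, annoying). The CER summarises the system in one number independent of where an operator chooses to sit on that curve, which is why it, and not "sensitivity", is the comparable performance measure.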
27 In finger scan technology,
a The full fingerprint is stored
b Features extracted from the fingerprint are stored
c More storage is required than in fingerprint technology
d The technology is applicable to large, one-to-many database searches.
Answer: b
The correct answer is b. The features extracted from the fingerprint are stored. Answer a is incorrect because the equivalent of the full fingerprint is not stored in finger scan technology. Answers c and d are incorrect because the opposite is true of finger scan technology.
28 An acceptable biometric throughput rate is:
a One subject per two minutes
b Two subjects per minute
c Ten subjects per minute
d Five subjects per minute
Answer: c
29 In a relational database, the domain of a relation is the set of allowable values:
a That an attribute can take
b That tuples can take
c That a record can take.
d Of the primary key
Answer: a
30 Object-Oriented Database (OODB) systems:
a Are ideally suited for text-only information
b Require minimal learning time for programmers
c Are useful in storing and manipulating complex data, such as images
and graphics
d Consume minimal system resources
Answer: c
The correct answer is c. The other answers are false: for answer a, relational databases are ideally suited to text-only information; for b and d, OODB systems have a steep learning curve and consume a large amount of system resources.
Bonus Questions
1 An important element of database design that ensures that the attributes
in a table depend only on the primary key is:
The correct answer is b Normalization includes eliminating
redundant data and eliminating attributes in a table that are not
dependent on the primary key of that table In answer a, a database
management system (DBMS) provides access to the database and is
used for maintaining the database Answers c and d are distracters
2 A database View operation implements the principle of:
The correct answer is a. Least privilege, in the database context, requires that subjects be granted the most restricted set of access privileges to the data in the database that are consistent with the performance of their tasks. Answer b, separation of duties, assigns parts of security-sensitive tasks to several individuals. Entity integrity, answer c, requires that each row in the relation table must have a non-NULL primary key attribute. Relational integrity, answer d, refers to the requirement that for any foreign key attribute, the referenced relation must have a tuple with the same value for its primary key.
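Two of these ideas, referential integrity (sample question 7) and a view as the least-privilege mechanism (bonus question 2), can be exercised directly in an embedded database. The following is an added illustration, not from the original text, using SQLite through Python's standard library; the table and column names are invented.

```python
"""Referential integrity enforcement and a least-privilege view in SQLite (added example)."""
import sqlite3

# Invented schema: a foreign key from employee to department, and a view that
# exposes only the two columns a directory lookup needs (no salary).
SCHEMA = """
CREATE TABLE department (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    salary  INTEGER NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)
);
CREATE VIEW employee_directory AS
    SELECT e.name AS employee, d.name AS department
    FROM employee e JOIN department d ON e.dept_id = d.dept_id;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when this is on
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(10, "Engineering"), (20, "Finance")])
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)",
                     [(1, "Alice", 120000, 10), (2, "Bob", 95000, 20)])
    return conn


def insert_employee(conn, emp_id, name, salary, dept_id):
    """True on success; False when dept_id matches no department primary key."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?)",
                     (emp_id, name, salary, dept_id))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_department(conn, dept_id):
    """True on success; False when employees still reference the department."""
    try:
        conn.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def directory(conn):
    """What a subject granted access only to the view can see."""
    return conn.execute(
        "SELECT employee, department FROM employee_directory ORDER BY employee").fetchall()


def view_columns(conn):
    return [row[1] for row in conn.execute("PRAGMA table_info(employee_directory)")]


if __name__ == "__main__":
    db = open_db()
    print("dangling FK accepted?", insert_employee(db, 3, "Carol", 80000, 99))
    print("valid FK accepted?   ", insert_employee(db, 3, "Carol", 80000, 10))
    print("delete referenced dept?", delete_department(db, 10))
    print("view columns:", view_columns(db))
    print("directory:", directory(db))
```

SQLite has no GRANT statement; in a full DBMS the least-privilege step is to grant SELECT on `employee_directory` to the directory role and nothing on the base `employee` table, so the salary column is unreachable through any query that role can issue.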
3 Which of the following is NOT a technical (logical) mechanism for
protecting information from unauthorized disclosure?
4 A token that generates a unique password at fixed time intervals is called:
a An asynchronous dynamic password token
b A time-sensitive token
c A synchronous dynamic password token
d A challenge-response token
Answer: c
The correct answer is c. An asynchronous dynamic password token, answer a, generates a new password that does not have to fit into a fixed time window for authentication, as is the case for a synchronous dynamic password token. Answer b is a distracter. Answer d, a challenge-response token, works as follows: the system presents a random challenge string, the owner enters the string into the token along with a PIN, and the token then generates a response that the owner enters into the workstation for authentication.
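The difference between the two token types is what feeds the one-way function: the clock (synchronous) or a server-issued challenge (asynchronous). The following is an added illustration, not from the original text and not any vendor's algorithm; it derives codes with HMAC-SHA256 over a shared seed, and the seed, the 60-second window, the one-window drift allowance and the six-digit codes are assumptions. In both cases the PIN supplies the "something you know" that makes the scheme two-factor (sample question 25).

```python
"""Synchronous (time-based) vs asynchronous (challenge-response) tokens (added example)."""
import hashlib
import hmac
import os
import struct

SEED = b"token-seed-for-illustration-only"  # assumed; shared by token and server
WINDOW = 60                                  # seconds per synchronous window


def _code(seed, data, digits=6):
    """Truncate an HMAC to a fixed number of decimal digits."""
    mac = hmac.new(seed, data, hashlib.sha256).digest()
    return "%0*d" % (digits, int.from_bytes(mac[:4], "big") % 10 ** digits)


# --- synchronous dynamic password token: the clock is the only input ---------
def sync_token_code(seed, now):
    """What the token displays at time `now` (epoch seconds)."""
    return _code(seed, struct.pack(">Q", int(now) // WINDOW))


def sync_verify(seed, code, now, drift=1):
    """Server check: accept the current window plus/minus `drift` windows of skew."""
    window = int(now) // WINDOW
    return any(hmac.compare_digest(_code(seed, struct.pack(">Q", window + d)), code)
               for d in range(-drift, drift + 1))


# --- asynchronous (challenge-response) token: the server's nonce is the input --
def issue_challenge():
    """Server side: a fresh random challenge shown to the user."""
    return os.urandom(8).hex()


def async_token_response(seed, challenge, pin):
    """Token side: the user keys in the challenge and PIN; the token answers."""
    return _code(seed, challenge.encode() + b":" + pin.encode())


def async_verify(seed, challenge, pin_on_file, response):
    """Server side: recompute with the PIN on file and compare in constant time."""
    return hmac.compare_digest(async_token_response(seed, challenge, pin_on_file), response)


if __name__ == "__main__":
    import time
    now = time.time()
    code = sync_token_code(SEED, now)
    print("sync code", code, "valid now:", sync_verify(SEED, code, now),
          "valid in 10 min:", sync_verify(SEED, code, now + 600))
    ch = issue_challenge()
    resp = async_token_response(SEED, ch, "1234")
    print("challenge", ch, "response", resp, "valid:", async_verify(SEED, ch, "1234", resp))
```

Note what each design needs: the synchronous token depends on both sides keeping time (hence the drift allowance and the "resynchronizes security tokens" feature mentioned for TACACS+ later in the chapter), while the asynchronous token needs no clock but an extra round trip for the challenge.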
5 In a biometric system, the time it takes to register with the system by providing samples of a biometric characteristic is called:
6 Which of the following is NOT an assumption of the basic Kerberos
paradigm?
a Client computers are not secured and are easily accessible
b Cabling is not secure
c Messages are not secure from interception
d Specific servers and locations cannot be secured
Answer: d
The correct answer is d Kerberos requires that centralized servers
implementing the trusted authentication mechanism must be secured
7 Which one of the following statements is TRUE concerning the Terminal
Access Controller Access Control System (TACACS) and TACACS+?
a TACACS supports prompting for a password change
b TACACS+ employs tokens for two-factor, dynamic password
authentication
c TACACS+ employs a user ID and static password
d TACACS employs tokens for two-factor, dynamic password
authentication
Answer: b
The correct answer is b TACACS employs a user ID and static
password and does not support prompting for password change or
the use of dynamic password tokens
8 Identity-based access control is a subset of which one of the following
access control categories?
a Discretionary access control
b Mandatory access control
c Non-discretionary access control
d Lattice-based access control
Answer: a
The correct answer is a Identity-based access control is a type of
discretionary access control that grants access privileges based on
the user’s identity A related type of discretionary access control is
user-directed access control that gives the user, with certain
limitations, the right to alter the access control to certain objects
9 Procedures that ensure that the access control mechanisms correctly
implement the security policy for the entire life cycle of an information
system are known as:
a Accountability procedures
b Authentication procedures
c Assurance procedures.
d Trustworthy procedures
Answer: c
The correct answer is c. Accountability, answer a, refers to the ability to determine the actions and behaviors of a single individual within a system and to identify that individual. Answer b, authentication, involves testing or reconciling of evidence of a user’s identity in order to establish that identity. Answer d is a distracter.
10 Which of the following is NOT a valid database model?
2 Which of the following is NOT a network cabling type?
3 Which of the following is NOT a property of a Packet Filtering Firewall?
a Considered a first-generation firewall
b Uses ACLs
c Operates at the Application Layer
d Examines the source and destination addresses of the incoming
packet
Answer: c
The correct answer is c. A packet-filtering firewall operates at the network or transport layer, deciding on addresses, protocol and ports; it does not examine application-layer content.
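The limitation behind answer c is visible once the filter is written down: its rules reference only header fields, so a packet carrying a hostile HTTP request to a permitted port passes exactly like a benign one. The following is an added illustration, not from the original text; the packets are constructed tuples and the addresses and rule set are assumptions.

```python
"""First-match packet-filter ACL over network/transport header fields (added example)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport payload")
Rule = namedtuple("Rule", "action src dst proto dport")

# Assumed rule set: first match wins; the final rule is the explicit default deny.
ACL = [
    Rule("permit", "0.0.0.0/0",  "203.0.113.10/32", "tcp", 80),   # public web
    Rule("permit", "0.0.0.0/0",  "203.0.113.10/32", "tcp", 443),
    Rule("permit", "10.0.0.0/8", "203.0.113.0/24",  "tcp", 22),   # SSH from inside only
    Rule("deny",   "0.0.0.0/0",  "0.0.0.0/0",       "any", None),
]


def matches(rule, pkt):
    """Compare only layer-3/4 fields; rule.payload does not exist by design."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def filter_packet(pkt, acl=ACL):
    """Return the action of the first matching rule ('deny' if none matches)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "GET /index.html HTTP/1.1"),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80, "GET /../../etc/passwd HTTP/1.1"),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22, ""),
        Packet("10.1.2.3", "203.0.113.10", "tcp", 22, ""),
        Packet("10.1.2.3", "203.0.113.10", "udp", 53, ""),
    ]
    for p in samples:
        print(filter_packet(p), p.src, "->", p.dst, p.proto, p.dport, repr(p.payload))
```

The second sample is permitted despite its payload; catching it is the job of an application-layer (proxy) firewall or an IDS, not of this generation of device.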
4 Which of the following is NOT a remote computing technology?
6 RAID refers to the:
a Redundant Arrays of Intelligent Disks
b Redundant And fault tolerant Internetworking Devices
c Rapid And Inexpensive Digital tape backup
d Remote Administration of Internet Domains
Answer: a
The correct answer is a, Redundant Arrays of Intelligent Disks The
other acronyms do not exist
7 Which of the following is NOT a true statement about Network Address
Translation (NAT)?
a NAT is used when corporations want to use private addressing
ranges for internal networks
b NAT is designed to mask the true IP addresses of internal systems
c Private addresses can easily be routed globally.
d NAT translates private IP addresses to registered “real” IP addresses.
Answer: c
The correct answer is c. Private addresses are not routable on the public Internet; hence the reason for using NAT.
8 What does LAN stand for?
a Local Arena News
b Local Area Network
c Layered Addressed Network
d Local Adaptive Network
Answer: b
9 What does CSMA stand for?
a Carrier Station Multi-port Actuator
b Carrier Sense Multiple Access
c Common Systems Methodology Applications
d Carrier Sense Multiple Attenuation
Answer: b
The correct answer is b. The other acronyms do not exist.
10 Which is NOT a property of a packet-switched network?
a Packets are assigned sequence numbers
b Characterized by “bursty” traffic
c Connection-oriented network
d Connectionless network
Answer: c
The correct answer is c. Packet-switched networks are considered connectionless networks; circuit-switched networks are considered connection-oriented.
11 Which is NOT a layer in the OSI architecture model?
12 Which is NOT a layer in the TCP/IP architecture model?
a Internet
b Application
c Host-to-host
d Session
Answer: d
The correct answer is d The Session Layer is an OSI model layer
13 Which is NOT a backup method type?
The correct answer is c Reactive is not a backup method
14 What does TFTP stand for?
a Trivial File Transport Protocol
b Transport for TCP/IP
c Trivial File Transfer Protocol
d Transport File Transfer Protocol
Answer: c
The correct answer is c The other acronyms do not exist
15 What does the Data Encapsulation in the OSI model do?
a Creates seven distinct layers
b Wraps data from one layer around a data packet from an adjoining
layer
c Provides “best effort” delivery of a data packet
d Makes the network transmission deterministic
Answer: b
The correct answer is b Data Encapsulation attaches information
from one layer to the packet as it travels from an adjoining layer The
OSI-layered architecture model creates seven layers The TCP/IP
protocol UDP provides “best effort” packet delivery, and a
token-passing transmission scheme creates a deterministic network because
it is possible to compute the maximum predictable delay
16 What is NOT a feature of TACACS+?
a Enables two-factor authentication
b Replaces older Frame Relay-switched networks
c Enables a user to change passwords
d Resynchronizes security tokens
Answer: b
The correct answer is b TACACS+ has nothing to do with Frame
Relay networks
17 What is NOT true of a star-wired topology?
a Cabling termination errors can crash the entire network
b The network nodes are connected to a central LAN device
c It has more resiliency than a BUS topology
d 10BaseT Ethernet is star-wired
Answer: a
The correct answer is a. Cabling termination errors are an inherent issue with bus topology networks.
18 FDDI uses what type of network topology?
19 What does the protocol ARP do?
a Takes a MAC address and finds an IP address to match
b Sends messages to the devices regarding the health of the network
c Takes an IP address and finds out the MAC address to which it
belongs
d Facilitates file transfers
Answer: c
The correct answer is c. ARP starts with an IP address, then queries the network to find the MAC or hardware address of the workstation to which it belongs. ICMP performs b, RARP performs a, and FTP performs d.
20 What does the protocol RARP do?
a Takes a MAC address and finds an IP address to match
b Sends messages to the devices regarding the health of the network
c Takes an IP address and finds out the MAC address to which it
belongs
d Facilitates file transfers
Answer: a
The correct answer is a, the reverse of ARP. The Reverse Address Resolution Protocol knows a MAC (Media Access Control) address and asks the RARP server to match it with an IP address.
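ARP and RARP (questions 19 and 20) share one 28-byte packet layout and differ only in the opcode and in which address field is left blank. The following is an added illustration, not from the original text, that builds and parses both packet types for Ethernet/IPv4; the MAC and IP addresses are constructed.

```python
"""Build and parse ARP / RARP packets for Ethernet over IPv4 (added example)."""
import struct

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP = {"arp_request": 1, "arp_reply": 2, "rarp_request": 3, "rarp_reply": 4}
OP_NAME = {v: k for k, v in OP.items()}
# hardware type, protocol type, hw addr len, proto addr len, opcode,
# sender MAC, sender IP, target MAC, target IP  (28 bytes, network byte order)
FMT = "!HHBBH6s4s6s4s"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP[op],
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse(pkt):
    """Decode a packet; ValueError for anything but Ethernet/IPv4."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": OP_NAME[op], "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def arp_request(my_mac, my_ip, wanted_ip):
    """'Who has wanted_ip? Tell my_ip': the target MAC is unknown, so it is zeroed."""
    return build("arp_request", my_mac, my_ip, "00:00:00:00:00:00", wanted_ip)


def rarp_request(my_mac):
    """'I am my_mac; what is my IP?': the IP fields are unknown, so they are zeroed."""
    return build("rarp_request", my_mac, "0.0.0.0", my_mac, "0.0.0.0")


if __name__ == "__main__":
    print(parse(arp_request("02:00:00:00:00:01", "10.0.0.1", "10.0.0.2")))
    print(parse(rarp_request("02:00:00:00:00:02")))
```

Neither packet carries any authentication: any host on the segment can answer, which is why ARP replies (solicited or not) are a classic local spoofing vector and why the mapping a host caches should be treated as untrusted input.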
21 What is the protocol that supports sending and receiving email?
a SNMP
b SMTP