SANS SEC 301 ACTUAL EXAM WITH DETAILED
ANSWERS GRADED PASS
Prevent/defend as much as you can; detect for
everything else; or if the preventive measures fail,
respond to what is detected
-Prevention is ideal
-detection is a must
-detection without response is useless - answer-
Prevent/Detect/Respond (PRD)
Everyone can do everything they need to do and
nothing more. Bradley Manning - WikiLeaks Target
- HVAC hack - answer-Principle of Least Privilege
The cornerstone of all security: Everything done in
security addresses one or more of these three
things
Confidentiality, Integrity, Availability
Confidentiality - Only those who need to access
something can; ties into principle of least privilege
Integrity - data is edited correctly and by the right
people. Failure ex.: Delta $5 round-trip
tickets to anywhere Delta flies / attack on pricing
database
Availability - If you cannot use it, why do you have
it? - answer-CIA Triad
Pharmaceuticals and government, research -
answer-Confidentiality
Financials maintained in part by confidentiality -
answer-Integrity
eCommerce Ex.: Amazon makes $133,000 per minute,
thus denial of service is a critical business impact;
a power company needs to keep the lights on = availability
issue - answer-Availability
Authentication, Authorization, Accountability -
answer-AAA
Detailed steps to make policy happen - answer-
Procedure
Policy, Procedure and Training - answer-PPT
Users must know what policies and procedures say
to follow them. - answer-Training
Broad general statement of management's intent to
protect information - answer-Policy
A security professional needs to be:
1/3 technologist
1/3 manager
1/3 lawyer
-This is the perfect summation of the career field.
-Technology supports security efforts
-Management decisions (and budgets) drive
security
-Legal issues mandate security requirements -
answer-Security by Thirds
Senior Mgmt:
-Has legal responsibility to protect the assets of the
org:
That gives him the ultimate responsibility for security
-Authority can be delegated - responsibility cannot
be
Data owner - person or office with primary
responsibility for data; owners determine
classification, protective measures and more
Data custodian - the person/group that implements
the controls; makes the decisions of the owner
happen
Users - use data; are also automatically data
custodians - answer-Security Roles and
Responsibilities
safety of people - answer-Number 1 Goal of
Security