CISA Domain 5: Protection of Information Assets
Comprehensive Questions and Answers
Information Access/Data Owners ...responsibility to define criticality (and sensitivity) levels of information assets. Also given FINAL responsibility for authorizing access to business apps.

Data Custodians ...responsibility to implement information security within an app, based on requirements set by the data owner (safeguarding data according to direction provided by the data owner).

Piggybacking ...unauthorized persons following authorized persons, physically or virtually, into restricted areas (addresses the polite-behaviour problem of holding doors open for strangers).

Advanced Encryption Standard (AES) ...provides the strongest encryption of all; would provide the greatest assurance that data is protected. Recovering data encrypted with AES is considered computationally infeasible. (ALWAYS USE to encrypt a USB)

Data Encryption Standard (DES) ...susceptible to brute-force attacks and has been broken publicly; algorithm for encoding binary data. It is a secret-key cryptosystem published by the National Bureau of Standards (NBS). REPLACED BY AES.

Message Digest 5 (MD5) ...algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity (no encryption, but puts the data through a mathematical process that cannot be reversed).

Secure Shell (SSH) ...protocol used to establish a secure, encrypted, command-line shell session, typically used for remote logon.

Vitality Detection ...tries to ensure that a user presenting a biometric is alive and not merely an image or photocopy of the biometric values.

Multimodal Biometrics ...uses a combination of biometric methods to authenticate a user.

Kerberos Authentication System ...extends the function of a key distribution center by generating tickets to define the facilities on networked machines which are accessible to each user.
1) Network authentication protocol for client-server apps that can be used to restrict access to the database to authorized users.
2) Key Distribution Center: part of a Kerberos implementation suitable for internal communication for a large group within an institution; distributes symmetric keys for each session.

Intrusion Detection System (IDS) ...should be placed between the org's firewall and network (if the firewall didn't detect it, the IDS would before it was able to access the network).

Power Line Conditioners ...used to compensate for peaks and valleys in the power supply and to reduce peaks in power flow to what is needed by the machine; valleys are removed by power stored in the equipment.

Alternative Power Supplies ...intended for power failures that last for longer periods; normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for power loss until the alternate power supply becomes available.

War Driving ...technique used for locating and gaining access to a wireless network by driving or walking around a building with a wireless-equipped computer.

War Dialing ...technique for gaining access to a computer or network through dialing of defined blocks of telephone numbers in the hope of getting an answer from a modem.

TEMPEST ...investigation and study of compromising emanations of unintentional intelligence-bearing signals which, if intercepted and analysed, may reveal their contents.

Reliability and Quality of Service (QoS) ...primary consideration to be addressed with VoIP systems, which require consistent levels of service; these may be provided through QoS and Class of Service (CoS) controls.

Web of Trust ...key distribution method suitable for communication in a small group. Used by tools such as Pretty Good Privacy (PGP); distributes the public keys of users within a group.

Equal-error Rate (EER) ...(crossover error rate) overall quantitative measure of the performance of a biometric control device (expressed as a percentage).
1) Measure of the number of times that the FRR and FAR are equal.
2) Low EER: combination of low FRR and low FAR --- LOWEST EER IS MOST EFFECTIVE.
a) False-rejection rate (FRR): only measures the number of times an authorized person is denied entry.
i) In a HIGHLY SECURE environment, FAR is the most important indicator -- limits the number of false acceptances.
b) False-acceptance rate (FAR): measures the number of times an unauthorized person may be accepted.

Mantrap ...access control used to prevent piggybacking.

Discretionary Access Controls (DAC) ...means of restricting access to objects based on the identity of the subjects to which they belong. Controls are discretionary in the sense that a subject with certain access permissions is capable of passing that permission on to any other subject (allowing data owners to modify access when it is a low-risk application; normal procedure). The owner of a resource decides who should have access to that resource; most access control systems are an implementation of DAC.

Mandatory Access Control (MAC) ...expensive, difficult to implement and maintain in a large, complex organization.

Role-Based Access Controls (RBAC) ...easy to manage and can enforce strong and efficient access controls in large-scale web environments utilizing a VoIP implementation.
i) Best method to allow only authorized users to view reports on a need-to-know basis.

Single Sign-On (SSO) ...manages access to multiple systems, networks, and apps.
i) MOST IMPORTANT ACTION: to mandate a strong password policy; the best preventive control to prevent unauthorized access.

Fine-grained Access Control ...based on the individual user, identifying specific technical privileges (not good for VoIP web apps because it doesn't scale to enterprise-wide systems).

Targeted Testing ...penetration testers are provided with information related to the target and network design, and the target's IT team is aware of the testing.

Internal Testing ...attacks and control-circumvention attempts on the target from within the perimeter; the system admin is typically aware of this testing.

External Testing ...generic term that refers to attacks and control circumvention