Information Assets - Comprehensive Questions and Answers
Active Monitors - ANSWER-interpret disk operating system (DOS) and read-only memory (ROM) basic
input-output system (BIOS) calls, looking for virus-like actions. Can be misleading, because they cannot
distinguish between a user request and a program or virus request. Result: users are asked to confirm
actions such as formatting a disk or deleting a file or set of files
Address Resolution Protocol (ARP) cache - ANSWER-(used to eavesdrop on VoIP) on the Ethernet switch
- stores mappings between media access control (MAC) and IP addresses - during normal operations,
Ethernet switches only allow directed traffic to flow between the ports involved in a conversation and no
other ports can see the traffic - if the ARP cache is intentionally altered, it could allow an attacker to monitor traffic
not normally visible to the port the attacker was connected to, and so eavesdrop
Advanced Encryption Standard (AES) - ANSWER-provides the strongest encryption of all - would provide
the greatest assurance that data is protected. Recovering data encrypted with AES is considered
computationally infeasible. (ALWAYS USE to encrypt a USB)
Alternative Power Supplies - ANSWER-intended for power failures that last for longer periods - normally
coupled with other devices such as an uninterruptible power supply (UPS) to compensate for power loss
until the alternate power supply becomes available
Application Gateway - ANSWER-(Greatest control and granularity) - application level (best for apps, not
network) similar to a circuit gateway, but has specific proxies for each service. For web services, has an HTTP
proxy that acts as intermediary between externals and internals, but only for HTTP. Checks packet IP
addresses (layer 3) and the ports it is directed to (port 80, or layer 4); it also checks the HTTP command (layers 5
& 7). Works in a more detailed (very granular) way than other choices
Application-Level Gateway - ANSWER-ternet:
i. Application-Level Gateway: best way to protect against hacking because it can be configured with
detailed rules that describe the type of user or connection that is or is not permitted
Authentication Header (AH) - ANSWER-does not provide confidentiality, but provides authentication of
data origin and connectionless integrity
Baseband network - ANSWER-usually shared with many other users and requires encryption of traffic,
but still may allow some traffic analysis by an attacker
Bayesian Filtering - ANSWER-applies statistical modeling to messages by performing frequency analysis
on each word within the message and evaluating the message as a whole - can ignore a suspicious
keyword if the entire message is within normal bounds (best to filter against a heavily weighted spam
keyword use)
BEST FILTER RULE for DoS - ANSWER-deny all outgoing traffic with IP source addresses external to the
network
Blind/Black Box Penetration Test - ANSWER-penetration tester is not given any info and is forced to rely
on publicly available info (real attack, except the target org is aware of the test)
a) Assumes no prior knowledge of the infrastructure to be tested - testers simulate an attack from someone
who is unfamiliar with the system
b) Most important factor: have management know of the proceedings so that if someone identifies the test,
the legality of actions can be determined quickly
Buffer overflow exploitation - ANSWER-(exploiting a flaw)
Inadequate programming and coding practices introduce the risk of this - occurs when programs do not
check the length of the data that are input into a program, so an attacker can send data that exceeds the
length of a buffer and override part of the program with malicious code
Certificate Authority (CA) - ANSWER-trusted 3rd party (NOT OWNED BY ORG) that serves authentication
infrastructures or orgs and registers entities and issues them certificates (confirms the identity of the entity
owning a certificate issued by that CA)
Certificate revocation list (CRL) - ANSWER-instrument for checking the continued validity of certificates for
which the certification authority has responsibility - the CRL details digital certificates that are no longer valid -
the time gap between two updates is critical and is also a risk in digital certificate verification
Circuit Gateway - ANSWER-based on a proxy or program that acts as an intermediary between external
and internal accesses - during external access, instead of opening a single connection to the internal
server, two connections are established (one from the external server to the proxy and one from the proxy
to the internal server)
Classifying Data - ANSWER-i. FIRST STEP: establish ownership
ii. Most essential: that org policies and standards are understood by the owner or custodian of the data to be
properly classified
iii. Benefit of well-defined classification policies: decreased cost of controls
1) Classifying correctly ensures that appropriate controls are applied - misclassification leads to less
appropriate controls, more risk, and higher cost
Helpful for end user management and security admin
Column and row level permissions - ANSWER-control what info users can access - achieved in a
relational database by allowing users to access logical representations of data rather than physical
tables (fine-grained security model) - offers the best balance between info protection and still supporting a
wide range of analytical and reporting uses
Common Gateway Interface (CGI) - ANSWER-offers a standard protocol for web servers to execute
programs; these console apps run on a server and generate web pages dynamically
Computer Security Incident Response Team (CSIRT) - ANSWER-disseminates detailed descriptions of
recent threats to assist them in understanding the security risk of errors and omissions
Indicator of effectiveness: financial impact per security incident - the team should be able to limit the cost of
incidents through effective prevention, detection, and response to incidents