Summary

Summary CISSP-The day before the exam preparation

Rating: -
Sold: -
Pages: 17
Uploaded on: 10-12-2024
Written in: 2024/2025



Preview of the content

CISSP - The day before the exam preparation


1. Elaborate on the statement "Because CISSP professionals need to protect society, they need to think about the social consequences of the program they design": There are positive and negative social consequences. CISSP pros may only need to consider the negative social consequences.
2. EAL5 - brief description and assurance requirements:
- Belongs to the Common Criteria model
- Semiformally designed and tested; this is sought when the requirement is for a high level of independently assured security.
3. The IAB considers the following acts unethical:
- Gaining unauthorized access
- Disrupting use of the Internet
- Wasting resources
- Destroying integrity
- Compromising privacy
- Negligence in internet experiments
4. The most important canon of the ISC2 Code of Ethics: Protect society, the commonwealth, and the infrastructure
5. The three goals of Integrity in the Clark-Wilson model:
- Prevent unauthorized users from making modifications
- Prevent authorized users from making improper modifications (separation of duties)
- Maintain internal and external consistency (well-formed transaction)
6. Should modifications to system hardware be controlled by the Configuration process or the Change management process?: Change management process
7. Risk analysis is most useful at this stage of the system development process: Project initiation and planning
8. One of the best reasons for the use of an automated risk analysis tool: Information gathering would be minimized and expedited due to the amount of information already built into the tool
9. If your property insurance has a Replacement Cost Valuation (RCV) clause, your damaged property will be compensated: based on NEW, comparable, or identical for old, regardless of the condition of the lost item
10. Actual Cash Value (ACV) vs. Replacement Cost Value (RCV): Replacement cost value (RCV) is a product at 100 percent, with no use or diminished life span. Actual cash value (ACV) is the use (or life left) of a product after reduction for depreciation.
11. BIA - Business Impact Analysis - Steps 1 to 4:
1- Select individuals to interview for data gathering
2- Create data-gathering techniques
3- Identify the company's critical business functions
4- Identify the resources these functions depend upon
12. BIA - Business Impact Analysis - Steps 5 to 8:
5- Calculate how long business functions can survive without resources
6- Identify vulnerabilities and threats to these functions
7- Calculate the risk for each different business function
8- Document findings and report them to management
13. Among vulnerability analysis, uncertainty analysis, likelihood assessment and threat identification, why does uncertainty analysis best allow risk management results to be used knowledgeably?: It addresses uncertainties in the risk management report, which generally consist of (1) lack of confidence in the model or methodology and (2) lack of sufficient information
14. Design specification and verification are FIRST required at this level of the Orange Book: B1
15. Are assumptions allowed in security planning?: Yes - Planning assumptions
16. Configuration management is required starting with this level in the Orange Book: B2
17. COSO vs. COBIT: COSO is for corporate governance and aims at the strategic level. COBIT is for IT governance and aims at the operational level. COSO is broader than COBIT.
18. SOX is based on this model: COSO
19. Definition of Decision Support System (DSS): a computer-based information system supporting decision-making activities at mid and higher management, dealing with rapidly changing information.
20. DSS characteristics: flexible and adaptable, aimed at less well-structured data and underspecified problems, combines models or analytic techniques with traditional data access and retrieval
21. Components of Life Cycle Assurance in the Orange Book:
- Security testing
- Design specification and testing
- Configuration management
- Trusted distribution
22. Who can best decide what the adequate technical security controls are in a computer-based application system, with regard to the protection of the data being used, the criticality of the data, and its sensitivity level?: Data or information owner
23. Level 1 / Class 1 of assurance for a digital certificate: verifies the e-mail address and (probably) the name; assures that the person can reply back
24. Level 2 / Class 2 assurance for a digital certificate: verifies the user's name, address, social security number, and other information against a credit bureau database
25. Level 3 / Class 3 assurance for a digital certificate:
- aka "extended validation", available to companies and used for EV SSL and EV Code Signing
- provides photo identification in addition to the items covered in level 2
26. Media Viability Controls: designed to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system after a failure. These controls are supposed to protect the media from damage.
27. At what temperature will damage occur to magnetic media?: 100 °F (37.7 °C)
28. This establishes the minimum national standard for certifying and accrediting national security systems: NIACAP - National Information Assurance Certification and Accreditation Process
29. Between Job Rotation and Separation of Duties, which one is better at reducing the risk of collusion?: SoD is more about management and JR is more about operation. JR is, therefore, closer to reducing the operational risk of collusion. JR mostly implies SoD as well.
30. Four domains of COBIT:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
31. COSO's main purpose: Prevent fraudulent financial reporting in organizations
32. L0phtCrack tool: L0phtCrack is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks, and rainbow tables. It was one of the crackers' tools of choice.
33. Ophcrack: Ophcrack is a free open-source (GPL licensed) program that cracks Windows log-in passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows.
34. John the Ripper: John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS).
35. In the SDLC, the security requirements are formalized during this phase: Functional Requirement Definition (security requirements are functional requirements)
