SSCP : System Security Certified Practitioner (SSCP) : Part 47

SSCP : System Security Certified Practitioner (SSCP) : Part 47

1. If an organization were to monitor their employees’ e-mail, it should not:

   • Monitor only a limited number of employees.
   • Inform all employees that e-mail is being monitored.
   • Explain who can read the e-mail and how long it is backed up.
   • Explain what is considered an acceptable use of the e-mail system.

   Explanation:

   Monitoring has to be conducted is a lawful manner and applied in a consistent fashion; thus should be applied uniformly to all employees, not only to a small number.
   Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 9: Law, Investigation, and Ethics (page 304).

2. Which of the following is not a preventive operational control?

   • Protecting laptops, personal computers and workstations.
   • Controlling software viruses.
   • Controlling data media access and disposal.
   • Conducting security awareness and technical training.
   Explanation:
   Conducting security awareness and technical training to ensure that end users and system users are aware of the rules of behaviour and their responsibilities in protecting the organization’s mission is an example of a preventive management control, therefore not an operational control.
   Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology Systems, 2001 (page 37).

3. Which of the following questions are least likely to help in assessing controls covering audit trails?

   • Does the audit trail provide a trace of user actions?
   • Are incidents monitored and tracked until resolved?
   • Is access to online logs strictly controlled?
   • Is there separation of duties between security personnel who administer the access control function and those who administer the audit trail?
   Explanation:

   Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can provide individual accountability, a means to reconstruct events, detect intrusions, and identify problems. Audit trail controls are considered technical controls. Monitoring and tracking of incidents is more an operational control related to incident response capability.

   Reference(s) used for this question:

   SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-50 to A-51).

   NOTE: NIST SP 800-26 has been superceded By: FIPS 200, SP 800-53, SP 800-53A
   You can find the new replacement at: http://csrc.nist.gov/publications/PubsSPs.html
   However, if you really wish to see the old standard, it is listed as an archived document at:
   http://csrc.nist.gov/publications/PubsSPArch.html

4. Which of the following recovery plan test results would be most useful to management?

   • elapsed time to perform various activities.
   • list of successful and unsuccessful activities.
   • amount of work completed.
   • description of each activity.
   Explanation:

   After a test has been performed the most useful test results for manangement would be knowing what worked and what didn’t so that they could correct the mistakes where needed.

   The following answers are incorrect:

   elapsed time to perform various activities. This is incorrect because it is not the best answer, these results are not as useful as list of successful and unsuccessful activities would be to managment.

   amount of work completed. This is incorrect because it is not the best answer, these results are not as useful as list of successful and unsuccessful activities would be to managment.

   description of each activity. This is incorrect because it is not the best answer, these results are not as useful as list of successful and unsuccessful activities would be to managment.

5. In addition to the Legal Department, with what company function must the collection of physical evidence be coordinated if an employee is suspected?

   • Human Resources
   • Industrial Security
   • Public Relations
   • External Audit Group
   Explanation:

   If an employee is suspected of causing an incident, the human resources department may be involved—for example, in assisting with disciplinary proceedings.

   Legal Department. The legal experts should review incident response plans, policies, and procedures to ensure their compliance with law and Federal guidance, including the right to privacy. In addition, the guidance of the general counsel or legal department should be sought if there is reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect, or a lawsuit, or if there may be a need for a memorandum of understanding (MOU) or other binding agreements involving liability limitations for information sharing.

   Public Affairs, Public Relations, and Media Relations. Depending on the nature and impact of an incident, a need may exist to inform the media and, by extension, the public.

   The Incident response team members could include:

         Management
         Information Security
         Legal / Human Resources
         Public Relations
         Communications
         Physical Security
         Network Security
         Network and System Administrators
         Network and System Security Administrators
         Internal Audit

   Events versus Incidents
   An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse events that are computer security- related, not those caused by natural disasters, power failures, etc.

   A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

   Examples of incidents are:
   An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.

   Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.

   An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.

   A user provides or exposes sensitive information to others through peer-to-peer file sharing services.

   The following answers are incorrect:

   Industrial Security. Is incorrect because it is not the best answer, the human resource department must be involved with the collection of physical evidence if an employee is suspected.

   public relations. Is incorrect because it is not the best answer. It would be an important element to minimize public image damage but not the best choice for this question.

   External Audit Group. Is incorrect because it is not the best answer, the human resource department must be involved with the collection of physical evidence if an employee is suspected.

   Reference(s) used for this question:
   NIST Special Publication 800-61

6. To be admissible in court, computer evidence must be which of the following?

   • Relevant
   • Decrypted
   • Edited
   • Incriminating
   Explanation:

   Before any evidence can be admissible in court, the evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence. This holds true for computer evidence as well.

   While there are no absolute means to ensure that evidence will be allowed and helpful in a court of law, information security professionals should understand the basic rules of evidence. Evidence should be relevant, authentic, accurate, complete, and convincing. Evidence gathering should emphasize these criteria.

   As stated in CISSP for Dummies:

   Because computer-generated evidence can sometimes be easily manipulated, altered , or tampered with, and because it’s not easily and commonly understood, this type of evidence is usually considered suspect in a court of law. In order to be admissible, evidence must be

   Relevant: It must tend to prove or disprove facts that are relevant and material to the case.

   Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody. (We discuss this in the upcoming section
   “Chain of custody and the evidence life cycle.”)

   Legally permissible: It must be obtained through legal means. Evidence that’s not legally permissible may include evidence obtained through the following means:

   Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non-law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some circumstances.

   Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.

   Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward certain evidence (a honey pot, if you will) after that individual has already committed a crime. Enticement is not necessarily illegal but does raise certain ethical arguments and may not be admissible in court.

   Coercion: Coerced testimony or confessions are not legally permissible.

   Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be subject to monitoring.

   The following answers are incorrect:

   decrypted. Is incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence.

   edited. Is incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence. Edited evidence violates the rules of evidence.

   incriminating. Is incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence.

   Reference(s) used for this question:

   CISSP STudy Guide (Conrad, Misenar, Feldman) Elsevier. 2012. Page 423

   and
   Mc Graw Hill, Shon Harris CISSP All In One (AIO), 6th Edition , Pages 1051-1056
   and
   CISSP for Dummies , Peter Gregory

7. Which of the following is biggest factor that makes Computer Crimes possible?

   • The fraudster obtaining advanced training & special knowledge.
   • Victim carelessness.
   • Collusion with others in information processing.
   • System design flaws.
   Explanation:

   The biggest factor that makes Computer Crimes possible is Victim Carelessness. Awareness and education can reduce the chance of someone becomming a victim.

   The types and frequency of Computer Crimes are increasing at a rapid rate. Computer Crime was once mainly the result of insiders or disgruntled employees. Now just about everybody has access to the internet, professional criminals are taking advantage of this.

   Specialized skills are no longer needed and a search on the internet can provide a fraudster with a plethora of tools that can be used to perpetuate fraud.

   All too often carelessness leads to someone being a victim. People often use simple passwords or write them down in plain sight where they can be found by fraudsters. People throwing away papers loaded with account numbers, social security numbers, or other types of non-public personal information. There are phishing e-mail attempts where the fraudster tries to redirect a potential victim to a bogus site that resembles a legitimate site in an attempt to get the users’ login ID and password, or other credentials. There is also social engineering. Awareness and training can help reduce the chance of someone becoming a victim.

   The following answers are incorrect:

   The fraudster obtaining advanced training and special knowledge. Is incorrect because training and special knowledge is not required. There are many tools widely available to fraudsters.

   Collusion with others in information processing. Is incorrect because as more and more people use computers in their daily lives, it is no longer necessary to have someone on the inside be a party to fraud attempts.

   System design flaws. Is incorrect because while System design flaws are sometimes a factor in Computer Crimes more often then not it is victim carelessness that leads to Computer Crimes.

   References:
   OIG CBK Legal, Regulations, Compliance and Investigations (pages 695 – 697)

8. Under United States law, an investigator’s notebook may be used in court in which of the following scenarios?

   • When the investigator is unwilling to testify.
   • When other forms of physical evidence are not available.
   • To refresh the investigators memory while testifying.
   • If the defense has no objections.
   Explanation:

   An investigator’s notebook cannot be used as evidence is court. It can only be used by the investigator to refresh his memory during a proceeding, but cannot be submitted as evidence in any form.

   The following answers are incorrect:

   When the investigator is unwilling to testify. Is incorrect because the notebook cannot be submitted as evidence in any form.

   When other forms of physical evidence are not available. Is incorrect because the notebook cannot be submitted as evidence in any form.

   If the defense has no objections. Is incorrect because the notebook cannot be submitted as evidence in any form.

9. Which of the following cannot be undertaken in conjunction or while computer incident handling is ongoing?

   • System development activity
   • Help-desk function
   • System Imaging
   • Risk management process
   Explanation:

   If Incident Handling is underway an incident has potentially been identified. At that point all use of the system should stop because the system can no longer be trusted and any changes could contaminate the evidence. This would include all System Development Activity.

   Every organization should have plans and procedures in place that deals with Incident Handling.

   Employees should be instructed what steps are to be taken as soon as an incident occurs and how to report it. It is important that all parties involved are aware of these steps to protect not only any possible evidence but also to prevent any additional harm.

   It is quite possible that the fraudster has planted malicous code that could cause destruction or even a Trojan Horse with a back door into the system. As soon as an incident has been identified the system can no longer be trusted and all use of the system should cease.

   Shon Harris in her latest book mentions:
   Although we commonly use the terms “event” and “incident” interchangeably, there are subtle differences between the two. An event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/ or impacts its security posture. This is why we call reacting to these issues “incident response” (or “incident handling”), because something is negatively affecting the company and causing a security breach.

   Many types of incidents (virus, insider attack, terrorist attacks, and so on) exist, and sometimes it is just human error. Indeed, many incident response individuals have received a frantic call in the middle of the night because a system is acting “weird.” The reasons could be that a deployed patch broke something, someone misconfigured a device, or the administrator just learned a new scripting language and rolled out some code that caused mayhem and confusion.

   When a company endures a computer crime, it should leave the environment and evidence unaltered and contact whomever has been delegated to investigate these types of situations. Someone who is unfamiliar with the proper process of collecting data and evidence from a crime scene could instead destroy that evidence, and thus all hope of prosecuting individuals, and achieving a conviction would be lost.

   Companies should have procedures for many issues in computer security such as enforcement procedures, disaster recovery and continuity procedures, and backup procedures. It is also necessary to have a procedure for dealing with computer incidents because they have become an increasingly important issue of today’s information security departments. This is a direct result of attacks against networks and information systems increasing annually. Even though we don’t have specific numbers due to a lack of universal reporting and reporting in general, it is clear that the volume of attacks is increasing.

   Just think about all the spam, phishing scams, malware, distributed denial-of-service, and other attacks you see on your own network and hear about in the news. Unfortunately, many companies are at a loss as to who to call or what to do right after they have been the victim of a cybercrime. Therefore, all companies should have an incident response policy that indicates who has the authority to initiate an incident response, with supporting procedures set up before an incident takes place.

   This policy should be managed by the legal department and security department. They need to work together to make sure the technical security issues are covered and the legal issues that surround criminal activities are properly dealt with. The incident response policy should be clear and concise. For example, it should indicate if systems can be taken offline to try to save evidence or if systems have to continue functioning at the risk of destroying evidence. Each system and functionality should have a priority assigned to it. For instance, if the file server is infected, it should be removed from the network, but not shut down. However, if the mail server is infected, it should not be removed from the network or shut down because of the priority the company attributes to the mail server over the file server. Tradeoffs and decisions will have to be made, but it is better to think through these issues before the situation occurs, because better logic is usually possible before a crisis, when there’s less emotion and chaos.

   The Australian Computer Emergency Response Team’s General Guidelines for Computer Forensics:

   Keep the handling and corruption of original data to a minimum.
   Document all actions and explain changes.
   Follow the Five Rules for Evidence (Admissible, Authentic, Complete, Accurate, Convincing).
   • Bring in more experienced help when handling and/ or analyzing the evidence is beyond your knowledge, skills, or abilities.
   Adhere to your organization’s security policy and obtain written permission to conduct a forensics investigation.
   Capture as accurate an image of the system( s) as possible while working quickly.
   Be ready to testify in a court of law.
   Make certain your actions are repeatable.
   Prioritize your actions, beginning with volatile and proceeding to persistent evidence.
   Do not run any programs on the system( s) that are potential evidence.
   Act ethically and in good faith while conducting a forensics investigation, and do not attempt to do any harm.

   The following answers are incorrect:

   help-desk function. Is incorrect because during an incident, employees need to be able to communicate with a central source. It is most likely that would be the help-desk. Also the help-desk would need to be able to communicate with the employees to keep them informed.

   system imaging. Is incorrect because once an incident has occured you should perform a capture of evidence starting with the most volatile data and imaging would be doen using bit for bit copy of storage medias to protect the evidence.

   risk management process. Is incorrect because incident handling is part of risk management, and should continue.

   Reference(s) used for this question:
   Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 21468-21476). McGraw-Hill. Kindle Edition.
   and
   Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 21096-21121). McGraw-Hill. Kindle Edition.
   and
   NIST Computer Security incident handling http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter12.html

10. Devices that supply power when the commercial utility power system fails are called which of the following?

    • power conditioners
    • uninterruptible power supplies
    • power filters
    • power dividers
    Explanation:

    From Shon Harris AIO Fifth Edition:

    Protecting power can be done in three ways: through UPSs, power line conditioners, and backup sources.

    UPSs use battery packs that range in size and capacity. A UPS can be online or standby.

    Online UPS systems use AC line voltage to charge a bank of batteries. When in use, the UPS has an inverter that changes the DC output from the batteries into the required AC form and that regulates the voltage as it powers computer devices.

    Online UPS systems have the normal primary power passing through them day in and day out. They constantly provide power from their own inverters, even when the electric power is in proper use. Since the environment’s electricity passes through this type of UPS all the time, the UPS device is able to quickly detect when a power failure takes place. An online UPS can provide the necessary electricity and picks up the load after a power failure much more quickly than a standby UPS.

    Standby UPS devices stay inactive until a power line fails. The system has sensors that detect a power failure, and the load is switched to the battery pack. The switch to the battery pack is what causes the small delay in electricity being provided.
    So an online UPS picks up the load much more quickly than a standby UPS, but costs more of course.

11. The typical computer fraudsters are usually persons with which of the following characteristics?

    • They have had previous contact with law enforcement
    • They conspire with others
    • They hold a position of trust
    • They deviate from the accepted norms of society
    Explanation:

    These people, as employees, are trusted to perform their duties honestly and not take advantage of the trust placed in them.

    The following answers are incorrect:

    They have had previous contact with law enforcement. Is incorrect because most often it is a person that holds a position of trust and this answer implies they have a criminal background. This type of individual is typically not in a position of trust within an organization.

    They conspire with others. Is incorrect because they typically work alone, often as a form of retribution over a percieved injustice done to them.

    They deviate from the accepted norms of society. Is incorrect because while the nature of fraudsters deviate from the norm, the fraudsters often hold a position of trust within the organization.

12. Once evidence is seized, a law enforcement officer should emphasize which of the following?

    • Chain of command
    • Chain of custody
    • Chain of control
    • Chain of communications
    Explanation:

    All people that handle the evidence from the time the crime was committed through the final disposition must be identified. This is to ensure that the evidence can be used and has not been tampered with.

    The following answers are incorrect:

    chain of command. Is incorrect because chain of command is the order of authority and does not apply to evidence.

    chain of control. Is incorrect because it is a distractor.
    chain of communications. Is incorrect because it is a distractor.

13. Which of the following is the most important consideration in locating an alternate computing facility during the development of a disaster recovery plan?

    • It is unlikely to be affected by the same disaster.
    • It is close enough to become operational quickly.
    • It is close enough to serve its users.
    • It is convenient to airports and hotels.
    Explanation:

    You do not want the alternate or recovery site located in close proximity to the original site because the same event that create the situation in the first place might very well impact that site also.

    From NIST: “The fixed site should be in a geographic area that is unlikely to be negatively affected by the same disaster event (e.g., weather-related impacts or power grid failure) as the organization’s primary site.

    The following answers are incorrect:

    It is close enough to become operational quickly. Is incorrect because it is not the best answer. You’d want the alternate site to be close but if it is too close the same event could impact that site as well.

    It is close enough to serve its users. Is incorrect because it is not the best answer. You’d want the alternate site to be close to users if applicable, but if it is too close the same event could impact that site as well

    It is convenient to airports and hotels. Is incorrect because it is not the best answer, it is more important that the same event does not impact the alternate site then convenience.

    References:

    OIG CBK Business Continuity and Disaster Recovery Planning (pages 368 – 369)
    NIST document 800-34 pg 21

14. Contracts and agreements are often times unenforceable or hard to enforce in which of the following alternate facility recovery agreement?

    • hot site
    • warm site
    • cold site
    • reciprocal agreement
    Explanation:

    A reciprocal agreement is where two or more organizations mutually agree to provide facilities to the other if a disaster occurs. The organizations must have similiar hardware and software configurations. Reciprocal agreements are often not legally binding.

    Reciprocal agreements are not contracts and cannot be enforced. You cannot force someone you have such an agreement with to provide processing to you.

    Government regulators do not accept reciprocal agreements as valid disaster recovery sites.

    Cold sites are empty computer rooms consisting only of environmental systems, such as air conditioning and raised floors, etc. They do not meet the requirements of most regulators and boards of directors that the disaster plan be tested at least annually.

    Time Brokers promise to deliver processing time on other systems. They charge a fee, but cannot guaranty that processing will always be available, especially in areas that experienced multiple disasters.

    With the exception of providing your own hot site, commercial hot sites provide the greatest protection. Most will allow you up to six weeks to restore your sites if you declare a disaster. They also permit an annual amount of time to test the Disaster Plan.

    References:
    OIG CBK Business Continuity and Disaster Recovery Planning (pages 368 – 369)

    The following answers are incorrect:
    hot site. Is incorrect because you have a contract in place stating what services are to be provided.
    warm site. Is incorrect because you have a contract in place stating what services are to be provided.
    cold site. Is incorrect because you have a contract in place stating what services are to be provided.

15. Which of the following computer recovery sites is only partially equipped with processing equipment?

    • hot site
    • rolling hot site
    • warm site
    • cold site
    Explanation:

    A warm site has some basic equipment or in some case almost all of the equipment but it is not sufficient to be operational without bringing in the last backup and in some cases more computers and other equipment.

    The following answers are incorrect:

    hot site. Is incorrect because a hot-site is fully configured with all the required hardware. The only thing missing is the last backup and you are up and running.

    Rolling hot site. Is incorrect because a rolling hot-site is fully configured with all the required hardware.

    cold site. Is incorrect because a cold site has basically power, HVAC, basic cabling, but no or little as far as processing equipment is concerned. All other equipment must be brought to this site. It might take a week or two to reconstruct.

    References:
    OIG CBK Business Continuity and Disaster Recovery Planning (pages 368 – 369)

16. Which of the following computer recovery sites is the least expensive and the most difficult to test?

    • non-mobile hot site
    • mobile hot site
    • warm site
    • cold site
    Explanation:

    Is the least expensive because it is basically a structure with power and would be the most difficult to test because you would have to install all of the hardware infrastructure in order for it to be operational for the test.

    The following answers are incorrect:

    non-mobile hot site. Is incorrect because it is more expensive then a cold site and easier to test because all of the infrastructure is in place.

    mobile hot site. Is incorrect because it is more expensive then a cold site and easier to test because all of the infrastructure is in place.

    warm site. Is incorrect because it is more expensive then a cold site and easier to test because more of the infrastructure is in place.

17. Which of the following is the best reason for the use of an automated risk analysis tool?

    • Much of the data gathered during the review cannot be reused for subsequent analysis.
    • Automated methodologies require minimal training and knowledge of risk analysis.
    • Most software tools have user interfaces that are easy to use and does not require any training.
    • Information gathering would be minimized and expedited due to the amount of information already built into the tool.
    Explanation:

    The use of tools simplifies this process. Not only do they usually have a database of assests, threats, and vulnerabilities but they also speed up the entire process.

    Using Automated tools for performing a risk assessment can reduce the time it takes to perform them and can simplify the process as well. The better types of these tools include a well-researched threat population and associated statistics. Using one of these tools virtually ensures that no relevant threat is overlooked, and associated risks are accepted as a consequence of the threat being overlooked.

    In most situations, the assessor will turn to the use of a variety of automated tools to assist in the vulnerability assessment process. These tools contain extensive databases of specific known vulnerabilities as well as the ability to analyze system and network configuration information to predict where a particular system might be vulnerable to different types of attacks. There are many different types of tools currently available to address a wide variety of vulnerability assessment needs. Some tools will examine a system from the viewpoint of the network, seeking to determine if a system can be compromised by a remote attacker exploiting available services on a particular host system. These tools will test for open ports listening for connections, known vulnerabilities in common services, and known operating system exploits.

    Michael Gregg says:
    Automated tools are available that minimize the effort of the manual process. These programs enable users to rerun the analysis with different parameters to answer “what-ifs.” They perform calculations quickly and can be used to estimate future expected losses easier than performing the calculations manually.

    Shon Harris in her latest book says:
    The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print reports and comprehensive graphs to present to management.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4655-4661). Auerbach Publications. Kindle Edition.

    and
    CISSP Exam Cram 2 by Michael Gregg
    and
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 2333-2335). McGraw-Hill. Kindle Edition.

    The following answers are incorrect:

    Much of the data gathered during the review cannot be reused for subsequent analysis. Is incorrect because the data can be reused for later analysis.

    Automated methodologies require minimal training and knowledge of risk analysis. Is incorrect because it is not the best answer. While a minimal amount of training and knowledge is needed, the analysis should still be performed by skilled professionals.

    Most software tools have user interfaces that are easy to use and does not require any training. Is incorrect because it is not the best answer. While many of the user interfaces are easy to use it is better if the tool already has information built into it. There is always a training curve when any product is being used for the first time.

18. A deviation from an organization-wide security policy requires which of the following?

    • Risk Acceptance
    • Risk Assignment
    • Risk Reduction
    • Risk Containment
    Explanation:

    A deviation from an organization-wide security policy requires you to manage the risk. If you deviate from the security policy then you are required to accept the risks that might occur.

    In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

    The OIG defines Risk Management as: This term characterizes the overall process.

    The first phase of risk assessment includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk.

    The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.

    Risk management is a continuous process of ever-increasing complexity. It is how we evaluate the impact of exposures and respond to them. Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost–benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review.

    Risk management provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance.

    The 4 ways of dealing with risks are: Avoidance, Transfer, Mitigation, Acceptance

    The following answers are incorrect:

    Risk assignment. Is incorrect because it is a distractor, assignment is not one of the ways to manage risk.

    Risk reduction. Is incorrect because there was a deviation of the security policy. You could have some additional exposure by the fact that you deviated from the policy.

    Risk containment. Is incorrect because it is a distractor, containment is not one of the ways to manage risk.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8882-8886). Auerbach Publications. Kindle Edition.
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10206-10208). Auerbach Publications. Kindle Edition.

19. Organizations should not view disaster recovery as which of the following?

    • Committed expense.
    • Discretionary expense.
    • Enforcement of legal statutes.
    • Compliance with regulations.
    Explanation:

    Disaster Recovery should never be considered a discretionary expense. It is far too important a task. In order to maintain the continuity of the business Disaster Recovery should be a commitment of and by the organization.

    A discretionary fixed cost has a short future planning horizon—under a year. These types of costs arise from annual decisions of management to spend in specific fixed cost areas, such as marketing and research. DR would be an ongoing long term committment not a short term effort only.

    A committed fixed cost has a long future planning horizon— more than on year. These types of costs relate to a company’s investment in assets such as facilities and equipment. Once such costs have been incurred, the company is required to make future payments.

    The following answers are incorrect:

    committed expense. Is incorrect because Disaster Recovery should be a committed expense.

    enforcement of legal statutes. Is incorrect because Disaster Recovery can include enforcement of legal statutes. Many organizations have legal requirements toward Disaster Recovery.

    compliance with regulations. Is incorrect because Disaster Recovery often means compliance with regulations. Many financial institutions have regulations requiring Disaster Recovery Plans and Procedures.

20. Which of the following groups represents the leading source of computer crime losses?

    • Hackers
    • Industrial saboteurs
    • Foreign intelligence officers
    • Employees
    Explanation:

    There are some conflicting figures as to which group is a bigger threat hackers or employees. Employees are still considered to the leading source of computer crime losses. Employees often have an easier time gaining access to systems or source code then ousiders or other means of creating computer crimes.

    A word of caution is necessary: although the media has tended to portray the threat of cybercrime as existing almost exclusively from the outside, external to a company, reality paints a much different picture. Often the greatest risk of cybercrime comes from the inside, namely, criminal insiders. Information security professionals must be particularly sensitive to the phenomena of the criminal or dangerous insider, as these individuals usually operate under the radar, inside of the primarily outward/external facing security controls, thus significantly increasing the impact of their crimes while leaving few, if any, audit trails to follow and evidence for prosecution.

    Some of the large scale crimes committed agains bank lately has shown that Internal Threats are the worst and they are more common that one would think. The definition of what a hacker is can vary greatly from one country to another but in some of the states in the USA a hacker is defined as Someone who is using resources in a way that is not authorized. A recent case in Ohio involved an internal employee who was spending most of his day on dating website looking for the love of his life. The employee was taken to court for hacking the company resources.

    The following answers are incorrect:

    hackers. Is incorrect because while hackers represent a very large problem and both the frequency of attacks and overall losses have grown hackers are considered to be a small segment of combined computer fraudsters.

    industrial saboteurs. Is incorrect because industrial saboteurs tend to go after trade secrets. While the loss to the organization can be great, they still fall short when compared to the losses created by employees. Often it is an employee that was involved in industrial sabotage.

    foreign intelligence officers. Is incorrect because the losses tend to be national secrets. You really can’t put t cost on this and the number of frequency and occurances of this is less than that of employee related losses.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 22327-22331). Auerbach Publications. Kindle Edition.