Topic 1
A shared resource matrix is a technique commonly used to locate:
D
Explanation:
Analyzing resources of a system is one standard for locating covert channels because the basis of a covert channel is a
shared resource. The following properties must hold for a storage channel to exist:
1. Both sending and receiving process must have access to the same attribute of a shared object.
2. The sending process must be able to modify the attribute of the shared object.
3. The receiving process must be able to reference that attribute of the shared object.
4. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must
exist.
Note: Similar properties for timing channel can be listed The following answers are incorrect:
All other answers were not directly related to discovery of Covert Channels.
Reference:
Acerbic Publications, Acerbic Publications (Test Series) - CRC Press LLC, Page No. 225
http://www.cs.ucsb.edu/~sherwood/cs290/papers/covert-kemmerer.pdf
http://www.cs.utexas.edu/~byoung/cs361/lecture16.pdf http://www.cs.utexas.edu/~byoung/cs361/lecture16.pdf
Topic 1
You are part of a security staff at a highly profitable bank and each day, all traffic on the network is logged for later review.
Every Friday when major deposits are made you're seeing a series of bits placed in the "Urgent Pointer" field of a TCP
packet. This is only 16 bits which isn't much but it concerns you because:
A
Explanation:
The Urgent Pointer is used when some information has to reach the server ASAP. When the TCP/IP stack at the other end
sees a packet using the Urgent Pointer set, it is duty bound to stop all ongoing activities and immediately send this packet up
the stack for immediate processing. Since the packet is plucked out of the processing queue and acted upon immediately, it
is known as an Out Of Band (OOB)packet and the data is called Out Of Band (OOB) data.
The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable.
Covert Channels are not directly synonymous with backdoors. A covert channel is simply using a communication protocol in
a way it was not intended to be used or sending data without going through the proper access control mechanisms or
channels. For example, in a Mandatory Access Control systems a user at secret has found a way to communicate
information to a user at Confidential without going through the normal channels.
In this case the Urgent bit could be used for a few reasons:
1. It could be to attempt a Denial of service where the host receiving a packet with the Urgent bit set will give immediate
attention to the request and will be in wait state until the urgent message is receive, ifthe sender does not send the urgent
message then it will simply sit there doing nothing until it times out. Some of the TCP/IP stacks used to have a 600 seconds
time out, which means that for 10 minutes nobody could use the port. By sending thousands of packet with the URGENT flag
set, it would create a very effective denial of service attack.
2. It could be used as a client server application to transmit data back and forward without going through the proper
channels. It would be slow but it is possible to use reserved fields and bits to transmitdata outside the normal communication
channels.
The other answers are incorrect
Reference:
http://www.fas.org/irp/nsa/rainbow/tg030.htm document covering the subject of covert channels and also see: http://gray-
world.net/papers.shtml which is a large collection of documents on Covert Channels
Topic 1
John is the product manager for an information system. His product has undergone under security review by an IS auditor.
John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the
following technique is used by John to treat the identified risk provided by an IS auditor?
A
Explanation:
Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented.
For your exam you should know below information about risk assessment and treatment:
A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing
the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are
analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security
can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough
security, or the wrong security controls, and to spend too much money in the process without attaining the necessary
objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should
be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Treating Risk
Risk Mitigation
Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk
mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves
applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information
that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion
detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive
information. In the underage driver example, risk mitigation could take the form of driver education for the youth or
establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have
more than one friend in the car as a passenger at any given time.
Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at
one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage
driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk
of a youth being in an accident to the insurance company, which provides the family with auto insurance.
It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example
presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance
taken out by companies to protect against hardware and software theft or destruction. This may also be true if an
organization must purchase and implement security controls in order to make their organization less desirable to attack. It is
important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance,
reputational risk may almost never be fully transferred.
Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have
you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks
that many of these children face as they become mobile? Some of these families will decide that the child in question will not
be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to
owning, insuring, and driving a motor vehicle.
In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such
as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations,
it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet,
decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the
company has products or services that consumers wish to purchase). In addition, the decision may require the company to
build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic
effect on the companys ability to continue business operations
Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk
acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost
versus the benefit of dealing with the risk in another way.
For example, an executive may be confronted with risks identified during the course of a risk assessment for their
organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes
that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring
of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference
of the risk to an insurance company would require premium payments. The
executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were
realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In
the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the
responsibility and maturity to warrant the parents trust in his or her judgment.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance
company. Let us look at one of the examples that were presented above in a different way.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that
may also weigh the cost versus the benefit of dealing with the risk in another way.
Reference:
CISA Review Manual 2014 Page number 51
Official ISC2 guide to CISSP CBK 3rd edition page number 383,384 and 385
Topic 1
Sam is the security Manager of a financial institute. Senior management has requested he performs a risk analysis on all
critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the
risks, the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the
potential lost that could be incurred. What kind of a strategy should Sam recommend to the senior management to treat
these risks?
B
Explanation:
Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the
cost versus the benefit of dealing with the risk in another way.
For your exam you should know below information about risk assessment and treatment:
A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing
the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are
analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security
can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough
security, or the wrong security controls, and to spend too much money in the process without attaining the necessary
objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should
be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of
the threat and the cost of the countermeasure.
Treating Risk
Risk Mitigation
Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk
mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves
applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information
that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion
detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive
information. In the underage driver example, risk mitigation could take the form of driver education for the youth or
establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have
more than one friend in the car as a passenger at any given time.
Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at
one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage
driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk
of a youth being in an accident to the insurance company, which provides the family with auto insurance.
It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example
presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance
taken out by companies to protect against hardware and software theft or destruction. This may also be true if an
organization must purchase and implement security controls in order to make their organization less desirable to attack. It is
important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance,
reputational risk may almost never be fully transferred.
Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have
you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks
that many of these children face as they become mobile? Some of these families will decide that the child in question will not
be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to
owning, insuring, and driving a motor vehicle.
In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such
as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations,
it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet,
decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the
company has products or services that consumers wish to purchase). In addition, the decision may require the company to
build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic
effect on the companys ability to continue business operations
Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk
acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost
versus the benefit of dealing with the risk in another way.
For example, an executive may be confronted with risks identified during the course of a risk assessment for their
organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes
that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring
of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference
of the risk to an insurance company would require premium payments. The
executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were
realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In
the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the
responsibility and maturity to warrant the parents trust in his or her judgment.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance
company. Let us look at one of the examples that were presented above in a different way.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Mitigation -Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented.
Reference:
CISA Review Manual 2014 Page number 51 and
Official ISC2 guide to CISSP CBK 3rd edition page number 534-539
Topic 1
Which of the following risk handling technique involves the practice of being proactive so that the risk in question is not
realized?
C
Explanation:
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
For your exam you should know below information about risk assessment and treatment:
A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing
the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are
analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security
can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough
security, or the wrong security controls, and to spend too much money in the process without attaining the necessary
objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should
be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats. Provide an economic balance between the impact of
the threat and the cost of the countermeasure.
Treating Risk
Risk Mitigation
Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented. Examples of risk
mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk Mitigation involves
applying appropriate control to reduce risk. For example, to lessen the risk of exposing personal and financial information
that is highly sensitive and confidential organizations put countermeasures in place, such as firewalls, intrusion
detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive
information. In the underage driver example, risk mitigation could take the form of driver education for the youth or
establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have
more than one friend in the car as a passenger at any given time.
Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at
one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage
driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk
of a youth being in an accident to the insurance company, which provides the family with auto insurance.
It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example
presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance
taken out by companies to protect against hardware and software theft or destruction. This may also be true if an
organization must purchase and implement security controls in order to make their organization less desirable to attack. It is
important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance,
reputational risk may almost never be fully transferred.
Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have
you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks
that many of these children face as they become mobile? Some of these families will decide that the child in question will not
be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to
owning, insuring, and driving a motor vehicle.
In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such
as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations,
it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet,
decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the
company has products or services that consumers wish to purchase). In addition, the decision may require the company to
build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic
effect on the companys ability to continue business operations
Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk
acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost
versus the benefit of dealing with the risk in another way.
For example, an executive may be confronted with risks identified during the course of a risk assessment for their
organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes
that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring
of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference
of the risk to an insurance company would require premium payments. The
executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were
realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In
the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the
responsibility and maturity to warrant the parents trust in his or her judgment.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance
company. Let us look at one of the examples that were presented above in a different way.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that
may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk Mitigation -Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented
Reference:
CISA Review Manual 2014 Page number 51 and
Official ISC2 guide to CISSP CBK 3rd edition page number 534-536
Topic 1
Which of the following control is intended to discourage a potential attacker?
A
Explanation:
Deterrent Control are intended to discourage a potential attacker
For your exam you should know below information about different security controls
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks
by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent
the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the
attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of
success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies,
the potential for incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential impact become
infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent,
curbing an attackers appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform
unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities are logged and
monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the
threat agent, and any potential for identification and association with their actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the
form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an
employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing
wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from
performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and
cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control
rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or
the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only
way to bypass the control is to find a flaw in the controls implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy.
Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the
required controls, there may exist other technology or processes that can supplement the existing environment, closing the
gap in controls, meeting policy requirements, and reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when performed over
the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure
Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support
the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate
for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as
authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access
controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of
least privilege. However, the detective nature of access controls can provide significant visibility into the access environment
and help organizations manage their access strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce
the risk exposure of the enterprises assets by limiting the capabilities that authenticated user has. However, there are few
options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a
file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established to log activity
regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when
provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful
and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective
controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the
environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or
compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls
must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation
at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary
compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that
may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown
disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls
placed on system files or even have default administrative accounts unknowingly implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding
separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially
exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Preventive - Preventive controls are intended to avoid an incident from occurring
Corrective - Corrective control fixes components or systems after an incident has occurred
Recovery - Recovery controls are intended to bring the environment back to regular operations
Reference:
CISA Review Manual 2014 Page number 44 and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51
Topic 1
Which of the following security control is intended to avoid an incident from occurring?
B
Explanation:
Preventive controls are intended to avoid an incident from occurring
For your exam you should know below information about different security controls
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks
by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent
the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the
attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of
success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies,
the potential for incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential impact become
infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent,
curbing an attackers appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform
unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities are logged and
monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the
threat agent, and any potential for identification and association with their actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the
form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an
employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing
wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from
performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and
cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control
rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or
the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only
way to bypass the control is to find a flaw in the controls implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy.
Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the
required controls, there may exist other technology or processes that can supplement the existing environment, closing the
gap in controls, meeting policy requirements, and reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when performed over
the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure
Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support
the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate
for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as
authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access
controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of
least privilege. However, the detective nature of access controls can provide significant visibility into the access environment
and help organizations manage their access strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce
the risk exposure of the enterprises assets by limiting the capabilities that authenticated user has. However, there are few
options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a
file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established to log activity
regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when
provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful
and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective
controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the
environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or
compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls
must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation
at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary
compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that
may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown
disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls
placed on system files or even have default administrative accounts unknowingly implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding
separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially
exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Corrective - Corrective control fixes components or systems after an incident has occurred
Recovery - Recovery controls are intended to bring the environment back to regular operations
Reference:
CISA Review Manual 2014 Page number 44 and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51
Topic 1
Which of the following control fixes a component or system after an incident has occurred?
C
Explanation:
Corrective control fixes components or systems after an incident has occurred
For your exam you should know below information about different security controls
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks
by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent
the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the
attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of
success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies,
the potential for incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential impact become
infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent,
curbing an attackers appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform
unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities are logged and
monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the
threat agent, and any potential for identification and association with their actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the
form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an
employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing
wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from
performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and
cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control
rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or
the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only
way to bypass the control is to find a flaw in the controls implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy.
Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the
required controls, there may exist other technology or processes that can supplement the existing environment, closing the
gap in controls, meeting policy requirements, and reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when performed over
the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure
Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support
the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate
for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as
authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access
controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of
least privilege. However, the detective nature of access controls can provide significant visibility into the access environment
and help organizations manage their access strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce
the risk exposure of the enterprises assets by limiting the capabilities that authenticated user has. However, there are few
options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a
file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established to log activity
regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when
provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful
and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective
controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the
environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or
compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls
must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation
at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary
compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that
may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown
disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls
placed on system files or even have default administrative accounts unknowingly implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding
separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially
exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Preventive - Preventive controls are intended to avoid an incident from occurring
Recovery - Recovery controls are intended to bring the environment back to regular operations
Reference:
CISA Review Manual 2014 Page number 44 and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51
Topic 1
Which of the following security control is intended to bring environment back to regular operation?
D
Explanation:
Recovery controls are intended to bring the environment back to regular operations
For your exam you should know below information about different security controls
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks
by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent
the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the
attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of
success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies,
the potential for incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential impact become
infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent,
curbing an attackers appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform
unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities are logged and
monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the
threat agent, and any potential for identification and association with their actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the
form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an
employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing
wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from
performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and
cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control
rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or
the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only
way to bypass the control is to find a flaw in the controls implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy.
Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the
required controls, there may exist other technology or processes that can supplement the existing environment, closing the
gap in controls, meeting policy requirements, and reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when performed over
the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure
Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support
the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate
for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as
authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access
controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of
least privilege. However, the detective nature of access controls can provide significant visibility into the access environment
and help organizations manage their access strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce
the risk exposure of the enterprises assets by limiting the capabilities that authenticated user has. However, there are few
options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a
file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established to log activity
regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when
provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful
and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective
controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the
environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or
compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls
must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation
at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary
compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that
may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown
disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls
placed on system files or even have default administrative accounts unknowingly implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding
separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially
exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Preventive - Preventive controls are intended to avoid an incident from occurring
Corrective - Corrective control fixes components or systems after an incident has occurred
Reference:
CISA Review Manual 2014 Page number 44 and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51
Topic 1
Which of the following control helps to identify an incidents activities and potentially an intruder?
C
Explanation:
Detective control helps identify an incidents activities and potentially an intruder
For your exam you should know below information about different security controls
Deterrent Controls
Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks
by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent
the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the
attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of
success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies,
the potential for incidents associated with the system is significantly reduced because an attacker will fear association with
the incident. If there are no controls for a given access path, the number of incidents and the potential impact become
infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent,
curbing an attackers appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform
unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities are logged and
monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the
threat agent, and any potential for identification and association with their actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the
form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an
employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing
wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from
performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and
cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control
rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or
the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only
way to bypass the control is to find a flaw in the controls implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy.
Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the
required controls, there may exist other technology or processes that can supplement the existing environment, closing the
gap in controls, meeting policy requirements, and reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when performed over
the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure
Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support
the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate
for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as
authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access
controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of
least privilege. However, the detective nature of access controls can provide significant visibility into the access environment
and help organizations manage their access strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce
the risk exposure of the enterprises assets by limiting the capabilities that authenticated user has. However, there are few
options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a
file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of
applied access controls will offer visibility into the transaction. The control environment can be established to log activity
regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when
provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful
and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective
controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the
environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or
compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls
must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation
at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary
compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that
may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown
disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls
placed on system files or even have default administrative accounts unknowingly implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding
separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially
exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable
situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker
Preventive - Preventive controls are intended to avoid an incident from occurring
Compensating - Compensating Controls provide an alternative measure of control
Reference:
CISA Review Manual 2014 Page number 44 and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51