Questions and Answers
What characterizes transient cookies?
- Available after the session has ended.
- Sent to multiple domains if allowed.
- Stored on the machine’s hard disk drive.
- Stored in memory and discarded during session teardown. (correct)
What is a key feature of secure cookies?
- They can be transmitted in clear text.
- They are shared across different domains.
- They expire immediately after session teardown.
- They must be supported by the web browser to be effective. (correct)
Which type of control is designed to identify and react to incidents that have already occurred?
- Compensating control
- Preventative control
- Detective control (correct)
- Corrective control
What results can arise from non-compliance with regulations?
What is an essential aspect of effective patch management?
What is the primary purpose of governance in security management?
Which best describes centralized patch management?
What is the primary purpose of sandboxing?
Which document type outlines the step-by-step instructions for completing tasks within an organization?
Which component of security governance is mainly responsible for overseeing mission fulfillment in an organization?
How does decentralized patch management function?
Which of the following methods is NOT typically part of patch management?
Which type of policy defines how an organization manages and protects its information assets?
What is the focus of a Privacy Policy within an organization?
What is the role of attestation services in patch management?
Which type of control provides a backup mechanism to help mitigate risks in security management?
What is one potential outcome of receiving punitive actions for non-compliance?
Which type of control is specifically aimed at preventing security incidents from occurring in the first place?
What is the primary objective of the Change Management procedures?
Which agreement establishes a comprehensive legal relationship between a service provider and a customer/client?
What is the role of the Data Privacy Officer (DPO) under GDPR?
Which is NOT a data protection method mentioned in the content?
What type of data does the term 'regulated data' refer to?
Which document method emphasizes actions to be performed within a project?
What characterizes a Memorandum of Understanding (MOU)?
Which of the following is NOT a method for risk identification?
Which classification label corresponds to 'Medium' criticalness?
What is the typical outcome of the usage phase in the information life-cycle model?
What is the primary purpose of offboarding procedures?
In the Change Management approval process, what is established during change approval?
Which of the following is NOT a type of operational agreement mentioned?
What is the main purpose of risk management?
Which of these roles is NOT involved as per the data policy components?
What is a risk register primarily used for?
How is the likelihood in a risk matrix primarily assessed?
What type of risk assessment occurs on a regular schedule due to contractual or regulatory requirements?
Which of the following describes the qualitative risk analysis?
What is a disadvantage of quantitative risk analysis?
What formula represents Single Loss Expectancy (SLE)?
When an incident causes a building worth $1,000,000 to suffer a 70% loss, what is the Single Loss Expectancy (SLE)?
What is a key risk indicator?
Which risk management approach aims to minimize loss as much as possible?
What does the term 'risk tolerance' refer to?
What happens to risks that fall below the risk threshold?
Which protocol is primarily used for key generation and distribution in WLAN?
What is the frequency range used by the 802.11b protocol?
Which encryption protocol is used by WPA2 for message confidentiality?
What is the maximum bandwidth of the 802.11ac protocol?
Which feature is specific to WPA3 compared to WPA2?
What modulation technique is used in 802.11n?
When does the data transference phase occur in WLAN?
Which authentication method is part of WPA2's mutual authentication process?
What is a characteristic of the Bluetooth Host Controller Interface (HCI)?
Which of the following protocols is NOT part of WPA3's mutual authentication?
Study Notes
### Security Governance
- Organizational policies focus on information security, privacy, acceptable usage, employment, and change management.
- Regulatory compliance is verified through internal and external audits.
- Non-compliance can lead to significant consequences, including sanctions, fines, and reputational damage.
- Governance structure includes management (board and committees) and government agencies.
- Security hierarchy of documents includes policies, standards, procedures, and guidelines.
- Organizational policies include:
  - Information Security policy: defines how an organization manages and protects information.
  - Privacy policy: defines employee privacy expectations.
  - Acceptable Use Policy (AUP): defines acceptable use of company resources.
  - Employment policy: covers the employee-employer lifecycle.
  - Change Management policy: defines the change management approach, roles, and responsibilities.
### Operational Agreements
- Operational agreements include Master Service Agreements (MSA), Service-Level Agreements (SLA), Statement of Work (SoW) / Work Order (WO), Business Partnership Agreement (BPA), Non-Disclosure Agreement (NDA), Memorandum of Agreement (MOA), and Memorandum of Understanding (MOU).
### Data Policy
- Data policy components include roles and responsibilities, like data owner, data custodian/steward, data controller, and data processor.
- The General Data Protection Regulation (GDPR) defines data subject, Data Privacy Officer (DPO), and their responsibilities.
- The information lifecycle model encompasses creation, processing, dissemination, usage, storage, and disposal of data.
### Asset Management
- Asset management involves maintaining positive control throughout the asset's lifetime.
- Steps include:
  - Acquisition and procurement
  - Assignment and accountability
  - Asset monitoring and tracking
  - Decommissioning and disposal
### Risk Management
- Risk management involves identifying, monitoring, and reducing risk to an acceptable level.
- Management establishes risk appetite, which can be expansionary, neutral, or conservative.
- Risk tolerance defines the acceptable variance in business objective performance.
- Risk Identification methods include process analysis, interviews, asset tracking, cognitive computing, and workshops.
- Risk assessment can be one-time, ad hoc, recurring, or continuous.
- Qualitative risk analysis relies on human judgment and opinions, offering insights into the impact beyond financial implications.
- Quantitative risk analysis utilizes numerical values for impact and likelihood, supporting cost-benefit analysis.
- Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE) are used to quantify financial risk.
### Secure Cookies
- Secure cookies are configured to prevent them from being sent to any domain other than the originating one.
- Server configuration settings ensure cookies aren't sent in clear text.
- Success depends on browser support.
### Patch Management
- Patch management involves updating the security baseline of firmware, applications, or operating systems to address vulnerabilities and introduce new features.
- Patches can be deployed through centralized or decentralized management systems.
- Effective patch management requires careful monitoring and tracking of deployed patches.
### Sandboxing
- Sandboxing creates a controlled environment to isolate components from other operational components.
- Sandboxing restricts access to system resources like memory and storage locations.
- Sandboxing techniques include firewall ACLs, hypervisors, memory managers, and physical isolation.
### Bluetooth Technology
- Laptops and controllers communicate over an ad hoc network via the Bluetooth Host Controller Interface (HCI).
- The latest versions of Bluetooth use AES-CCM for frame confidentiality and authenticity.
- Bluetooth Secure Authentication uses HMAC-SHA256 with mutual authentication.
### Wireless Local Area Network (WLAN)
- IEEE 802.11 WLAN protocols deliver data, management, and control frames.
- WLAN phases include discovery, authentication, key generation/distribution, data transference, and termination.
- Discovery uses management frames such as beacon and association frames.
- Authentication uses protocols such as 802.1X and EAP.
- Data-in-transit protection protocols are used during data transference.
### Wireless Site Survey
- Wi-Fi analyzers, monitor mode, and signal quality assessments are used during this phase.
- RFI heat maps are used for assessing radio frequency interference.
### Wireless Network Protocols and Frequencies
- 802.11a: 5 GHz, 54 Mbps, OFDM modulation
- 802.11b: 2.4 GHz, 11 Mbps, DSSS modulation
- 802.11g: 2.4 GHz, 54 Mbps, OFDM/DSSS modulation
- 802.11n: 2.4 GHz & 5 GHz, 600 Mbps, OFDM/DSSS modulation
- 802.11ac: 5 GHz, 3.5 Gbps, QAM/OFDM/DSSS modulation
- 802.11ax: 2.4 GHz & 5 GHz, 9.6 Gbps, QAM/OFDM/DSSS modulation
### Wi-Fi Protected Access (WPA)
- WPA2 is NIST FIPS 140-2 compliant and uses CCMP with AES encryption.
- CCMP uses CBC-MAC for packet authenticity and AES-128 for message confidentiality.
- WPA2 supports mutual authentication through EAP protocols such as EAP-TLS, PEAP, EAP-TTLS, and EAP-FAST.
- WPA3 requires Wi-Fi certification and authenticates the AP and client before association.
- WPA3 uses IEEE 802.11w Management Frame Protection (MFP).
- CCMP provides data origin authentication and replay protection.
- WPA3 uses SAE in personal mode with a 128-bit AES key size.
- WPA3 enterprise mode uses a 192-bit AES key size and supports EAP-TLS, PEAP, and EAP-TTLS.
### Network Switch Monitoring
- To monitor all network traffic passing through a switch, the switch must be configured to enable port mirroring.
- Mirroring allows the switch to send a copy of all network traffic to a monitoring device for analysis.
- This can be used for security, troubleshooting, and performance monitoring.
Description
This quiz covers key concepts in security governance, including organizational policies on information security, privacy, and change management. Additionally, it highlights the importance of regulatory compliance and the hierarchical structure of security documentation. Test your knowledge on how governance impacts organizational practices and operational agreements.