712-50 EC-Council Certified CISO (CCISO) Question and Answers

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Trusted and untrusted networks

Type of authentication

Storage encryption

Log retention

Secure the area and shut-down the computer until investigators arrive

Secure the area and attempt to maintain power until investigators arrive

Immediately place hard drive and other components in an anti-static bag

Secure the area.

It is an IPSec protocol.

It is a text-based communication protocol.

It uses TCP port 22 as the default port and operates at the application layer.

It uses UDP port 22

Containment

Recovery

Identification

Eradication

Shared key

Asynchronous

Open

None

chain of custody.

electronic discovery.

evidence tampering.

electronic review.

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

Traffic Analysis

Deep-Packet inspection

Packet sampling

Heuristic analysis

Physical, Technical, Operational

Technical, Strong Password, Operational

Operational, Biometric, Physical

Strong password, Biometric, Common Access Card

Wireless Application Protocol (WAP)

Wifi Protected Access version 2 (WPA2)

Wireless Equivalence Protocol (WEP)

Extensible Authentication Protocol (EAP)

‘ o 1=1 - -

/../../../../

“DROPTABLE USERNAME”

NOPS

3DES

MD5

ECC

RSA

Enterprise Risk Assessment

Disaster recovery strategic plan

Business continuity plan

Application mapping document

Unable to control physical access to the servers

Unable to track log on activity

Unable to run anti-virus scans

Unable to patch systems as needed

Confidentiality, Availability, Integrity

Compliance, Effectiveness, Efficiency

Communication, Reliability, Cost

Confidentiality, Compliance, Cost

Comprehensive Log-Files from all servers and network devices affected during the attack

Fully trained network forensic experts to analyze all data right after the attack

Uninterrupted Chain of Custody

Expert forensics witness

Weekly

Monthly

Quarterly

Daily

The asset is more expensive than the remediation

The audit finding is incorrect

The asset being protected is less valuable than the remediation costs

The remediation costs are irrelevant; it must be implemented regardless of cost.

Nonlinearities in physical security performance metrics

Defense in depth cost enumerated costs

System hardening and patching requirements

Anti-virus for mobile devices

Procedural control

Organization control

Technical control

Management control

ISO 27001

PRINCE2

ISO 27004

ITILv3

Plan-Check-Do-Act

Plan-Do-Check-Act

Plan-Select-Implement-Evaluate

SCORE (Security Consensus Operational Readiness Evaluation)

Senior Executives

Office of the Auditor

Office of the General Counsel

All employees and users

Residual Risk

Total Risk

Post implementation risk

Transferred risk

The number of actionable items in the recommendations

How it exposes the risk tolerance of the company

How the recommendations directly support the goals of the company

The number of security controls the company has in use

Date and time of the event

Failure of the event

Originating IP-Address

Authentication type

Risk mitigation

Risk transfer

Risk tolerance

Risk acceptance

Identifying the risk

Finding economic balance between the impact of the risk and the cost of the control

Identifying the victim of any potential exploits.

Assessing the impact of potential threats

An administrator with too much time on their hands.

Putting undue time commitment on the system administrator.

Supporting the concept of layered security

Network segmentation.

Nothing, this falls outside your area of influence.

Close and chain the door shut and send a company-wide memo banning the practice.

Have a risk assessment performed.

Post a guard at the door to maintain physical security

Have internal audit conduct another audit to see what has changed.

Contract with an external audit company to conduct an unbiased audit

Review the recommendations and follow up to see if audit implemented the changes

Meet with audit team to determine a timeline for corrections

An Information Security audit standard

An audit guideline for certifying secure systems and controls

A framework for Information Technology management and governance

A set of international regulations for Information Technology governance

The auditors have not followed proper auditing processes

The CIO of the organization disagrees with the finding

The risk tolerance of the organization permits this risk

The organization has purchased cyber insurance

Document the process for the stakeholders

Monitor the effectiveness of the controls

Update the audit findings report

Perform a risk assessment

Lack of notification to the public of disclosure of confidential information.

Lack of periodic examination of access rights

Failure to notify police of an attempted intrusion

Lack of reporting of a successful denial of service attack on the network.

At the end of the day once the employee is off site

During the monthly review cycle

Immediately so the employee account(s) can be disabled

Before an audit

Control Objective for Information Technology (COBIT)

Committee of Sponsoring Organizations (COSO)

Payment Card Industry (PCI)

Information Technology Infrastructure Library (ITIL)

Number of change orders rejected

Number and length of planned outages

Number of unplanned outages

Number of change orders processed

Security certification

Security system analysis

Security accreditation

Alignment with business practices and goals.

Closed circuit television

Open circuit television

Blocked video

Local video

Obtain funding for all desired controls and then create project plans for implementation

Apply the simpler controls as quickly as possible and use a risk-based approach for the more difficult and

costly controls

Apply the least costly controls to demonstrate positive program activity

Obtain business unit buy-in through close communication and coordination

Be equal to the value of the information resource being protected

Be greater than the value of the information resource being protected

Be less than the value of the information resource being protected

Should not matter, as long as the information resource is protected

Rights collision

Excessive privileges

Privilege creep

Least privileges

Provided with a digital signature

Assured of the server’s identity

Identified by a network

Registered by the server

Poorly configured firewalls

Malware

Advanced Persistent Threat (APT)

An insider

Creates a timeline for purchasing and budgeting

Allows small companies to compete with larger companies

Clearly identifies risks and benefits before funding is spent

Informs suppliers a company is going to make a purchase

Centralized log management

Encrypted log files in transit

Each node set to local time

Log aggregation agent each node

National Institute of Standards and Technology (NIST) Special Publication 800-53

Payment Card Industry Digital Security Standard (PCI DSS)

International Organization for Standardization – ISO 27001/2

British Standard 7799 (BS7799)

Refer the vendor to the Service Level Agreement (SLA) and insist that they make the changes.

Review the Request for Proposal (RFP) for guidance.

Withhold the vendor’s payments until the issue is resolved.

Refer to the contract agreement for direction.

The existing IT environment.

The company business plan.

The present IT budget.

Other corporate technology trends.

Review time schedules

Verify budget

Verify resources

Verify constraints

File Transfer Protocol (FTP)

Virtual Local Area Network (VLAN)

Simple Mail Transfer Protocol

Virtual Private Network (VPN)

Validate the effectiveness of applied controls

Validate security program resource requirements

Report the audit findings and remediation status to business stake holders

Review security procedures to determine if they need modified according to findings

Moderate investment

Passive monitoring

Integrated security controls

Dynamic deception

Conduct background checks on individuals before hiring them

Develop an Information Security Awareness program

Monitor employee browsing and surfing habits

Set your firewall permissions aggressively and monitor logs regularly.

Validate the effectiveness of current controls

Create detailed remediation funding and staffing plans

Report the audit findings and remediation status to business stake holders

Review security procedures to determine if they need modified according to findings

Network based security preventative control

Software segmentation control

Security detective control

User segmentation control

To estimate risk and negate liability to the company

To understand the attack vectors and attack sources

To communicate risk and forecast resource needs

To forecast usage and cost per software licensing

Response

Investigation

Recovery

Follow-up

Recovery Point Objective (RPO)

Disaster Recovery Plan

Recovery Time Objective (RTO)

Business Continuity Plan

Iris scan

Retinal scan

Facial recognition scan

Signature kinetics scan

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

War driving

Operating system attacks

Social engineering

Shrink wrap attack

Cold site

Hot site

Warm site

Mobile backup site

non-repudiation

conflict resolution

strong authentication

digital rights management

Time zone differences

Compliance to local hiring laws

Encryption import/export regulations

Local customer privacy laws

Provide clear communication of security requirements throughout the organization

Demonstrate executive support with written mandates for security policy adherence

Create collaborative risk management approaches within the organization

Perform increased audits of security processes and procedures

Security alignment to business goals

Regulatory compliance effectiveness

Increased security program presence

Proper organizational policy enforcement

Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements

Develop a culture in which users, managers and IT professionals all make good decisions about information risk

Provide clear communication of security program support requirements and audit schedules

Create security awareness programs that include clear definition of security program goals and charters

Scope creep

Deadline extension

Scope modification

Deliverable expansion

Vested in the success and/or failure of a project or initiative regardless of budget implications.

Vested in the success and/or failure of a project or initiative and is tied to the project budget.

That has budget authority.

That will ultimately use the system.

Customer demand

Cost and time to replace

Insurability tables

Risk of exposure

At the time the security services are being performed and the vendor needs access to the network

Once the agreement has been signed and the security vendor states that they will need access to the network

Once the vendor is on premise and before they perform security services

Prior to signing the agreement and before any security services are being performed

Overly restrictive management

Excessive personnel on project

Failure to meet project deadlines

Insufficient resources

Gaining access to an affiliated employee’s work email account as part of an officially sanctioned internal investigation

Sharing copyrighted material with other members of a professional organization where all members have legitimate access to the material

Copying documents from an employer’s server which you assert that you have an intellectual property claim to possess, but the company disputes

Storing client lists and other sensitive corporate internal documents on a removable thumb drive

System testing

Risk assessment

Incident response

Planning

it is completed on time or early as compared to the baseline project plan

it meets most of the specifications as outlined in the approved project definition

it comes in at or below the expenditures planned for in the baseline budget

the deliverables are accepted by the key stakeholders

Scheduling

Back-out procedures

Outage planning

Management approval

Vendors uses their own laptop and logins with same admin credentials your security team uses

Vendor uses a company supplied laptop and logins using two factor authentication with same admin credentials your security team uses

Vendor uses a company supplied laptop and logins using two factor authentication with their own unique credentials

Vendor uses their own laptop and logins using two factor authentication with their own unique credentials

When organizational resources are limited

When the benefits of outsourcing outweigh the inherent risks of outsourcing

On new, enterprise-wide security initiatives

On projects not forecasted in the yearly budget

Risk Management

Risk Assessment

System Testing

Vulnerability Assessment

Alignment with the business

Effective use of existing technologies

Leveraging existing implementations

Proper budget management

Information security should be informed of changes to applications only

Development team should tell the information security team about any application security flaws

Information security should be aware of any significant application security changes and work with developer to test for vulnerabilities before changes are deployed in production

Information security should be aware of all application changes and work with developers before changes are deployed in production

Upper management support

More frequent project milestone meetings

Stakeholder support

Extend work hours

The Security Systems Development Life Cycle

The Security Project And Management Methodology

Project Management System Methodology

Project Management Body of Knowledge

Define the risk appetite

Determine budget constraints

Review project charters

Collaborate security projects

Change management

Business continuity planning

Security Incident Response

Thought leadership

User awareness training for all employees

Installation of new firewalls and intrusion detection systems

Launch an internal awareness campaign

Integrate security requirements into project inception

Phishing exercises

Use immutable data storage

Blocking use of wireless networks

Application of multiple endpoint anti-malware solutions

Conduct a quantitative risk assessment

Conduct a hybrid risk assessment

Conduct a subjective risk assessment

Conduct a qualitative risk assessment

Reasonable, Actionable, Controlled, and Implemented

Responsible, Actors, Consult, and Instigate

Responsible, Accountable, Consulted, and Informed

Review, Act, Communicate, and Inform

Security controls group

Governance, risk, and compliance tools

Security Threat and vulnerability management process

Risk assessment process

The controls in place to secure the system

Name of the connected system

The results of a third-party audits and recommendations

Type of information used in the system

Executing

Controlling

Planning

Closing

Multiple certifications, strong technical capabilities and lengthy resume

Industry certifications, technical knowledge and program management skills

College degree, audit capabilities and complex project management

Multiple references, strong background check and industry certifications

Has a direct correlation with the CISO’s budget

Represents, in part, the savings generated by the proper acquisition and implementation of security controls

Represents the sum of all capital expenditures

Represents the percentage of earnings that could in part be used to finance future security controls

Inside the DMZ

In-line with the data center firewall

Beyond the outer perimeter firewall

As the gatekeeper to the organization’s honeynet

The Federal Risk and Authorization Management Program (FedRAMP)

ISO 27002

NIST Cybersecurity Framework

Payment Card Industry (PCI) Data Security Standard (DSS)

Public cloud

Private cloud

Community cloud

Hybrid cloud

Account management policy

Training policy

Acceptable Use policy

Remote Access policy

Inability to export the private certificate/key

It can double as physical identification at the DMV

It has the user’s photograph to help ID them

It can be used as a secure flash drive

Business Impact Analysis

Economic Impact analysis

Return on Investment

Cost-benefit analysis

Threat analyst, IT auditor, forensic analyst

Network engineer, help desk technician, system administrator

CIO, CFO, CSO

Financial analyst, payroll clerk, HR manager

Anti-phishing tools

Effective Security awareness program

Anti-malware tools

Effective Security Vulnerability Management Program

Patch management

Network monitoring

Ability to provide security services tailored to the business’ needs

24/7 tollfree number

Phishing Attacks

Misconfigurations

Social engineering

All of these

Development of KPI’s are most useful when done independently

They are a strictly quantitative measure of success

They should be standard throughout the organization versus domain-specific so they are more easily correlated

They are a strictly qualitative measure of success

It represents the sum of all capital expenditures

It represents the percentage of earnings that could in part be used to finance future security controls

It represents the savings generated by the proper acquisition and implementation of security controls

It has a direct correlation with the CISO’s budget

To force stakeholders to commit ample resources to support the project

To facilitate proper communication regarding outcomes

To assure stakeholders commit to the project start and end dates in writing

To finalize detailed scope of the project at project initiation

Governance and compliance

Auditing and security

Budget and risk tolerance

Threats and vulnerabilities

RAM and unallocated space

Unallocated space and RAM

Slack space and browser cache

Persistent and volatile data

Technology governance defines technology policies and standards while security governance does not.

Security governance defines technology best practices and Information Technology governance does not.

Technology Governance is focused on process risks whereas Security Governance is focused on business risk.

The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

So that they will accept ownership for security within the organization.

So that employees will follow the policy directives.

So that external bodies will recognize the organizations commitment to security.

So that they can be held legally accountable.

Due Protection

Due Care

Due Compromise

Due process

it communicates management’s commitment to protecting information resources

it is formally acknowledged by all employees and vendors

it defines a process to meet compliance requirements

it establishes a framework to protect confidential information

Organizational objectives and risk tolerance

Risk assessment criteria

IT architecture complexity

Enterprise disaster recovery plans

Providing a risk program governance structure

Ensuring developers include risk control comments in code

Creating risk assessment templates based on specific threats

Allowing for the acceptance of risk for regulatory compliance requirements

Compliance to the Payment Card Industry (PCI) regulations.

Alignment with financial reporting regulations for each country where they operate.

Alignment with International Organization for Standardization (ISO) standards.

Compliance with patient data protection regulations for each country where they operate.

Security officer

Data owner

Vulnerability engineer

System administrator

security threat and vulnerability management process

risk assessment process

risk management process

governance, risk, and compliance tools

Threat identification

Risk monitoring

Risk treatment

Risk tolerance

Ensure that security policies are read.

Encourage security-conscious employee behavior.

Meet legal and regulatory requirements.

Put employees on notice in case follow-up action for noncompliance is necessary

A high threat environment

A low risk tolerance environment

I low vulnerability environment

A high risk tolerance environment

Threat times vulnerability divided by control

Advisory plus capability plus vulnerability

Asset loss times likelihood of event

Quantitative plus qualitative impact

Risk Avoidance

Risk Acceptance

Risk Transfer

Risk Mitigation

In promiscuous mode and only detect malicious traffic.

In-line and turn on blocking mode to stop malicious traffic.

In promiscuous mode and block malicious traffic.

In-line and turn on alert mode to stop malicious traffic.

Organizational budget

Distance between physical locations

Number of employees

Complexity of organizational structure

Risk = Probability x Impact

Risk = Threat x Probability

Risk = Financial Impact x Probability

Risk = Impact x Threat

Controlled mitigation effort

Risk impact comparison

Relative likelihood of event

Comparative threat analysis

Test every three years to ensure that things work as planned

Conduct periodic tabletop exercises to refine the BC plan

Outsource the creation and execution of the BC plan to a third party vendor

Conduct a Disaster Recovery (DR) exercise every year to test the plan

Policies

Procedures

Guidelines

Standards

They are objective and can express risk / cost in real numbers

They are subjective and can be completed more quickly

They are objective and express risk / cost in approximates

They are subjective and can express risk /cost in real numbers

International Organization for Standardizations – 22301 (ISO-22301)

Information Technology Infrastructure Library (ITIL)

Payment Card Industry Data Security Standards (PCI-DSS)

International Organization for Standardizations – 27005 (ISO-27005)

Chief Information Security Officer (CISO)

Security Operations Center (SO

Disaster Recovery (DR) manager

Incident Response Team (IRT)