712-50 EC-Council Certified CISO (CCISO) Questions and Answers

Execute

Read

Administrator

Public

3DES

MD5

ECC

RSA

Comprehensive Log-Files from all servers and network devices affected during the attack

Fully trained network forensic experts to analyze all data right after the attack

Uninterrupted Chain of Custody

Expert forensics witness

Trusted and untrusted networks

Type of authentication

Storage encryption

Log retention

Cold site

Hot site

Warm site

Mobile backup site

Containment

Recovery

Identification

Eradication

Well established and defined digital forensics process

Establishing Enterprise-owned Botnets for preemptive attacks

Be able to retaliate under the framework of Active Defense

Collaboration with law enforcement

Enterprise Risk Assessment

Disaster recovery strategic plan

Business continuity plan

Application mapping document

Wireless Application Protocol (WAP)

Wifi Protected Access version 2 (WPA2)

Wireless Equivalence Protocol (WEP)

Extensible Authentication Protocol (EAP)

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

non-repudiation

conflict resolution

strong authentication

digital rights management

Unable to control physical access to the servers

Unable to track log on activity

Unable to run anti-virus scans

Unable to patch systems as needed

If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.

If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.

If the findings impact regulatory compliance, remediate the high findings as quickly as possible.

If the findings do not impact regulatory compliance, review current security controls.

Perform a vulnerability scan of the network

External penetration testing by a qualified third party

Internal Firewall ruleset reviews

Implement network intrusion prevention systems

ISO 27001

PRINCE2

ISO 27004

ITILv3

Plan-Check-Do-Act

Plan-Do-Check-Act

Plan-Select-Implement-Evaluate

SCORE (Security Consensus Operational Readiness Evaluation)

Procedural control

Management control

Technical control

Administrative control

Risk metrics

Management metrics

Operational metrics

Compliance metrics

Single Loss Expectancy (SLE)

Exposure Factor (EF)

Annualized Rate of Occurrence (ARO)

Temporal Probability (TP)

Determine the annual loss expectancy (ALE)

Create a crisis management plan

Create technology recovery plans

Build a secondary hot site

Document the process for the stakeholders

Monitor the effectiveness of the controls

Update the audit findings report

Perform a risk assessment

Lack of notification to the public of disclosure of confidential information.

Lack of periodic examination of access rights

Failure to notify police of an attempted intrusion

Lack of reporting of a successful denial of service attack on the network.

The IT team is not familiar in IT audit practices

This represents a bad implementation of the Least Privilege principle

This represents a conflict of interest

The IT team is not certified to perform audits

At the end of the day once the employee is off site

During the monthly review cycle

Immediately so the employee account(s) can be disabled

Before an audit

Residual Risk

Total Risk

Post implementation risk

Transferred risk

It allows executives to more effectively monitor IT implementation costs

Implementation of it eases an organization’s auditing and compliance burden

Information Security (IS) procedures often require augmentation with other standards

It provides for a consistent and repeatable staffing model for technology organizations

Application logs

File integrity monitoring

SNMP traps

Syslog

An Information Security audit standard

An audit guideline for certifying secure systems and controls

A framework for Information Technology management and governance

A set of international regulations for Information Technology governance

Management Control

Technical Control

Training Control

Operational Control

Meet regulatory compliance requirements

Better understand the threats and vulnerabilities affecting the environment

Better understand strengths and weaknesses of the program

Meet legal requirements

Threat Level, Risk of Compromise, and Consequences of Compromise

Risk Avoidance, Threat Level, and Consequences of Compromise

Risk Transfer, Reputational Impact, and Consequences of Compromise

Reputational Impact, Financial Impact, and Risk of Compromise

Install software patch, Operate system, Maintain system

Discover software, Remove affected software, Apply software patch

Install software patch, configuration adjustment, Software Removal

Software removal, install software patch, maintain system

Systems logs

Hardware error reports

Utilization reports

Availability reports

Procedural control

Organization control

Technical control

Management control

Validate that security awareness program content includes information about the potential vulnerability

Conduct a thorough risk assessment against the current implementation to determine system functions

Determine program ownership to implement compensating controls

Send a report to executive peers and business unit owners detailing your suspicions

Rights collision

Excessive privileges

Privilege creep

Least privileges

NIST and Privacy Regulations

ISO 27000 and Payment Card Industry Data Security Standards

NIST and data breach notification laws

ISO 27000 and Human resources best practices

ITIL

Privacy Act

Sarbanes Oxley

PCI-DSS

They need to use Nessus.

They can implement Wireshark.

Snort is the best tool for their situation.

They could use Tripwire.

Peers

End Users

Executive Management

All of the above

Audits

Administration

Patching

Templates

Hire a GRC expert

Use the Find function of your word processor

Design your program to meet the strictest government standards

Develop a crosswalk

Operating expense cannot be written off while Capital expense can

Operating expenses can be depreciated over time and Capital expenses cannot

Capital expenses cannot include salaries and Operating expenses can

Capital expenditures allow for the cost to be depreciated over time and Operating does not

Easiest regulation or standard to implement

Stricter regulation or standard

Most complex standard to implement

Recommendations of your Legal Staff

Management

Operational

Technical

Administrative

Network based security preventative control

Software segmentation control

Security detective control

User segmentation control

Maintain a log of discovered risks

Track individual risk assessments

Develop plans for mitigating identified risks

Coordinate the timing of scheduled risk assessments

Poorly configured firewalls

Malware

Advanced Persistent Threat (APT)

An insider

To assure that the portfolio is aligned to the needs of the broader organization

To create executive support of the portfolio

To discover new technologies and processes for implementation within the portfolio

To provide independent 3rd party reviews of security effectiveness

To make sure they are added on after the process is completed

To make sure the costs of security is included and understood

To make sure the security process aligns with the vendor’s security process

To make sure the patching process is included with the costs

Review time schedules

Verify budget

Verify resources

Verify constraints

Centralized log management

Encrypted log files in transit

Each node set to local time

Log aggregation agent each node

Software and hardware license fees

Utilities and power costs

Network connectivity costs

New datacenter to operate from

The portfolio is used to manage and track individual projects

The portfolio is used to manage incidents and events

A portfolio typically consists of several programs

A portfolio delivers one specific service or program to the business

Security frameworks

Security policies

Security awareness

Security controls

Cite compliance with laws, statutes, and regulations – explaining the financial implications for the company for non-compliance

Understand the business and focus your efforts on enabling operations securely

Draw from your experience and recount stories of how other companies have been compromised

Cite corporate policy and insist on compliance with audit findings

Get approval from the board of directors

Screen potential vendor solutions

Verify that the cost of mitigation is less than the risk

Create a risk metrics for all unmitigated risks

Contract a third party to perform a security risk assessment

Define formal roles and responsibilities for Internal audit functions

Define formal roles and responsibilities for Information Security

Create an executive security steering committee

Configure logging on each access point

Install a firewall software on each wireless access point.

Provide IP and MAC address

Disable SSID Broadcast and enable MAC address filtering on all wireless access points.

War driving

Operating system attacks

Social engineering

Shrink wrap attack

Physical, Technical, Operational

Technical, Strong Password, Operational

Operational, Biometric, Physical

Strong password, Biometric, Common Access Card

The IT support team.

A forensic analysis.

Incident response

Physical security team.

In-line hardware keyloggers don’t require physical access

In-line hardware keyloggers don’t comply to industry regulations

In-line hardware keyloggers are undetectable by software

In-line hardware keyloggers are relatively inexpensive

‘ o 1=1 - -

/../../../../

“DROPTABLE USERNAME”

NOPS

4, 2, 5, 3, 1

2, 5, 3, 1, 4

4, 5, 2, 3, 1

4, 3, 5, 2, 1

Quarterly

Semi-annually

Annually

Bi-annually

Lack of asset management processes

Lack of change management processes

Lack of hardening standards

Lack of proper access controls

Work with the IT group and tell them to put IPS in-line and say it won’t cause any network impact

Explain to the IT group that the IPS won’t cause any network impact because it will fail open

Explain to the IT group that this is a business need and the IPS will fail open however, if there is a network failure the CISO will accept responsibility

Explain to the IT group that the IPS will fail open once in-line however it will be deployed in monitor mode for a set period of time to ensure that it doesn’t block any legitimate traffic

Upper management support

More frequent project milestone meetings

More training of staff members

Involve internal audit

Network based intrusion detection systems

A security training program for developers

A risk management process

A audit management process

When organizational resources are limited

When the benefits of outsourcing outweigh the inherent risks of outsourcing

On new, enterprise-wide security initiatives

On projects not forecasted in the yearly budget

Download open source security tools and deploy them on your production network

Download trial versions of commercially available security tools and deploy on your production network

Download open source security tools from a trusted site, test, and then deploy on production network

Download security tools from a trusted source and deploy to production network

it is completed on time or early as compared to the baseline project plan

it meets most of the specifications as outlined in the approved project definition

it comes in at or below the expenditures planned for in the baseline budget

the deliverables are accepted by the key stakeholders

Scope creep

Deadline extension

Scope modification

Deliverable expansion

Security administrators

Security mangers

Security technicians

Security analysts

Distance learning/Web seminars

Formal Class

One-One Training

Self –Study (noncomputerized)

Quarterly

Semi-annually

Bi-annually

Annually

Time zone differences

Compliance to local hiring laws

Encryption import/export regulations

Local customer privacy laws

Board of directors

Third party vendors

CISO

Help Desk

Create a comprehensive security awareness program and provide success metrics to business units

Create security consortiums, such as strategic security planning groups, that include business unit participation

Ensure security implementations include business unit testing and functional validation prior to production rollout

Ensure the organization has strong executive-level security representation through clear sponsorship or the creation of a CISO role

Terms and Conditions

Service Level Agreements (SLA)

Statement of Work

Key Performance Indicators (KPI)

Security budget augmentation

Process improvements

Real-time to remediate

Security control selection

Develop a detailed internal organization chart

Develop a telephone call tree for emergency response

Develop an isolinear response matrix with cost benefit analysis projections

Develop a Responsible, Accountable, Consulted, Informed (RACI) chart

Tell the team to do their best and respond to each alert

Tune the sensors to help reduce false positives so the team can react better

Request additional resources to handle the workload

Tell the team to only respond to the critical and high alerts

Grant her access, the employee has been adequately warned through the AUP.

Assist her with the request, but only after her supervisor signs off on the action.

Reset the employee’s password and give it to the supervisor.

Deny the request citing national privacy laws.

When the application is retired.

When the application turned over to production.

When the application reaches the maintenance phase.

After one year.

Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data

Create separate controls for the business units based on the types of business and functions they perform

Ensure business units are involved in the creation of controls and defining conditions under which they must be applied

Provide the business units with control mandates and schedules of audits for compliance validation

Vendor’s client list of reputable organizations currently using their solution

Vendor provided attestation of the detailed security controls from a reputable accounting firm

Vendor provided reference from an existing reputable client detailing their implementation

Vendor provided internal risk assessment and security control documentation

Staff

Scope

Schedule

Scan tools

Validate the business units’ suggestions as to what should be included in the scoping process

Work with a Qualified Security Assessor (QSA) to determine the scope of the PCI environment

Ensure internal scope validation is completed and that an assessment has been done to discover all credit card data

Complete the self-assessment questionnaire and work with an Approved Scanning Vendor (ASV) to determine scope

In promiscuous mode and only detect malicious traffic.

In-line and turn on blocking mode to stop malicious traffic.

In promiscuous mode and block malicious traffic.

In-line and turn on alert mode to stop malicious traffic.

Policies

Procedures

Guidelines

Standards

favorable audit findings

following the recommendations of consultants and contractors

development of relationships with organization executives

raising awareness of security issues with end users

Need to comply with breach disclosure laws

Need to transfer the risk associated with hosting PII data

Need to better understand the risk associated with using PII data

Fiduciary responsibility to safeguard credit card information

Audit and Legal

Budget and Compliance

Human Resources and Budget

Legal and Human Resources

Chief Information Security Officer (CISO)

Security Operations Center (SO

Disaster Recovery (DR) manager

Incident Response Team (IRT)

Approval from the board of directors

Cost of the mitigation is less than the risk

Metrics of mitigation method success

Mitigation method complies with PCI regulations

Protect all information resource assets equally

Establish active firewall monitoring protocols

Purchase insurance for your compliance liability

Focus your security efforts on high value assets

Persistent risk

Residual risk

Accepted risk

Non-tolerated risk

Asset value times exposure factor

Annual rate of occurrence

Annual loss expectancy minus current cost of controls

Percentage of loss experienced due to a realized threat event

Subscribe to vendor mailing list to get notification of system vulnerabilities

Deploy Intrusion Detection System (IDS) and install anti-virus on systems

Configure firewall, perimeter router and Intrusion Prevention System (IPS)

Conduct security testing, vulnerability scanning, and penetration testing

How vulnerabilities can potentially be exploited in systems that impact the organization

How the security operations team will behave to reported incidents

How the firewall and other security devices are configured to prevent attacks

How the incident management team prepares to handle an attack

Technology governance defines technology policies and standards while security governance does not.

Security governance defines technology best practices and Information Technology governance does not.

Technology Governance is focused on process risks whereas Security Governance is focused on business risk.

The effective implementation of security controls can be viewed as an inhibitor to rapid Information Technology implementations.

establish budgetary input in order to meet compliance requirements

establish acceptable systems and user behavior

define security configurations for systems

define relationships with external law enforcement agencies

Test every three years to ensure that things work as planned

Conduct periodic tabletop exercises to refine the BC plan

Outsource the creation and execution of the BC plan to a third party vendor

Conduct a Disaster Recovery (DR) exercise every year to test the plan

Strong authentication technologies

Financial reporting regulations

Credit card compliance and regulations

Local privacy laws

Controlled mitigation effort

Risk impact comparison

Relative likelihood of event

Comparative threat analysis

Organizational objectives and risk tolerance

Risk assessment criteria

IT architecture complexity

Enterprise disaster recovery plans

Escalation

Recovery

Eradication

Containment

Compliance to the Payment Card Industry (PCI) regulations.

Alignment with financial reporting regulations for each country where they operate.

Alignment with International Organization for Standardization (ISO) standards.

Compliance with patient data protection regulations for each country where they operate.

Organizational budget

Distance between physical locations

Number of employees

Complexity of organizational structure

RAM and unallocated space

Unallocated space and RAM

Slack space and browser cache

Persistent and volatile data

Phishing Attacks

Misconfigurations

Social engineering

All of these

Time, quality, and scope

Cost, quality, and time

Scope, time, and cost

Quality, scope, and cost

Real-time off-site replication

Daily incremental backup

Daily full backup

Daily differential backup

CISO

Data owner

Chief Information Officer (CIO)

Security system administrator

Multiple certifications, strong technical capabilities and lengthy resume

Industry certifications, technical knowledge and program management skills

College degree, audit capabilities and complex project management

Multiple references, strong background check and industry certifications

This makes sure the files you exchange aren’t unnecessarily flagged by the Data Loss Prevention (DLP) system

Contracting rules typically require you to have conversations with two or more groups

Discussing decisions with a very large group of people always provides a better outcome

It helps to avoid regulatory or internal compliance issues

Virtual

Dedicated

Fusion

Command

Anti-phishing tools

Effective Security awareness program

Anti-malware tools

Effective Security Vulnerability Management Program

Reasonable, Actionable, Controlled, and Implemented

Responsible, Actors, Consult, and Instigate

Responsible, Accountable, Consulted, and Informed

Review, Act, Communicate, and Inform

The project is over budget

The project budget has reserves

The project cost is in alignment with the budget

The project is under budget

Number of times third parties access critical information systems

Number of systems with known vulnerabilities

Number of users with elevated privileges

Number of websites with weak or misconfigured certificates

It represents the sum of all capital expenditures

It represents the percentage of earnings that could in part be used to finance future security controls

It represents the savings generated by the proper acquisition and implementation of security controls

It has a direct correlation with the CISO’s budget

IT Management

Internal Audit

IT Security

BOD Audit Committee

User awareness and training

Host based Intrusion Detection System (IPS)

Acceptable use guide signed by all system users

Antispam solution

Governance and compliance

Auditing and security

Budget and risk tolerance

Threats and vulnerabilities

Oversees the organization’s day-to-day operations, creating the policies and strategies that govern operations

Enlisting support from key executives the information security program budget and policies

Charged with developing and implementing policies designed to protect employees and customers’ data from unauthorized access

Responsible for the success or failure of the IT organization and setting strategic direction

A section of a contract that defines tasks to be performed under said contract

An outline of what the military will do during war

A document that outlines specific desired outcomes as part of a request for proposal

Business guidance provided by the CEO

Phishing Attacks

Misconfigurations

All of these

Social engineering

Improve discovery of valid detected events

Enhance tuning of automated tools to detect and prevent attacks

Replace existing threat detection strategies

Validate patterns of behavior related to an attack

To force stakeholders to commit ample resources to support the project

To facilitate proper communication regarding outcomes

To assure stakeholders commit to the project start and end dates in writing

To finalize detailed scope of the project at project initiation

Recovery Point Objective (RPO)

Mean Time to Delivery (MTD)

Recovery Time Objective (RTO)

Maximum Tolerable Downtime (MTD)

Executing

Controlling

Planning

Closing