CS205 Midterm Subjective

Information Security (Virtual University of Pakistan)

CS205 MIDTERM IMPORTANT SUBJECTIVE

Q No. 01: What is cyber security?
Ans: Precautions taken to guard against unauthorized access to data (in electronic form) or information systems connected to the internet.
Q No. 02: How does SANS define information security?
Ans: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Q No. 03: Three pillars of information security implementation (note: this one is about implementation):
– People – Process – Technology
Q No. 04: Three pillars of information security (CIA):
– Confidentiality: keeping information secret
– Integrity: keeping information in its original form
– Availability: keeping information and information systems available for use
Q No. 05: Transformation model layers:
Ans: 1. Security hardening 2. Vulnerability management 3. Security engineering 4. Security governance
Q No. 06: Write any five steps in an information security program:
Ans: – Assessing security risks and gaps – Implementing security controls – Monitoring, measurement & analysis – Management reviews and internal audit – Accreditation/testing
Q No. 07: Who are the players in information security?
• Government • Industry & sectors • International organizations • Professional associations • Academia and research organizations • Vendors and suppliers


Q No. 08: SSH protocol versions (names):
Description: SSH supports 2 different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.
Q No. 09: What is a disaster?
– Any significant event that causes disruption of information technology processing facilities, thus affecting the operations of the business.
Q No. 10: What is disaster recovery (DR)?
– DR is an area of security that allows an organization to maintain or quickly resume mission-critical (IT) functions following a disaster.
Q No. 11: Types of security testing:
– Vulnerability assessment (VA) – Penetration testing (PT) – Other security tests through various automated tools – Code review (initiated in test environment)
Q No. 12 (Topic No. 118): What are the steps in the VM lifecycle? (Also learn the details of each step.)
1. Analyze assets – Examine assets to scan – Gather details on IP subnet – Look at potential issues with network traffic – Inform asset owners and relevant department heads
2. Prepare scanner – Set scanner parameters – Select type of scan – Look at credentials-based scan – Explore and research plug-ins – Do a test run – Coordinate with asset owner
3. Run vulnerability scan – Run the automated scan – Monitor network performance degradation issues – Generate report
4. Assess results – Evaluate results – Prioritize according to the risk level – Collate results for asset owners – Communicate the results and remediation timelines
5. Patch systems – Research vulnerabilities – Evaluate fixes and remediation method – Test the patches and fixes – Apply patches/fixes – Monitor results
6. Verify (re-scan) – Re-scan to confirm that the vulnerability scanner gives a positive report – Collate results of vulnerability scan – Report findings


Q No. 13: What are some of the common vulnerability scanners?
– OpenVAS – Nessus – Qualys – Rapid7
Q No. 14: Free tools offered by Qualys (IMP):
– Browser check – SSL
Q No. 15: Qualys Free Scan:
1. Vulnerability 2. OWASP 3. Patch Tuesday 4. SCAP
Q No. 16: Which team has primary ownership?
Ans: Information security team
Q No. 17: Which team tests the patches in the environment?
Ans: IT ops team
Q No. 18: Information security governance blocks:
Initial: – Policy – Responsibility – Resources and priority – Periodic review
Intermediate: – Change management – SOPs – Awareness – Monitoring
Mature: – Risk management – Internal audit – Incident management
Q No. 19: Information security governance blocks: arrange them. (A table like this will be given and you will have to arrange it. Memorize the names of the initial, intermediate and mature blocks; memorize all of them.)
Q No. 20: Which kind of vulnerability scanner is used for code-based vulnerabilities and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration project)?
Ans: Use a SCAP-validated vulnerability scanner.


Q No. 21: This question comes up: the responsibility is not given, so you have to match each activity with its detail yourself.
Q No. 22: What type of assets do not have a CIS/DISA STIG?
Ans: – Software applications (ASP.NET, PHP, other) – Other applications such as Asterisk deployments
Q No. 23: Typical security tools used in an enterprise:
– Enterprise antivirus – MS Active Directory (AD) – Vulnerability manager – Log management – Network & performance monitoring – Automated backups
Q No. 24 (Topic No. 25): Major components of an enterprise IT network:
• Edge router • NGN FW • DMZ • IPS & N-DLP • Distribution switch • Data center switch & FW • Access switch • NAC


Q No. 25: Types of activities for security engineering:
• FW granular access lists • Building an effective DMZ architecture • Segregating the network with VLANs • Adding a security tool such as SIEM, FW, DLP, NAC, etc. • App-DB encryption
Q No. 26: Comparison of CIS vs DISA
Q No. 27: CIS benchmark content (profile applicability, etc.):
– Profile applicability (ASA 8.X, ASA 9.X) – Description – Rationale – Audit – Remediation – Default value – References
Q No. 28: DISA STIG component/content names:
STIG content: – General information (title) – Discussion – Check content – Fix text – CCI (references)
Q No. 29: Steps in security engineering (repeated):
– Assess risk profile – Research security solutions – Design security architecture – Implement security controls & solutions – Test and validate security posture
Q No. 30: Security transformation project:
• Security transformation project timeline: – Project initiation: 2 months – Layer 1: security hardening of IT assets (6 months) – Layer 2: VM (1 month) – Layer 3: security engineering (1 month) – Layer 4: governance & ISO certification (3 months)


CCI = Control Correlation Identifier (for MCQs only: what does CCI stand for?)
Q No. 31: OWASP Software Assurance Maturity Model (SAMM) governance phase:
– Strategy & Metrics – Education & Guidance – Policy & Compliance
OWASP Software Assurance Maturity Model (SAMM) construction phase:
– Security Requirements – Threat Assessment – Secure Architecture
Q No. 35: Bangladesh Bank SWIFT hack – Feb 2016:
Hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests.
– Requests were sent to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.
– USD 81 million stolen
– Total impact could have been USD 1 billion
– Recovered: 19 million; not claimed: 81 million


Q No. 36 (Topic No. 198): How to build effective information security governance? (Imp, repeated)
• Key success factors (see also the minor details of all these 06 points): – Leadership – Strategy – Structure – Reporting – Project management – Culture
Q No. 37: Who implements the security controls?
– Under the Security Transformation Model, security controls are implemented by the IT teams.
Q No. 38: Who conducts security validation?
– Security controls are validated by the Information Security team or by a third-party consultant, following the principle of segregation of duty.
Q No. 39: Why do we need to validate security controls?
– To check the completeness of the controls
– To check the correctness of the controls
– As an overall assurance
Q No. 40 (Topic No. 254): Cyber security maturity matrix
Levels: I. Foundation, II. Fundamentals, III. Hardened, IV. Protected, V. Monitored, VI. Secured
I. Foundation: – Edge FW with filtering – Active Directory (WS/S)


– Licensed enterprise AV (WS/S) – Licensed Windows OS (WS/S) or open source
Q No. 41: Remote exploit:
– A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system.
• Local exploit:
– A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator.
Q No. 42: Ensure use of only fully supported browsers & email clients:
Ensure that only fully supported web browsers & email clients are allowed to execute in the organization, ideally only using the latest version of the browsers & email clients provided by the vendor.
Q No. 43: A table was given and had to be arranged.
Q No. 44: Mention the names of the frameworks against which the Nessus scanner provides its configuration auditing feature.
Answer: – Configuration auditing: CERT, CIS, COBIT/ITIL, DISA STIGs, FDCC, ISO, NIST, NSA


Q No. 45: Identify two security functions that asset management helps with:
Answer: – Patch management – Enterprise tracking and reporting

– Frequency of backup? – Backup operator? – Backup checker (verification)? – Backup test & security methods? – Technology & tools used for backup?
Q No. 48: The CAT 1, 2 or 3 details will be given jumbled and you will have to arrange them.


Q No. 49: Write the names of common SIEM solutions for security event detection.
A. LogRhythm
B. IBM QRadar
C. Splunk


Security hardening is the process of configuring IT assets to maximize the security of the IT asset and minimize security risks.
Education: – Integrates all of the skills and competencies into a common body of knowledge – E.g. a degree program
• Don'ts: – Share your password – Click on suspicious email links – Install unlicensed software on your PC
• Do's: – Log out when getting up from your system – Report security incidents
