CYBR 3100 Test 1


What are the 3 stages that the CPMT (contingency planning management team) conducts the BIA (business impact analysis) in?

1. Identify recovery priorities for system resources 2. Determine mission/business processes & recovery criticality 3. Identify resource requirements

When BS 7799 first came out, several countries, including the United States, Germany, & Japan, refused to adopt it, claiming that it had fundamental problems. What were these problems?

1. The standard lacked the measurement precision associated with a technical standard. 2. It was not as complete as other frameworks. 3. The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls. 4. The global information security community had not defined any jurisdiction for a code of practice identified in ISO/IEC 17799. 5. There was no reason to believe that ISO/IEC 17799 was more useful than any other approach.

What are the goals of information security governance?

1. Strategic alignment of info security with business strategy to support organizational objectives. 2. Risk management by executing appropriate measures to manage & mitigate threats to information resources. 3. Resource management by using info security knowledge & infrastructure efficiently & effectively. 4. Performance measurement by measuring, monitoring, & reporting info security governance metrics to ensure that organizational objectives are achieved. 5. Value delivery by optimizing info security investments in support of organizational objectives.

An industry recommendation for password structure and strength that specifies that a password should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.

10.4 password rule

A famous study entitled "Protection Analysis: Final Report" was published in ____.

1978

False

A best practice proposed for a small to medium business will be similar to one used to help design control strategies for a large multinational company. Select one: True False

False

A champion is a project manager, who may be a departmental line manager or staff unit manager, and understands project management, personnel management, and information security technical requirements.

Subject

A computer is the ____ of an attack when it is used to conduct the attack.

Object

A computer is the ____________________ of an attack when it is the target entity.

False

A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it. Select one: True False

Procedures

A frequently overlooked component of an IS, ____________________ are written instructions for accomplishing a specific task.

False

A hard drive feature known as "hot swap" is a RAID implementation in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails. (T/F)

False

A managerial guidance SysSP is created by IT experts in a company to guide management in the implementation and configuration of technology. (T/F)

Dissemination, Review, Comprehension, Compliance, Enforcement

A policy needs what to be effective?

False

A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it. Select one: True False

c. data classification scheme

A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. Select one: a. security clearance scheme b. risk management scheme c. data classification scheme d. data recovery scheme

d. FCO

A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. Select one: a. IP b. CTO c. HTTP d. FCO

Enterprise

A(n) ____________________ information security policy outlines the implementation of a security program within the organization.

Methodology

A(n) ____________________ is a formal approach to solving a problem by means of a structured sequence of procedures.

False

A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _________________________ Select one: True False

True

A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas.

True

A(n) qualitative assessment is based on characteristics that do not use numerical measures. _________________________ Select one: True False

false

ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. (T/F)

A subject's ability to use, manipulate, modify, or affect another subject or object

Access

A specification of an organization's information asset, the users who may access and use it, and their rights and privileges for using the asset.

Access Control List (ACL)

support the mission of the organization, require comprehensive and integrated approach, and be cost-effective

According to NIST SP 800-14's security principles, security should ________.

False

According to Sun Tzu, if you know yourself and know your enemy you have an average chance to be successful in an engagement. Select one: True False

An attribute of information that describes how data is free of errors and has the value that the user expects

Accuracy

Malware intended to provide desired marketing and advertising, including popups and banners on a user's screen

Adware

An __________ is a document containing contact information for the people to be notified in the event of an incident.

Alert roster

after-action review

An _________ is a detailed examination of the events that occurred from first detection to final recovery

incident

An _________ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization

framework

An information security __________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training

Hardware, Software, Data

An information system is the entire set of ____, people, procedures, and networks that make possible the use of information resources in the organization.

In cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy

Annualized Loss Expectancy (ALE)

In cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis

Annualized Rate of Occurrence (ARO)

False

Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction.

____ is the predecessor to the Internet.

Arpanet

The organizational resource being protected

Asset

World's first educational and scientific computing society

Association of Computing Machinery (ACM)

Intentional or unintentional act that can damage or otherwise compromise information and systems that support it

Attack

The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.

Avoidance of competitive disadvantage

A __________ plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.

BC (business continuity)

True

Baselining is the comparison of past security activities and events against the organization's current performance. Select one: True False

True

Benchmarking is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate._________________________ Select one: True False

True

Best business practices are often called recommended practices. Select one: True False

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.

Blueprint

also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.

Boot Virus

A long-term decrease in electrical power availability.

Brownout

A service __________ is an agency that provides a service for a fee.

Bureau

A plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible

Business Continuity Plan

An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities.

Business Impact Analysis (BIA)

The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

C.I.A Triad

An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.

Chief Information Officer (CIO)

Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

Chief Information Security Officer (CISO)

During the ____________________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers.

Cold

A(n) _________________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

Community of Interest

a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

Community of Interest

The history of information security begins with the history of ____________________ security.

Computer

cornerstone of many computer-related federal laws and enforcement efforts

Computer Fraud and Abuse Act of 1986

Purpose of commercial advantage, private financial gain, furtherance of a criminal act

Computer fraud is punishable if it falls into what categories?

The UK law that makes it illegal to hack into a person's computer and to disrupt deliberately someone else's computer.

Computer Misuse Act 1990

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Computer Security Act of 1987

In an organization, the value of ____________________ of information is especially high when it involves personal information about employees, customers, or patients.

Confidentiality

An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems

Confidentiality

True

Confidentiality ensures that only those with the rights and privileges to access information are able to do so.

The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.

Configuration rules

security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization

Control, safeguard, or countermeasure

Executive management's responsibility to provide strategic direction, ensure accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use

Corporate Governance

False

Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended. Select one: True False

False

Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _________________________ Select one: True False

In 2014, NIST published a new Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of __________, based on vendor-neutral technologies.

Critical infrastructure services

A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.

Cross-Site Scripting (XSS)

A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

Cyberactivist/Hacktivist

Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.

Cyberwarfare

Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, & availability of information & information assets during or just following an incident.

Damage assessment

items of fact collected by an organization

Data

Which of the following is a valid type of data ownership?

Data Users, Data Owners and Data Custodians

A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.

Database Security

A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.

Database Shadowing

__________ is an improvement to the process of remote journaling, in which databases are backed up almost in real-time to multiple servers at local & remote sites.

Database shadowing

No particular standards, they are established as a matter of practice

De facto standards

Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.

De jure

Certified standards that actually have weight to them

De jure standards

A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Defense in Depth

__________ is a strategy for the protection of information assets that uses multiple layers & different types of controls (managerial, operational, & technical) to provide optimal protection.

Defense in depth

Created in 2003 from the Homeland Security Act of 2002

Department of Homeland Security

One of the basic tenets of security architectures is the layered implementation of security, which is called defense in __________.

Depth

Integrating the need for the development team to provide iterative and rapid improvements to systems functionality and the need for the operations team to improve security and minimize the disruption from software releases

DevOps

A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.

Dictionary password attack

The American contribution to an effort to improve copyright protection internationally

Digital Millennium Copyright Act (DMCA)

A(n) ____ attack is a hacker using a personal computer to break into a system.

Direct

A hacker using a PC to break into a system

Direct Attack

False

Direct attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate internet locations. Also known as DNS spoofing

Domain Name System (DNS) cache poisoning

Within security perimeters the organization can establish security __________, each with differing levels of security, between which traffic must be screened.

Domains

Physical Design

During the ____ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.

The __________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. Sets out requirements that must be met by the information security blueprint or framework. Shapes the philosophy of security in the environment. AKA general security policy. pg 163-164

EISP (enterprise information security policy)

False

Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, known as a threat prioritization. _________________________ Select one: True False

prevents trade secrets from being illegally shared

Economic Espionage Act (1996)

Keep the design as simple and small as possible

Economy of mechanism

A collection of statutes that regulates the interception of wire, electronic, and oral communications

Electronic Communications Privacy Act of 1986

A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.

Electronic Vaulting

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called __________.

Electronic vaulting

Another name for static electricity, which can damage chips and destroy motherboards, even though it might not be felt or seen with the naked eye. Difference of electric potential (Voltage) between two conductors.

Electrostatic Discharge (ESD)

Those whom the new system will most directly affect.

End users

True

Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. _________________________ Select one: True False

The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment

Ethics

An __________ is any occurrence within the organization's operational environment.

Event

False

Every member of the organization's InfoSec department must have a formal degree or certification in information security. (T/F)

__________ is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator.

Evidence

True

Exposure factor is the expected percentage of loss that would occur from a particular attack. _________________________ Select one: True False

Base access decisions on permission rather than exclusion

Fail-safe defaults

True

Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program. (T/F)

A breach of possession always results in a breach of confidentiality.

False

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, & the company is liable for the employee's actions.

False

An e-mail virus involves sending an e-mail message with a modified field.

False

Every member of the organization's InfoSec department must have a formal degree or certification in information security.

False

Hardware is often the most valuable asset possessed by an organization and it is the main target of intentional attacks.

False

Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects.

False

Key end users should be assigned to a developmental team, known as the united application development team.

False

MULTICS stands for Multiple Information and Computing Service.

False

Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization.

False

The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC).

False

ACLs are more specific to the operation of a system than rule-based policies & they may or may not deal with users directly.

False, ACLs regulate: *Who* can use the system *What* authorized users can access *When* authorized users can access the system *Where* authorized users can access the system

A cold site provides many of the same services & options of a hot site, but at a lower cost.

False, cold sites provide only rudimentary services & facilities

Primary branch of US law enforcement. One of the primary missions is to investigate cyber crime

Federal Bureau of Investigation (FBI)

Mandates that all federal agencies protect their information assets

Federal Information Security Management Act (FISMA)

Regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission

Federal Privacy Act of 1974

b. Unclassified

Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification. Select one: a. Confidential b. Unclassified c. Sensitive d. Public

contains many provisions that focus on facilitating affiliation among banks, securities firms, and insurance companies

Financial Services Modernization Act of 1999 Gramm-Leach Bliley Act

Redundancy can be implemented at a number of points throughout the security architecture, such as in __________.

Firewalls, proxy servers, and access controls

A security __________ is an outline of the overall information security strategy for the organization & a road map for planned changes to the information security environment of the organization.

Framework

allows any person to request access to federal agency records or information not determined to be a matter of national security.

Freedom of Information Act (FOIA)

Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved and risks are properly managed.

Governance

protects the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange

Health Insurance Portability and Accountability Act (HIPAA) Kennedy-Kassebaum Act

An alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure.

Hierarchical roster

professional association that focuses on auditing, control, and security

ISACA

Nonprofit society of more than 10,000 information security professionals in over 100 countries

ISSA

__________, commonly referred to as fair & responsible use policies, are used to control constituents' use of a particular resource, asset, or activity. pg 164

ISSPs (issue-specific security policies)

In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework that intends to allow organizations to __________.

Identify & prioritize opportunities for improvement within the context of a continuous & repeatable process

False

Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. Select one: True False

True

If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general. Select one: True False

Components are ordered, received, and tested

Implementation

False

In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset's value and the annualized loss expectancy. Select one: True False

b. weighted factor analysis

In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores. Select one: a. data classification scheme b. weighted factor analysis c. risk management program d. threat assessment

True

In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization. Select one: True False

Hash

In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ____ value.

False

In general, protection is "the quality or state of being secure—to be free from danger."

False

In information security, benchmarking is the comparison of past security activities and events against the organization's current performance. _________________________ Select one: True False

True

In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or useable.

a plan that shows the organization's intended efforts in the event of an incident

Incident Response Plan

Response

Incident ____________________ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.

The rapid determination of how seriously a breach of confidentiality, integrity, and availability affected information and information assets during an incident or just following one.

Incident damage assessment

A hacker compromising a system and using it to attack other systems (i.e., botnet)

Indirect Attack

The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information.

Information Extortion

The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.

Information System

Integrity

Information has ____________________ when it is whole, complete, and uncorrupted.

False

Information security can be an absolute.

Protecting the organization's ability to function, protecting the data and information the organization collects and uses, whether physical or electronic, Enabling the safe operation of applications running on the organization's IT systems, safeguarding the organization's technological assets

Information security important functions

The creation, ownership, and control of original ideas as well as the representation of those ideas.

Intellectual property (IP)

A hacker attempting to break into an IS system

Intentional Attack

nonprofit organization that focuses on the development and implementation of information security certifications and credentials

International Information Systems Security Certification Consortium

A structured process in which users, managers, and analysts work together for several days in a series of intensive meetings to specify or review system requirements.

Joint Application Design (JAD)

power to make legal decisions

Jurisdiction

False

Know yourself means identifying, examining, and understanding the threats facing the organization. Select one: True False

Providing only the minimum amount of privileges necessary to perform a job or function.

Least Privilege

Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.

Least common mechanism

True

Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _________________________ Select one: True False

The ability of a legal entity to exercise influence beyond its normal range

Long Arm Jurisdiction

A single instance of an information asset suffering damage or destruction

Loss

False

Loss event frequency is the combination of an asset's value and the percentage of it that might be lost in an attack. _________________________ Select one: True False

____ was the first operating system to integrate security as its core functions.

MULTICS

Backdoor used by programmers to debug and test programs.

Maintenance hook

A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.

Man-in-the-middle

A managerial guidance SysSP document is created by __________ to guide the implementation & configuration of technology.

Management

The stated purpose of ISO/IEC 27002 is to "offer guidelines & voluntary directions for information security __________."

Management

b. All of the above

Management of classified data includes its storage and _________. Select one: a. portability b. All of the above c. distribution d. destruction

__________ controls are info security safeguards that focus on administrative planning, organizing, leading, & controlling. They're designed by strategic planners & implemented by the security administration of the organization. Includes governance & risk management.

Managerial

A systems-specific security policy that expresses management's intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.

Managerial guidance SysSP

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.

Maximum Tolerable Downtime (MTD)

A graphical representation of the architectural approach widely used in computer and information security.

McCumber Cube

The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.

Mean Time to Repair (MTTR)

The average amount of time until the next hardware failure.

Mean time to failure (MTTF)

____ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.

NSTISSI No. 4011

The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area ____________________.

Network

False

Network security focuses on the protection of the details of a particular operation or series of activities.

False

One advantage to benchmarking is that best practices change very little over time. Select one: True False

True

One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _________________________ Select one: True False

the design of a security mechanism should be open rather than secret

Open Design

__________ controls address personnel security, physical security, and the protection of production inputs and outputs. They also guide the development of education, training, and awareness programs for users, administrators, and management.

Operational

True

Operational feasibility is also known as behavioral feasibility. _________________________ Select one: True False

hacker tools

Organizations generally have policies against installation of _____________ without written permission from the CISO.

Incident Response

Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what steps are taken when an attack occurs.

An attempt to learn or make use of information from the system that does not affect system resources

Passive Attack

Standards of performance to which participating organizations must comply. Applies to organizations that process payment cards, such as credit cards, debit cards, ATM cards, stored-value cards, gift cards, and other items.

Payment Card Industry Data Security Standard (PCI DSS)

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.

People

A set of information that could uniquely identify an individual

Personally Identifiable Information (PII)

The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information

Pharming

the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Phishing

A hacker who manipulates the public telephone system to make free calls or disrupt services.

Phreaker

During the early years, information security was a straightforward process composed predominantly of ____________________ security and simple document classification schemes.

Physical

Specific technologies are selected to support the alternatives identified and evaluated in the logical design.

Physical Design

The protection of physical items, objects, or areas from unauthorized access and misuse.

Physical Security

False

Policies are written instructions for accomplishing a specific task.

A __________ is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties.

Policy

examples of actions that illustrate compliance with policies

Practices

a form of social engineering in which one individual lies to obtain confidential data about another individual

Pretexting

The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources

Privilege Escalation

The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.

Protection profile or security posture

The key components of the security perimeter include firewalls, DMZs (demilitarized zones), __________ servers, & IDPSs.

Proxy

It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly

Psychological acceptability

A security policy should begin with a clear statement of __________.

Purpose (policy)

A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password files

Rainbow Tables

Computer software designed by hackers that locks people out of their computers or files and demands payment for access.

Ransomware

The point in time prior to a disruption or system outage to which mission/business process data can be recovered

Recovery Point Objective (RPO)

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.

Recovery Time Objective (RTO)

firewalls, proxy servers, access controls

Redundancy can be implemented at a number of points throughout the security architecture such as

RAID stands for a __________ array of independent disk drives that stores information across multiple units to spread out data & minimize the impact of a single drive failure.

Redundant

A system of drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure

Redundant Array of Independent Disks (RAID)

The backup of data to an off-site facility in close to real time based on transactions as they occur.

Remote Journaling

the probability of an unwanted outcome, such as an adverse event or loss

Risk

a. acceptance

Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. Select one: a. acceptance b. appetite c. avoidance d. benefit

c. control

Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems. Select one: a. identification b. management c. control d. security

Same as jailbreaking

Rooting

professional research and education cooperative organization that also awards security certificates

SANS

A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees.

SETA

__________ is a managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizations. The end goal is to reduce accidental security breaches by employees.

SETA (security education, training, and awareness)

Seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded organizations

Sarbanes-Oxley Act

Organizations are moving toward more ____-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.

Security

Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

Security Professionals

provides guidance for the use of encryption and provides protection from government intervention

Security and Freedom through Encryption Act of 1999

The boundary in the network within which an organization attempts to maintain security controls for security information threats from untrusted network areas

Security perimeter

People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

Security policy developers

Provide mechanisms that separate the privileges used for one purpose from those used for another

Separation of privileges

An alert roster in which a single contact person calls each person on the roster

Sequential roster

A level of redundancy provided by mirroring entire servers called redundant servers

Server fault tolerance

A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.

Service Bureau

A document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.

Service Level Agreement (SLA)

The collection, analysis, and distribution of information from foreign communications networks for intelligence and counterintelligence purposes and in support of military operations.

Signals Intelligence

The ____________________ component of the IS comprises applications, operating systems, and assorted command utilities.

Software

A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. Attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence

Software Assurance

Using the DevOps methodologies of an integrated development and the operations approach that is applied to the specification, creation, and implementation of security control systems

SpecOps

A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.

Spoofing

Initiation, Development/Acquisition, Implementation/Assessment, Operations/Maintenance, Disposal

Stages in NIST approach to SDLC

Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change

Stages of the SDLC

__________ are more detailed statements of what must be done to comply with policy.

Standards

The organization's __________ plan documents the organization's intended long-term direction & efforts for the next several years.

Strategic

the process of defining and specifying the long-term direction to be taken by the organization

Strategic Planning

Some policies may also need a __________ clause indicating their expiration date.

Sunset

A component of policy or law that defines an expected end date for its applicability.

Sunset Clause

According to NIST SP 800-14's security principles, security should ________.

Support the mission of the organization, require a comprehensive and integrated approach, and be cost-effective.

__________ often function as standards or procedures to be used when configuring or maintaining systems. pg 168

SysSPs (system-specific security policies)

People with primary responsibility for administering systems that house the information used by the organization

Systems Administrators

A methodology for the design and implementation of an information system.

Systems Development Life Cycle (SDLC)

The most successful kind of top-down approach involves a formal development strategy referred to as a ____.

Systems Development Life Cycle (SDLC)

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.

Systems-Specific Security Policies (SysSPs)

A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.

TCP hijacking

Information security safeguards focused on the application of modern technology, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.

Technical Controls

False

The Analysis phase of the SecSDLC begins with a directive from upper management.

CIA

The CNSS model of information security evolved from a concept developed by the computer security industry known as the ____________________ triangle.

True

The ISO/IEC 27000 series is derived from an earlier standard, BS7799 (T/F)

accidental

The SETA program is a control measure designed to reduce the instances of ________ security breaches by employees

False

The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system.

SDLC

The ____ is a methodology for the design and implementation of an information system in an organization.

CISO

The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.

a. defense

The _________ control strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Select one: a. defense b. transfer c. mitigate d. termination

c. transfer

The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations. Select one: a. defend b. accept c. transfer d. mitigate

c. performance gap

The __________ is the difference between an organization's observed and desired performance. Select one: a. issue delta b. objective c. performance gap d. risk assessment

c. IR

The __________ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress. Select one: a. BC b. DR c. IR d. BR

b. acceptance

The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. Select one: a. transfer b. acceptance c. mitigation d. defense

Analysis

The ____________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.

False

The bottom-up approach to information security has a higher probability of success than the top-down approach.

a. loss frequency

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. Select one: a. loss frequency b. benefit of loss c. likelihood d. annualized loss expectancy

True

The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area (T/F)

d. disadvantage

The concept of competitive _________ refers to falling behind the competition. Select one: a. shortcoming b. drawback c. failure d. disadvantage

d. risk identification

The first phase of risk management is _________. Select one: a. risk evaluation b. risk control c. design d. risk identification

d. CBA

The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________. Select one: a. ARO b. SLE c. ALE d. CBA

True

The investigation phase of the SecSDLC begins with a directive from upper management.

False

The possession of information is the quality or state of having value for some purpose or end.

true

The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification (T/F)

True

The roles of information security professionals are aligned with the goals and mission of the information security community of interest.

Information

The senior technology officer is typically the chief ____________________ officer.

remote journaling

The transfer of live transactions in real time to an off-site facility is called ______________

True

The value of information comes from the characteristics it possesses.

a. dumpster diving

There are individuals who search trash and recycling - a practice known as _________ - to retrieve information that could embarrass a company or compromise information security. Select one: a. dumpster diving b. shoulder surfing c. corporate espionage d. pretexting

any event or circumstance that has the potential to adversely affect operations and assets

Threat

A category of objects, people, or other entities that represents the origin of danger to an asset - in other words, a category of threat agents

Threat Source

the specific instance or a component of a threat

Threat agent

An occurrence of an event caused by a threat agent

Threat event

True

To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats.

True

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision date. (T/F)

A capability table specifies which subjects & objects users or groups can access.

True

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.

True

A disaster recovery plan is a plan that shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.

True

Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training & rehearsal.

True

Each policy should contain procedures & a timetable for periodic review.

True

Failure to develop an information security system based on the organization's mission, vision, & culture guarantees the failure of the information security program.

True

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.

True

Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach.

True

NIST 800-14's Principles for Securing Information Technology Systems, can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program & to produce a blueprint for an effective security architecture.

True

Of the two approaches to information security implementation, the top-down approach has a higher probability of success.

True

Recently, many states have implemented legislation making certain computer-related activities illegal.

True

Security training provides detailed information & hands-on instruction to employees to prepare them to perform their duties securely.

True

The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area.

True

The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage.

True

The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification.

True

To remain viable, security policies must have (1) a responsible manager, (2) a schedule of reviews, (3) a method for making recommendations for reviews, & (4) a policy issuance & revision date.

True

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date.

True

To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, & a policy issuance & planned revision date.

True

Located in the DHS and charged with protecting the financial sector infrastructure

US Secret Service

provides law enforcement agencies with broader latitude to combat terrorism related activities

USA PATRIOT ACT

A lightning strike that causes a building fire (or something like that)

Unintentional Attack

True

Using a methodology increases the probability of success.

A type of malware that is attached to other executable programs. Requires user interaction to replicate

Virus

A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.

Waterfall Model

False

When a computer is the subject of an attack, it is the entity being attacked.

c. standards of due care

When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. Select one: a. best practices b. benchmarking c. standards of due care d. baselining

Maintenance and Change

Which of the following phases is the longest and most expensive phase of the systems development life cycle?

True

You can create a single comprehensive ISSP document covering all information security issues (T/F)

b. DR

_______ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. Select one: a. BR b. DR c. BC d. IR

d. MAC

________ addresses are sometimes called electronic serial numbers or hardware addresses. Select one: a. IP b. DHCP c. HTTP d. MAC

a. security clearance scheme

________ assigns a status level to employees to designate the maximum level of classified data they may access. Select one: a. security clearance scheme b. risk management scheme c. data recovery scheme d. data classification scheme

technical

________ controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets

d. Risk

________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty. Select one: a. Loss Frequency b. Loss c. Loss Magnitude d. Risk

managerial

_________ controls cover security processes that are designed by the strategic planners and implemented by the security administration of the organization

c. Operational

_________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders. Select one: a. Political b. Organizational c. Operational d. Technical

a. Qualitative assessment

_________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. Select one: a. Qualitative assessment b. Metric-centric model c. Quantitative assessment d. Value-specific constant

a. ARO

_________ is simply how often you expect a specific type of attack to occur. Select one: a. ARO b. CBA c. ALE d. SLE

managerial

__________ controls are security processes that are designed by strategic planners and implemented by the security administrator of the organization

Software

____________________ carries the lifeblood of information through an organization.

Availability

____________________ enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format.

Authenticity

____________________ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.

The risk control strategy that indicates the organization is willing to accept the current level of risk

acceptance risk control strategy

An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user

access control matrix

the perpetrator offers to share the proceeds of some large payoff with the victim if the victim will make a "good faith" deposit or provide some partial funding first.

advance fee fraud

An event with negative consequences that could threaten the organization's information assets or operations

adverse event

A detailed examination and discussion of the events that occurred, from first detection to final recovery

after-action review

Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group.

aggregate information

A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process

alert message

A document that contains contact information for people to be notified in the event of an incident

alert roster

in a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.

annualized cost of a safeguard (ACS)

The combination of an asset's value and the percentage of it that might be lost in an attack

asset exposure

The process of assigning financial value or worth to each information asset.

asset valuation

The number of successful attacks that are expected to occur within a specified time period.

attack success probability

An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.

authenticity

____ of information is the quality or state of being genuine or original.

authenticity

An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

availability

An interruption in service, usually from a service provider, which causes an adverse event within an organization.

availability disruption

a malware payload that provides access to a system by bypassing normal access controls.

back door

An assessment of performance of some action or process against which future performance is assessed

baseline

The process of conducting a baseline

baselining

An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution

behavioral feasibility

An attempt to improve information security practices by comparing an organization's effort against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.

benchmarking

Security efforts that are considered among the best in the industry.

best business practices

A long-term interruption (outage) in electrical power availability.

blackout

an abbreviation of robot, an automated software program that executes certain commands when it receives a specific input

bot

False

bottom-up is generally more successful than top-down (T/F)

A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems

bottom-up approach

an attempt to guess a password by attempting every possible combination of characters and numbers in it

brute force password attack

An application error that occurs when more data is sent to a program buffer than it is designed to handle.

buffer overrun (or buffer overflow)

The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams

business continuity planning

The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams

business resumption plan

In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).

capabilities table

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization

champion

An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day.

clean desk policy

A facility that provides only rudimentary services, with no computer hardware or peripherals

cold site

An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

command injection

The protection of all communications media, technology, and content

communications security

The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform competition

competitive advantage

The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.

competitive intelligence

The process of collecting, analyzing, and preserving computer-related evidence.

computer forensics

in the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent concepts of information security as the scope of protecting information in an organization has expanded.

computer security

The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization

cost-benefit analysis

A plan that shows the organization's intended effort in reaction to adverse events

contingency plan

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster

contingency planning

The group of senior managers and project members organized to conduct and lead all CP efforts.

contingency planning management team (CPMT)

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident

cost avoidance

A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.

cracker

Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.

cracking

An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of disaster

crisis management

fixed moral attitudes or customs of a particular group

cultural mores

Attacker whose motivation may be defined as ideological, or attacking for the sake of principles or beliefs.

cyberterrorist

Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of information

data custodians

Individuals who control (and are therefore responsible for) the security and use of a particular set of information. Data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it.

data owners

Commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states—at rest (in storage), in processing, and in transmission (over networks).

data security

Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.

data users

A collection of data organized in a manner that allows access, retrieval, and use of that data

database

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.

defense risk control strategy

An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems

denial-of-service (DoS) attack

An adverse event that could threaten the viability of the entire organization

disaster

A plan that shows the organization's intended effort in the event of a disaster

disaster recovery plan

The actions taken by senior management to specify the organization's efforts in preparation for and recovery from a disaster.

disaster recovery planning

An approach to disk mirroring in which each drive has its own controller to provide additional redundancy.

disk duplexing

A RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails

disk mirroring

A RAID implementation (typically referred to as RAID Level 0) in which one logical volume is created by storing data across several available hard drives in segments called stripes.

disk striping

A DoS attack carried out by multiple computers.

distributed-denial-of-service (DDoS) attack

The percentage of time a particular service is not available; the opposite of uptime.

downtime

Measures that an organization takes to ensure every employee knows what is acceptable and what is not.

due care

reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.

due diligence

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.

dumpster diving

The high-level security policy that is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

enterprise information security policy (EISP)

A physical object or documented information entered into a legal proceeding that proves an action occurred or identifies the intent of a perpetrator

evidence

A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.

expert hacker

A technique used to compromise a system

exploit

State of being exposed; in infosec, when a vulnerability is known to an attacker

exposure

The expected percentage of loss that would occur from a particular attack

exposure factor

A short-term interruption in electrical power availability

fault

the desired end of a planning cycle

goals

Nonmandatory recommendations the employee may use as a reference in complying with policy

guidelines

a person who uses computers to gain unauthorized access to data.

hacker

A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

hot site

A hard drive feature that allows individual drives to be replaced without fault and without powering down the entire system

hot swap

An adverse event that could result in loss of an information asset or asset, but does not currently threaten the viability of the entire organization

incident

The process of examining an incident candidate and determining whether it constitutes an actual incident.

incident classification

The actions taken by senior management to develop and implement IR policy, plan, and computer security incident response team

incident response planning

The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.

industrial espionage

data that has been organized, structured, and presented to provide additional insights into its context, worth, and usefulness

information

Pieces of non-private data that, when combined, may create information that violates privacy.

information aggregation

The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.

information asset

Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

information security

a framework or security model customized to an organization, including implementation details

information security blueprint

A specification of a model to be followed during the design, selection and initial and ongoing implementation of all subsequent security controls

information security framework

The application of the principles of corporate governance to the information security function.

information security governance

Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets

information security policy

A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.

integer bug

An attribute of data that describes how data is whole, complete, and uncorrupted

integrity

During this phase, the objective, constraints, and scope of the project are specified

investigation

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

issue-specific security policy

Escalating privileges to gain administrator-level or root access control over a smartphone

jailbreaker

rules that mandate or prohibit certain behavior and are enforced by the state

laws

Entity's legal obligation or responsibility

liability

The probability that a specific vulnerability within an organization will be the target of an attack

likelihood

In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. Contains no reference to specific technologies, vendors, or products.

logical design

The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.

loss frequency

A type of virus written in a specific macro language to target applications that use the language

macro virus

An attack designed to overwhelm the receiver with excessive quantities of e-mail.

mail bomb

longest and most expensive phase of the systems development life cycle

maintenance and change

Computer software specifically designed to perform malicious or unwanted actions

malware/malicious code/malicious software

information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.

managerial controls

The average amount of time a computer repair technician needs to determine the cause of a failure.

mean time to diagnose (MTTD)

The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures

mean time between failure (MTBF)

As a subset of information assets, the systems and networks that store, process, and transmit information

media

A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.

memory-resident virus

A formal approach to solving a problem based on a structured sequence of procedures.

methodology

performance measures or metrics based on observed numerical data

metrics-based performance

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.

mitigation risk control strategy

A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.

mutual agreement

A subset of communications security; the protection of voice and data networking components, connections, and content.

network security

The presence of additional and disruptive signals in network communications or electrical power delivery

noise

A virus that terminates after it has been activated, infected its host system, and replicated itself.

non-memory-resident virus

A relatively unskilled hacker who uses the work of expert hackers to perform attacks.

novice hacker

the entity being attacked

object of attack

Specific, short-term statements detailing how to achieve the organization's goals.

objectives

Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.

operational controls

a plan for the organization's intended operational efforts on a day-to-day basis for the next several months

operational plan

The action taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals

operational planning

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals

organizational feasibility

A script kiddie who uses automated exploits to engage in denial-of-service attacks.

packet monkey

A software program or hardware appliance that can intercept, copy, and interpret network traffic.

packet sniffer

An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.

penetration tester

The difference between an organization's observed and desired performance

performance gap

____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

physical

Guidelines that dictate certain behavior within an organization

policy

An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.

policy administrator

An examination of how well a particular solution fits within the organization's political environment

political feasibility

Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.

polymorphic threat

An attribute of information that describes how the data's ownership or control is legitimate or authorized

possession

The ____________________ of information is the quality or state of ownership or control of some object or item.

possession

right of individuals to keep their information from being disclosed to others

privacy

step-by-step instructions for completing a task. Designed to assist employees

procedures

Performance measures or metrics based on intangible activities

process-based measures

A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.

professional hacker

A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

project team

An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures

qualitative assessment

An asset valuation approach that attempts to assign absolute numerical measures

quantitative assessment

The use of multiple types of instances of technology that prevent the failure of one system from compromising the security of information

redundancy

The risk of information assets that remains even after current controls have been applied

residual risk

A legal requirement to make compensation or payment from a loss or injury

restitution

The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility

risk appetite

A determination of the extent to which an organization's information assets are exposed to risk

risk assessment

People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

risk assessment specialists

The application of controls that reduce the risks to an organization's information assets to an acceptable level

risk control

The recognition, enumeration, and documentation of risks to an organization's information assets.

risk identification

the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level

risk management

A short-term decrease in electrical power availability.

sag

A hacker of limited skill who uses expertly written software to attack a system.

script kiddie

A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure

security

A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.

security clearance

An area of trust within which information assets share the same level of protection

security domain

The direct, covert observation of individual information or system use.

shoulder surfing

The calculated value associated with the most likely loss from an attack

single loss expectancy

Attackers posing as IT professionals attempt to gain access to information systems by contacting low-level employees and offering help with computer issues

social engineering password attack

unauthorized copying or distribution of copyrighted software

software piracy

unwanted e-mail (usually of a commercial nature sent out in bulk)

spam

A variation of phishing that targets specific people or systems

spear phishing attack

A short-term increase in electrical power availability, also known as a swell.

spike

Any technology that aids in gathering information about people or organizations without their knowledge

spyware

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

standard

a plan for the organization's strategic effort over the next several years

strategic plan

the entity conducting the attack

subject of attack

A long-term increase in electrical power availability

surge

People with the primary responsibility for administering the systems that house the information used by the organization perform the ____ role.

system administrator

a plan for the organization's intended tactical efforts over the next few years

tactical plan

The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives

tactical planning

a project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

team leader

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources

technical feasibility

A systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.

technical specifications SysSP

The risk control strategy that eliminates all risk associated with an information asset by removing it from service

termination risk control strategy

An evaluation of the threats to information assets, including a determination of their potential to endanger the organization

threat assessment

a pairing of an asset with a threat and an identification of vulnerabilities that exist between the two.

threats-vulnerabilities-assets (TVA) triples

A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings

threats-vulnerabilities-assets (TVA) worksheet

A continuity strategy in which an organization co-leases facilities with a business partner or sister organization

time-share

In the ____________________ approach, the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action.

top-down

A methodology of establishing security policies that is initiated by upper management.

top-down approach

A malware program that hides its true nature and reveals its designed behavior only when activated

Trojan horse

The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations.

transference risk control strategy

Unauthorized entry into the real or virtual property of another party.

trespass

the percentage of time a particular service is available; the opposite of downtime.

uptime

An attribute of information that describes how data has value or usefulness for an end purpose

utility

A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message

virus hoax

A potential weakness in an asset or its defensive control system(s).

vulnerability

A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications

warm site

The ____ model consists of six general phases.

waterfall

The amount of effort necessary to make the business function operational after the technology element is recovered

work time recovery

A type of malware that is capable of activation and replication without being attached to an existing program

worm

An attack that makes use of malware that is not yet known by the anti-virus software

zero-day attack

