Information Security Midterm
An information security plan is developed and implemented when?
Throughout the software life cycle
Sun Tzu noted that:
You should know yourself and your opponent.
Our extended definition of information security is that information security is
a well-informed sense of assurance that the information risks and controls are in balance.
An informed decision to not employ countermeasures.
acceptance
Once trust between parties has been achieved, what is highly desirable (and potentially necessary) to enable continued trust?
an appropriate level of verification
the realization of a threat
an attack
An effective countermeasure for combating SQL injection which can be implemented by application programmers.
complete verification of user input
Espionage is an attack against:
confidentiality
Effective information security policies are designed to be what?
constantly evolving
Ideally, countermeasures are deployed
in a manner providing multiple layers of protection for key assets.
The two basic types of risk transfer discussed in the lectures are
insurance and Service Level Agreements
A potentially effective countermeasure for detecting a successful trojan horse attack
maintaining a list of approved programs for a server, and regularly comparing that list with all running processes
Implementing daily backups of high-value information assets.
mitigation
When advocating for the adoption of new countermeasures related to an organization's information security it is advisable to frame your supporting arguments in terms of ____________?
needs of the business
In addition to societal peers, what types of organizations promote ethics in Information Technology?
professional societies
ranked vulnerability worksheet
provides a list of vulnerabilities prioritized by relative risk
best practices
selecting methods or techniques that are generally accepted as superior to alternatives
When considering multiple nationalities and ethnic groups, ethics are what?
significantly variable, leading to potential misunderstanding
A set of client/server Unix library routines useful for establishing communications between networked computer systems.
sockets library
A side-channel attack which passively monitors acoustic or electrical emissions to gain keylogging or other confidential information.
tempest attack
An informed decision to discontinue particular services to customers.
termination
risk appetite
the relative amount of risk considered acceptable by an organization
residual risk
the risk remaining after a cycle of the risk management process.
According to a recent ISACA survey, the biggest knowledge gap in information security professionals today is: (select one)
understanding the "needs of the business"
The critical information characteristics (modes of protection) shown on the McCumber Cube are:
- Integrity
- Confidentiality
- Availability
In our course we will consider the categories of components of any information system to include
- People
- Software
- Networks
- Data
- Procedures
- Hardware
Information security includes (multiple choice):
- Personal Security
- Network Security
- Operations Security
- Communications Security
- Physical Security
What are some methods discussed in lecture which are useful for addressing the people component of information systems?
- be sensitive to employee life situations
- provide security awareness training
- earn "buy-in"
What characteristics of organizational policies must be exhibited in order for them to be upheld in a court of law?
- formally acknowledged
- readily available as a reference
- must adhere to all applicable laws
- distributed to all expected to comply
- must have a regular review and revision process
- easily understood by all affected
Which of the following were discussed in the lectures as potential sources of information to help quantify the risk assessment process?
- internal statistics
- insurance companies
- domain-specific knowledge
- surveys by professional organizations
advantages for anomaly-based IDPSes
- they can accomplish threat identification without regular signature updates
- they may automatically adapt to new usage patterns
- they may detect long/slow attacks
A zero-day attack is:
An attack that is unknown to those who would be interested in its mitigation, or that is known but has no patch to correct it.
In March of 2019, what high-profile high-tech company laid off 190 workers from its self-driving car project, potentially as a direct result of successful industrial espionage?
Apple
Given the level of complexity in today's information systems, the process of designing information security solutions has often been described as ____________________.
Art and Science
A primary concern for an appropriate information security plan is the balance between protection and ________.
Availability
Installing a secret account after compromising a system
Backdoor
Who said: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Bruce Schneier
This position is ultimately responsible for all aspects of an organization's business, including information security responsibilities.
Chief Executive Officer
An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.
Chief Information Officer
Though sometimes not an executive level position, this person is typically the top information security professional in an organization.
Chief Information Security Officer
the historic legal meaning of "intellectual property"
Creations of the mind
Rules that mandate certain behaviors and which are enforced by the members of a society are ______.
Ethics
The unauthorized taking of personally identifiable information with the intent of committing fraud.
Identity Theft
To create an illegal policy is, in itself, an _______ act.
Illegal
An attack on information assets in which an attack agent gains or attempts to gain entry into a network or system to disrupt or cause other harm
Intrusion
The designed steps to be undertaken to restore a network or system to its normal state following an unauthorized intrusion
Intrusion Correction
When a network device fails, it should be configured to:
It depends
The challenge with the term cyber terrorism is:
It is subjective, based on your definitions and how you view the issue.
A common societal/governmental response to lack of self-regulation is _______.
Legislation
Pretending to be a legitimate Wi-Fi network while still allowing internet access to users
Man-in-the-middle
Rules that mandate certain behaviors and which are enforced by corporate organizations are _______.
Policies
The phases of the risk management cycle, in order, are (select one):
Risk Identification, Risk Assessment, Risk Control
National Security Letters (NSLs) were made into law by what U.S. statute?
The Patriot Act
When should new technology solutions be adopted in an information security plan?
When they demonstrably address the needs of the business
defense strategy
a deliverable document assigning countermeasures to priority vulnerabilities
A datacenter operating at "five nines" will have at most how much unscheduled down-time each year?
a few minutes
Who is Amy?
a help desk agent at Sequential Label and Supply Company.
Exploit
a technique used to compromise an information system
Attack
an act that may damage an asset, intentional or unintentional
A formalized risk assessment process is meant to be (select one):
an aid to guide our thinking when evaluating relative risk levels.
Loss
an instance of an information asset suffering damage
Threat
an object, person or other entity which represents a potential danger to assets
mitigation
any activities which intend to lessen the damage caused by a current or past successful attack.
A botnet flood attack (DDoS) is an attack against:
availability
The process of earning the support of an organization's personnel in adopting new security policies and practices by clearly describing the needs for such policies and including those personnel in the process of defining those new policies. This would be an example of creating ________ from those personnel.
buy-in
What is the first law of software development?
cost, time-to-market and quality compete with each other during the software development process
Deploying improved firewall technology to reduce DoS attack success.
defense
Quality and security considerations should optimally be
designed into software
An exception to copyright law which allows use of protected material under certain limited circumstances.
fair use
A threat due to obsolescence.
forced upgrades
benchmarking
imitating the successful processes of another organization
Defensive countermeasures which seek to prevent unauthorized network or system access
intrusion prevention
Rules mandating certain behaviors and which are enforced by government entities are _______.
laws
estimated risk
likelihood of attack * likelihood of (attack) success * magnitude of loss
The major difference between business intelligence and industrial espionage
operating within or outside of the law
Malware which frequently modifies itself to avoid detection by anti-virus software.
polymorphic attack
weighted factor analysis
provides a relative value for each organizational asset
know your enemy
risk identification - identify & prioritize threats
Know yourself
risk identification - identify, inventory & categorize assets
Outsourcing product distribution to a professional logistics organization via an SLA.
risk transfer
A device that can be attached directly to a network segment which observes and displays all network traffic.
sniffer
A significant drawback to an open systems software design approach is
that hackers can study the code for undiscovered vulnerabilities
A device proposed by the US government to protect individual communications while allowing the government to decrypt suspect transmissions
the Clipper chip
Access
the ability to interact with a resource, legitimately or otherwise
vulnerability matrix
the final deliverable of the risk identification phase
vulnerability
the intersection of a threat with an asset
The information states shown on the McCumber Cube are:
- Processing - Storage - Transmission
The security measures (categories of countermeasures) of the McCumber Cube are:
- Technology - Policies or Procedures - Education and Training
The Cyber Kill Chain is a proposed process that demonstrates:
A generic cyber threat process.
Ransomware is viewed by most legal authorities (including the US federal government) as:
Extortion.
Primary law enforcement agency that investigates traditional crimes and cybercrimes.
FBI
The designed steps to be undertaken in the event of a detected intrusion
Intrusion reaction
The most common intellectual property breach
Software piracy
Faking an identity
Spoofing
Countermeasure
a specific mechanism or policy intended to improve security against a threat or set of threats
Asset
a specific resource of value
Vulnerability
a system weakness or fault which decreases security
When someone asks if a system is secure, your response should be:
"Secure against what?"
If software must be developed on a strictly tight time-frame and within a strictly tight budget, what is likely to suffer?
- Usability
- Correctness
- Quality
- Security
Functions of Intrusion Detection and Prevention Systems include
- logging events
- detecting malicious activities
- reacting to attacks
- raising alarms
