Management of Info Security Midterm
a long-term decrease in electrical power availability.
Brownout
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)^2
There are twelve categories of threats to information security. List five of them and provide an example of each.
Compromises to intellectual property: software piracy or other copyright infringement; Deviations in quality of service: fluctuations in power, data, and other services; Espionage or trespass: unauthorized access and/or data collection; Forces of nature: fire, flood, earthquake, lightning, etc.; Human error or failure: accidents, employee mistakes; Information extortion: blackmail threat of information disclosure; Sabotage or vandalism: damage to or destruction of systems or information; Software attacks: malware (viruses, worms, macros, etc.); Technical hardware failures or errors: hardware equipment failure; Technical software failures or errors: bugs, code problems, loopholes, back doors; Technological obsolescence: antiquated or outdated technologies; Theft: illegal confiscation of equipment or information
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Computer Security Act (CSA)
Focuses on enhancing the security of the critical infrastructure in the United States.
Cybersecurity Act
a hacker who attacks systems to conduct terrorist activities via networks or internet pathways.
Cyberterrorist
formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
Cyberwarfare
Defines socially acceptable behaviors.
Ethics
a hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.
Expert hacker
Because it sets out general business intentions, a mission statement does not need to be concise.
False
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals.
False
Complete loss of power for a moment is known as a ____.
Fault
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is one of those reasons?
For purposes of commercial advantage; For private financial gain; In furtherance of a criminal act
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.
Forensics
an industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character.
10.4 password rule
Medium sized organizations tend to spend approximately __________ percent of the total IT budget on security.
11
Information security governance yields significant benefits. List five.
1. An increase in share value for organizations 2. Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels 3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care 4. Optimization of the allocation of limited security resources 5. Assurance of effective information security policy and policy compliance 6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response 7. A level of assurance that critical decisions are not based on faulty information 8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____ characters in Internet Explorer 4.0, the browser will crash.
256
Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
5
an attempt to guess a password by attempting every possible combination of characters and numbers in it.
Brute force password attack
Which type of attack involves sending a large number of connection or information requests to a target?
Denial-of-Service (DoS)
In a ____ attack, the attacker sends a large number of connection or information requests to a target.
Denial-of-service
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?
Descriptive ethics
the intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.
Domain Name System (DNS) cache poisoning
the percentage of time a particular service is not available; the opposite of uptime.
Downtime
An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.
Due care
Which policy is the highest level of policy and is usually created first?
EISP
Human error or failure often can be prevented with training, ongoing awareness activities, and _______________.
Education
With policy, the most common distribution methods are hard copy and __________.
Electronic
a technique used to compromise a system.
Exploit
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons?
For political advantage
Which of the following is an example of a Trojan horse program?
Happy99.exe
Contrast the vision statement with the mission statement.
If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.
The three general categories of unethical behavior that organizations and society should seek to eliminate
Ignorance, accident, and intent
Discuss the three general categories of unethical behavior that organizations should try to control.
Ignorance: Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention and, one hopes, compliance. Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.
data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
Information
the average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
Mean time between failure (MTBF)
the average amount of time a computer technician needs to determine the cause of a failure.
Mean time to diagnose (MTTD)
the average amount of time until the next hardware failure.
Mean time to failure (MTTF)
a relatively unskilled hacker who uses the work of expert hackers to perform attacks.
Novice hacker
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
____ is an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure of an organization.
PKI
a script kiddie who uses automated exploits to engage in denial-of-service attacks.
Packet monkey
the redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Pharming
a hacker who manipulates the public telephone system to make free calls or disrupt services.
Phreaker
a hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.
Professional hacker
Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?
RM process
The ____ data file contains the hashed representation of the user's password.
SAM
"4-1-9" fraud is an example of a ____ attack.
Social engineering
a highly targeted phishing attack.
Spear phishing
a short-term increase in electrical power availability, also known as a swell.
Spike
a technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
Spoofing
a long-term increase in electrical power availability.
Surge
How does tactical planning differ from strategic planning?
Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.
Which of the following is a part of an information security program?
Technologies used by an organization to manage the risks to its information assets; activities used by an organization to manage the risks to its information assets; personnel used by an organization to manage the risks to its information assets
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
The Electronic Communications Privacy Act of 1986
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:
The threat environment—threats, known vulnerabilities, attack vectors
The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
the percentage of time a particular service is available; the opposite of downtime.
Uptime
In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?
Waterfall
The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.
deterrence
a person who accesses systems and information without authorization and often illegally.
hacker
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
What is the final step in the risk identification process?
ranking assets in order of importance
associated with assessing risks and then implementing or repairing controls to assure the confidentiality, integrity, and availability of information.
risk management
Which type of document is a more detailed statement of what must be done to comply with a policy?
standard
the process of moving an organization towards its vision by accomplishing its mission.
strategic planning
Human error or failure often can be prevented with training, ongoing awareness activities, and ______.
technical controls
Briefly describe five different types of laws.
1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
Access control list user privileges include all but which of these?
operate
The Risk Management Framework includes all of the following EXCEPT:
process contingency planning
Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information.
the NSA
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.
the type of crime committed
A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.
timing
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
user-specific security policies
Which of the following is NOT an aspect of access regulated by ACLs?
where the system is located
a class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
Integer bug
Which of the following is a C.I.A. characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?
Integrity
escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones). See also Rooting.
Jailbreaking
Any court can impose its authority over an individual or organization if it can establish which of the following?
Jurisdiction
computer software specifically designed to perform malicious or unwanted actions.
Malware
a group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.
Man-in-the-Middle
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
Managerial controls
the presence of additional and disruptive signals in network communications or electrical power delivery.
Noise
a virus that terminates after it has been activated, infected its host system, and replicated itself.
Non-memory-resident virus
The study of what makes actions right or wrong, also known as moral theory.
Normative ethics
Describe the foundations and frameworks of ethics.
Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act? Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right? Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right? Applied ethics—An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice. Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
Policy administrator
malware that over time changes the way it appears to antivirus programs, making it undetectable by techniques that look for preconfigured signatures.
Polymorphic threat
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.
Portable
Which of the following is NOT a primary function of Information Security Management?
Projects
Which of the following functions does information security perform for an organization?
Protecting the organization's ability to function; Enabling the safe operation of applications implemented on the organization's IT systems; Protecting the data the organization collects and uses
undesired e-mail, typically commercial advertising transmitted in bulk.
Spam
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________
Threat
___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
Tort law
Deterrence is the best method for preventing an illegal or unethical activity.
True
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.
Uncertainty
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?
Violations of Policy
a type of malware that is attached to other executable programs.
Virus
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________.
a security analyst
Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.
aggregation
A gathering of key reference materials is performed during which phase of the SDLC?
analysis
The most complex part of an investigation is usually __________.
analysis for potential EM
Addresses violations harmful to society and is actively enforced and prosecuted by the state.
criminal law
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.
e-discovery
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.
ethics
a short-term interruption in electrical power availability.
fault
To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:
form a committee and approve suggestions from the CISO
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:
its personnel structure
The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.
maintenance and change
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.
management guidance, technical specifications
as a subset of information assets, the systems and network that store, process, and transmit information.
media
Which of the following is a key step needed in order for a JAD approach to be successful?
organize workshop activities
In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration
the impetus for a project that is the result of a carefully developed planning strategy.
plan-driven
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________.
properly conceived
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
System testing
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system?
The Computer Security Act
What is a key difference between law and ethics?
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
Due diligence requires that an organization make a valid and ongoing effort to protect others.
True
The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies.
True
Which of the following is an advantage of the user support group form of training?
Usually conducted in an informal social setting
a message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
Virus hoax
a potential weakness in an asset or its defensive control system(s).
Vulnerability
a type of malware that is capable of activation and replication without being attached to an existing program.
Worm
Which of the following is a disadvantage of the one-on-one training method?
resource intensive, to the point of being inefficient
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.
risk appetite
assigns a comparative risk rating or score to each specific information asset.
risk assessment
measures that use or implement a technical solution to reduce risk of loss in an organization.
technical controls
Which of the following are the two general groups into which SysSPs can be separated?
technical specifications and managerial guidance
Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:
the organization's governance structure
a specific instance or component that represents a danger to an organization's assets.
threat agent
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.
threat severity weighted table analysis
Digital forensics can be used for two key purposes: ________ or _________.
to investigate allegations of digital malfeasance; to perform root cause analysis
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
an attack that makes use of malware that is not yet known by the anti-malware software companies.
zero-day attack
____ are machines that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
Zombies
A risk assessment is performed during which phase of the SecSDLC?
analysis
A ____________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.
buffer
Which of the following is NOT one of the three general causes of unethical and illegal behavior?
carelessness
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.
identifying relevant items of evidentiary value
An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.
impact
Which of the following is not a role of managers within the communities of interest in controlling risk?
legal management must develop corporate-wide standards
measures that deal with the functionality of security in an organization
operational controls
Which of the following is NOT one of the basic rules that must be followed when developing a policy?
policy should be focused on protecting the organization from public embarrassment
a form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
Advance-fee fraud (AFF)
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records.
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
In which phase of the SecSDLC does the risk management task occur?
Analysis
Describe the key approaches organizations are using to achieve unified ERM.
Combining physical security and InfoSec under one leader as one business function; using separate business functions that report to a common senior executive; using a risk council approach to provide a collaborative approach to risk management
an application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
Command injection
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
Common good
the collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
Competitive intelligence
Policy __________ means the employee must agree to the policy.
Compliance
Classification categories must be mutually exclusive and which of the following?
Comprehensive
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.
Convergence
a hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
Cracker
attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.
Cracking
a web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
Cross site scripting (XSS)
According to Mark Pollitt, ____ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.
Cyberterrorism
commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states: at rest (in storage), in processing, and in transmission (over networks).
Data security
a subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
Database security
an attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Denial-of-service (DoS) attack
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?
Deontological ethics
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.
Deterrence
a variation of the brute force attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
Dictionary password attack
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.
Digital forensics
a form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Distributed denial-of-service (DDoS)
A collection of statutes that regulates the interception of wire, electronic, and oral communications.
Electronic Communications Privacy Act (ECPA)
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Establishing
The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
Event driven
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.
Evidentiary material
Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.
Examples
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.
False
ISACA is a professional association with a focus on authorization, control, and security. ___________
False
Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy.
False
It is the responsibility of InfoSec professionals to understand state laws and bills.
False
Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
False
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996.
False
A short-term interruption in electrical power availability is known as a ________.
Fault
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity?
Fear of humiliation
Which of the following is a requirement for laws and policies to deter illegal or unethical activity?
Fear of penalty, probability of being penalized, and probability of being caught
Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions?
Fear of penalty—Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay. Probability of being caught—There must be a strong possibility that perpetrators of illegal or unethical acts will be caught. Probability of penalty being administered—The organization must be willing and able to impose the penalty.
What is necessary for a top-down approach to the implementation of InfoSec to succeed?
For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.
The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons?
For purposes of commercial advantage; for private financial gain; in furtherance of a criminal act.
ISO 27014:2013 is the ISO 27000 series standard for:
Governance of Information Security
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
One form of online vandalism is ____ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist
One form of online vandalism is __________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist/Cyberactivist
a hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist/Cyberactivist
Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
Health Information Technology for Economic and Clinical Health Act
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____.
Hoaxes
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _______________.
Hoaxes
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSec planning
In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________.
IT, CISO, CIO
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?
Implementation
According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
Inculcate a culture that recognizes the criticality of information and InfoSec to the organization; verify that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment; assure that a comprehensive InfoSec program is developed and implemented; demand reports from the various layers of management on the InfoSec program's effectiveness and adequacy.
the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.
Industrial espionage
the focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
Information asset
Blackmail threat of informational disclosure is an example of which threat category?
Information extortion
the act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
Information extortion
This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.
InfraGard
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
Describe what happens during each phase of the IDEAL General governance framework.
Initiating - Lay the groundwork for a successful improvement effort. Diagnosing - Determine where you are relative to where you want to be. Establishing - Plan the specifics of how you will reach your destination. Acting - Do the work according to the plan. Learning - Learn from the experience and improve your ability to adopt new improvements in the future.
In the ______________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
the average amount of time a computer technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Mean time to repair (MTTR)
a virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
Memory-resident virus
The EISP must directly support the organization's __________.
Mission statement
Which of the following explicitly declares the business of the organization and its intended areas of operations?
Mission statement
There are generally two skill levels among hackers: expert and ____.
Novice
What is the values statement and what is its importance to an organization?
One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
a software program or hardware appliance that can intercept, copy, and interpret network traffic.
Packet sniffer
an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
Penetration tester
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
People
a form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
Phishing
_________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
Physical
What is the role of planning in InfoSec management? What are the factors that affect planning?
Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholders. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.
A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?
Policies must be: effectively written; distributed to all individuals who are expected to comply with them; read by all employees; understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees; acknowledged by the employee, usually by means of a signed consent form; uniformly enforced, with no special treatment for any group (e.g., executives).
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Policy Review and Modification
a form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information.
Pretexting
Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
Private
the unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Privilege escalation
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________, which can be indexed and quickly searched using the hash value, allowing the corresponding plaintext password to be determined.
Rainbow table
a table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
Rainbow table
escalating privileges to gain administrator-level control over a computer system (including smartphones).
Rooting
Technology services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
SLA
Web hosting services are usually arranged with an agreement providing minimum service levels known as a(n) ____.
SLA
a short-term decrease in electrical power availability.
Sag
a hacker of limited skill who uses expertly written software to attack a system.
Script kiddie
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.
Search warrant
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
Security manager
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
Security technician
a document or part of a document that specifies the expected level of service from a service provider.
Service Level Agreement (SLA)
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs, and training
the direct, covert observation of individual information or system use.
Shoulder surfing
the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
Social engineering
the unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
Software piracy
____ is any technology that aids in gathering information about a person or organization without their knowledge.
Spyware
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization (in this case, the information assets used in a particular organization) is known as a(n) _______________.
Stakeholder
The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles?
Standards, guidelines, and associated methods and techniques for computer systems; uniform standards and guidelines for most federal computer systems; technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems; guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice; validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies.
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
Strategic
Which of the following is true about planning?
Strategic plans are used to create tactical plans
The ____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
TCP
a form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
TCP hijacking
In which level of planning are budgeting, resource allocation, and manpower critical components?
Tactical
the illegal taking of another's property, which can be physical, electronic, or intellectual.
Theft
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
Acts of ____ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
Trespass
unauthorized entry into the real or virtual property of another party.
Trespass
____ are software programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan horses
a malware program that hides its true nature and reveals its designed behavior only when activated.
Trojan horses
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
Which statement defines the differences between a computer virus and a computer worm?
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate
What are the two general approaches for controlling user authorization for the use of a technology?
access control lists and capability tables
In the __________ phase of the SecSDLC, the team studies the documents from earlier and looks at relevant legal issues that could affect the design of the security solution.
analysis
an act that is an intentional or unintentional attempt to compromise the information and/or the systems that support it.
attack
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
bull's-eye model
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
can suffer from poor policy dissemination, enforcement, and review
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) __________.
chief information security officer
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.
create a subjective ranking based on anticipated recovery costs
Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
cultural mores
individual who determines the level of classification associated with data.
data owner
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
data users
usually a documented way to circumvent controls or take advantage of weaknesses in control systems.
exploit
"4-1-9" is one form of a(n) __________ fraud.
Advance-fee fraud
malware intended to provide undesired marketing and advertising, including popups and banners on a user's screen.
Adware
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.
Affidavit
An approach that applies moral codes to actions drawn from realistic situations.
Applied ethics
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Attack
an interruption of service, usually from a service provider, which causes an adverse event within an organization.
Availability disruption
Which of the following is a common element of the enterprise information security policy?
information on the structure of the InfoSec organization
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
Back door
also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
Boot virus
A ____ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
DDoS
Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
DMCA
a collection of related data stored in a structured form and usually managed by a database management system.
Database
Ethics carry the sanction of a governing authority.
False
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public law
computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.
Ransomware
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology.
Reading level
Which of the following is compensation for a wrong committed by an individual or organization?
Restitution
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.
Risk ranking worksheet
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
Malice
a malware payload that provides access to a system by bypassing normal access controls.
Back door
a long-term interruption (outage) in electrical power availability.
Blackout
an abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie.
Bot
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law.
Breach
an application error that occurs when more data is sent to a program buffer than it is designed to handle.
Buffer overrun (or buffer overflow)
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.
CISSP
the creation, ownership, and control of original ideas as well as the representation of those ideas.
Intellectual property (IP)
Which of the following is NOT used to categorize some types of law?
International
A detailed outline of the scope of the policy development project is created during which phase of the SDLC?
Investigation
What is the first phase of the SecSDLC?
Investigation
Which phase of the SDLC should get support from senior management?
Investigation
Which phase of the SDLC should see clear articulation of goals?
Investigation
According to Wood, which of the following are reasons the InfoSec department should report directly to top management?
It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole
the overall rating of the probability that a specific vulnerability will be exploited or attacked.
Likelihood
Which of the following is an attribute of a network device built into the network interface?
MAC address
a type of virus written in a specific macro language to target applications that use the language.
Macro virus
an attack designed to overwhelm the receiver with excessive quantities of email.
Mail bomb