Management of Information Security Midterm
Penetration tester
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolution for vulnerabilities in those systems
availability disruption
An interruption in service, usually from a service provider which causes an adverse event within an organization
Attack
An ongoing act against an asset that could result in a loss of its value
In which phase of the SecSDLC does the risk management task occur?
Analysis
The __________ phase of the SecSDLC, the team studies the documents from earlier and looks at of relevant legal issues that could affect the design of the security solution.
Analysis
Why is threat identification so important in the process of risk management?
Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.
An approach that applies moral codes to actions drawn from realistic situations.
Applied ethics
Describe the key approaches organizations are using to achieve unified ERM.
Combining physical security and InfoSec under one leader as one business function Using separate business functions that report to a common senior executive Using a risk council approach to provide a collaborative approach to risk management
an application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
Command injection
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
Common good
which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a __________.
CISO
The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.
CISSP
a model of infosec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model
CNSS
Data Security
Commonly used as a surrogate for information security, the focus of protecting information in its various states- at rest, in processing, and in transmission
the collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
Competitive intelligence
Policy __________ means the employee must agree to the policy.
Compliance
Classification categories must be mutually exclusive and which of the following?
Comprehensive
There are twelve categories of threats to information security. List five of them and provide an example of each.
Compromises to intellectual property: Software piracy or other copyright infringement Deviations in quality of service: Fluctuations in power, data, and other services Espionage or trespass: Unauthorized access and/or data collection Forces of nature: Fire, flood, earthquake, lightning, etc. Human error or failure: Accidents, employee mistakes Information extortion: Blackmail threat of information disclosure Sabotage or vandalism:Damage to or destruction of systems or information Software attacks: Malware: viruses, worms, macros, etc. Technical hardware failures or errors: Hardware equipment failure Technical software failures or errors: Bugs, code problems, loopholes, back doors Technological obsolescence: Antiquated or outdated technologies Theft: Illegal confiscation of equipment or information
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Computer Security Act (CSA)
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
Confidentiality
What are configuration rules? Provide examples
Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers.
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.
Convergence
a hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
Cracker
attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.
Cracking
Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology • Applies to any technology that affects the confidentiality, integrity or availability of information • Informs technologists of management intent
What is a type of law that addresses violations harmful to society and that is enforced by prosecution by the state?
Criminal Law
a web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
Cross site scripting (XSS)
Focuses on enhancing the security of the critical infrastructure in the United States.
Cybersecurity Act
According to Mark Pollitt, ____ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.
Cyberterrorism
a hacker who attacks systems to conduct terrorist activities via networks or internet pathways.
Cyberterrorist
formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
Cyberwarfare
A ____ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
DDoS
Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
DMCA
CIA Triad figure 1.3 *
Data & services: Confidentiality Integrity Availability
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
Data Owners
commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states-at rest (in storage), in processing, and in transmission (over networks).
Data security
a collection of related data stored in a structured form and usually managed by a database management system.
Database
a subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
Database security
Which type of attack involves sending a large number of connection or information requests to a target?
Denial-of-Service (DoS)
In a ____ attack, the attacker sends a large number of connection or information requests to a target.
Denial-of-service
an attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Denial-of-service (DoS) attack
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics) a. Meta-ethics b. Applied ethics c. Deontological ethics d. Normative ethics
Deontological ethics
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?
Deontological ethics
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?
Descriptive ethics
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.
Deterrance
a variation of the brute force attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
Dictionary password attack
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.
Digital forensics
a form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Distributed denial-of-service (DDoS)
the intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.
Domain Name System (DNS) cache poisoning
the percentage of time a particular service is not available; the opposite of uptime.
Downtime
An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.
Due care
In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?
During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee.
Maintenance Phase
During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats • The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously • Periodic review should be built in to the process
Which policy is the highest level of policy and is usually created first?
EISP
Identifying Threats
Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy • Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset • In general, this process is referred to as a threat assessment
Human error or failure often can be prevented with training, ongoing awareness activities, and _______________.
Education
With policy, the most common distribution methods are hard copy and __________.
Electronic
A collection of statutes that regulates the interception of wire, electronic, and oral communications.
Electronic Communications Privacy Act (ECPA)
Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received
Electronic vaulting
Enterprise information security program policy (EISP)
Enterprise information security policy (EISP) is that high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts • An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy
three types of information security policy
Enterprise information security program policy (EISP) Issue-specific information security policies (ISSP) Systems-specific policies (SysSPs)
Rooting
Escalating privileges to gain administrator-level control over a computer system (including smartphones)
Jailbreaking
Escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones)
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Establishing
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. enterprise information security policy b. user-specific security policies c. issue-specific security policies d. system-specific security policies
b
Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy.
False
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals
False
It is the responsibility of InfoSec professionals to understand state laws and bills
False
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.
False
Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
False
The "Authorized Uses" section of an ISSP specifies what the identified technology cannot be used for.
False
The IT community often takes on the leadership role in addressing risk.
False
The information security blueprint build's on top of an organizations information security standards.
False
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996
False
The information technology management community of interest often takes on the leadership role in addressing risk. __________
False - InfoSec
Technology is the essential foundation of an effective information security program. _____________
False - Policy
Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________
False - assessment
A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. __________
False - classification
The degree to which a current control can reduce risk is also subject to calculation error. __________
False - estimation
Nonmandatory recommendations that the employee may use as a reference in complying with a policy are known as regulations. ____________
False - guidelines
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk control. __________
False - identification
The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ___________
False - likelihood
The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and decentralization. ____________
False - maintenance
Examples of actions that illustrate compliance with policies are known as laws.
False - practices
6. When operating any kind of organization, a certain amount of debt is always involved. __________
False - risk
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment. __________
False - threat
A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. __________
False - vulnerabilities
Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. __________
False - vulnerabilities
A short-term interruption in electrical power availability is known as a ________.
Fault
Complete loss of power for a moment is known as a ____.
Fault
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity?
Fear of humiliation
Which of the following is a requirement for laws and policies to deter illegal or unethical activity?
Fear of penalty, probability of being penalized, and probability of being caught
An example of a stakeholder of a company includes all of the following except: a) employees b) the general public c) stockholders d) management
b) the general public
In information security governance who is responsible for policy, procedures, and training?
Chief Information Officer
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
Chief Information Security Officer(CISO)
Due diligence requires that an organization make a valid and ongoing effort to protect others
True
Information security is the protection of the confidentiality, integrity, and availability of information assets, in storage, processing, and transmission via the application of policy, education, training, awareness, and technology.
True
Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked.
True
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________.
a security analyst
Treating risk begins with which of the following?
an understanding of risk treatment strategies
A gathering of key reference materials is performed during which phase of the SDLC?
analysis
A risk assessment is performed during which phase of the SDLC?
analysis
A risk assessment is performed during which phase of the SecSDLC?
analysis
In the __________ phase of the SecSDLC, the team studies the documents from earlier and looks at of relevant legal issues that could affect the design of the security solution.
analysis
Organizational feasibility
analysis examines how well the proposed information security alternatives will contribute to efficiency, effectiveness, and overall operation of an organization
The most complex part of an investigation is usually __________.
analysis for potential EM
the most complex part of an investigation is usually
analysis for potential evidenttiary material
In addition to specifying the penalties for unacceptable behavior, what else must the policy specify?
appeals process
In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
appeals progress
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited availability is known as risk __________.
appetite
Force majeure includes all of the following EXCEPT: a. acts of war b. forces of nature c. armed robbery d. civil disorder
armed robbery
General business
articulates and communicates organizational policy and objectives and allocates resources to the other groups
An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack, is known as threat __________.
assessment
Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
assessment
The process of assigning financial value or worth to each information asset is known as __________.
asset valuation
Which of the following activities is part of the risk identification process?
assigning a value to each information asset
An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it is known as a(n) __________.
attack
an act that is an intentional or unintentional attempt to compromise the information and/or the systems that support it
attack
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
authentication
Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?
authentication
behavioral types of leaders
autocratic democratic laissez-faire
Which of the following is a C.I.A. triad characteristic that ensures only those with sufficient privileges and a demonstrated need may access certain information? authentication b. confidentiality c. integrity d. availability
confidentiality
Which of the following are instructional codes that guide the execution of the system when information is passing through it?
configuration rules
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event?
contingency planning
Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
control
In order to ensure effort is spent protecting information that needs protecting, organizations implement _____.
data classification schemes
individual who determines the level of classification associated with data
data owner
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
data users
organization's information assets
data, hardware, software, procedures, people
Honey pots
decoy systems designed to lure potential attackers away from critical systems.
Application of training and education among other approach elements is a common method of which risk treatment strategy?
defense
Political feasibility
defines what can and cannot occur based on the consensus and relationships between the communities of interest, especially given that the budget allocation decisions can be politically charged
Which type of attack involves sending a large nyumber of connection or information requests to a target?
denial of service (DoS)
which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
descriptive ethics
The _________ phase of the SecSDLC, has team members create and develop the blueprint for security and develop critical contingency plans for incident response.
design
Technical feasibility
determines whether or not the organization has or can acquire the technology and expertise to implement, support and manage the new safeguards
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls. a. remediation b. rehabilitation c. deterrence d. persecution
deterrence
The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.
detterence
investigations involving the preservation, identification extraction documentation and interpretation of computer media for evidentiary and rooat cause analysis is known as __________
digital forensics
a __________ is an attack in which a coordinated stream of requests is launched against a target form many locations at the same time
distributed denial-of-service
Remains even after the current control has been applied.
i. residual risk
A section of policy that should specify users' and systems administrators' responsibilities.
i. systems management
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __________.
identification
The organization can perform risk determination using certain risk elements, including all but which of the following?
legacy cost of recovery
Which of the following is not a role of managers within the communities of interest in controlling risk?
legal management must develop corporate-wide standards
The probability that a specific vulnerability within an organization will be attacked by a threat is known as __________.
likelihood
The probability that a specific vulnerability within an organization will be the target of an attack is known as _____.
likelihood
Assessing risks includes determining the __________ that vulnerable systems will be attacked by specific threats.
likelihood probability
Damage, destruction, modification, disclosure, denial of use refers to data ___________.
loss
The _____ phase is the last phase of SecSDLC, but perhaps the most important.
maintenance and change
The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.
maintenance and change
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? a. accident b. ignorance c. malice d. intent
malice
there are three general categories of unethical behavior that organizations and society should seek to eliminate. which of the following is not one of them?
malice
Risk __________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.
management guidance, technical specifications
System-specific policies can be organized into two general groups: ____ and _____.
managerial guidance, technical specifications
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
manufacturer's model or part number
The InfoSec needs of an organization are unique to all but which one of the following organizational characteristics?
market
as a subset of information assets, the systems and network that store, process, and transmit information.
media
Communications security involves the protection of which of the following?
media, technology, and content
Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?
mitigation
The protection of voice and data components, connections, and content is known as _________ security.
network
In the bull's-eye model, the ___________ layer is the place where threats from public networks meet the organization's networking infrastructure.
networks
In the bull's-eye model, the ____________________ layer is the place where threats from public networks meet the organization's networking infrastructure.
networks
Access control list user privileges include all but which of these?
operate
measures that deal with the functionality of security in an organization
operational controls
Which of the following determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders?
operational feasibility
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
Which of the following variables is the most influential in determining how to structure an information security program?
organizational culture
Which of the following is a key step needed in order for a JAD approach to be successful?
organize workshop activities
Which of the following is an example of a technological obsolescence threat?
outdated servers
In which contingency plan strategy do individuals act as if an actual incident occurred, and begin performing their required tasks and executing the necessary procedures, without interfering with the normal operations of the business?
parallel testing
In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration
an information securitry professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a __________
penetration tester
A set of security tests and evaluations that simulate attacks by a malicious external source is known as
penetration testing
testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration testing
the impetus for a project that is the result of a carefully developed planning strategy
plan-driven
Which of the following is the process that develops, creates, and implements strategies for the accomplishment of objectives?
planning
six ps
planning policy programs protection people project management
A __________ is simply a manager's or other governing body's statement of intent regarding employee behavior with respect to the workplace.
policy
A good information security program begins and ends with __________.
policy
The document designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets is known as the RM __________.
policy
Which of the following functions of information security management seeks to dictate certain behavior within the organization through a set of organizational guidelines? a. programs b. planning c. people d. policy
policy
The champion and manager of the information security policy is called the _______.
policy administrator
The champion and manager of the information security policy is called the ____________________.
policy administrator
Which individual is responsible for the creation, revision, distribution, and storage of the policy?
policy administrator
Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
policy should be agreed upon by all employees and managemen
Which of the following is NOT one of the basic rules that must be followed when developing a policy?
policy should be focused on protecting the organization from public embarrassment
__________ are examples of actions that illustrate compliance with policies.
practices
Which of the following is NOT a unique function of Information Security Management?
principles
What is the last stage of the business impact analysis?
prioritize resources associated with the business processes
Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
procedures
The Risk Management Framework includes all of the following EXCEPT:
process contingency planning
For an organization to manage its InfoSec risk properly, managers should understand how information is __________.
processed collected transmitted
Which of the following attributes does NOT apply to software information assets?
product dimensions
What should you be armed with to adequately assess potential weaknesses in each information asset?
properly classified inventory
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________.
properly conceived
Communications securtity
protection of all communications media, technology and content
cyber (computer) Security
protection of computerized information processing systems
operations security
protection of details of an organizations operations
Physical security
protection of physical objects
network security
protection of voice and data networking componets
Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server?
proxy server
What is the final step in the risk identification process?
ranking assets in order of importance
an attack that uses phishing techniques along with specialized forms of malware to encrypt the victm's data files is known as __________
ransomware
What is the SETA program designed to do?
reduce the occurrence of accidental security breaches
Operational feasibility
refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders - User acceptance and support can be achieved by means of communication, education, and involvement
SP 800-18, Rev.1: Guide for Developing Security Plans for Federal Information Systems
reinforces a business process centered approach to policy management
As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.
relative
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
relative value
Which of the following is NOT one of the administrative challenges to the operation of firewalls?
replacement
What is the risk to information assets that remains even after current controls have been applied?
residual risk
Which of the following is a disadvantage of the one-on-one training method?
resource intensive, to the point of being inefficient
which of the following is compensation for a wrong committed by an individual or organization?
restitution
________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty
risk
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.
risk appetite
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
risk appetite
The identification, analysis, and evaluation of risk in an organization describes which of the following?
risk assessment
assigns a comparative risk rating or score to each specific information asset
risk assessment
associated with assessing risks and then implementing or repairing controls to assure the confidentiality, integrity, and availability of information
risk management
What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
risk tolerance
behavioral feasibility
same as operational feasibility
permission to search for evidentiary material at a specified locaiton and/or to seize items to return to the investirgators lab for examination is know as a
search warrant
Qualified individuals who are tasked with configuring security technologies and operating other technical control systems are known as a(n) ___________.
security technician
Data classification schemes should categorize information assets based on which of the following?
sensitivity and security needs
is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
service bureau
Which contingency plan strategy do individuals work on their own tasks and are responsible for identifying the faults in their own procedures?
simulation
Which of the following is NOT a task performed by the governance group during the framework design phase, in cooperation with the framework team?
specifying who will supervise and perform the RM process
Which type of document is a more detailed statement of what must be done to comply with a policy?
standard
type of document is a more detailed statement of what must be done to comply with a policy
standard
the process of moving an organization towards its vision by accomplishing its mission
strategic planning
The first priority of the CISO and the InfoSec management team should be the __________. a. development of a security policy b. implementation of a risk management program c. adoption of an incident response plan d. structure of a strategic plan
structure of a strategic plan
The first priority of the CISO and the InfoSec management team should be the _____________.
structure of a strategic plan
IT
supports the business objectives of the organization by supplying and supporting IT appropriate to the business' needs
The three types of information security policies include the enterprise information security policy, the issue-specific security policy, and the ____________________ security policy.
system-specific
The three types of information security policies include the enterprise security policy, the issue-specific security policy, and the _____________ security policy.
system-specific
The responsibilities of both the users and the systems administrators with regard to specific technology rules should be specified in the ____________________ section of the ISSP.
systems management
Which of the following breaks down each applicable strategic goal into a series of incremental objectives?
tactical
A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ___________.
team leader
Human error or failure often can be prevented with training and awareness programs, policy, and __________. ISO 27000 b. technical controls c. outsourcing d. hugs
technical controls
Human error or failure often can be prevented with training, ongoing awareness activities, and ______.
technical controls
measures that use or implement a technical solution to reduce risk of loss in an organization
technical controls
Which of the following are the two general groups into which SysSPs can be separated?
technical specifications and managerial guidance
Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information.
the NSA
Single Lose Expectancy(SLE)
the calculation value associated with the most likely loss from an attack
which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees whoare involved with the management, use, or operation of each federal computer system?
the computer security act
In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:
the corporate change control officer
Authorization
the matching of an authenticated entity to a list of information assets and corresponding access levels
Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:
the organization's governance structure
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify?
the penalties for violation of the policy
when an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________
the type of crime commited
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.
the type of crime committed
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________. a. the network provider the hacker used b. how many perpetrators were involved c. what kind of computer the hacker used d. the type of crime committed
the type of crime committed
Which of the 12 categories of threats best describes a situation where the adversary removes data from a victim's computer? a. information extortion b. espionage or trespass c. theft d. sabotage or vandalism
theft
which of the 12 categories of threats best describes a situation where the adversary removes data from a vitctim's comptuer?
theft
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________ a. threat b. vulnerability c. exploit d. attack
threat
any event or circumstance that has the potential to adversely affect operations and assets is known as a
threat
a specific instance or component that represents a danger to an organization's assets
threat agent
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.
threat severity weighted table analysis
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
threats-vulnerabilities-assets worksheet
A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.
timing
The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite.
zero
an attack that makes use of malware that is not yet known by the anti-malware software companies.
zero-day attack
Defense
—Applying safeguards that eliminate or reduce the remaining uncontrolled risk The defense risk control strategy attempts to prevent the exploitation of the vulnerability • This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards • This approach is sometimes referred to as "avoidance". • Three common methods of risk defense are: - Application of policy - Application of training and education - Implementation of technology
Access Control Lists (ACLs)
• Include the user access lists, matrices, and capability tables that govern the rights and privileges • A capability table specifies which subjects and objects that users or groups can access • These specifications are frequently complex matrices, rather than simple lists or tables • In general ACLs enable administrations to restrict access according to user, computer, time, duration, or even a particular file In general ACLs regulate: - Who can use the system - What authorized users can access - When authorized users can access the system - Where authorized users can access the system from - How authorized users can access the system
NIST Risk Management Framework
• National Institute for Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/ accreditation to one that follows the industry standard of effective risk management • As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View" The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made • The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations • Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions (ii) risk constraints (iii) risk tolerance; and (iv) priorities and tradeoffs
Blackout
A long-term interruption in electrical power availability
Confidentiality
"An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems" Limiting access to information only to those who need it, and preventing access by those who don't To protect the confidentiality of information, a number of measures are used: - Information classification - Secure document (and data) storage - Application of general security policies - Education of information custodians and end users - Cryptography (encryption)
Availability
"An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction" Availability of information means that users, either people or other systems, have access to it in a usable format Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users
Authentication
"The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity" It is the process by which a control establishes whether a user (or system) has the identity it claims to have Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system
Integrity
"an attribute of information that describes how data is whole, complete, and uncorrupted" integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state Corruption can occur while information is being entered, stored, or transmitted
Privacy
"in the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality" information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected
Accountability
"the access control mechanism that ensures all actions on a system authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability"
Identification
"the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system" An information system possesses the characteristic of identification when it is able to recognize individual users Identification and authentication are essential to establishing the level of access or authorization that an individual is granted Identification is typically performed by means of a user name or other ID
which of the following organizations put forth a code of ethics designed primarily for infosec professionals who have earned their cetifications? the code includes the canon: provide diligent and competent service to principals
(ISC)2
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)^2
Script kiddie
A hacker of limited skill who uses expertly written software to attack a system
What are the four elements that an EISP document should include?
- An overview of the corporate philosophy on security - Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role - Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors) - Fully articulated responsibilities for security that are unique to each role within the organization
What are the included tasks in the identification of risks?
- Creating an inventory of information assets - Classifying and organizing those assets meaningfully - Assigning a value to each information asset - Identifying threats to the cataloged assets - Pinpointing vulnerable assets by tying specific threats to specific assets
What should an effective ISSP accomplish?
- It articulates the organization's expectations about how its technology-based system should be used. - It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control. - It indemnifies the organization against liability for an employee's inappropriate or illegal use of the system.
Information Security Roles and Titles
-Chief Information Security Officer (CISO) or Chief Security Officer (CSO) - Security managers - Security administrators and analysts - Security technicians - Security staffers and watchstanders - Security consultants - Security officers and investigators - Help desk personnel
4 steps FDIC: SLA
-Determining objectives - Defining requirements - Setting measurements - Establishing accountability
List the major components of the ISSP.
-Statement of Purpose -Authorized Uses -Prohibited Uses -Systems Management -Violations of Policy -Policy Review and Modification -Limitations of Liability
professional hacker
A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government
Information security governance yields significant benefits. List five.
1. An increase in share value for organizations 2. Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels 3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care 4. Optimization of the allocation of limited security resources 5. Assurance of effective information security policy and policy compliance 6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response 7. A level of assurance that critical decisions are not based on faulty information 8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.
Briefly describe five different types of laws.
1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
Cracker
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use
12 category of threat
1. compromises to intellectual property 2. Deviations in quality of service 3.Espionage or Trespass 4.Forces of Nature 5.Human Error or Failure 6.Information Extortion 7.Sabotage or Vandalism 8. Software Attacks 9. Technical Hardware Failures 10. Technical Software Failure 11.Technological obsolenscence 12. Theft
Phreaker
A hacker who manipulates the public telephone system to make free calls or disrupt services
Expert hacker
A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information
Brownout
A long-term decrease in electrical power availability
Surge
A long-term increase in electrical power availability
an industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character
10.4 password rule
Medium sized organizations tend to spend approximately __________ percent of the total IT budget on security.
11
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____ characters in Internet Explorer 4.0, the browser will crash.
256
Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
5
Service level agreement
A document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime
A content filter
A network filter that allows administrators to restrict access to external content from within a network is known as a _____.
Threat agent
A person or other entity that may cause a loss in an asset's value
Hacker
A person who accesses systems and information without authorization and often illegally
Threat
A potential risk of an asset's loss of value
Vulnerability
A potential weakness in an asset or its defensive control system
Novice Hacker
A relatively unskilled hacker who uses the work of expert hackers to perform attacks
Packet Monkey
A script kiddie who uses automated exploits to engage in denial-of-service attacks
Sag
A short-term decrease in electrical power availability
Spike
A short-term increase in electrical power availability, also known as a swell
Fault
A short-term interruption in electrical power availability
Database security
A subset of information security that focuses on the assessment and protection of information stored in repositories
Rainbow Table
A table of has values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file
dictionary password attack
A variation of the brute force password attack that attempts to narrow the possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information
Exploit
A vulnerability that can be used to cause a loss to an asset
Issue-specific information security policies (ISSP)
An Issue-specific security policy (ISSP) is - An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies • An issue-specific security policy (ISSP) is designed to regulate the use of some technology or resource issue within the organization • In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use • The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource Every organization's ISSPs should: - Address specific technology-based systems - Require frequent updates - Contain an issue statement on the organization's position on an issue
Help Desk Personnel
An important part of the information security team is the help desk, which enhances the security team's ability to identify potential problems • When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, denial-ofservice attack, or a virus • Because help desk technicians perform a specialized role in information security, they have a need for specialized training
10.3 password rule
An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.
Accidental
Which of the following is a responsibility of the crisis management team?
Activating the alert roster
"4-1-9" is one form of a(n) __________ fraud.
Advance-fee fraud
a form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
Advance-fee fraud (AFF)
malware intended to provided undesired marketing and advertising, including popups and banners on a user's screen.
Adware
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.
Affidavit
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records.
The management of human resources must address many complicating factors; which of the following is NOT among them?
All workers operate at approximately the same level of efficiency
Why is policy so important?
Among other reasons, policy may be one of the very few controls or safeguards protecting certain information. Also, properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Policy also serves to protect both the employee and the organization from inefficiency and ambiguity.
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law.
Breach
a long-term decrease in electrical power availability.
Brownout
an attempt to guess a password by attempting every possible combination of characters and numbers in it.
Brute force password attack
an application error that occurs when more data is sent to a program buffer than it is designed to handle.
Buffer overrun (or buffer overflow)
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
Threat Assessment
Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment • Any organization typically faces a wide variety of threats; if you assume that every threat can and will attack every information asset, then the project scope becomes too complex • To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end
Risk Assessment
Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment • Risk assessment assigns a risk rating or score to each specific vulnerability • While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process
_____ is a respected professional society founded in 1947 as "the world's first educational and scientific computing society."
Association of Computing Machinery (ACM)
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Attack
cracking
Attempting to reverse-engineer, remove, or bypass password or other access control protection, such as copyright protection software.
an interruption of service, usually from a service provider, which causes an adverse event within an organization.
Availability disruption
Which of the following is NOT a threat to information security systems?
Availibility
If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site.
BCP BC plan business continuity plan
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
Back door
a malware payload that provides access to a system by bypassing normal access controls.
Back door
Risk Appetite
Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept • The amount of risk that remains after all current controls are implemented is residual risk • The organization may very well reach this point in the risk management process, examine the documented residual risk, simply state, "Yes, we can live with that," and then document everything for the next risk management review cycle • What is difficult is the process of formalizing exactly what the organization "can live with"; this process is the heart of risk appetite
Alternatives to Feasibility Analysis
Benchmarking • Due care and due diligence • Best business practices • Gold standard • Government recommendations and best practices • Baseline
a long-term interruption (outrage) in electrical power availability.
Blackout
also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
Boot virus
an abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie.
Bot
Assessing Risk
Estimating risk is not an exact science; thus some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation • The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list
Defines socially acceptable behaviors.
Ethics
The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
Event driven
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.
Evidentiary material
Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.
Examples
a hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.
Expert hacker
a technique used to compromise a system
Exploit
In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
F
In most organizations, the COO is responsible for creating the IR plan
F
The authorization process takes place before the authentication process.
F
The first step in solving problems is to gather facts and make assumptions.
F
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses
F
Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster
F
When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
F
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. TRUE OR FALSE
FALSE
What is one of the most frequently cited failures in project management?
Failure to meet project deadlines
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.
False
Access control lists regulate who, what, when, where, and why authorized users can access a system.
False
All traffic exiting from the trusted network should be filtered.
False
Because it sets out general business intentions, a mission statement does not need to be concise.
False
Because most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered because it makes the process too complex. a. True b. False
False
Corruption of information can occur only while information is being stored.
False
Ethics carry the sanction of a governing authority.
False
Having an established risk management program means that an organization's assets are completely protected.
False
ISACA is a professional association with a focus on authorization, control, and security. ___________
False
Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions?
Fear of penalty—Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.Probability of being caught—There must be a strong possibility that perpetrators of illegal or unethical acts will be caught. Probability of penalty being administered—The organization must be willing and able to impose the penalty.
What is necessary for a top-down approach to the implementation of InfoSec to succeed?
For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.
Which of the following is NOT a knowledge area in the Project Management knowledge body?
Technology
Guidelines for Effective Policy
For policies to be effective, they must be properly: 1. Developed using industry-accepted practices, and formally approved by management 2. Distributed using all appropriate methods 3. Read by all employees 4. Understood by all employees 5. Formally agreed to by act or affirmation 6. Uniformly applied and enforced
List the significant guidelines used in the formulation of effective information security policy.
For policies to be effective, they must be properly: 1. Developed using industry-accepted practices 2. Distributed or disseminated using all appropriate methods 3. Reviewed or read by all employees 4. Understood by all employees 5. Formally agreed to by act or assertion 6. Uniformly applied and enforced
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons?
For political advantage
The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons?
For purposes of commercial advantage For private financial gain In furtherance of a criminal act
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is one of those reasons?
For purposes of commercial advantage; For private financial gain; In furtherance of a criminal act
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.
Forensics
The law that provides any person with the right to request access to federal agency records is the _____.
Freedom of Information Act
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?
IP address
In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________.
IT, CISO, CIO
Contrast the vision statement with the mission statement.
If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.
The three general categories of unethical behavior that organizations and society should seek to eliminate
Ignorance, accident, and intent
the unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Privilege escalation
ISO 27014:2013 is the ISO 27000 series standard for ________________.
Governance of Information Security
ISO 27014:2013 is the ISO 27000 series standard for:
Governance of Information Security
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
One form of online vandalism is ____ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist
One form of online vandalism is __________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist/Cyberactivist
a hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist/Cyberactivist
Which of the following is an example of a Trojan horse program?
Happy99.exe
Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
Health Information Technology for Economic and Clinical Health Act
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____.
Hoaxes
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _______________.
Hoaxes
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSect planning
Discuss the three general categories of unethical behavior that organizations should try to control.
Ignorance:Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance. Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?
Implementation
Review Schedule
In a changing environment, policies can retain their effectiveness only if they are periodically reviewed for currency and accuracy, and modified to keep them updated • Any policy document should contain a properly organized schedule of reviews • Generally, a policy should be reviewed at least annually
Security in Small Organizations
In a small organization, InfoSec often becomes the responsibility of a jack-of-all-trades, a single security administrator with perhaps one or two assistants for managing the technical components • It is not uncommon in smaller organizations to have the systems or network administrators play these many roles • Because resources are often limited in smaller organizations, the security administrator frequently turns to freeware or open source software to lower the costs of assessing and implementing security • In small organizations, security training and awareness is most commonly conducted on a one-on-one basis, with the security administrator providing advice to users as needed Some feel that small organizations, to their advantage, avoid some threats precisely because of their small size • Threats from insiders are also less likely in an environment where every employee knows every other employee • In general, the less anonymity an employee has, the less likely he or she feels able to get away with abuse or misuse of company assets • Smaller organizations typically have either one individual who has full-time duties in InfoSec or, more likely, one individual who manages or conducts InfoSec duties in addition to those of other functional areas, most likely IT, possibly with one or two assistants
Policy and Revision Date
In some organizations, policies are drafted and published without a date, leaving users of the policy unaware of its age or status • This practice can create problems, including legal ones, if employees are complying with an out-of-date policy • Ideally, the policy document should include its date of origin, along with the dates, if any, of revisions • Some policies may need a "sunset clause," particularly if they govern information use for a short-term association with second-party businesses or agencies
Implementation Phase
In the implementation phase, the team must create a plan to distribute and verify the distribution of the policies • Members of the organization must explicitly acknowledge that they have received and read the policy (compliance) • The simplest way to document acknowledgment of a written policy is to attach a cover sheet that states "I have received, read, understood, and agreed to this policy" - The employee's signature and date provide a paper trail of his or her receipt of the policy
Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident
Incident classification
contingency planning
Incident response Disaster recovery Business continuity
a person who accesses systems and information without authorization and often illegally.
hacker
According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
Inculcate a culture that recognizes the criticality of information and InfoSec to the organization Verify that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment Assure that a comprehensive InfoSec program is developed and implemented Demand reports from the various layers of management on the InfoSec program's effectiveness and adequacy
the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.
Industrial espionage
What strategic role do the InfoSec and IT communities play in risk management? Explain.
InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk. IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.
data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
Information
the focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
Information asset
Blackmail threat of informational disclosure is an example of which threat category?
Information extortion
the act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
Information extortion
This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.
InfraGard
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
Describe what happens during each phase of the IDEAL General governance framework.
Initiating - Lay the groundwork for a successful improvement effort. Diagnosing - Determine where you are relative to where you want to be. Establishing - Plan the specifics of how you will reach your destination. Acting - Do the work according to the plan. Learning - Learn from the experience and improve your ability to adopt new improvements in the future.
a class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
Integer bug
Which of the following is a C.I.A. characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?
Integrity
the creation, ownership, and control of original ideas as well as the representation of those ideas.
Intellectual property(IP)
Which of the following is NOT used to categorize some types of law?
International
A detailed outline of the scope of the policy development project is created during which phase of the SDLC?
Investigation
The _________ phase of the secSDLC begins with a directive from upper management specifying the process, outcomes, and goals of a project as well as its budget and other constraints.
Investigation
What is the first phase of the SecSDLC?
Investigation
Which phase of the SDLC should get support from senior management?
Investigation
Which phase of the SDLC should see clear articulation of goals?
Investigation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource
Issue-Specific Security Policy
A(n) _____ addresses specific areas of technology, requires frequent updates, and contains a statement on the organization's position on a specific issue.
Issue-specific Security Policy (ISSP)
Which of the following is true about a hot site?
It duplicates computing resources, peripherals, phone systems, applications, and workstations.
According to Wood, which of the following are reasons the InfoSec department should report directly to top management?
It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole
A well-defined risk appetite should have the following characteristics EXCEPT:
It is not limited by stakeholder expectations.
escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones). See also Rooting.
Jailbreaking
Any court can impose its authority over an individual or organization if it can establish which of the following?
Jurisdiction
Policy Administrator
Just as information systems and InfoSec projects must have a champion and a manager, so must policies • The policy champion position combined with the manager position is called the policy administrator • Typically, this person is a mid-level staff member who is responsible for the creation, revision, distribution, and storage of the policy
The __________ phase of the SecSDLC has team members create and develop the blueprint for security and develop critical contingency plans for incident response.
Justification
Policy Development and Implementation Using the SecSDLC
Like any major project, a policy development or redevelopment project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget • One way to accomplish this goal is to use a systems development life cycle (SDLC)
Likelihood
Likelihood is the overall rating - a numerical value on a defined scale - of the probability that a specific vulnerability will be exploited • Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1- 100, low-med-high, etc. • Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating—and use it consistently • Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances
the overall rating of the probability that a specific vulnerability will be exploited or attacked.
Liklihood
Which of the following is an attribute of a network device built into the network interface?
MAC address
a type of virus written in a specific macro language to target applications that use the language.
Macro virus
an attack designed to overwhelm the receiver with excessive quantities of email.
Mail bomb
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
Managerial controls
Information Aggregation
Many organizations collect, swap, and sell personal information as a commodity
the average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
Mean time between failure (MTBF)
the average amount of time a computer technician needs to determine the cause of a failure.
Mean time to diagnose (MTTD)
the average amount of time until the next hardware failure.
Mean time to failure (MTTF)
the average amount of time a computer technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Mean time to repair (MTTR)
Intellectual property
The creation, ownership and control of original ideas as well as the representation of those ideas
Describe the foundations and frameworks of ethics.
Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act?Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right? Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right? Applied ethics—An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice. Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.
___________are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan Horses
What does it mean to "know the enemy" with respect to risk management?
Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu's second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.
What is the values statement and what is its importance to an organization?
One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
Classifying and Categorizing Information Assets
Once the initial inventory is assembled, determine whether its asset categories are meaningful to the risk managementprogram • Inventory should also reflect sensitivity and security priority assigned to each information asset • A data classification scheme categorizes these information assets based on their sensitivity and security needs • Each of these categories designates the level of protection needed for a particular information asset • Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type • Classification categories must be comprehensive and mutually exclusive
a form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information.
Pretexting
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
Malice
computer software specifically designed to perform malicious or unwanted actions.
Malware
In the ______________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
a group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.
Man-in-the-Middle
All network devices are assigned a unique number by the hardware at the network interface layer called the _____.
Media Access Control (MAC) address
Security in Medium-Sized Organizations
Medium-sized organizations may still be large enough to implement the multi-tiered approach to security described for large organizations, though perhaps with fewer dedicated groups and more functions assigned to each group • In a medium-sized organization, more of the functional areas are assigned to other departments within IT but outside the InfoSec department, especially the central authentication function • The medium-sized organization only have one full-time security person, with perhaps three individuals with part-time InfoSec responsibilities
a virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
Memory-resident virus
the presence of additional and disruptive signals in network communications or electrical power delivery.
Noise
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective is known as a ____________.
Methodology
Microsoft Risk Management Approach
Microsoft Corp. also promotes a risk management approach • Four phases in the MS InfoSec risk management process: - Assessing risk - Conducting decision support - Implementing controls - Measuring program effectiveness
A statement explicitly declaring the business of the organization and its intended areas of operations is a ____________.
Mission statement
The EISP must directly support the organization's __________.
Mission statement
Which of the following explicitly declares the business of the organization and its intended areas of operations?
Mission statement
a virus that terminates after it has been activated, infected its host system, and replicated itself.
Non-memory-resident virus
The study of what makes actions right or wrong, also known as moral theory.
Normative ethics
Ethics
Principles/codes that define acceptable behavior
There are generally two skill levels among hackers: expert and ____
Novice
a relatively unskilled hacker who uses the work of expert hackers to perform attacks.
Novice hacker
Security Officers and Investigators
Occasionally, the physical security and InfoSec programs are blended into a single, converged functional unit • When that occurs, several roles are added to the pure IT security program, including physical security officers and investigators • Sometimes referred to as the guards, gates, and guns (GGG) aspect of security, these roles are often closely related to law enforcement and may rely on employing persons trained in law enforcement and/or criminal justice
Security Awareness
One of the least frequently implemented, but most effective security methods is the security awareness program • Security awareness programs: - set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure - remind users of the procedures to be followed When developing an awareness program: - Focus on people - Refrain from using technical jargon - Use every available venue - Define learning objectives, state them clearly, and provide sufficient detail and coverage - Keep things light - Don't overload the users - Help users understand their roles in InfoSec - Take advantage of in-house communications media - Make the awareness program formal; plan and document all actions. - Provide good information early, rather than perfect information late.
The type of planning that is used to organize the ongoing, day-to-day performance of tasks is ____________?
Operational
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
Operational
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
Common law, case law, and precedent
Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board
Statutory law
Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes
Regulatory or administrative law
Originates from an executive branch or authorized regulatory agency, and includes executive orders and regulations
Annualized Loss Expectancy(ALE)
Overall loss potential per risk
Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?
PERT
____ is an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure of an organization
PKI
a script kiddie who uses automated exploits to engage in denial-of-service attacks.
Packet monkey
a software program or hardware appliance that can intercept, copy, and interpret network traffic.
Packet sniffer
an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
Penetration tester
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
People
the redirection of legitimate Web to illegitimate Web sites with the intent to collect personal information.
Pharming
a form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
Phishing
a hacker who manipulates the public telephone system to make free calls or disrupt services.
Phreaker
_________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
Physical
resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states
Physical
Specialized areas of security
Physical security Operations security Communications security Cyber (or computer)security Network security
Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
Private
What is the role of planning in InfoSec management? What are the factors that affect planning?
Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholder. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.
_____ direct how issues should be addressed and technologies used.
Policies
A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?
Policies must be: Effectively written Distributed to all individuals who are expected to comply with them Read by all employees Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced, with no special treatment for any group (e.g., executives)
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Policy Review and Modification
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
Policy administrator
malware that over time changes the way it appears to antivirus programs, making it undetectable by techniques that look for preconfigured signatures.
Polymorphic threat
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.
Portable
a hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.
Professional hacker
Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?
Project Management Body of Knowledge (PMBoK)
Which of the following is NOT a primary function of Information Security Management?
Projects
Information security is needed to:
Protect the ability to function, protect data and information, enable operations of applications, and safeguarding the organization's IT assets
Which of the following functions does information security perform for an organization?
Protecting the organization's ability to function; Enabling the safe operation of applications implemented on the organization's IT systems; Protecting the data the organization collects and uses
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public law
7 steps to Implement Training
Step 1: Identify program scope, goals, and objectives Step 2: Identify training staff Step 3: Identify target audiences Step 4: Motivate management and employees Step 5: Administer the program Step 6: Maintain the program Step 7: Evaluate the program
Solving Problems
Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare Possible Solutions (Feasibility analyses) Step 5: Select, Implement, and Evaluate a solution
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
Strategic
Which of the following is true about planning?
Strategic plans are used to create tactical plans
Termination
Removing or discontinuing the information asset from the organization's operating environment Like acceptance, the termination risk management strategy is based on the organization's need or choice not to protect an asset; - Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk • The cost of protecting an asset may outweigh its value, or, it may be too difficult or expensive to protect an asset, compared to the value or advantage that asset offers the company • In either case, termination must be a conscious business decision, not simply the abandonment of an asset, which would technically qualify as acceptance
Which of the following is compensation for a wrong committed by an individual or organization?
Restitution
Risk identification is performed within a larger process of identifying and justifying risk controls, which is called ____.
Risk Management
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment
For the purposes of relative risk assessment, how is risk calculated?
Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already controlled, plus an element of uncertainty.
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.
Risk management policy
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.
Risk ranking worksheet
escalating privileges to gain administrator-level control over a computer system (including smartphones).
Rooting
The ____ data file contains the hashed representation of the user's password.
SAM
Technology services are usually arranged with an agreement defining minimum service levels known as an
SLA
Web hosting services are usually arranged with an agreement providing minimum service levels known as a(n) ____.
SLA
_____ is an excellent reference for security managers involved in the routine management of information security.
SP 800-12, An Introduction to Computer Security: The NIST Handbook
a short-term decrease in electrical power availability.
Sag
____ are software programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan horses
a document or part of a document that specifies the expected level of service from a service provider.
Service Level Agreement (SLA)
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs, and training
a malware program that hides its true nature and reveals its designed behavior only when activated.
Trojan horses
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization in this case, the information assets used in a particular organization is known as a(n)_______________.
Stakeholder
_____ are detailed statements of what must be done to comply with policy.
Standards
The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles?
Standards, guidelines, and associated methods and techniques for computer systems Uniform standards and guidelines for most federal computer systems Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
Systems-specific policies (SysSPs)
Systems-Specific Security Policies (SysSPs) sometimes have a different look and may seem more like procedures to some readers • They may often function as standards or procedures to be used when configuring or maintaining systems • SysSPs can be separated into: - Managerial guidance - Technical specifications Or combined in a single unified SysSP document
Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?
RM Framework
Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?
RM process
What is the system most often used to authenticate the credentials of users who are trying to access an organization's network via a dial-up connection?
Radius
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________ which can be indexed and quickly searched using the hash value allowing the corresponding plaintext password to be determined.
Rainbow table
a table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
Rainbow table
computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.
Ransomware
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology.
Reading level
Which of the following is the first step in the problem-solving process?
Recognize and define the problem
Mitigation
Reducing the impact to information assets should an attacker successfully exploit a vulnerability The mitigation risk control strategy is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by a realized incident or disaster • This approach includes three types of plans: - Disaster recovery (DR) plan - Incident response (IR) plan - Business continuity (BC) plan • Mitigation depends upon the ability to detect and respond to an attack as quickly as possible
a hacker of limited skill who use expertly written software to attack a system.
Script kiddie
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.
Search warrent
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
Security manager
Security Managers
Security managers are accountable for the day-to-day operations of the InfoSec program • They accomplish objectives identified by the CISO, to whom they and they resolve issues identified by technicians, administrators, analysts, or staffers whom they supervise • Managing security requires an understanding of technology but not necessarily technical mastery
Security Staffers and Watchstanders
Security staffer is a catchall title that applies to those who perform routine watchstanding or administrative activities • The term "watchstander" includes the people who watch intrusion consoles, monitor e-mail accounts, and perform other routine yet critical roles that support the mission of the InfoSec department • Security watchstanders are often entry-level InfoSec professionals responsible for monitoring some aspect of the organization's security posture, whether technical or managerial • In this position, new InfoSec professionals have the opportunity to learn more about the organization's InfoSec program before becoming critical components of its administration
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
Security technician
Security Technician
Security technicians are the technically qualified individuals who configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented • A security technician is usually an entry-level position, but one that requires strong technical skills, which can make this job challenging for those who are new to the field, given that it is difficult to get the job without experience and yet experience comes with the job • Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general organizational issues of InfoSec as well as all technical areas
Security Training
Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely • Management can either develop customized training or outsource all or part of the training program • There are two methods for customizing training for users by functional background or skill level - Functional background: • General user • Managerial user • Technical user - Skill level: • Novice • Intermediate • Advanced
A project can have more than one critical path.
T
The ____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
TCP
a form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
TCP hijacking
Deterrence is the best method for preventing an illegal or unethical activity.
True
Transference
Shifting risks to other areas or to outside entities The transference risk control strategy attempts to shift risk to another entity • This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers • When an organization does not have adequate security management and administration experience, it should hire individuals or firms that provide expertise in those areas (outsourcing)
the direct, covert observation of individual information or system use.
Shoulder surfing
"4-1-9" fraud is an example of a ____ attack.
Social engineering
the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
Social engineering
the unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
Software piracy
Security Education
Some organizations may have employees within the InfoSec department who are not prepared by their background or experience for the InfoSec roles they are supposed to perform • When tactical circumstances allow and/or strategic imperatives dictate, these employees may be encouraged to use a formal education method • Local and regional resources might also provide information and services in educational areas
undesired e-mail, typically commercial advertising transmitted in bulk.
Spam
a highly targeted phishing attack.
Spear phishing
a short-term increase in electrical power availability, also known as a swell
Spike
a technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
Spoofing
____ is any technology that aids in gathering information about a person or organization without their knowledge.
Spyware
In which level of planning are budgeting, resource allocation, and manpower critical components?
Tactical
How does tactical planning differ from strategic planning?
Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.
Which of the following is a part of an information security program?
Technologies used by an organization to manage the risks to its information assets; activities used by an organization to manage the risks to its information assets; personnel used by an organization to manage the risks to its information assets
a long-term increase in electrical power availability.
Surge
What is a SysSP and what is one likely to include?
SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user.
Technical Specifications SysSPs
System administrators directions on implementing managerial policy • Each type of equipment has its own type of policies • There are two general methods of implementing such technical controls: - access control lists - configuration rules
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
System testing
_____ are frequently codified as standards and procedures to be used when configuring or maintaining systems.
System-specific security policies (SysSP)
A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________.
Systems Development Life Cycle(SDLC)
The responsibilities of users and systems administrators with regard to systems administration duties should be specified in the ____________________ section of the ISSP.
Systems Management
Privilege escalation
Th unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources
Analysis Phase
The Analysis phase should include the following activities: - A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization - The gathering of key reference materials—including any existing policies
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system?
The Computer Security Act
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
The Electronic Communications Privacy Act of 1986
FAIR Approach
The Factor Analysis of Information Risk (FAIR) framework includes: - A taxonomy for information risk - Standard nomenclature for information risk terms - A framework for establishing data collection criteria - Measurement scales for risk factors - A computational engine for calculating risk - A modeling construct for analyzing complex risk scenarios Basic FAIR analysis is comprised of ten steps in four stages: Stage 1 - Identify scenario components: 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate Loss Event Frequency (LEF): 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate Probable Loss Magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4—Derive and articulate Risk 10. Derive and articulate Risk • Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
ISO 27005 Standard for InfoSec Risk Management
The ISO 27000 series includes a standard for the performance of Risk Management, ISO 27005 (http://www.27000.org/iso-27005.htm) • The 27005 document includes five-stage a risk management methodology: 1. Risk Assessment 2. Risk Treatment 3. Risk Acceptance 4. Risk Communication 5. Risk Monitoring and Review
Security Consultants
The InfoSec consultant is typically an independent expert in some aspect of InfoSec • He or she is usually brought in when the organization makes the decision to outsource one or more aspects of its security program • While it is usually preferable to involve a formal security services company, qualified individual consultants are available for hire
Cost Benefit Analysis (CBA)
The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility • Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised • This decision-making process is called a cost benefit analysis or an economic feasibility study
Shoulder surfing
The direct, covert observation of individual information or system use
The OCTAVE Methods
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation • By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets • The operational or business units and the IT department work together to address the information security needs of the organization There are three variations of the OCTAVE Method: - The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, and which was designed for larger organizations (300 or more users) - OCTAVE-S, for smaller organizations of about 100 users - OCTAVE-Allegro, a streamlined approach for information security assessment and assurance
Risk Identification
The Risk Management project should be well organized and funded, with a clear champion, a statement of work, and all needed support. • Risk identification begins with the process of self-examination • Managers: - Identify the organization's information assets - Classify and categorize them into useful groups - Prioritize them by overall importance
Implementing Security Education, Training, and Awareness Programs
The SETA program is designed to reduce accidental security breaches by members of the organization • SETA programs offer three major benefits: - They can improve employee behavior - They can inform members of the organization about where to report violations of policy - They enable the organization to hold employees accountable for their actions • The purpose of SETA is to enhance security: - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources Management of Info
List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
The advantages of the modular ISSP policy are: - Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches - Well controlled by centrally managed procedures, assuring complete topic coverage - Clear assignment to a responsible department Written by those with superior subject matter expertise for technology-specific systems The disadvantages of the modular ISSP policy are: - May be more expensive than other alternatives - Implementation can be difficult to manage
Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
The chief information security officer (CISO), or in some cases, the CSO, is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information • The senior executive responsible for security may also be called the director of security, senior security manager, or some similar title • The CISO usually reports directly to the CIO, although in larger organizations one or more additional layers of management may separate the two officers
Competitive intelligence
The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage
industrial espionage
The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage
unauthorized entry into the real or virtual property of another party.
Trespass
What is the final component of the design and implementation of effective policies? Describe this component.
The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.
Prioritizing (Rank Ordering) Information Assets
The final step in the risk identification process is to prioritize, or rank order, the assets • This goal can be achieved by using a weighted table analysis
Design Phase
The first task in the design phase is the drafting of the actual policy document • While this task can be done by a committee, it is most commonly done by a single author - There are a number of references and resources available on the Web, through professional literature and from peers and consultants • Next, the development team or committee reviews the work of the primary author and makes recommendations about its revision • Once the committee approves the document, it goes to the approving manager or executive for sign-off
How should the initial inventory be used when classifying and categorizing assets?
The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.
What is a key difference between law and ethics?
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following?
The number of people and other resources needed for each task
Uptime
The percentage of time a particular service is available; the opposite of downtime
Downtime
The percentage of time a particular service is not available
Investigation Phase
The policy development team should attain: - Support from senior management, - Support and active involvement of IT management, specifically the CIO - Clear articulation of goals - Participation of the correct individuals from the communities of interest affected by the policies • Be composed from Legal, Human Resources and end-users • Assign a project champion with sufficient stature and prestige • Acquire a capable project manager - A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project
Noise
The presence of additional and disruptive signals in network communications or electrical power delivery
Annual Rate of Occurence(ARO)
The probability of the specific attack per year
Identification and Prioritization of Information Assets
The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements • This step should be done without pre-judging the value of each asset; values will be assigned later in the process
Security Administrators and Analysts
The security administrator is a hybrid of a security technician and a security manager, with both technical knowledge and managerial skill • The security analyst is a specialized security administrator that, in addition to performing security administration duties, must analyze and design security solutions within a specific domain • Security analysts must be able to identify users' needs and understand the technological complexities and capabilities of the security systems they design
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:
The threat environment—threats, known vulnerabilities, attack vectors
software piracy
The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property
the illegal taking of another's property, which can be physical, electronic, or intellectual.
Theft
Project Management Tools
There are many tools that support the management of the diverse resources in complex projects - Most project managers combine software tools that implement one or more of the dominant modeling approaches • Projectitis occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work prjectlibre libreplan openproject project-open redmine agilefant
Describe the use of an IP address when deciding which attributes to track for each information asset.
This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________
Threat
The process of examining how each threat will affect an organization is called a(n) _____.
Threat assessment
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
PMBoK Knowledge Areas
To apply project management to InfoSec, you must first identify an established project management methodology • While other project management approaches exist, the PMBoK, promoted by the Project Management Institute (PMI) is considered the industry best practice
How should a policy administrator facilitate policy reviews?
To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation. Recommendation methods could include e-mail, office mail, or an anonymous drop box.
___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
Tort law
Acts of ____ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
Trespass
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
People of differing nationalities profess varying points of view on the ethical practices with the use of information technology.
True
Policies must specify penalties for unacceptable behavior and define an appeals process.
True
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. a. True b. False
True
The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies
True
The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
The commonly used name for an intermediate area between a trusted network and an untrusted network is the DMZ.
True
The cornerstone of many current federal computer-related criminal laws is the Computer Fraud and Abuse Act of 1986.
True
The purpose of a weighted factor analysis is to list assets in order of their importance to the organization.
True
Specifications of authorization that govern the rights and privileges of users to a particular information asset.
h. access control lists
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
Which law extends protection to intellectual property, which includes words published in electronic formats? a. Security and Freedom through Encryption Act b. Freedom of Information Act c. U.S. Copyright Law d. Sarbanes-Oxley Act
U.S. Copyright Law
which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright law
Trespass
Unauthorized entry into the real or virtual property of another party
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.
Uncertainty
Acceptance
Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control The acceptance risk control strategy is the decision to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation • It may or may not be a conscious business decision. • Unconscious acceptance of risk is not a valid approach to risk control • An organization that decides on acceptance as a strategy for every identified risk of loss may in fact be unable to conduct proactive security activities and may have an apathetic approach to security in general
the percentage of time a particular service is available; the opposite of downtime.
Uptime
Which of the following is an advantage of the user support group form of training?
Usually conducted in an informal social setting
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?
Violations of Policy
a type of malware that is attached to other executable programs.
Virus
a message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
Virus hoax
a potential weakness in an asset or its defensive control system(s).
Vulnerability
In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?
Waterfall
It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?
What other activities require the same resources as this activity?
Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.
All of the following are rules of thumb for selecting a risk treatment strategy EXCEPT:
When the likelihood of an attack is high and the impact is great, outsource security efforts so that any resulting loss is fiscally someone else's responsibility.
a type of malware that is capable of activation and replication without being attached to an existing program.
Worm
Which statement defines the differences between a computer virus and a computer worm?
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate
____ are machines that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
Zombies
authentication
____ is the process of validating a supplicant's purported identity.
Enterprise information security policy(EISP)
a general security policy
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
h. qualitative assessment
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? a. Policy Review and Modification b. Limitations of Liability c. Systems Management d. Statement of Purpose
a. Policy Review and Modification
Specifies the subjects and objects that users or groups can access.
a. capability table
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
a. risk management
4. A useful tool for resolving the issue of what business function is the most critical, based on criteria selected by the organization, is the __________. a. weighted table analysis or weighted factor analysis b. threats-vulnerability-assets worksheet or TVA c. business impact assessment or BIA d. critical patch method assessment or CPMA
a. weighted table analysis or weighted factor analysis
The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
acceptance
The method by which systems determine whether and how to admit a user into a trusted area of the organization is known as _____.
access control
_______________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
access control lists
____________________ include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
access control lists
What are the two general approaches for controlling user authorization for the use of a technology?
access control lists and capability tables
What are the two general methods for implementing technical controls?
access control lists and configuration rules
What do audit logs that track user activity on an information system provide?
accountability
Footprinting
activities that gather information about the organization and its network activities and assets.
The policy champion and manager is called the policy ____________________.
administrator
When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.
after action review
Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.
aggregation
is a document containing contact information of the individuals to notify in the event of an actual incident.
alert roster
Brute force password attack
an attempt to guess a password by attempting every possible combination of characters and numbers in it
Contract employees—or simply contractors—should not be allowed to do what? a. Work on the premises. b. Wander freely in and out of facilities. c. Visit the facility without an escort. d. Be compensated based on hourly rates.
b. Wander freely in and out of facilities.
A gathering of key reference materials is performed during which phase of the SDLC? a. implementation b. analysis c. design d. investigation
b. analysis
Which of the following is NOT a task that must be performed if an employee is terminated? a. former employee must return all media b. former employee's home computer must be audited c. former employee's office computer must be secured d. former employee should be escorted from the premises
b. former employee's home computer must be audited
An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
b. risk assessment
A clear declaration that outlines the scope and applicability of a policy
b. statement of purpose
_____is the analysis of measures against established standards.
baselining
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law a. compromise b. spill c. notification d. breach
breach
a more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. This is commonly known as a __________ law.
breach
A ____________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.
buffer
overflow is an application error that occurs when the system can't handle the amount of data that is sent.
buffer
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
bull's-eye model
In the event of an incident or disaster, which team sets up and starts off-site operations?
business continuity
When a disaster renders the current business location unusable, which plan is put into action?
business continuity
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the ____________ while offering opportunities to lower costs.
business mission
The purpose of SETA is to enhance security in all but which of the following ways?
by adding barriers
Which of the following is NOT one of the basic rules that must be followed when developing a policy? a. policy should never conflict with law b. policy must be able to stand up in court if challenged c. policy should be focused on protecting the organization from public embarrassment d. policy must be properly supported and administered
c
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? a. on-target model b. Wood's model c. bull's-eye model d. Bergeron and Berube model
c
Which of the following should be included in an InfoSec governance program? a) All of these are components of the InfoSec governance program b) An InfoSec project management assessment c) An InfoSec risk management methodology d) An InfoSec maintenance methodology
c) An InfoSec risk management methodology
When issues are addressed by moving from the general to the specific, always starting with policy
c. bull's eye model
Labels that must be comprehensive and mutually exclusive.
c. classification categories
Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________. a. temporary workers b. consultants c. contract employees d. business partners
c. contract employees
Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences c. identify program scope, goals, and objectives d. motivate management and employees
c. identify program scope, goals, and objectives
Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?
c. separation of duties
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access. a. bypass b. theft c. trespass d. security
c. trespass
Which of the following activities is part of the risk evaluation process?
calculating the severity of risks to which assets are exposed in their current setting
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
can suffer from poor policy dissemination, enforcement, and review
Which of the following is a disadvantage of the individual policy organization approach?
can suffer from poor policy enforcement
Which of the following is NOT one of the three general causes of unethical and illegal behavior?
carelessness
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n).
chief information security officer
In which type of site are no computer hardware or peripherals provided?
cold site
which ethical standard is based on the notion that life in community yields a positive outcome for the individual requiring each individual to contribute to that community?
common good
Classification categories must be __________ and mutually exclusive.
comprehensive
components of info sec figure 1.1 *
computer security data security network security
After an incident, but before returning to its normal duties, the CSIRT must do which of the following?
conduct an after-action review
According to the C.I.A. triad, which of the following is the most desirable characteristic for privacy
confidentiality
According to the CIA triad, which of the following is the most desirable characteristic for privacy?
confidentiality
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________.
cost avoidance
a hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use is known as a
cracker
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.
create a subjective ranking based on anticipated recovery costs
Addresses violations harmful to society and is actively enforced and prosecuted by the state.
criminal law
Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project?
critical path
Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
cultural mores
For an organization to manage its InfoSec risk properly, managers should understand how information is __________. a. collected b. processed c. transmitted d. all of these are needed
d
In addition to specifying acceptable and unacceptable behavior, what else must a policy specify? a. appeals process b. legal recourse c. individual responsible for approval d. the penalties for violation of the policy
d
Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP
d
Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP
d. EISP
When an information security team is faced with a new technology, which of the following is NOT a recommended approach? a. Determine if the benefits of the proposed technology justify the expected costs. b. Include costs for any additional risk control requirements that are mandated by the new technology. c. Consider how the proposed solution will affect the organization's risk exposure. d. Evaluate how the new technology will enhance employee skills.
d. Evaluate how the new technology will enhance employee skills.
. Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a. Identify b. Detect c. Recover d. React
d. React
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
d. SysSP
What is the final step in the risk identification process? a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets d. ranking assets in order of importance
d. ranking assets in order of importance
Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization d. resource intensive, to the point of being inefficient
d. resource intensive, to the point of being inefficient
The recognition, enumeration, and documentation of risks to an organization's information assets.
d. risk identification
Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar d. same certification and accreditation agency or standard
d. same certification and accreditation agency or standard
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring
due diligence
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
due diligence
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is ensuring?
due dilligence
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.
e-discovery
a process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as __________
e-discovery
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
e. field change order
The bulk batch-transfer of data to an off-site facility is known as
electronic vaulting
A(n) ____________________, which is usually presented on a screen to the user during software installation, spells out fair and responsible use of the software being installed.
end user license agreement EULA
The evaluation and reaction to risk to the entire organization is known as __________.
enterprise risk management (ERM)
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.
ethics
compromises to intellectual property
ex Piracy, copyright infringement
Human Error or Failure
ex accidents, employee mistakes
Information Extortion
ex blackmail, information disclosure
Sabotage or Vandalism
ex destruction of systems or information
Technical Hardware Failures
ex equipment failure
Forces of Nature
ex fire, floods, earthquakes, lightning
Deviations in quality of service
ex internet service provider(ISP), power, or WAN service problems
technological obsolenscence
ex antiquated or outdated technologies
Technical Software Failure
ex bugs, code problems, unknown loopholes
theft
ex illegal confiscation of equipment or information
Software Attacks
ex viruses, worms, macros, denial of service
__________ is the set of responsibilities and practices exercised by the board and execiutive management with the goal of prvoiding strategic direction ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprises resources are used responsibly
governance
usually a documented way to circumvent controls or take advantage of weaknesses in control systems
exploit
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
f. InfoSec policy
An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
f. threat assessment
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted __________ worksheet.
factor analysis table analysis
Rule-based policies are less specific to the operation of a system than access control lists.
false
Rule-based policies are less specific to the operation of a system than access control lists. (T/F)
false
Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex. (T/F)
false
Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.
false
Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP. (T/F)
false
a short-term interruption in electrical power availability
fault
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity? a. probability of being caught b. probability of being penalized c. fear of penalty d. fear of humiliation
fear of humiliation
To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:
form a committee and approve suggestions from the CISO
Which of the following is a generic model for a security program?
framework
44. Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
full-interruption
The quantity and nature of risk that organizations are willing to accept.
g. risk appetite
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
g. standard
The _____ community of interest must ensure sufficient resources are allocated to the risk management process
general management
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are manages appropriately, and verifying that the enterprise's resources are used responsibly is known as _____________.
governance
Non-mandatory recommendations the employee may use as a reference in complying with a policy are known as
guidelines
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.
identifying relevant items of evidentiary value
in digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with __________
identifying relevant items of evidentiary value
An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.
impact
plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets
incident response
__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.
information asset value weighted table analysis
blackmail threat of informational disclosure is an example of which threat category?
information extortion
Which of the following is a common element of the enterprise information security policy?
information on the structure of the InfoSec organization
Which of the following is an element of the enterprise information security policy?
information on the structure of the InfoSec organization
Which of the following is NOT used to categorize some types of law? a. constitutional b. regulatory c. statutory d. international
international
which of the following is NOT an origin used ot categorize types of law?
international
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC
investigation
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
investigation
The __________ phase of the SecSDLC begins with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints.
investigation
Information Security
is about identifying, measuring and mitigating the risk associated with operating information assets
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:
its personnel structure
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
j. ISSP
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
j. risk rating worksheet
Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
joint application design
Digital forensics can be used for two key purposes: ________ or _________.
to investigate allegations of digital malfeasance; to perform root cause analysis
Digital forensics can be used for two key purposes: ________ or _________. a. to investigate allegations of digital malfeasance; to solicit testimony b. e-discovery; to perform root cause analysis c. to solicit testimony; to perform root cause analysis d. to investigate allegations of digital malfeasance; to perform root cause analysis.
to investigate allegations of digital malfeasance; to perform root cause analysis
The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk __________.
tolerance
Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
traditional waterfall
Acts of __________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to access.
trespass
__________ are malware programs that hide their true nature and reveal their designed behavior only when activated
trojan horses
One of the goals of an issue-specific security policy is to idemnify the organization against liability for an employee's inappropriate or illegal use of the system. (T/F)
true
One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system
true
An estimate made by the manager using good judgment and experience can account for which factor of risk assessment?
uncertainty
Which of the following is NOT among the typical columns in the risk rating worksheet?
uncertainty percentage
The final component of the design and implementation of effective policies is __________.
uniform and impartial enforcement
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
user-specific security policies
Which of the following is NOT among the three types of InfoSex policies based on NIST's Special Publication 800-14?
user-specific security policies
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14
user-specific security policy
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
violation of policy
What is defined as specific avenues that threat agents can exploit to attack an information asset?
vulnerabilities
A potential weakness in an asset or its defensive control system(s) is known as a(n) __________
vulnerability
The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as.
vulnerability assessment
Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical?
weighted analysis tool
_____ is the process of assigning scores for critical factors, each of which is weighted in importance by the organization.
weighted factor analysis
Which of the following is NOT an aspect of access regulated by ACLs?
where the system is located
Which of the following is NOT an aspect of access regulated by ACLS?
why authorized users need access to the system
Which of the following is NOT an aspect of access regulated by ACLs
why authorized users need access to the system
Delivery Methods
• Selection of the training delivery method is not always based on the best outcome for the trainee • Often other factors — budget, scheduling, and needs of the organization — come first - One-on-One - Formal Class - Computer-Based Training (CBT) - Distance Learning/Web Seminars - User Support Group - On-the-Job Training - Self-Study (Noncomputerized)
Automated Tools
• The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and maintenance • Tools like Vigilent Policy Center (VPC) keep policies confidential, behind password-protected intranets, and generate periodic reports indicating which employees have and have not read and acknowledged the policies • Tools such as VPC also make it clear which manager was responsible for the policy, as his or her name is prominently displayed on the policy, along with the date of approval
Review Procedures and Practices
• To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation • Recommendation methods could include e-mail, office mail, or an anonymous drop box • Once the policy has come up for review, all comments should be examined and management-approved changes should be implemented