Midterm Exam 1
Threat Source
A category of objects, people, or other entities that represents a danger to an asset
Loss
A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.
Advantages of the top-down approach to information security implementation
A: strong upper-management support, a dedicated champion, dedicated funding, clear planning, & the opportunity to influence organizational culture.
Advantages/Disadvantages of the bottom-up approach to information security implementation
A: technical expertise of the individual administrators D: lacks a number of critical features such as participant support & organizational staying power
For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information?
Assets
Using a known or previously installed access mechanism is known as which of the following?
Back Door
What is a security?
Being secure and free from danger or harm
Which of the following terms best describes comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate?
Benchmarking
ex of Senior Management positions
CIO/Chief Information Officer: senior technology officer, primarily responsible for advising the CEO on the strategic planning that affects the management of information in the org. CISO/Chief Information Security Officer: primarily responsible for the assessment, management, & implementation of securing the information in the org. Usually reports directly to the CIO.
What title is given to the person with primary responsibility for assessment, management, and implementation of InfoSec in the org?
CISO/ Chief Information Security Officer
________ ensures that only users with the rights, privileges, and need to access information are able to do so.
Confidentiality
CIA Triad
Confidentiality, Integrity, Availability
The value of information comes from the characteristics it possesses; they are:
Confidentiality, Integrity, Availability, Accuracy, Authenticity, Utility, Possession (CIAAcAuUP)
What is the term called for which actions taken by management specify the organization's efforts and actions if an adverse event becomes an incident or disaster?
Contingency Planning
Which of the following is a primary responsibility of the CPMT (Crisis Management Planning Team)?
Coordinating with emergency services in the event someone is injured or killed.
Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?
Cyberterrorists
Which group in the organization is appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use?
Data Trustee
Security Professionals
Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.
As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following?
Defense in Depth
Availability
Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation, reporting security vulnerabilities, and breaches?
Enterprise staff/employees
Email is the most private form of communication and it is safe to use with personal information?
False
It is important to reply to phishing emails in order to verify that they come from an official source?
False
It is safe to leave your devices unlocked as long as you are in an environment with people you trust?
False
Passwords should only be shared with trusted people and IT Security Department?
False
The three communities of interest are general management, operations management, and information security management.
False
True or False: ISO 27014:2021 is the ISO 27000 series standard for Governance of Information Security.
False
True or False: The information technology community of interest must ensure sufficient resources are allocated to the risk management process.
False
True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.
False
When looking at forces of nature that could cause destruction or damage to information systems, electrostatic discharge (ESD) is not considered to be one of them.
False
Which of the following is NOT part of the disaster recovery policy?
Financing (purpose, exercise & testing schedules, and scope are part of it)
Accuracy
Free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
Data Users
Have access to information & thus an information security role.
Security Policy Developers
Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.
Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls?
Information Security Framework
Founder of the internet; led to the development of the ARPANET.
Larry Roberts
The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following?
Likelihood
Data Owners
Members of senior management who are responsible for the security & use of a particular set of information. -Determine the level of data classification, as well as the changes to that classification required by organizational change. -Work with subordinate managers to oversee the day-to-day administration of the data.
Providing customer billing as mentioned in the text is an example of what?
Mission/Business Process
Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation?
Mitigation
Early research on computer security centered on a system called
Multiplexed Information & Computing Service (MULTICS)
What type of data acquisition is done where information is taken off as a protected copy while a system is actively live for the purpose of business continuity?
Online
Risk Assessment Specialists
People who understand financial risk assessment techniques, the value of organizational assets, & the security methods to be used.
Systems Administrators
People with the primary responsibility for administering the systems that house the information used by the org.
Digital forensics involves the _____, identification, extraction, documentation, and interpretation of digital media.
Preservation
Paper that started the study of computer security and information security
RAND Report R-609; it identified the role of management and issues in it
The application of controls that reduce the risks to an organization's information assets to an acceptable level is known as which of the following?
Risk Control
Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following?
Risk Management
Which document is an excellent reference for security managers involved in the routine management of information security?
SP 800-12, "An Introduction to Computer Security"
ex of Vulnerability
SQL injection in online database web interface
Which of the following defines the edge between the outer limit of an organization's security and the beginning of the outside world?
Security Perimeter
In a ________, the organization creates a role-playing exercise in which the CP (Contingency Planning) team is presented with a scenario of an actual incident or disaster and is expected to react as if it had occurred.
Simulation
Team Leader
Someone who understands project management, personnel management, and information security technical requirements. Typically a project manager, who may be a departmental line manager or staff unit manager.
What is another name for a man-in-the-middle attack?
TCP hijacking
Top-Down Approach
The initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.
Authenticity
The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Integrity
The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Possession
The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
Utility
The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
Confidentiality
The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
End Users
Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, & degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach?
Top-down
Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations?
Transference
A SQL injection occurs when developers fail to properly validate user input before using it to query a relational database.
True
Everyone has responsibility to protect company confidential and sensitive information?
True
Keeping computers up to date with software/security updates and patches can help prevent attacks?
True
T/F: Information Security Project Team are a number of individuals who are experienced in one or multiple requirements of both the technical and nontechnical areas.
True
T/F: It is impossible to obtain perfect security because it is not an absolute but rather a process. Security should be considered a balance between protection and availability.
True
T/F: Primary purpose of UNIX was text processing
True
The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) such as www.course.com into the IP address of the Web server host.
True
The person responsible for the storage, maintenance, and protection of the information is the data custodian.
True
True or False: An alert roster often is done one of two ways: sequentially or hierarchically.
True
True or False: An example of a disaster classification plan is a scale that has Minor, Moderate, Severe, and Critical categories.
True
True or False: Remote journaling is the process in which an organization can transfer live transactions to an off-site facility.
True
True or False: SP 800-18, "Guide for Developing Security Plans for Federal Information Systems," is considered the foundation for a comprehensive security blueprint and framework.
True
True or False: Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward specific, clearly defined goals.
True
True or False: The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
True
Unexpected bills arriving at your house might indicate that your identity has been stolen?
True
Upper Management's role in the Top-Down Approach
Upper management are the ones who issue policies, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions.
Subjects and Objects
a computer can be either an agent entity used to conduct an attack or the target entity
Exposure
a condition or state of being exposed
Bottom-Up Approach
a grassroots effort in which systems administrators attempt to improve the security of their systems.
Champion
a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the org.
Access
a subject or object's ability to use, manipulate, modify, or affect another subject or object
Exploit
a technique used to compromise a system.
Senior Management benefits
a wide range of professionals is required to support diverse information security programs that start at the 'top'/CEO. Senior management support is a key component in developing and executing specific security policies and procedures, along with additional administrative support & technical expertise.
Attack
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Data Trustees
appointed by data owners to oversee the management of a particular set of information & to coordinate w/ data custodians for its storage, protection, & use.
Which of the following is an application error that occurs when more data is sent to a program buffer than it is designed to handle?
buffer overrun
ex of Asset
a company's (HAL Inc.) customer database
ex of Loss
download of customer data
Who are the weakest link in the security chain?
end users that need the very information the security personnel are trying to protect
Protection profile or security posture
entire set of controls and safeguards that the organization implements to protect the asset
Social Science
examines the behavior of individuals interacting with systems.
Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it?
information extortion
Information System
is the entire set of hardware, software data, people, procedures, and networks that enable a business to use information
The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body.
monitor
Data Custodian
responsible for the information & the systems that process, transmit, & store it. -work directly with data owners -duties include overseeing data storage and backups, implementing the specific procedures & policies laid out in the security policies & plans, & reporting to the data owner
ex of Exploit
script from MadHackz web site
Hackers of limited skill who use expertly written software to attack a system are known as which of the following?
script kiddies
Control, safeguard, or countermeasure
security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization
ex of Attack
someone who enables the hacking by downloading an exploit from the MadHackz web site, then accessing the company's (HAL Inc.) web site and applying the script, resulting in a loss
ex of Threat Agent
someone who is allowing the hacking to occur (intentional or not)
What type of planning occurs where the actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals are followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives?
tactical
Asset
the organizational resource that is being protected
Security begins and ends with...
the people inside the org and the people who interact w/ the system
Risk
the probability of an unwanted occurrence
Threat Agent
the specific instance or a component of a threat
ex of Threat
theft
Vulnerability
weaknesses or faults in a system or protection mechanism that expose information to attack or damage