Midterm Exam 1

Threat Source

A category of objects, people, or other entities that represents a danger to an asset

Loss

A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use.

Advantages of the top-down approach to information security implementation

A: strong upper-management support, a dedicated champion, dedicated funding, clear planning, & the opportunity to influence organizational culture.

Advantages/Disadvantages of the bottom-up approach to information security implementation

A: technical expertise of the individual administrators D: lacks a number of critical features such as participant support & organizational staying power

For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information?

Assets

Using a known or previously installed access mechanism is known as which of the following?

Back Door

What is a security?

Being secure and free from danger or harm

Which of the following terms best describes comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate?

Benchmarking

ex of Senior Management positions

CIO/Chief Information Officer: senior technology officer, primarily responsible for advising the CEO on the strategic planning that affects the management of information in the org. CISO/Chief Information Security Officer: primarily responsible for the assessment, management, & implementation of securing the information in the org. Usually reports directly to the CIO.

What title is given to the person with primary responsibility for assessment, management, and implementation fo InfoSec in the org?

CISO/ Chief Information Security Officer

________ ensures that only users with the rights, privileges, and need to access information are able to do so.

Confidentiality

CIA Triad

Confidentiality, Integrity, Availability

the value of information comes from the characteristic it possesses; they are:

Confidentiality, Integrity, Availability, Accuracy, Authenticity, Utility, Possession (CIAAcAuUP)

What is the term called for which actions taken by management specify the organization's efforts and actions if an adverse event becomes an incident or disaster?

Contingency Planning

Which of the following is a primary responsibility of the CPMT (Crisis Management Planning Team)?

Coordinating with emergency services in the event someone is injured or killed.

Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways? (

Cyberterrorists

Which group in the organization is appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use?

Data Trustee

Security Professionals

Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.

As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following?

Defense in Depth

Availability

Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.

According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation, reporting security vulnerabilities, and breaches?

Enterprise staff/employees

Email is the most private form of communication and it is safe to sue with personal information?

False

It is important to reply to phishing emails in order to verify that they come from an official source?

False

It is safe to leave your devices unlocked as long as you are in an environment with people you trust?

False

Passwords should only be shared with trusted people and IT Security Department?

False

The three communities of interest are general management, operations management, and information security management.

False

True or False: ISO 27014:2021 is the ISO 27000 series standard for Governance of Information Security.

False

True or False: The information technology community of interest must ensure sufficient resources are allocated to the risk management process.

False

True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.

False

When looking at forces of nature that could cause destruction or damage to information systems, electrostatic discharge (ESD) is not considered to be one of them.

False

Which of the following is NOT part of the disaster recovery policy?

Financing (purpose, exercise & testing schedules, scope)

Accuracy

Free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Data Users

Have access to information & thus an information security role.

Security Policy Developers

Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.

Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls?

Information Security Framework

Founder of the internet; led to the development of the ARPANET.

Larry Roberts

The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following?

Likelihood

Data Owners

Members of senior management who are responsible for the security & use of a particular set of information. -Determine the level of data classification, as well as the changes to that classification required by organizational change. -Work with subordinate managers to oversee the day-to-day administration of the data.

Providing customer billing as mentioned in the text is an example of what?

Mission/Business Process

Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation?

Mitigation

Early research on computer security research centered on a system called

Multiplexed Information & Computing Service (MULTICS)

What type of data acquisition is done where information is taken off as a protected copy while a system is actively live for the purpose of business continuity?

Online

Risk Assessment Specialists

People who understand financial risk assessment techniques, the value of organizational assets, & the security methods to be used.

Systems Administrators

People with the primary responsibility for administering the systems that house the information used by the org.

Digital forensics involves the _____, identification, extraction, documentation, and interpretation of digital media.

Preservation

Paper that started the study of computer security and information security

RAND Report R-609; it identified the role of management and issues in it

The application of controls that reduce the risks to an organization's information assets to an acceptable level is known as which of the following?

Risk Control

Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following?

Risk Management

Which document is an excellent reference for security managers involved in the routine management of information security?

SP 800-12, "An Introduction to Computer Security"

ex of Vulnerability

SQL injection in online database web interface

Which of the following defines the edge between the outer limit of an organization's security and the beginning of the outside world?

Security Perimeter

In a ________, the organization creates a role-playing exercise in which the CP (Contingency Planning) team is presented with a scenario of an actual incident or disaster and is expected to react as if it had occurred.

Simulation

Team Leader

Someone who understands project management, personnel management, and information security technical requirements. Typically- a project manager, who may be a departmental line manager or staff unit manager.

What is another name for a man-in-the-middle attack?

TCP hijacking

Top-Down Approach

The initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.

Authenticity

The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Integrity

The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Possession

The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Utility

The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Confidentiality

The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

End Users

Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, & degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach?

Top-down

Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations?

Transference

A SQL injection occurs when developers fail to properly validate user input before using it to query a relational database.

True

Everyone has responsibility to protect company confidential and sensitive information?

True

Keeping computers up to date with software/security updates and patches can help prevent attacks?

True

T/F: Information Security Project Team are a number of individuals who are experienced in one or multiple requirements of both the technical and nontechnical areas.

True

T/F: It is impossible to obtain perfect security because it is not an absolute rather a process. Security should be considered a balance between protection and availability.

True

T/F: Primary purpose of UNIX was text processing

True

The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) such as www.course.com into the IP address of the Web server host.

True

The person responsible for the storage, maintenance, and protection of the information is the data custodian.

True

True or False: An alert roster often is done one of two ways: sequentially or hierarchically.

True

True or False: An example of a disaster classification plan is a scale that has Minor, Moderate, Severe, and Critical categories.

True

True or False: Remote journaling is the process in which an organization can transfer live transactions to an off-site facility.

True

True or False: SP 800-18, "Guide for Developing Security Plans for Federal Information Systems," is considered the foundation for a comprehensive security blueprint and framework.

True

True or False: Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward specific, clearly defined goals.

True

True or False: The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion.

True

Unexpected bills arriving at your house might indicate that your identity has been stolen?

True

Upper Management's role in the Top-Down Approach

Upper management are the ones who issue policies, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions.

Subjects and Objects

a computer can be either an agent entity used to conduct an attack or the target entity

Exposure

a condition or state of being exposed

Bottom-Up Approach

a grassroots effort in which systems administrators attempt to improve the security of their systems.

Champion

a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the org.

Access

a subject or object's ability to use, manipulate, modify, or affect another subject or object

Exploit

a technique used to compromise a system.

Senior Management benefits

a wide range of professionals are required to support diverse information security programs that start at the 'top'/ CEO. Senior Management support is a key component to develop and execute specific security policies and procedures, additional administrative support & technical expertise.

Attack

an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.

Data Trustees

appointed by data owners to oversee the management of a particular set of information & to coordinate w/ data custodians for its storage, protection, & use.

Which of the following is an application error that occurs when more data is sent to a program buffer than it is designed to handle?

buffer overrun

ex of Asset

companies(HAL Inc) customer database

ex of Loss

download of customer data

Who are the weakest link in the security chain?

end users that need the very information the security personnel are trying to protect

Protection profile or security posture

entire set of controls and safeguards that the organization implements to protect the asset

Social Science

examines the behavior of individuals interacting with systems.

Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it?

information extortion

Information System

is the entire set of hardware, software data, people, procedures, and networks that enable a business to use information

The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body.

monitor

Data Custodian

responsible for information & systems that process, transmit, & store it. -work directly with data owners -are responsible for the information & the systems that process, transmit, & store it -duties include overseeing data storage and backups, implementing the specific procedures & policies laid out in the security policies & plans, & reporting to the data owner

ex of Exploit

script from MadHackz web site

Hackers of limited skill who use expertly written software to attack a system are known as which of the following?

script kiddies

Control, safeguard, or countermeasure

security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization

ex of Attack

someone who allows the hacking by downloading exploit from MadHackz web site, then accesses companies web site(HAL Inc) and applies script, results in loss

ex of Threat Agent

someone who is allowing the hacking to occur (intentional or not)

What type of planning occurs where the actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals are followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives?

tactical

Asset

the organizational resource that is being protected

Security begins and ends with...

the people inside the org and the people that interact w/ the system

Risk

the probability of an unwanted occurrence

Threat Agent

the specific instance or a component of a threat

ex of Threat

theft

Vulnerability

weaknesses or faults in a system or protection mechanism that expose information to attack or damage