Cyber Security - Ch1
True
A breach of possession may not always result in a breach of confidentiality
False
A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements
subject
A computer is the ______ of an attack when it is used to conduct the attack
object
A computer is the _______ of an attack when it is the target entity
True
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information
1978
A famous study entitled "Protection Analysis: Final Report" was published in ________
procedures
A frequently overlooked component of an IS, _________ are written instructions for accomplishing a specific task
True
A frequently overlooked component of an information system, procedures are the written instructions for accomplishing a specific task
direct attack
A server would experience a _______ when a hacker compromises it to acquire information via a remote location using a network connection
waterfall
A type of SDLC in which each phase has results that flow into the next phase is called the ______ model
direct
A(n) ________ attack is a hacker using a personal computer to break into a system.
Enterprise
A(n) ________ information security policy outlines the implementation of a security program within the organization
Methodology
A(n) ________ is a formal approach to solving a problem by means of a structured sequence of procedures
community of interest
A(n) _____________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
True
A project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas
True
According to the CNSS, information security is "the protection of information and its critical elements."
False
An e-mail virus involves sending an e-mail message with a modified field
DevOps
An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as ________
hardware, software, data, people, procedures, and networks
An information system is the entire set of _________, __________, ___________, __________, __________, and __________ that make possible the use of information resources in the organization
threat
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) ________
False
Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction
False
Computer assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information
True
Confidentiality ensures that only those with the rights and privileges to access information are able to do so
Network security - protect the contents of the network; Operations security - protect the activities of an operation; Information security - protect the information assets of an organization, whether in storage, being processed, or in transmission; Personnel security - protect the people who are allowed to access the organization and its assets; Communications security - protect the media and communications technology; Physical security - protect the objects and areas of the organization from misuse
Describe the multiple types of security systems present in many organizations
the Cold War
During _________, many mainframes were brought online to accomplish more complex and sophisticated tasks, so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers
Physical Design
During the _________ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design
physical
During the early years, information security was a straightforward process composed predominantly of _________ security and simple document classification schemes
False
Hardware is often the most valuable asset possessed by an organization and is the main target of intentional attacks
True
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system
confidentiality
In an organization, the value of __________ of information is especially high when it involves personal information about employees, customers, or patients.
hash
In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ______ value
False
In general, protection is "the quality or state of being secure—to be free from danger."
True
In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or usable
top-down
In the ______ approach, the project is initiated by upper-level managers who issue policy, procedures, and processes, dictate the goals and expected outcomes, and determine the accountability for each required action
True
In the physical design phase, specific technologies are selected
integrity
Information has _______ when it is whole, complete, and uncorrupted
False
Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects
False
Information security can be an absolute
True
Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach
False
Key end users should be assigned to a developmental team, known as the united application development team
False
MULTICS stands for Multiple Information and Computing Service
False
Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse
False
Network security focuses on the protection of the details of a particular operation or series of activities
True
Of the two approaches to information security implementation, the top-down approach has a higher probability of success
security
Organizations are moving toward more ___________ focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.
Data owners: responsible for the security and use of a certain set of information; Data custodians: responsible for the processing, transmission, and storage of data; Data users: individuals with an information security role
Outline types of data ownership and their respective responsibilities
Incident response
Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. _____________ dictates what steps are taken when an attack occurs
System Administrator
People with the primary responsibility for administering the systems that house the information used by the organization perform the __________ role
False
Policies are written instructions for accomplishing a specific task
True
Recently, many states have implemented legislation making certain computer-related activities illegal
False
Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization
False
SecOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles
project
Software is often created under the constraints of _____ management, placing limits on time, cost, and manpower
False
The Analysis phase of the SDLC begins with a directive from upper management.
False
The Analysis phase of the SDLC examines the event or plan that initiates the process and specifies the objectives, constraints, and scope of the project
CIA
The CNSS model of information security evolved from a concept developed by the computer security industry known as the ____ triad
True
The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network
False
The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system
CISO (chief information security officer)
The ______ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
possession
The ______ of information is the quality or state of ownership or control of some object or item
analysis
The _______ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems
waterfall
The _________ model consists of six general phases
software
The ___________ component of the IS comprises applications, operating systems, and assorted command utilities.
False
The bottom-up approach to information security has a higher probability of success than the top-down approach
vulnerabilities
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect _________ in operating systems security
computer
The history of information security begins with the history of ________ security
False
The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC)
True
The information security function in an organization safeguards its technology assets
True
The investigation phase of the SecSDLC begins with a directive from upper management
Systems Development Life Cycle
The most successful kind of top-down approach involves a formal development strategy referred to as a _______________________
False
The physical design is the blueprint for the desired solution
False
The possession of information is the quality or state of having value for some purpose or end
True
The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage
Information Security
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.
True
The roles of information security professionals are almost always aligned with the goals and mission of the information security community of interest
information
The senior technology officer is typically the chief _______ officer
True
The software component of an information system comprises applications, operating systems, and assorted command utilities
True
The value of information comes from the characteristics it possesses
True
To achieve balance, that is, to operate an information system that satisfies the user and the security professional, the security level must allow reasonable access, yet protect against threats
True
Using a methodology increases the probability of success.
False
Using a methodology will usually have no effect on the probability of success
False
When a computer is the subject of an attack, it is the entity being attacked
True
When unauthorized individuals or systems can view information, confidentiality is breached
Maintenance and change
Which phase is often considered the longest and most expensive phase of the systems development life cycle?
Arpanet
_____ is the predecessor to the Internet
Uptime
______ is the percentage of time a particular service is available
Authenticity
______ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication
Indirect attacks
______ originate from a compromised system or resource that is malfunctioning or working under the control of a threat
Software
________ carries the lifeblood of information through an organization
Availability
________ enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format
Physical
_________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse
NSTISSI No. 4011
____________ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems
MULTICS
____________ was the first operating system to integrate security as its core functions