Final Exam Review IS 613

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Which of the following is NOT a method employed by IDPSs to prevent an attack from succeeding?

sending DoS packets to the source

Which contingency plan strategy do individuals work on their own tasks and are responsible for identifying the faults in their own procedures?

simulation

By multiplying the asset value by the exposure factor, you can calculate which of the following?

single loss expectancy

Which of the following is NOT among the four types of authentication mechanisms?

something you see

IP ____ is the falsification of the source IP address in a packet's header so that it appears to have come from a trusted or legitimate sender. routing switching spoofing snooping

spoofing

During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.

stakeholders

A(n) ____ tracks the state and context of each packet in the conversation by recording which station sent what packet and when. context table routing table state table jump rule

state table

Which type of firewall keeps track of each network connection established between internal and external systems?

stateful inspection

A ____ intrusion detection and prevention system is also known as a behavior-based intrusion detection system.

statistical anomaly-based

What are the three general categories of policy?

- Enterprise information security policy (EISP) - Issue-specific security policy (ISSP) - System-specific policies (SysSPs)

The core components of PMBok project plan development

- Work time, resources, and project deliverables - Changing one element affects the other two

Every organization's (ISSP) Issue-Specific Security Policy should

-Address specific technology-based systems -Require frequent updates -Contain an issue statement on the organization's position on an issue

Types of attacks:Malicious code:

-includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information

A firewall uses its ____ to decide whether or not to allow packets into the network.

...

Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:

...

What is the range of the well-known ports used by TCP and UDP?

0-1023

The Six Ps of information security

- Planning - Policy - Programs - Protection - People - Project Management

Three questions of PERT

- How long will this activity take? - What activity occurs immediately before this activity can take place? - What activity occurs immediately after this activity?

Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.

(ISC)2

Footprinting is the organized research of the Internet addresses owned or controlled by a target organization, using public Internet data.

True

In the modular approach to creating the ISSP, each of the modules is created and updated by the individuals who are responsible for a specific issue.

True

It is advisable to deny all ICMP data in order to limit the number of attacks to a network as the protocol is a common method for hacker reconnaissance and can be used for snooping.

True

Knowledge-based intrusion detection and prevention systems examine data traffic for signatures which may comprise preconfigured, predetermined attack patterns.

True

Mitigation depends on the ability to detect and respond to an attack as quickly as possible .

True

OCTAVE is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls.

True

One of the goals of an issue-specific security policy (ISSP) is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True

One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI) designed specifically to integrate an organization's process improvement activities across disciplines.

True

SysSPs often function as standards or procedures to be used when configuring or maintaining systems

True

Types of information security planning

- Incident response planning - Business continuity planning - Disaster recovery planning - Policy planning - Personnel planning - Technology rollout planning - Risk management planning

The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.

True

The goal of information security is to bring residual risk in line with an organization's risk appetite.

True

Describe characteristics of leaders

- Influence employees to accomplish objectives - Lead by example; demonstrating personal traits that instill a desire in others to follow - Provide purpose, direction, and motivation to those that follow

Information security performs four important functions for an organization:

- Protects ability to function - Enables safe operation of applications implemented on its IT systems - Protects data the organization collects and uses - Safeguards technology assets in use

Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. Enterprise info sec policy b. User-specific sec policies c. Issue-specific sec policies d. System-specific sec policies

B. User-specific sec policies pg. 128

define authorization

Assures that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

structured review

At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.

Kerberos' ____ is an interacting application that validates clients and servers.

Authentication Server

____________________ is the determination of actions that an entity can perform in a physical or logical area.

Authorization

The ____ section of an ISSP explains who can use the technology governed by the policy and for what purposes.

Authorized Access and Usage of Equipment

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event? A. Risk Management B. Contingency planning C. Business response D. Disaster readiness

B. Contingency planning pg. 75

At what point in the incident life cycle is the IR plan initiated? a. Before an incident takes place b. When an incident is detected c. Once the DRP is activated d. Once the BCP is activated

B. When an incident is detected pg. 85

If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site.

BCP BC plan business continuity plan

Problems with benchmarking include all but which of the following?

Baseline data provides little value to evaluating progress in improving security

A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.

Blow-by screen

Which notable Bluetooth attack allows a nearby attacker to issue commands to an unsuspecting target phone? Bluesnarf BlueBug Evil twin Bluejacking

BlueBug

____ is an attack that accesses unauthorized information from a wireless device through a Bluetooth connection, often between cell phones and laptop computers. Bluecracking Bluetalking Bluesnarfing Bluejacking

Bluesnarfing

The IEEE 802.15.1-2005 Wireless Personal Area Network standard was based on the ____ specifications. Bluetooth v2.1 Bluetooth v 1.0 Bluetooth v1.2 Bluetooth v 1.1

Bluetooth v1.2

tactical

Budgeting, resource allocation, and manpower are critical components of the ____ plan.

Category of Threat: Technical Software Failures or Errors Provide an Example:

Bugs, code problems, unknown loopholes

Which of the following is NOT a step in the problem-solving process?

Build support among management for the candidate solution

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

Building executive consensus

The ____ model describes the layers at which marginal assessment of security controls can be performed and is proven mechanism for prioritizing complex changes.

Bull's-eye

Determining the critical path using PERT

By identifying the slowest path through the various activities

How is security often achieved

By means of sever strategies undertaken simultaneously or used in combination with one another.

Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? A. On-target model b. Wood's model c. Bull's-eye model d. Bergeron and Berube model

C. Bull's-eye model pg. 126

Many organizations create a single document that combines elements of both the management guidance SysSP and the technical specifications SysSP, know as a(n) ____.

Combination SysSP

When can corruption of information occur?

Compilation, storage, or transmission

Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?

Confidentiality

That makes up the CIA triangle

Confidentiality, integrity, availability

Configuration codes entered into security systems to guide the execution of the system when information is passing through it are called ____.

Configuration rules

Technical Specifications SysSPs

Configuration rules -Specific configuration codes entered into security systems -Guide the execution of the system when information is passing through it Rule policies are more specific to system operation than ACLs -May or may not deal with users directly

target

Considerations for selecting best practices: Does your organization resemble the identified ___ organization of the best practice? Are you in a similar industry as the target? Do you face similar challenges as the target? Is your organizational structure similar to the target? Are the resources you can expend similar to those called for by the best practice? Are you in a similar threat environment as the one assumed by the best practice?

define project communications management

Conveys details of project activities to all involved. Includes communications planning, information distribution, performance reporting and administrative closure

A(n) password protection mechanism is a plain-language phrase, from which a virtual password is derived.

False

A(n) temporal key is a symmetric key used for limited-use temporary communications by a hybrid encryption system.

False

Access control lists can only be used to restrict access according to the user.

False

All rule-based policies must deal with user directly.

False

An ISSP will typically not cover the use of e-mail or the Internet.

False

An individual approach to creating the ISSPs is well controlled by centrally managed procedures assuring complete topic coverage.

False

Today, most EULAs are presented on blow-by screens.

False

logical design

In the ____ phase of the security systems development life cycle (SecSDLC), the information obtained during the analysis phase is used to develop a proposed system-based solution for the business problem.

Information security is defined in the ____ component of an EISP.

Information Technology Security Elements

Which of the following is a network device attribute that is tied to the network interface?

MAC address

During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.

Maintenance

False

Penetration testing is often conducted by consultants or outsourced contractors, who are commonly referred to as hackers, ninja teams or black teams.

define WBS(work breakdown structure)

Planning tool where project plan is first broken down into a few major tasks, and the minimum attributes for each task are determined with additional attributes added as needed

Which connectivity model uses a single access point that provides connectivity for a number of clients within a BSS? Point-to-point Mesh multipoint Point-to-multipoint Roaming

Point-to-multipoint

Which wireless modulation technique combines digital and analog signaling to encode data into radio signals? QPSK BPSK Spread-spectrum transmission QAM

QAM

Managing Risk (cont)

Risk control involves selecting one of the four risk control strategies For the vulnerabilities present If the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than expected costs of the attack, the organization may choose to accept the risk Otherwise, one of the other control strategies will have to be selected

What is the mccumber cube

Security model that provides a more detailed perspective on security

The Gold Standard

Some organizations prefer to implement the most protective, supportive, and yet fiscally responsible standards they can. This is called___.

define manager

Someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals

The ISSP should begin with a ____ .

Statement of Purpose

Example Enterprise information security program policy (ESIP)

Statement of purpose -What the policy is for Information technology security elements -Defines information security Need for information technology security - Justifies importance of information security in the organization Information technology security responsibilities and roles -Defines organizational structure

A disadvantage of creating a number of independent ISSP documents is that the results may ____.

Suffer from poor policy dissemination

Some policies incorporate a ____ indicating a specific date the policy will expire.

Sunset clause

project planning

Tactical planning is also referred to as ____.

False

Tactical planning is the basis for the long-term direction taken by the organization.

operational

Tactical plans are used to develop ____________________ plans.

To be certain the employees understand the policy, the document must be written at a reasonable reading level within minimal ____.

Technical jargon and management terminology

Hold regular meetings with the CIO to discuss tactical InfoSect planning

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

A single loss expectancy

The calculation of the value associated with the most likely loss from an attack SLE is based on the value of the asset and the expected percentage of loss that would occur from a particular attack SLE = asset value (AV) x exposure factor (EF) Where EF is the percentage loss that would occur from a given vulnerability being exploited This information is usually estimated

Economic feasibility

The criterion most commonly used when evaluating a project that implements information security controls and safeguards

Managing Risk

The goal of information security is not to bring residual risk to zero Bring it in line with an organization's risk appetite If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest decide to leave residual risk in place, then the information security program has accomplished its primary goal Once a control strategy has been selected and implemented: The effectiveness of controls should be monitored and measured on an ongoing basis To determine its effectiveness and the accuracy of the estimate of the residual risk

(T/F) The ability to restrict specific services is a common practice in most modern routers, and is invisible to the user.

True

(T/F) The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.

True

(T/F) Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.

True

A dual-homed host firewall is able to translate between the protocols of two different data link layers.

True

A dumb card is a category that includes ID and ATM cards with magnetic strips containing the digital PIN against which a user's input is compared.

True

A policy should be "signed into law" by a high-level manager before the collection and review of employee input.

True

A(n) ____________________ token uses a challenge-response system in which the server challenges the user with a number, that when entered into the token provides a response that provides access.

asynchronous

Types of attacks: Man-in-the-middle

attacker monitors network packets, modifies them, and inserts them back into network

The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?

authentication

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?

authentication

accreditation

authorization of an IT system to process, store, or transmit information

Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?

cost of prevention

What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?

cost-benefit analysis

benchmarking

creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing

It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ____________________.

due diligence

Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.

due diligence

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration certification and accreditation due diligence adequate security measures

due diligence

An organization increases its _____________ if it refuses to take measures—due care—to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions

liability

Two examples of security best practices include: "Decision paper on use of screen warning banner", and "Sample warning banner from the NLRB". Under which best security practice area do these two examples fall?

logical access controls

Two examples of security best practices include: "Decision paper on use of screen warning banner", and "Sample warning banner from the NLRB". Under which best security practice area do these two examples fall? policy and procedures logical access controls personnel security identification and authentication

logical access controls

Which of the following affects the cost of a control?

maintenance

phase is the last phase of SecSDLC, but perhaps the most important.

maintenance and change

Because "organizations ____________________ what they measure," it is important to ensure that individual metrics are prioritized in the same manner as the performance they measure.

manage

Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.

management

A problem with benchmarking is that recommended practices are a(n) ____________________; that is, knowing what happened a few years ago does not necessarily tell you what to do next.

moving target

Collecting project metrics may be even more challenging. Unless the organization is satisfied with a simple tally of who spent how many hours doing which tasks, it needs some mechanism to link the ____ of each project, in terms of loss control or risk reduction, to the resources consumed.

outcome

Which of the following is an example of a technological obsolescence threat?

outdated servers

What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems?

packet sniffer

In which contingency plan strategy do individuals act as if an actual incident occurred, and begin performing their required tasks and executing the necessary procedures, without interfering with the normal operations of the business?

parallel testing

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?

people

Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? projects people policy protection

people

The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?

risk determination

process of discovering the risks to an organization's operations

risk identification

Once an information asset is identified, categorized, and classified, what must also be assigned to it?

relative value

remains even after the existing control has been applied

residual risk

Which of the following is compensation for a wrong committed by an employee acting with or without authorization?

restitution

The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability is the definition of which of the following?

risk assessment factors

process that identifies vulnerabilities in an organization's information system

risk management

The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.

True

To be effective, policy must be uniformly applied to all employees, including executives.

True

packet sniffer

What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems?

uses a secret key to encrypt and decrypt

Which of the following is true about symmetric encryption?

Which company offers a free firewall that provides basic ingress and egress filtering? ZoneAlarm IBM Barracuda Check Point

ZoneAlarm

Measures

___ are data points or computed trends that indicate the effectiveness of security countermeasures or controls.

A software program is no substitute for

a skilled and experienced project manager

baseline

a value or profile of a performance metric against which changes in the performance metric can be usefully compared

A ____ commonly combines a separate dedicated firewall such as an application proxy server with a packet filtering router.

screened-host firewall

Which type of document grants formal permission for an investigation to occur?

search warrant

best security practices

security efforts that balance the need for information access with the need for adequate protection

Which of the following is NOT an alternative to using CBA to justify risk controls?

selective risk avoidance

Types of attacks: Dictionary

selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses

Asset classification schemes should categorize information assets based on which of the following?

sensitivity and security needs

is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.

service bureau

____ forensics involves capturing a point-in-time picture of a process. Cartwheeling Bit-stream Trigger Snapshot

snapshot

Which type of planning is the primary tool in determining the long-term direction taken by an organization?

strategic

describe the three levels of planning

strategic, tactical, operational

A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.

target

Types of attacks: Spoofing

technique used to gain unauthorized access; intruder assumes a trusted IP address

due diligence

the actions that demonstrate that an organization has made a valid effort to protect others

A firewall should never be directly accessible from ____.

the public network

The __________ level and an asset's value should be a major factor in the risk control strategy selection

threat

The improved Bluetooth 2.0 increased the data rate to around ____ Mbps. six five four three

three

The improved Bluetooth 2.0 increased the data rate to around ____ Mbps. six five three four

three

Which of the following is true about symmetric encryption?

uses a secret key to encrypt and decrypt

Which of the following is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual administrators

What is defined as specific avenues that threat agents can exploit to attack an information asset?

vulnerabilities

Standards of due care/due diligence Best practices

2 Categories of benchmarks

Which port number is commonly used for the Simple Mail Transfer Protocol service?

25

denial-of-service (DoS)

A ____ attack involves sending a large number of connection or information requests to a target.

threat agent

A(n) ____ damages or steals an organization's information or physical asset.

exploit

A(n) ____ is a technique or mechanism used to compromise a system.

attack

A(n) ____ is an act or event that exploits a vulnerability.

Which of the following explicitly declares the business of the organization and its intended areas of operations? A. mission statement B. Vision statement C. Values statement D. Business statement

A. mission statement pg. 40

Category of Threat: Technological obsolescence Provide an Example:

Antiquated or outdated echnologies

When the attacker's potential gain is greater than the costs of attack

Apply technical or managerial controls to increase the attacker's cost, or reduce his gain

Avoidance

Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability Avoidance is accomplished through: Application of policy Application of training and education Countering threats Implementation of technical security controls and safeguards

The ISSP sections Authorized Access and Usage of Equipment and Prohibited Usage of Equipment may be combined into a section called ____ .

Appropriate Use Policy

The role of the Non-technical general business community

Articulates and communicates organizational policy and objectives and allocates resources to the other groups

define project risk management

Assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project. Includes risk identification, risk quantification, risk response development and risk response control

____ is the process of assigning financial value or worth to each information component.

Asset valuation

In the event of an incident or disaster, which team sets up and starts off-site operations? a. Project management b. Business continuity c. Disaster recovery d. Incident response

B. Business continuity pg. 78

Problems with benchmarking include all but which of the following?

Benchmarking doesn't help in determining the desired outcome of the security process

gold standard

Best practices include a sub-category of practices, called the ___, that are generally regarded as "the best of the best".

Category of Threat: Information Extortion Provide an Example:

Blackmail, information disclosure

To ensure ____, an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates.

Due diligence

define project human resource management

Ensures personnel assigned to project are effectively employed. Includes organizational planning, staff acquisition and team development

define project cost management

Ensures that a project is completed within the resource constraints. Includes resource planning, cost estimating, cost budgeting, and cost control.

define accountability

Exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process

Because it sets out general business intentions, a mission statement does not need to be concise.

F

In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.

F

In most organizations, the COO is responsible for creating the IR plan

F

In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.

False

In most organizations, the COO is responsible for creating the IR plan.

False

Once policies are created, they should not be changed

False

The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.

False

OCTAVE-S

For smaller organizations of about 100 users

Category of Threat: Theft Provide an Example:

Illegal confiscation of equipment or information

The role of the information technology community

Supports the business objectives of the org by supplying and supporting the appropriate information technology

The ____ is a Kerberos interacting service that exchanges information with the client and server by using secret keys.

Key Distribution Center

define Leading

Leadership encourages the implementation of the planning and organizing functions. Leadership generally addresses the direction and motivation of the human resource

An organization may include a set of disclaimers in the ____ section of the ISSP.

Limitations of Liability

Category of Threat: Missing, inadequate, or incomplete controls Provide an Example:

Network compromised because no firewall security controls

____________________ converts external IP addresses to internal IP addresses on a one-to-one basis.

Network-address translation

define availabilitiy

The characteristic of information that enables user access to information in a required format, without interference or obstruction

define confidentality

The characteristic of information whereby only those with sufficient privileges may access certain information

define policy

The set of organizational guidelines that dictates certain behavior within the organization

blueprint

To generate a security ___,Organizations usually draw from established security models and practices. Another way is to look at the paths taken by organizations similar to the one for which you are developing the plan.

Describe the two basic approaches to management

Traditional: POSDC (planning organizing staffing directing controlling) Popular: POLC (planning organizing leading controlling)

A popular extension to the TCP/IP protocol suite is Secure Shell (SSH), which provides security for remote access connections over public networks by creating a secure and persistent connection.

True

A system's exploitable vulnerabilities are usually determined after the system is designed.

True

A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."

True

Access control lists can be used to control access to file storage systems

True

According to the Microsoft Risk Management Approach, risk management is not a stand-alone subject and should be part of a general governance program to allow the organization's management to evaluate the organization's operations and make better, more informed decisions.

True

Accreditation is the authorization of an IT system to process, store, or transmit information.

True

Although literally hundreds of variations exist, four architectural implementations of firewalls are especially common: packet filtering routers, screened-host firewalls, dual-homed host firewalls, and screened-subnet firewalls.

True

An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.

True

Any firewall device must have its own set of configuration rules that controls its actions.

True

Behavioral feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders.

True

Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.

True

digital signature

What is most commonly used for the goal of nonrepudiation in cryptography?

It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?

What other activities require the same resources as this activity?

use of dormant accounts

Which of the following is a definite indicator of an actual incident?

legal liability

Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?

Strategic plans are used to create tactical plans

Which of the following is true about planning?

stateful inspection

Which type of firewall keeps track of each network connection established between internal and external systems?

A standard is built from a ____.

Policy

In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.

SLE * ARO

The Annualized Loss Expectancy in the CBA formula is determined as ____.

SLE * ARO

____ architecture makes use of a demilitarized zone between the trusted and untrusted network.

Screened-Subnet firewall system

describe the decisional role

Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges

Which of the following biometric authentication systems is considered to be the least secure?

Signature recognition

Port number ____ is commonly used for the Simple Mail Transfer Protocol service.

25

NIST Special Publication 800-18, Rev. 1

: Guide for Developing Security Plans for Federal Information Systems reinforces a business process-centered approach to policy management Policies are living documents These documents must be properly disseminated (distributed, read, understood and agreed to), and managed Good management practices for policy development and maintenance make for a more resilient organization Policy requirements An individual responsible for reviews A schedule of reviews A method for making recommendations for reviews An indication of policy and revision date

plan-driven

A SDLC-based project that is the result of a carefully developed strategy is said to be ____.

Developing Information Security Policy Implementation phase includes

Writing the policies Making certain the policies are enforceable as written Policy distribution is not always straightforward Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology

Which company offers a free firewall that provides basic ingress and egress filtering? Barracuda IBM Check Point ZoneAlarm

ZoneAlarm

Gold standard

___is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information. Implementation requires a great deal of financial and personnel support.

Accreditation

___is the authorization of an IT system to process, store, or transmit information. It is issued by a management official and serves as a means of assuring that systems are of adequate quality. Challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements.

When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.

after action review

Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?

back door

overflow is an application error that occurs when the system can't handle the amount of data that is sent.

buffer

The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.

bull's-eye

In the event of an incident or disaster, which team sets up and starts off-site operations?

business continuity

When a disaster renders the current business location unusable, which plan is put into action?

business continuity

Which is the first step in the contingency planning process?

business impact analysis

A ____ specifies which subjects and objects users or groups can access.

capability table

According to NIST SP 800-37, which of the following is the first step in the security controls selection process?

categorize the information system and the information processed

Which document must be changed when evidence changes hands or is stored?

chain of custody

Which of the following InfoSec measurement specifications makes it possible to define success in the security program?

establishing targets

Which of the following is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework?

estimate control strength

A single loss expectancy is calculated by multiplying the asset value by the ____.

exposure factor

The ____ is a criteria used to compare and evaluate biometric technologies.

false reject rate

Ad hoc wireless models rely on the existence of ____ to provide connectivity. keys tunnels formal access points multiple stations

multiple stations

One of the most popular reference for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.

none of these

InfoSec measurements collected from production statistics depend greatly on which of the following factors?

number of systems and users of those systems

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?

organization

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? leading planning controlling organization

organization

A ____ is NOT an example of the "something you have" authentication mechanism.

password

A ____ is an example of the "something you know" authentication mechanism.

password

managers must recognize the crucial role of

people in the information security program

Which type of law regulates the relationships among individuals and among individuals and organizations?

private

Which type of law regulates the relationships among individuals and among individuals and organizations? criminal private tort public

private

recommended business practices

procedures that provide a superior level of security for an organization's information

Which of the following is NOT a consideration when selecting recommended best practices?

product or service is the same

Types of attacks: Sniffers

program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network

Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.

prudent

Types of attacks: Pharming

redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information

As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.

relative

Types of attacks: Timing attack

relatively new; works by exploring contents of a Web browser's cache to create malicious cookie

Bastion host is also referred to as a(n) ____________________ host.

sacrificial

assessment of potential weaknesses in each information asset

threat identification

Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?

uncertainty percentage

The primary drawback associated with ad hoc networks is that they are inherently ____. unreliable complex expensive an older technology

unreliable

Types of attacks: Spam

unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks

An attacker can use a(n) ____________________ device to locate the connection points on dial-up lines.

war-dialer

In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?

waterfall

Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical?

weighted analysis tool

Category of Threat: Technical Software Failures or Errors

• Purchased software that contains unrevealed faults • Combinations of certain software and hardware can reveal new software bugs • Entire Web sites dedicated to documenting bugs

Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP

D. EISP pg. 128

Which technology works by taking the original data stream and breaking it up into small bits, then transmitting each of those on a different frequency channel simultaneously? Direct-Sequence Spread Spectrum (DSSS) Orthogonal frequency-division multiplexing (OFDM) Quadrature Phase Shift Keying (QPSK) Frequency Hopping Spread Spectrum (FHSS)

Direct-Sequence Spread Spectrum (DSSS)

Who is responsible for information security?

Every employee, especially managers

Organizational feasibility analysis

Examines how well the proposed information security alternatives will contribute to the operation of an organization

When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.

F

A system that is secret is safe.

False

Category of Threat: Forces of Nature Provide an Example:

Fire, flood, earthquake, lightning

Which of the following is true about firewalls and their ability to adapt in a network?

Firewalls deal strictly with defined patterns of measured observation.

Which of the following is the last phase in the NIST process for performance measures implementation?

Apply corrective actions

When potential loss is substantial

Apply design controls to limit the extent of the attack, thereby reducing the potential for loss

According to Charles Cresson Wood "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent".

Audits

In reporting InfoSec performance measures, the CISO must also consider ____.

Both of these

What are the managerial roles?

Informational, interpersonal, decisional

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?

Initiating

A(n) ____ security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.

Issue-specific

Which of the following is true about a hot site?

It duplicates computing resources, peripherals, phone systems, applications, and workstations.

____________________ Ticket Granting Service (TGS) provides tickets to clients who request services.

Kerberos

Which of the following is a Kerberos service that initially exchanges information with the client and server by using secret keys

Key Distribution Center

A quality information security program begins and ends with policy.

True

The ____ handles certain cases involving credit card fraud and identity theft. Securities and Exchange Commission FBI U.S. Treasury Department U.S. Secret Service

U.S. Secret Service

Which of the following sections of the ISSP should provide instructions on how to report observed or suspected violations?

Violations of Policy

A computer ____ is malicious computer code that reproduces itself on the same computer. worm adware virus spyware

Virus

________ recognition authentication captures the analog waveforms of human speech.

Voice

define authentication

Occurs when a control proves that a user possesses the identity that he or she claims

define projectitis

Occurs when the project manager spends more time doing project planning than meaningful project work

Which of the following is the first phase in the NIST process for performance measurement implementation?

Prepare for data collection

False

Some companies refer to operational planning as intermediate planning.

Basic FAIR analysis is comprised of ten steps in four stages

Stage 1 - Identify scenario components 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate loss event frequency 3. Estimate the probable threat event frequency 4. Estimate the threat capability (TCap) Stage 2 - Evaluate loss event frequency (cont'd.) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate probable loss magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4 - Derive and articulate Risk 10. Derive and articulate Risk Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low

False

Strategic planning has a more short-term focus than tactical planning.

Which of the following is true about planning?

Strategic plans are used to create tactical plans

True

Strategic plans are used to create tactical plans.

NIST SP 800-37

a common approach to a Risk Management Framework (RMF) for InfoSec practice

The four categories of controlling risk include avoidance, mitigation, transference and _____.

acceptance

Types of attacks: Password crack

attempting to reverse calculate a password

Security efforts that seek to provide a superior level of performance in the protection of information are called ____.

best business practices

The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks? determine the risk to organizational operations determine if the cost/benefit ratio is acceptable prepare the plan of action and develop milestones assemble the security authorization package

determin if the cost/benefit ratio is acceptable

The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks?

determine if the cost/benefit ratio is acceptable

Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.

deterrence

What is most commonly used for the goal of nonrepudiation in cryptography?

digital signature

Strategies to limit losses before and during a disaster is covered by which of the following plans in the mitigation control approach?

disaster recovery plan

At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.

documented control strategy

What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?

documented control strategy

True

In a(n) methodology, a problem is solved based on a structured sequence of procedures.

PMBok Project Integration management

Includes the processes required to coordinate occurs between components of a project

The Single Loss Expectancy (SLE) is the result of the asset's value (AV) multiplied by the ____________________ factor.

esposure

An ____ is an AP that is set up by an attacker. evil twin active twin internal replica authorized twin

evil twin

define protection

executed through risk management activities including risk assessment and control, protection mechanisms, technologies, and tools

When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.

exploited

Which of the following characteristics currently used today for authentication purposes is NOT considered truly unique?

face representation

occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises

field change order

A ____ is an example of the "something you are" authentication mechanism.

fingerprint

Category of Threat: Password Attacks

• 10.3 Password Rule • Brute force password attacks • Cracking • Dictionary attack • Rainbow table • Social Engineering password attacks

Category of Threat: Technical Hardware Failures or Errors

• Occur when manufacturer distributes equipment containing flaws to users • Can cause system to perform outside of expected parameters, resulting in unreliable or poor service • Some errors are terminal; some are intermittent

An organization must thoroughly define its

goals and objectives

IDEAL

he Carnegie Mellon University ____________________ information security governance model begins with a stimulus for change and loops through proposals for future actions.

What is the final step in the risk identification process?

listing assets in order of importance

A standard is built from a

policy

many missed deadlines are caused by

poor planning

"Something you are" and "something you ____________________" are considered to be biometric.

produce

performed using categories instead of specific values to determine risk

qualitative risk assessment

identification and assessment of levels of risk in the organization

risk analysis

The ____ authentication mechanism is considered to be biometric.

something you are

In which level of planning are budgeting, resource allocation, and manpower critical components?

tactical

Types of attacks: Social engineering

using social skills to convince people to reveal access credentials or other valuable information to attacker

(T/F) Ethics carry the sanction of a governing authority.

False

When does authorization occur?

After authentication

describe project management

- Identifying and controlling the resources applied to the project - Measuring progress - Adjusting the process as progress is made

Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.

False

Three variations of the OCTAVE method

-The original OCTAVE method, (forms the basis for the OCTAVE body of knowledge) -OCTAVE-S -OCTAVE-Allegro

Issue-Specific Security Policy (ISSP) Components

1. Statement of Purpose -Scope and applicability -Definition of technology addressed -Responsibilities 2. Authorized Access and Usage of Equipment. -User access -Fair and responsible use -Protection of privacy 3. Prohibited Usage of Equipment -Disruptive use or misuse -Criminal use -Offensive or harassing materials -Copyrighted, licensed or other intellectual property -Other restrictions 4. Systems management Management of stored materials -Employer monitoring -Virus protection -Physical security -Encryption 5. Violations of policy -Procedures for reporting violations -Penalties for violations 6. Policy review and modification Scheduled review of policy and -procedures for modification 7. Limitations of liability -Statements of liability or disclaimers

A(n) ____ acts as the "base station" for the wireless network. WMM ad-hoc peer endpoint AP

AP

Which of the following should be included in an InfoSec governance program?

An InfoSec risk management methodology

attack

An act or event that exploits a vulnerability is known as a(n) ____________________.

vulnerability

An identified weakness of a controlled system is known as a ____.

program

An information security measures ___ must be able to demonstrate value to the organization.

define identification

An information system possesses the characteristic of identification when it is able to recognize individual users

Risk Control Strategies

An organization must choose one of four basic strategies to control risks Avoidance Transference Mitigation Acceptance

Which of the following is NOT one of the basic rules that must be followed when shaping a policy? A. Policy should never conflict with law B. Policy must be able to stand up in court if challenged C. Policy should be agreed upon by all employees and management D. Policy must be properly supported and administered

C. Policy should be agreed upon by all employees and management pg. 125

ISPME checklist

Convince management that it is advisable to have documented information security policies Identify the top management staff who will be approving the final information security document and all influential reviewers Collect, read and summarize all existing internal information security awareness material

compromises to intellectual property

Copyright infringement is an example of the ____ category of threat.

Measuring program effectiveness: ongoing assessment of the effectiveness of the risk management program

Develop risk scoreboard - understand risk posture and progress Measure program effectiveness - evaluate the risk management program for opportunities to improve

what is the precursor to projectitis

Developing an overly elegant, microscopically detailed plan before gaining consensus for the work required

Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?

Executive management must develop corporate-wide policies

A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

F

Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.

F

The authorization process takes place before the authentication process.

F

The first step in solving problems is to gather facts and make assumptions.

F

What is among the most frequently cited failures in project management

Failure to meet project deadlines

Cryptology is the process of deciphering the original message also known as plaintext from an encrypted message.

False

Digital key infrastructure is the entire set of hardware, software, and cryptosystems necessary to implement asymmetric key encryption in online commerce.

False

Policies should be published without a date of origin.

False

Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.

False

When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.

False

T or F In most organizations, the COO is responsible for creating the IR plan.

False Pg. 87

____ uses "speckling" and different colors so that no two spam e-mails appear to be the same. Word splitting Layer variance GIF layering Geometric variance

Geometric variance

Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?

HIPAA

Which technology has two modes of operation: transport and tunnel?

IP Security

True

Information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, verification that risk management practices are appropriate, and validation that the organization's assets are used properly.

Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?

Manufacturer's part number

For instance, if policy mandates that all employees wear identification badges in a clearly visible location, and select members of management decide they are not require to follow this policy, any actions taken against other employees will ____.

Not withstand legal challenge.

Policy

Policies are the least expensive means of control and often the most difficult to implement A plan or course of action that influences decisions For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced Policies require constant modification and maintenance Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization Policy seeks to improve employee productivity, and prevent potentially embarrassing situations

The policy champion and manager is called the ____.

Policy administrator

strategic

The long-term direction taken by the organization is based on ____ planning

define organizing

The management function dedicated to the structuring of resources to support the accomplishment of objectives: determining what is to be done, in what order, by whom, by which methods, and according to what timeline

define people

The most critical link in the information security program. Include security of personal, SETA.

In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following?

The number of people and other resources needed for each task

define management

The process of achieving objectives using a given set of resources

Asset valuation

The process of assigning financial value or worth to each information asset The value of information differs within and between organizations Based on the characteristics of information and the perceived value of that information Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation

To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function

This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data These objectives are met via the application of the principles of risk management

When a policy is created and distributed without software automation tools, it is often not clear which manager has approved it.

True

T or F One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.

True pg. 128

T or F Policies must specify penalties for unacceptable behavior and define an appeals process.

True pg. 128

T or F A clearly directed strategy flows from top to bottom rather than from bottom to top.

True pg. 41

The steps outline in guideline must meet the requirements of the standards from which they were created

True or False, Unable to answer but within chapter 4. Sorry...

authentication

Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?

something you see

Which of the following is NOT among the four types of authentication mechanisms?

Benchmarking

___ is following the existing practices of a similar organization, or industry-developed standards. Can help to determine which controls should be considered. Cannot determine how those controls should be implemented in your organization.

Due diligence

___ is implementing controls at this minimum standard. Requires that an organization ensure that the implemented standards continue to provide the required level of protection.

Capability Maturity Model Integrated (CMMI)

___ is one of the most popular references that support the development of process improvement and performance measures. Developed by The Software Engineering Institute at Carnegie Mellon.

Standard of due care

___ is when organizations adopt minimum levels of security for legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances.

Baseline

___ measurements of security activities and events are used to evaluate the organization's future security performance. Can provide the foundation for internal benchmarking i.e. Information gathered for an organization's first risk assessment becomes the ___ for future comparisons.

Major activities

___ refers to the identification and definition of the current information security program. Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls.

Operational

____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.

Managerial

____ controls set the direction and scope of the security process and provide detailed instructions for its conduct

Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

access

Best security practices balance the need for user _____________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

access

What do audit logs that track user activity on an information system provide?

accountability

In security management, ____________________ is the authorization of an IT system to process, store, or transmit information.

accreditation

In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?

accreditation

is a document containing contact information of the individuals to notify in the event of an actual incident.

alert roster

A ____ is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared.".

baseline

A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an internal goal.

baseline

Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?

benchmarking

In security management, ____ is "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

certification

According to NIST SP 800-37, the first step in the security controls selection process is to ____.

characterize the system

must be comprehensive and mutually exclusive

classification categories

In which type of site are no computer hardware or peripherals provided?

cold site

Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event?

contingency planning

The second step in the NIST SP 800-37 model for security certification and accreditation is to select the appropriate minimum security ____________________ for the system.

controls

Types of attacks: Distributed denial-of-service (DDoS)

coordinated stream of requests is launched against target from many locations simultaneously

Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project?

critical path

Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project? crucial factor set critical function critical path program path

critical path

Ethics,are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.

cultural mores

Application of training and education is a common method of which risk control strategy?

defense

a manager must understand how to

define tasks, allocate scarce resources, and manage assigned resources

The intermediate area between trusted and untrusted networks is referred to as which of the following?

demilitarized zone

Which type of attack involves sending a large number of connection or information requests to a target?

denial-of-service (DoS)

Which type of attack involves sending a large number of connection or information requests to a target? malicious code brute force spear fishing denial-of-service (DoS)

denial-of-service (DoS)

When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration due diligence adequate security measures certification and accreditation

due diligence

____________________ encompasses a requirement that the implemented standards continue to provide the required level of protection.

due diligence

The bulk batch-transfer of data to an off-site facility is known as

electronic vaulting

A collection of BSSs connected by one or more DSs is referred to as an ____ service set (ESS). elaborate eccentric electric extended

extended

As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.

factor analysis

Which of the following is a criteria used to compare and evaluate biometric technologies?

false reject rate

describe a physical security program

fire, physical access, gates, guards, etc.

A(n) ____ is an ideal endpoint for VPN, which connects two companies' networks over the Internet. firewall DMZ intranet extranet

firewall

is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.

full-interruption

Types of attacks: Back door

gaining access to system or network using known or previously unknown/newly discovered access mechanism

Cost-Benefit Analysis Benefit

he value to the organization of using controls to prevent losses associated with a specific vulnerability Usually determined by valuing the information assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset This is expressed as the annualized loss expectancy (ALE)

The NIST risk management approach includes all but which of the following elements?

inform

Which of the following is NOT one of the basic rules that must be followed when shaping a policy? policy should never conflict with law policy should be agreed upon by all employees and management policy must be properly supported and administered policy must be able to stand up in court if challenged

policy should be agreed upon by all employees and management

Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.

political feasibility

Which tool can identify active computers on a network?

port scanner

Which of the following is NOT an aspect of access regulated by ACLs? what authorized users can access why authorized users need access to the system when authorized users can access the system how authorized users can access the system

why authorized users need access to the system

Software Assurance and the SA Common Body of Knowledge

• National effort underway to create common body of knowledge focused on secure software development • US Department of Defense and Department of Homeland Security supported Software Assurance Initiative, which resulted in publication of Secure Software Assurance (SwA) Common Body of Knowledge (CBK) • SwA CBK serves as a strongly recommended guide to developing more secure applications

Enabling the Safe Operation of Applications

• Organization needs environments that safeguard applications using IT systems • Management must continue to oversee infrastructure once in place—not relegate to IT department

Protecting Data that Organizations Collect and Use

• Organization, without data, loses its record of transactions and/or ability to deliver value to customers • Protecting data in motion and data at rest are both critical aspects of information security

Safeguarding Technology Assets in Organizations

• Organizations must have secure infrastructure services based on size and scope of enterprise • Additional security services may be needed as organization grows • More robust solutions may be needed to replace security programs the organization has outgrown

Software Development Security Problems

• Problem areas in software development: - Buffer overruns - Command injection - Cross-site scripting - Failure to handle errors - Failure to protect network traffic - Failure to store and protect data securely - Failure to use cryptographically strong random numbers • Problem areas in software development (cont'd.): - Format string problems - Neglecting change control - Improper file access - Improper use of SSL - Information leakage - Integer bugs (overflows/underflows) - Race conditions - SQL injection • Problem areas in software development (cont'd.): - Trusting network address resolution - Unauthenticated key exchange - Use of magic URLs and hidden forms - Use of weak password-based systems - Poor usability

Steps to solving problems

• Step 1: Recognize and define the problem • Step 2: Gather facts and make assumptions • Step 3: Develop possible solutions • Step 4: Analyze and compare possible solutions • Step 5: Select, implement, and evaluate a solution

Threats

• Threat: an object, person, or other entity that represents a constant danger to an asset • Management must be informed of the different threats facing the organization • Overall security is improving • The 2009 CSI/FBI survey found - 64 percent of organizations had malware infections - 14 percent indicated system penetration by an outsider

Category of Threat: Sabotage or Vandalism

• Threats can range from petty vandalism to organized sabotage • Web site defacing can erode consumer confidence, dropping sales and organization's net worth • Threat of hacktivist or cyberactivist operations rising • Cyberterrorism: much more sinister form of hacking

Typically, the information security policy administrator is ____. a. the CEO b. the COO c. a mid-level staff member d. the CIO

A mid-level staff member. (Unsure of answer)

Standards

A more detailed statement of what must be done to comply with policy

Which of the following would not necessarily be a good reference or resource in writing good policy documents from scratch?

A public bookstore

Which of the following would not necessarily be good reference or resource in writing good policy documents from scratch?

A public bookstore

OCTAVE-Allegro

A streamlined approach for information security assessment and assurance

The Factor Analysis of Information Risk (FAIR) framework includes

A taxonomy for information risk Standard nomenclature for information risk terms A framework for establishing data collection criteria Measurement scales for risk factors A computational engine for calculating risk A modeling construct for analyzing complex risk scenarios

exploit

A technique or mechanism that is used to compromise a system is called a(n) ____________________.

threat

A(n) ____________________ is an object, person, or other entity that represents a constant danger to an asset of an organization.

True

A(n) vulnerability is an identified weakness of a controlled information asset and is the result of absent or inadequate controls.

In addition to specifying the penalties for unacceptable behavior, what else must a policy specify? a. Appeals process b. Legal recourse c. Must be done to comply d. The proper operation of equipment

A. Appeals process pg. 128

Which type of planning is used to organize the ongoing, day-to-day performance of tasks? A. Operational B. Organizational C. Tactical D. Strategic

A. Operational Pg. 43

Which of the following is true about planning? A. Strategic plans are used to create tactical plans B. Tactical plans are used to create strategic plans C. Operational plans are used to create tactical plans D. Operational plans are used to create strategic plans

A. Strategic plans are used to create tactical plans pg. 42

A(n) ____ acts as the "base station" for the wireless network. ad-hoc peer AP WMM endpoint

AP

The ____ is the indication of how often you expect a specific type of attack to occur.

ARO

What is the largest area of concern with regard to security in ZigBee? Rogue access points ARP poisoning Weak encryption method Accidental key reuse

Accidental Key reuse

Category of Threat: Human Error or Failure Provide an Example:

Accidents, employee mistakes

availability

According to the C.I.A. triangle, which of the following is a desirable characteristic for computer security?

Acting

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization do the work according to the plan?

What do audit logs that track user activity on an information system provide? identification accountability authorization authentication

Accountability

define project procurement

Acquiring needed project resources. Includes procurement planning, solicitation planning, solicitation, source selection, contract administration and contract closeout.

Which of the following is a responsibility of the crisis management team?

Activating the alert roster

Operational feasibility

Addresses user and management acceptance and support Addresses the overall requirements of the organization's stakeholders

A typical EULA screen may require the user to ____. a. click a button on the screen b. type specific words c. press a function key d. All of these

All of these

Asset valuation must account for value _____.

All of these

The management of human resources must address many complicating factors; which of the following is NOT among them?

All workers operate at approximately the same level of efficiency

Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical? a. BIA questionnaire b. Weighted analysis tool c. Recovery time organizer d. MTD comparison

B Weighted tool analysis pg. 82

Feasibility and Cost-Benefit Analysis

Before deciding on the strategy for a specific vulnerability All readily accessible information about the consequences of the vulnerability must be explored Ask "what are the advantages of implementing a control as opposed to the disadvantages of implementing the control?" There are a number of ways to determine the advantage or disadvantage of a specific control The primary means are based on the value of the information assets that it is designed to protect

False

Benefits of Information Security Governance include optimization of the allocation of limited security safeguards.

When prioritizing collected evidence, which term refers to the likelihood that the information will be useful? Forensics Analysis Volatility Value

Value

Asset valuation components

Value retained from the cost of creating the information asset Value retained from past maintenance of the information asset Value implied by the cost of replacing the information Value from providing the information Value acquired from the cost of protecting the information Value to owners Value of intellectual property Value to adversaries Loss of productivity while the information assets are unavailable Loss of revenue while information assets are unavailable

Category of Threat: Software Attack Provide an Example:

Viruses, worms, macros, DoS

ambitious

Vision statements are meant to be ____.

____ are scanning and analysis tools that are capable of scanning networks for very detailed information.

Vulnerability scanners

The ___________ wireless security protocol was replaced by stronger protocols due to several vulnerabilities found in the early 2000s.

WEP

____________________ presents a threat to wireless communications, a practice that makes it prudent to use a wireless encryption protocol to prevent unauthorized use of your Wi-Fi network.

War driving

The original OCTAVE method, (forms the basis for the OCTAVE body of knowledge)

Was designed for larger organizations with 300 or more users

Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?

What affect will measurement collection have on efficiency?

investigation

What is the first phase of the SecSDLC?

0-1023

What is the range of the well-known ports used by TCP and UDP?

Which of the following is NOT a valid rule of thumb on risk control strategy selection?

When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.

Which of the following is NOT a step in the problem-solving process? Gather facts and make assumptions Analyze and compare possible solutions Build support among management for the candidate solution Select, implement and evaluate a solution

Build support among management for the candidate solution

Which of the following is NOT a step in the problem-solving process? Build support among management for the candidate solution Gather facts and make assumptions Analyze and compare possible solutions

Build support amoung management for the candidate solution

describe the informational role

Collecting, processing, and using information that can affect the completion of the objective

safeguards

Controls or ____________________ are used to protect information from attacks by threats; the terms are also often used interchangeably.

This decision-making process is called

Cost-benefit analysis or economic feasibility study

Managerial Guidance SysSPs

Created by management to guide the implementation and configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent

Which is the first step in the contingency planning process? a. Business continuity training b. Disaster recovery planning c. Incident response planning d. Business impact analysis

D. Business impact analysis pg. 79

What is the last stage of the business impact analysis? a. Identify resource requirements b. Analysis and prioritization of business processes c. Collect critical information about each business unit d. Prioritize resources associated with the business processes

D. Prioritize resources associated with the business processes pg. 84

In which level of planning are budgeting, resource allocation, and manpower critical components? A. Strategic B. Operational C. Organizational D. Tactical

D. Tactical Pg. 43

Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?

DMCA

You might put a proxy server in the __________________, which is exposed to the outside world, neither in the trusted nor untrusted network.

DMZ

owners

Data ____________________ are responsible for the security and use of a particular set of information.

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method

Defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation Allows an organization to make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets The operational or business units and the IT department work together to address the information security needs of the organization

Political feasibility

Defines what can and cannot occur based on the consensus and relationships between the communities of interest

In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?

Delphi

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? Deontological ethics Applied ethics Normative ethics Meta-ethics

Denotological ethics

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?

Deontological ethics

Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? Deontological ethics Meta-ethics Applied ethics Normative ethics

Deontological ethics

Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?

Descriptive ethics

During the ____ phase of the SecSDLC, the team must create a plan to distribute, and verify the distribution of, the policies.

Design

Category of Threat: Sabotage or Vandalism Provide an Example:

Destruction of systems or information

The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?

Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset

PERT disadvantages

Diagrams can be awkward and cumbersome, expensive. Difficulty in estimating task durations

A(n) ____ packet contains a field that indicates the function of the packet and an identifier field used to match requests and responses. RADIUS TKIP ICMP EAP

EAP

A(n) ____ packet contains a field that indicates the function of the packet and an identifier field used to match requests and responses. TKIP ICMP RADIUS EAP

EAP

define Gantt chart

Easier to design and implement than PERT diagrams w/ same info. List activities on vertical axis, timeline on horizontal

Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received

Electronic vaulting

Which material presents a gray area of ownership? An employee's personal belongings The employee's physical personhood Cell phones provided by the employer for the employee's use Employee-purchased briefcases used to transfer work

Employee-purchased briefcase used to transfer work

define project quality management

Ensures project meets project specifications. Includes quality planning, quality assurance and quality control.

define project time management

Ensures that project is finished by identified completion date while meeting objectives

PMBok project scope management

Ensures that project plan includes only those activities necessary to complete it

define scope

Ensures that project plan includes only those activities necessary to complete it

Which Amendment to the U.S. Constitution starts with: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated?

Fourth

Which Amendment to the U.S. Constitution starts with: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated? Second Fourth First Third

Fourth

Which group was created to certify the interoperability of 802.11b products? IEEE ITU ANSI Wi-Fi Alliance

Wi-Fi Alliance

How does the planning process begin?

With the creation of strategic plans for the entire organization

Best Practices

___ are security efforts that seek to provide a superior level of performance in the protection of information. Considered among the best in the industry.

Which of the following is a type of information security policy that deals with entirety of an organization's information security efforts?

Enterprise information security policy

Types of information security policy

Enterprise information security program policy (EISP) Issue-specific information security policies Systems-specific policies

Category of Threat: Technical failures or errors Provide an Example:

Equipment failure

According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? Initiating Learning Acting Establishing

Establishing

Begin a cost-benefit analysis by:

Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised

Technical feasibility

Examines whether or not the organization has or can acquire the technology to implement and support the alternatives

The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses

F

Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster

F

____________________ is a risk management framework developed to help organizations to understand, analyze, and measure information risk.The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

Factor Analysis of Information Risk

due care or due diligence

Failure to demonstrate ___or___ can expose an organization to legal liability. If it can be shown that the organization was negligent in its information protection methods.

What is one of the most frequently cited failures in project management?

Failure to meet project deadlines

(T/F) A company deemed to be using 'best security practices' establishes high-quality security in every area of their security program.

False

(T/F) Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.

False

(T/F) Having an established risk management program means that an organization's assets are completely protected.

False

(T/F) MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.

False

(T/F) Technical controls alone, when properly configured, can secure an IT environment.

False

(T/F) The "something you have" authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics.

False

(T/F) The current law regarding nationwide search warrants for e-mail requires the government to use a search warrant to compel a provider to disclose unopened e-mail that is more than six months old.

False

(T/F) The defense risk control strategy may be accomplished by rethinking how services are offered and outsourcing to other organizations, among other strategies.

False

(T/F) The first phase in the NIST performance measurement process is to identify and document InfoSec performance goals and objectives.

False

(T/F) Using a practice called benchmarking, you are able to develop an acceptable use policy based on the typical practices of the industry in which you are working.

False

(T/F) Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or unauthorized access.

False

An intrusion detection and prevention device denies access to a system by default.

False

Another problem with benchmarking is that no two organizations are similar.

False

Avoidance of risk is accomplished through the application of procedures, training and education and the implementation of technical security controls and safeguards.

False

Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.

False

Biometric technologies are generally evaluated according to three basic criteria: False Reject Rate, False Accept Rate and Authentication Error Rate.

False

Common sense dictates that an organization should spend more to protect an asset than its value.

False

Corruption of information can occur only while information is being stored.

False

Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.

False

Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.

False

If multiple audiences exists for information security policies, different documents must be created for each audience.

False

In some organizations, the terms metrics and best practices are interchangeable.

False

In the Flesch Reading Ease scales, the higher the score, the harder it is to understand the writing.

False

Information security policies do not require a champion

False

Mitigation of risk involves applying safeguards that eliminate or reduce the remaining uncontrolled risks.

False

NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.

False

Once developed, information security performance measures must be implemented and integrated into ongoing information security management operations. For the most part, it is sufficient to collect these measures once.

False

One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.

False

Rule-based policies are less specific to the operation of a system than access control lists

False

Scanning and analysis tools ensure confidentiality by concealing private information from unauthorized parties.

False

SysSPs focus on the proper handling of issues in the organization, like the use of technologies.

False

Technical controls alone are adequately equipped to ensure a secure IT environment.

False

The Data Encryption Standard (DES) is a popular symmetric encryption system and uses a 64-bit block size and a(n) 64-bit key.

False

The ISSP is not a binding agreement between the organization and its members.

False

The Internet is an example of a trusted network.

False

The goal of information security is to bring residual risk to zero.

False

The policy administrator must be technically oriented.

False

The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss..

False

Which law addresses privacy and security concerns associated with the electronic transmission of PHI?

Health Information Technology for Economic and Clinical Health Act

Which of the following is NOT a factor critical to the success of an information security performance program?

High level of employee buy-in to performance measurements

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

Hold regular meetings with the CIO to discuss tactical InfoSect planning

An organization must be able to place a dollar value on each information asset it owns, based on:

How much did it cost to create or acquire? How much would it cost to recreate or recover? How much does it cost to maintain? How much is it worth to the organization? How much is it worth to the competition?

Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?

IP address

Category of Threat: Deviations in quality of service Provide an Example:

ISP, power, or WAN service issues from service providers

In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation?

Identify relevant items of evidentiary value (EM)

In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation? Analyze the data without risking modification or unauthorized access Report the findings to the proper authority Acquire (seize) the evidence without alteration or damage Identify relevant items of evidentiary value (EM)

Identify relevant items of evidentiary value (EM)

When is information integrity threatened?

If exposed to corruption, damage, destruction, or other disruption of its authentic state

When a vulnerability exists

Implement security controls to reduce the likelihood of a vulnerability being exercised

During the ____ phase, the information security policy development team must provide for policy distribution.

Implementation

The information security policy is written during the ____ phase of the SecSDLC.

Implementation

phishing

In a(n) ____________________ attack, the attacker uses an e-mail or forged Web site to attempt to extract personal information from a user.

Cost-Benefit Analysis cont.

In most cases, the probability of a threat occurring is the probability of loss from an attack within a given time frame This value is commonly referred to as the annualized rate of occurrence (ARO) ALE = SLE * ARO

A ____ is more detailed statement identifying a measurement of behavior and specifies what must be done to comply with a policy.

Standard

Technical Specifications SysSPs

System administrators' directions on implementing managerial policy Each type of equipment has its own type of policies General methods of implementing technical controls -Access control lists -Configuration rules

The ____ section of the ISSP should specify users' and systems administrators' responsibilities.

Systems Management

A project can have more than one critical path.

T

the prioritized list of threats is placed along the vertical axis

TVA worksheet

The two groups of SysSPs are managerial guidance and ____.

Technical specifications

Which of the following is NOT a knowledge area in the Project Management knowledge body?

Technology

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?

The Computer Security Act

Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system? Computer Fraud and Abuse Act The Telecommunications Deregulation and Competition Act National Information Infrastructure Protection Act The Computer Security Act

The Computer Security Act

Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?

The Electronic Communications Privacy Act of 1986

Place information security at the top of the board's agenda

The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?

maintenance

The ____ phase is typically the most important phase of the security systems development life cycle (SecSDLC).

analysis

The ____ phase of the security systems development life cycle (SecSDLC) assesses the organization's readiness, its current systems status, and its capability to implement and then support the proposed systems.

values

The ____ statement contains a formal set of organizational principles, standards, and qualities.

Chief Risk Officer

The ____________________ has the primary responsibility for independent annual audit coordination.

values

The ____________________ statement contains a formal set of organizational principles, standards, and qualities.

brute force

The application of computing and network resources to try every possible combination of characters to crack a password is known as a ____ attack.

define project management

The application of knowledge, skills, tools, and techniques to project activities to meet project requirements

Resource management by executing appropriate measures to manage and mitigate risks to information technologies

The basic outcomes of information security governance should include all but which of the following?

True

The basic outcomes of information security governance should include risk management by executing appropriate measures to manage and mitigate threats to information resources.

talk

The biggest barrier to benchmarking is when organizations don't___ to each other. A successful attack is viewed as an organizational failure, and is kept secret, insofar as possible.

define planning

The process that develops, creates, and implements strategies for the accomplishment of objectives

define information security

The protection of information and its critical elements (confidentiality, integrity, availability), including the systems and hardware that use/store/transmit the information

define security

The quality or state of being secure, to be free from danger.

define integrity

The quality or state of being whole, complete, and uncorrupted

describe information technology

The vehicle that stores and transports information from one business unit to another. Capable of breaking down

Which of the following is NOT one of the three types of performance measures used by organizations?

Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy

How is information security performed?

Through the application of policy, technology, and training/awareness programs.

Which of the following provides an identification card of sorts to clients who request services in a Kerberos system?

Ticket Granting Service

Hybrid assessment

Tries to improve upon the ambiguity of qualitative measures without using an estimating process

A ____ is a program advertised as performing one activity but actually does something else. worm virus Trojan script

Trojan

(T/F) An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official.

True

(T/F) One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

True

(T/F) Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.

True

(T/F) Secure Shell (SSH) provides security for remote access connections over public networks by creating a secure and persistent connection..

True

(T/F) Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

True

(T/F) The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.

True

(T/F) The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.

True

(T/F) The InfoSec community often takes on the leadership role in addressing risk

True

(T/F) The KDC component of Kerberos knows the secret keys of all clients and servers on the network.

True

(T/F) The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.

True

Encryption uses algorithms to manipulate plaintext into ciphertext before transmission.

True

Implementing controls at an acceptable standard—and maintaining them—demonstrates that an organization has performed due diligence.

True

In some systems, capability tables are known as user profiles.

True

In the case of the man-in the-middle attack, an attacker pretends to be the second party in a conversation and routes traffic to the actual second party.

True

Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices.

True

One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.

True

Performance measurement is an ongoing, continuous improvement operation.

True

Policies must note the existence of penalties for unacceptable behavior and define an appeals process.

True

Public key encryption is also known as asymmetric encryption.

True

Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

True

Secure Sockets Layer (SSL) was developed to provide security for online electronic commerce transactions.

True

The Flesch-Kincaid Grade Level score evaluates writing on a U.S. grade-school level.

True

Unless a particular use is clearly prohibited, the organization cannot penalize employees for it.

True

Unless a policy actually reaches the end users, it cannot be enforced.

True

When performing parallel testing, normal operations of the business are not impacted.

True

T or F When performing parallel testing, normal operations of the business are not impacted.

True pg. 116

Which law extends protection to intellectual property, which includes words published in electronic formats?

U.S. Copyright Law

According to Confucius, "Tell me, and I forget; show me and, and I remember; let me do and I ____."

Understand

Acceptance

Understanding the consequences and accepting the risk without control or mitigation To accept the loss when it occurs This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure Before using the acceptance strategy, the organization must: -Determine the level of risk to the information asset -Assess the probability of attack and the likelihood of a --successful exploitation of a vulnerability -Approximate the ARO of the exploit -Estimate the potential loss from attacks -Perform a thorough cost benefit analysis -Evaluate controls using each appropriate type of feasibility -Decide that the particular asset did not justify the cost of protection

Category of Threat: Espionage or trespass Provide an Example:

Unothorized access and/or data collection

Capability tables are also known as ____ .

User policies or User profiles

Best Practices

___ balance the need for information access with the need for adequate protection. Demonstrate fiscal responsibility. Companies with best practices may not be the best in every area.

Operational

____ plans are used to organize the ongoing, day-to-day performance of tasks.

Baselining

___is a value or profile of a performance metric against which changes in the performance metric can be usefully compared. Process of measuring against established standards.

Certification

___is the comprehensive evaluation of the technical and nontechnical security controls of an IT system. Supports the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

Information security performance management

___is the process of designing, implementing and managing the use of collected data elements called measures. To determine the effectiveness of the overall security program

gold standard

a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information

Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.

action plan

standard of due care

adopting minimum levels of security to establish a future legal defense

The purpose of NIST SP 800-53 (R3) as part of the NIST System C&A Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for ____.

all of these

A best practice in the configuration of a firewall is all traffic from the trusted network is ____________________.

allowed out

Types of attacks: Mail bombing

also a DoS; attacker routes large quantities of e-mail to target

Types of attacks: Phishing

an attempt to gain personal/financial information from individual, usually by posing as legitimate entity

define goals

an end result of the planning process

Voice recognition authentication mechanism captures the ____________________ waveforms of human speech.

analog

A risk assessment is performed during which phase of the SecSDLC? design implementation investigation analysis

analysis

A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy

annualized cost of the safeguard

Which type of IDPS is also known as a behavior-based intrusion detection system?

anomaly-based

Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.

appetite

The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.

appetite

Types of attacks: Denial-of-service (DoS)

attacker sends large number of connection or information requests to a target

According to Charles Cresson Wood "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent".

audits

EAP request packets are issued by the ____. authenticator authentication server proxy supplicant

authenticator

In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.

benefit

Which of the following is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset

benefit

Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?

common good

Classification categories must be ____________________ and mutually exclusive.

comprehensive

Classification categories must be mutually exclusive and which of the following?

comprehensive

After an incident, but before returning to its normal duties, the CSIRT must do which of the following?

conduct an after-action review

The last phase in the NIST performance measures implementation process is to apply ______________ actions which closes the gap found in Phase 2.

corrective

The last phase in the NIST performance measures implementation process is to apply ____________________ actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

corrective

In cryptology, an encrypted message is in a ____ form.

cryptext

The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks? determine if the cost/benefit ratio is acceptable prepare the plan of action and develop milestones determine the risk to organizational operations assemble the security authorization package

determine if the cost/benefit ratio is acceptable

Which type of device allows only specific packets with a particular source, destination, and port address to pass through it.

dynamic packet filtering firewalls

Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.

incident

plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets

incident response

An organization's ____ policy must spell out the procedures for initiating the investigative process, including management approvals. organizational business continuity incident response (IR) contingency planning

incident response (IR)

The first component of the analysis phase is ___________, which allows the investigator to quickly and easily search for a specific type of file.

indexing

describe the measures used to protect confidentality

information classification, secure document storage, application of general security policies, education of information custodians and end users

The concept of computer security has been replaced by the concept of

information security

Information security decisions should involve what three groups?

information security managers/professionals, information technology managers/professionals, non-technical business managers/professionals

define programs

information security operations specifically managed as separate entities. Ex: SETA

Which of the following is Tier 3 (indicating tactical risk) of the tiered risk management approach?

information system

Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.

intent

define objectives

intermediate points that allow you to measure progress toward the goal

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? implementation design analysis investigation

investigation

A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? implementation investigation design analysis

investigation

What is the first phase of the SecSDLC?

investigation

One of the most common methods of obtaining user acceptance and support is via user

involvement

Potential loss

is that which could occur from the exploitation of vulnerability or a threat occurrence

Any court can impose its authority over an individual or organization if it can establish which of the following?

jurisdiction

Which of the following is used in conjunction with an algorithm to make computer data secure from anybody except the intended recipient of the data?

key

Which of the following biometric authentication systems is the most accepted by users?

keystroke pattern recognition

Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?

legal liability

Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.

likelihood

Which of the following is the process that develops, creates, and implements strategies for the accomplishment of objectives?

planning

In InfoSec, most operations focus on __________, which are those documents that provide managerial guidance for ongoing implementation and operations.

policies

Standards are created from

policies

The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.

policies

____ comprise a set of rules that dictates acceptable and unacceptable behavior within an organization.

policies

Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?

policy

A ____ is a network channel connection point in a data communications system.

port

A ____ is a network subaddress (assigned a number between 0 and 65,535) through which a particular type of data is allowed to pass. datagram socket port header

port

Which technology employs sockets to map internal private network addresses to a public address using a one-to-many mapping?

port-address translation

A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).

post-control

Which of the following is NOT a unique function of Information Security Management?

principles

Which of the following is NOT a unique function of Information Security Management? principles planning project management protection

principles

What is the last stage of the business impact analysis?

prioritize resources associated with the business processes

Information security is a _, not a _

process, not a project

What should you be armed with to adequately assess potential weaknesses in each information asset?

properly classified inventory

Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____ organization would do in similar circumstances.

prudent

Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.

prudent

What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?

qualitative assessment of many risk components

One of the critical tasks in the measurement process is to assess and ____________________ what will be measured.

quantify

columns include asset impact, vulnerability, and risk-rating factor

ranked vulnerability risk worksheet

In information security, two categories of benchmarks are used: standards of due care and due diligence and ____ practices.

recommended

Mitigation

reduce the damage caused by the exploitation of vulnerability Reducing the impact if the vulnerability is exploited Using planning and preparation Depends upon the ability to detect and respond to an attack as quickly as possible Types of mitigation plans Disaster recovery plan (DRP) Incident response plan (IRP) Business continuity plan (BCP)

NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.

repeatability

The element of remaining risk after vulnerabilities have been controlled is referred to as ____________________ risk.

residual

Which of the following biometric authentication systems is considered to be the most secure?

retina pattern recognition

Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?

risk appetite

A ____ access point is an unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks. rogue legitimate random sanctioned

rogue

Risk appetite

(also known as risk tolerance) The quantity and nature of risk that organizations are willing to accept As they evaluate the trade-offs between perfect security and unlimited accessibility The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if exploited

Project time management processes

- Activity definition - Activity sequencing - Activity duration estimating - Schedule development - Schedule control

Attacks

- Acts or actions that exploits vulnerability (i.e., an identified weakness) in controlled system - Accomplished by threat agent that damages or steals organization's information

Describe the job of a manager

- Administers the resources of the organization - Creates budgets, authorizes expenditures and hires employees

What are the type of leadership behaviors?

- Autocratic - Democratic - Laissez-faire

define slack time in PERT

- How much time is available for starting a noncritical task without delaying the project as a whole - Tasks which have slack time are logical candidates for accepting a delay

what is the work phase of the WBS

- Phase in which the project deliverables are prepared - Occurs after the project manager has completed the WBS

Conducting Decision Support: Identify and evaluate available controls

-Define functional requirements - create the necessary requirements to mitigate risks -Select possible control solutions - outline approach to identify mitigation solutions -Review solution - evaluate proposed controls against functional requirements -Estimate risk reduction - endeavor to understand reduced exposure or probability of risks -Estimate solution cost - evaluate direct and indirect costs associated with mitigation solutions -Select mitigation strategy - complete cost-benefit analysis to identify the most cost-effective mitigation solution

ISPME checklist

-Gather ideas that stakeholders believe should be included in a new or updated information security policy -Examine other policies issued by your organization to identify prevailing format, style, tone, length, and cross-references -Identify the audience and distribution method of information security policy materials -Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages -Decide whether some other awareness efforts must take place before information security policies are issued -Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated

Developing Information Security Policy Design phase includes

-How the policies will be distributed -How verification of the distribution will be accomplished -Specifications for any automated tools -Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified

ISPME checklist

-If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix -Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication -Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document Determine whether the number of messages is too large to be handled all at one time If so, identify different categories of material to be issued at different times

Technical Specifications SysSPs Access control lists

-Include the user access lists, matrices, and capability tables that govern the rights and privileges -A similar method that specifies which subjects and objects users or groups can access is called a capability table -These specifications are frequently complex matrices, rather than simple lists or tables Enable administrations to restrict access according to user, computer, time, duration, or even a particular file

Developing Information Security Policy Investigation phase

-Obtain support from senior management, and active involvement of IT management, specifically the CIO -Clearly articulate the goals of the policy project -Gain participation of correct individuals affected by the recommended policies -Involve legal, human resources and end-users -Assign a project champion with sufficient stature and prestige -Acquire a capable project manager -Develop a detailed outline of and sound estimates for project cost and scheduling

ISPME checklist

-Outline the topics to be included in the first document reviewed by several stakeholders -Based on comments from the stakeholders, revise the initial outline and prepare a first draft -Have the first draft reviewed by stakeholders for initial reactions, suggestions, and implementation ideas -Revise the draft in response to comments from stakeholders -Request top management approval on the policy -Prepare extracts of the policy document for selected purposes -Develop an awareness plan that uses the policy document as a source of ideas and requirements

Technical Specifications SysSPs Access control lists regulate

-Who can use the system -What authorized users can access -When authorized users can access the system -Where authorized users can access the system from -How authorized users can access the system -Restricting what users can access, e.g. printers, files, communications, and applications

Implementing the (ISSP) Issue-Specific Security Policy

1. Common approaches -Several independent ISSP documents -A single comprehensive ISSP document -A modular ISSP document that unifies policy creation and administration 2. The recommended approach is the modular policy -Provides a balance between issue orientation and policy management

People Processes Technology

3 areas of self-assessment for best security practices

For most corporate documents, a score of ____ is preferred on the Flesch Reading Ease scale.

60 to 70

For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.

7.0 to 8.0

Port number ____ is commonly used for the Hypertext Transfer Protocol service.

80

Which port number is commonly used for the Hypertext Transfer Protocol service.

80

back door

A ____ is a feature left behind by system designers or maintenance staff.

Enterprise information security program policy, EISP documents should provide

An overview of the corporate philosophy on security Information about information security organization and information security roles -Responsibilities for security that are shared by all members of the organization -Responsibilities for security that are unique to each role within the organization

A risk assessment is performed during the ____ phase of the SecSDLC.

Analysis

NIST SP 800 - 55 R1

Another popular approach to measures programs is___: Performance Measurement for Information Security The identification and definition of the current information security program Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls

Policies must also specify the penalties for unacceptable behavior and define a(n) ____.

Appeals Process

When a vulnerability can be exploited

Apply layered controls to minimize the risk or prevent occurrence

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?

Are the user accounts of former employees immediately removed on termination?

Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people? Would the typical employee know how to report a security issue to the right people? Do you perform background checks on all employees with access to sensitive data, areas, or access points? Are the user accounts of former employees immediately removed on termination? Would the typical employee recognize a security issue?

Are the user accounts of former employees immediately removed on termination?

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?

Assigning a value to each information asset

Which type of planning is the primary tool in determining the long-term direction taken by an organization? A. Tactical B. Operational C. Strategic D. Managerial

C. Strategic Pg. 41

Cost-benefit analysis formula

CBA = ALE(prior) - ALE(post) - ACS ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control ALE (post-control) is the ALE examined after the control has been in place for a period of time ACS is the annual cost of the safeguard

Cost-Benefit Analysis

CBA determines whether or not a control alternative is worth its associated cost CBAs may be calculated before a control or safeguard is implemented To determine if the control is worth implementing Or calculated after controls have been implemented and have been functioning for a time

True

CISOs use the operational plan to organize, prioritize, and acquire resources for major projects.

____ is designed to detect any changes in a packet, whether accidental or intentional. CRC TKIP AES CBC

CRC

Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?

Calculating the risks to which assets are exposed in their current setting

Technical controls ____.

Can be implemented using access control lists or configurations rules.

A ____ specifies which subjects and objects users or groups can access.

Capability Table

____________________ is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."

Certification

"security control assessment"

Certification is being replaced by the term "___".

guidelines

Choosing which recommended practices to implement can pose a challenge for some organizations. In industries that are regulated by governmental agencies, government ___ are often requirements. For other organizations, government guidelines are excellent sources of information and can inform their selection of best practices.

T or F In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.

False pg. 109

T or F Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.

False pg. 135

T or F Rule-based policies are less specific to the operation of a system than access control lists.

False pg. 142

T or F Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex

False pg. 155

T or F Because it sets out general business intentions, a mission statement does not need to be concise.

False pg. 40

T or F A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.

False pg. 53

T or F The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.

False pg. 66

T or F Penetration testing is often conducted by contractors, who are commonly referred to as black-hats

False pg. 67

T or F When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.

False pg. 76

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following? For private financial gain For purposes of commercial advantage For political advantage In furtherance of a criminal act

For political advantage

champion

For any top-down approach to security implementation to succeed, the initiative must have a(n) ____ with influence to move the project forward.

Policies are important reference documents

For internal audits For the resolution of legal disputes about management's due diligence Policy documents can act as a clear statement of management's intent

Guidelines for Effective Policy

For policies to be effective, they must be properly: -Developed using industry-accepted practices -Distributed or disseminated using all appropriate methods -Reviewed or read by all employees -Understood by all employees -Formally agreed to by act or assertion -Uniformly applied and enforced

The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?

For political advantage

waterfall

In the security systems development life cycle (SecSDLC), the work products of each phase fall into the next phase to serve as its starting point, which is known as the ____ model.

permutation

In which cipher method are values rearranged within a block to create the ciphertext?

waterfall

In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?

Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident

Incident classification

The benefits of using information security performance measures include all but which of the following?

Increasing efficiency for InfoSec performance

The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?

InfoSec community analysis

The ____ component of an EISP defines the organizational structure designed to support information security within the organization.

Information Technology Security Responsibilities and Roles

define privacy

Information collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected

Which of the following is not an example of a disaster recovery plan?

Information gathering procedures

performance measures, once

Information security ___ must be implemented and integrated into ongoing information security management operations. It is insufficient to simply collect these measures ___. Performance measurement is an ongoing, continuous improvement operation.

objectives

Information security ____ must be addressed at the highest levels of an organization's management team in order to be effective and offer a sustainable approach.

The 27005 document includes a five-stage risk management methodology

Information security risk assessment (ISRA) Information security risk treatment Information security risk acceptance Information security risk communication Information security risk monitoring and review

According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? Learning Acting Initiating Establishing

Initiating

PMBoK project plan development

Integrating all project elements into a cohesive plan: Complete goal within the allotted time using only the allotted resources.

describe the interpersonal role

Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task

A detailed outline of the scope of the policy development project is created during the ____ phase of the SecSDLC.

Investigation

Cost-Benefit Analysis

It is difficult to determine the value of information It is also difficult to determine the cost of safeguarding it Factors that affect the cost of a safeguard Cost of development or acquisition of hardware, software, and services Training fees Cost of implementation Service and maintenance costs

Developing Information Security Policy

It is often useful to view policy development as a two-part project -First, design and develop the policy (or redesign and rewrite an outdated policy) -Second, establish management processes to perpetuate the policy within the organization The former is an exercise in project management, while the latter requires adherence to good business practices

Category of Threat: Missing, inadequate, or incomplete Provide an Example:

Loss of access to information systems due to disk in place drive failure without proper backup and recovery plan organizational policy or planning

Developing Information Security Policy

Maintenance Phase Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously Periodic review should be built in to the process

accreditation, certification

Organizations pursue ___ or ___ to gain a competitive advantage. Also provides assurance to customers

A disadvantage of creating a modular ISSP document is that it ____.

May be more expensive than other alternatives.

A disadvantage of creating a single comprehensive ISSP document is that such a document ____ .

May overgeneralize the issues and skip over vulnerabilities.

Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?

Measurements must be useful for tracking non-compliance by internal personnel

Microsoft Risk Management Approach

Microsoft Corporation also promotes a risk management approach Four phases in the Microsoft InfoSec risk management process: Assessing risk Conducting decision support Implementing controls Measuring program effectiveness

It is recommended that the ____ approach(es) to creating and managing ISSPs be used.

Modular

professional associations, lessons learned

More and more security administrators are joining ___ and societies like ISSA and sharing their stories and lessons learned. An alternative to this direct dialogue is the publication of ___.

Security Certification & Accreditation offers several benefits. Which of the following is NOT one of them?

More consistent, comparable, and repeatable certifications of InfoSec programs

Program Evaluation and Review Technique(PERT)

Most popular, originally developed in the 1950s for government driven engineering projects

Developing Information Security Policy Analysis phase should produce

New or recent risk assessment or IT audit documenting the current information security needs of the organization Key reference materials Including any existing policies

NIST, authorization

Newer ___ documents focus less upon certification and accreditation strategy. And more on a holistic risk management strategy incorporating an ___ strategy rather than accreditation.

____ comprise a set of rules that dictates acceptable and unacceptable behavior within a organization.

Policies

Does privacy signify freedom from observation?

No, it means that information will be used only in ways known to the person providing it

The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.

OCTAVE

An alternate set of possible risk control strategies includes all but which of the following?

Obscurity: Hiding critical security assets in order to protect them from attack

Describe the edges of the mccumber cube

One one side: confidentiality, integrity, availability. On the second side: storage, processing, transmission. On the last side: policy, education, technology

Which type of planning is used to organize the ongoing, day-to-day performance of tasks?

Operational

managers

Operational plans are used by ____.

False

Organizations following the IDEAL Governance framework would determine where you are relative to where you want to be in the evaluation phase.

In cryptology, an original message is in a ____ form.

plaintext

Recommended Risk Control Practices

Organizations typically look for a more straightforward method of implementing controls This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls for specific information asset vulnerability

____ is considered a more flexible EAP scheme because it creates an encrypted channel between the client and the authentication server. LEAP TKIP PEAP ICMP

PEAP

Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?

PERT

Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems? GANTT PERT CPM WBS

PERT

The industry best practice for management methodology

PMBoK

ISPME checklist

Perform a risk assessment or information technology audit To determine your organization's unique information security needs Clarify the meaning of "policy" within your organization Ensure clear roles and responsibilities related to information security Including responsibility for issuing and maintaining policies

Quantitative assessment

Performs asset valuation with actual values or estimates May be difficult to assign specific values Use scales instead of specific estimates

Bluetooth is a ____ technology designed for data communication over short distances. Personal Area Network Private Area Network Limited Area Network Small Area Network

Personal Area Network

In which phase of the NIST performance measures development process will the organization identify and document the InfoSec performance goals and objectives?

Phase 2

resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states

Physical

Which of the following attributes does NOT apply to software information assets?

Physical location

What are the specialized areas of security?

Physical, operations, communications, network

Category of Threat: Compromises to intellectual property Provide an Example:

Piracy, copyright infringement

Assessing Risk: Identification and prioritization of risks facing the organization

Plan data gathering - discuss keys to success and preparation guidance Gather risk data - outline the data collection process and analysis Prioritize risks - outline prescriptive steps to qualify and quantify risks

The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.

Policies

Which of the following is NOT a guideline that may help in the formulation of information technology (IT) policy as well as information security policy?

Policies must be reviewed and approved by legal council before administration.

Bulls-eye model layers

Policies: first layer of defense Networks: threats first meet the organization's network Systems: computers and manufacturing systems Applications: all applications systems

Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? Policy Review and Modification Statement of Purpose Systems Management Limitations of Liability

Policy Review and Modification

Developing Information Security Policy

Policy development projects should be Well planned Properly funded Aggressively managed to ensure that it is completed on time and within budget

rules for shaping a policy

Policy should never conflict with law Policy must be able to stand up in court if challenged Policy must be properly supported and administered

___ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.

Political

ISPME next steps

Post polices to intranet or equivalent Develop a self-assessment questionnaire Develop revised user ID issuance form Develop agreement to comply with information security policies form Develop tests to determine if workers understand policies Assign information security coordinators Train information security coordinators

Which of the following is NOT a factor critical to the success of an information security performance program?

Practical InfoSec budgets and resources for the program

Which of the following is the first phase in the NIST process for performance measures implementation?

Prepare for data collection

Practices

Procedures and guidelines explain how employees will comply with policy

Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?

Project Management Body of Knowledge (PMBoK)

true

Project scope management ensures that the project plan includes only those activities that are necessary to complete it.

Which two approaches are available to an organization when employing digital forensics?

Protect and forget; Apprehend and prosecute

Which two approaches are available to an organization when employing digital forensics? Patch and proceed; Protect and forget Protect and forget; Apprehend and prosecute Pursue and prosecute; Identify and apprehend Protect and defend; Apprehend and pursue

Protect and forget; Apprehend and prosecute

The role of the information security community

Protects the organization's information assets from the threats they face

Issue-Specific Security Policy (ISSP)

Provides detailed, targeted guidance -Instructs the organization in secure use of a technology systems -Begins with introduction to fundamental technological philosophy of the organization Protects organization from inefficiency and ambiguity -Documents how the technology-based system is controlled Protects organization from inefficiency and ambiguity (cont'd.) -Identifies the processes and authorities that provide this control. Indemnifies the organization against liability for an employee's inappropriate or illegal system use

Administrators set user privileges

Read, write, create, modify, delete, compare, copy

Which of the following is the first step in the problem-solving process?

Recognize and define the problem

define Network scheduling

Refers to the web of possible pathways to project completion

____________________ is a is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.

Residual risk

Residual risk is a combined function of all but which of the following?

Residual risk less a factor of error

Which of the following biometric authentication system is considered to be the most secure?

Retina pattern recognition

The identification and assessment of levels of risk in an organization describes which of the following?

Risk analysis

Which firewall architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server? Proxy server Dual-homed host Screened host firewall Screened subnet firewall

Screened host firewall

Implementing controls: deployment and operation of the controls selected from the cost-benefit analyses and other mitigating factors from the previous step

Seek holistic approach - incorporate people, process, and technology in mitigation solution Organize by defense-in-depth - arrange mitigation solutions across the business

background checks

Self-assessment for best security practices: People- Do you perform ___ on all employees with access to sensitive data, areas, or access points? Would the average employee recognize a security issue? Would they choose to report it? Would they know how to report it to the right people?

annual

Self-assessment for best security practices: Processes- Are enterprise security policies updated on at least an ___ basis, employees educated on changes, and consistently enforced? Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities? Are the user accounts of former employees immediately removed on termination? Are security group representatives involved in all stages of the project life cycle for new projects?

firewall

Self-assessment for best security practices: Technology- Is every possible route to the Internet protected by a properly configured___? Is sensitive data on laptops and remote systems encrypted? Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures? Are malicious software scanning tools deployed on all workstations and servers?

Enterprise information security program policy (EISP)

Sets strategic direction, scope, and tone for organization's security efforts Assigns responsibilities for various areas of information security Guides development, implementation, and management requirements of information security program

Transference

Shifting the risk to other areas or to outside entities, assets, other processes, or other organizations May be accomplished by rethinking how services are offered Revising deployment models Outsourcing to other organizations Purchasing insurance Implementing service contracts with providers

____ is when an attacker tricks users into giving out information or performing a compromising action. Reverse engineering Phreaking Hacking Social engineering

Social engineering

Residual risk

When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for Residual Risk is a combined function of: Threats, vulnerabilities and assets, less the effects of the safeguards in place

Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.

economic and non-economic

What is the next phase of the preattack data gathering process after the attacker has collected all of an organization's Internet addresses?

fingerprinting

A(n) ____________________ is any device that prevents a specific type of information from moving between an untrusted network and a trusted network.

firewall

The ____ of the wireless network is the area the radio signal reaches. basic service area usage pattern spectrum footprint

footprint

In large organizations, ____ know operating systems and networks as well as how to interpret the information gleaned by the examiners. forensic examiners incident managers forensic analysts application programmers

forensic analysts

Which of the following allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental?

forensics

System-Specific Security Policy (SysSPs)

frequently do not look like other types of policy They may function as standards or procedures to be used when configuring or maintaining systems SysSPs can be separated into: -Management guidance -Technical specifications -Or combined in a single policy document

testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.

full-interruption

In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.

gap

During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific information system.

goals and objectives

The ____________________ assessment, tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.

hybrid

Access control encompasses four processes beginning with ____________________, checking a client requesting access.

idenification

PERT advantages

makes planning large projects easier (pre/post activity identification), determines probability, anticipates system changes, no formal reading

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?

malice

There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? ignorance accident intent malice

malice

Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?

managerial controls

In most cases, simply listing the measurements collected does not adequately convey their ____.

meaning

Communications security involves the protection of which of the following?

media, technology, and content

While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.

metrics; measures

Typically, the information security policy administrator is ____.

mid-level staff member

Which of the following explicitly declares the business of the organization and its intended areas of operations?

mission statement

Reducing the impact of a successful attack on an organization's system falls under the ____ risk control strategy.

mitgation

The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .

mitigation

Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?

mitigation

The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.

monitored

Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.

monitored and measured

Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?

monitoring and measurement

define Controlling

monitoring progress toward completion and making necessary adjustments to achieve the desired objectives

Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? organization planning leading controlling

organization

A(n) ____________________ is a private word or combination of characters known only by the user.

password

A(n) ____________________ is a secret word or combination of characters known only by the user.

password

testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.

penetration testing

Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?

performance management

Information security ____ is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.

performance measurement

In which cipher method are values rearranged within a block to create the ciphertext?

permutation

Bluetooth networks are referred to as ____. piconets econets honeynets ultra-wideband networks

piconets

certification

the comprehensive evaluation of the technical and nontechnical security controls of an IT system

What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?

threats-vulnerabilities-assets worksheet

___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.

tort law

The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.

transferal

An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.

transference

Types of attacks: Hoaxes

transmission of a virus hoax with a real virus attached; more devious form of attack

Types of attacks: Brute force

trying every possible combination of options of a password

An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?

uncertainty

At what point in the incident lifecycle is the IR plan initiated?

when an incident is detected

Benchmarking can help to determine ____ controls should be considered, but it cannot determine ____ those controls should be implemented in your organization.

which, how

Category of Threat: Espionage or Trespass

• Access of protected information by unauthorized individuals • Competitive intelligence (legal) vs. industrial espionage (illegal) • Shoulder surfing can occur anywhere a person accesses confidential information • Controls let trespassers know they are encroaching on organization's cyberspace • Hackers use skill, guile, or fraud to bypass controls protecting others' information • Expert hacker - Develops software scripts and program exploits - Usually a master of many skills - Will often create attack software and share with others • Unskilled hacker - Many more unskilled hackers than expert hackers - Use expertly written software to exploit a system - Do not usually fully understand the systems they hack • Other terms for system rule breakers: - Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication - Phreaker: hacks the public telephone network

Category of Threat: Technological Obsolescence

• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems • Proper managerial planning should prevent technology obsolescence • IT plays large role

Category of Threat: Information Extortion

• Attacker steals information from computer system and demands compensation for its return or nondisclosure • Commonly done in credit card number theft

Category of Threat: Forces of Nature

• Forces of nature are among the most dangerous threats • Disrupt not only individual lives, but also storage, transmission, and use of information • Organizations must implement controls to limit damage and prepare contingency plans for continued operations • Fire • Floods • Earthquakes • Lightning • Landslides or Mudslides • Tornados or Severe Windstorms • Hurricanes, Typhoons and tropical depressions • Tsunamis • Electrostatic discharge (ESD) • Dust Contamination

Software Design Principles

• Good software development results in secure products that meet all design specifications • Some commonplace security principles: - Keep design simple and small - Access decisions by permission not exclusion - Every access to every object checked for authority - Design depends on possession of keys/passwords - Protection mechanisms require two keys to unlock - Programs/users utilize only necessary privileges • Some commonplace security principles (cont'd.): - Minimize mechanisms common to multiple users - Human interface must be easy to use so users routinely/automatically use protection mechanisms

Category of Threat: Theft

• Illegal taking of another's physical, electronic, or intellectual property • Physical theft is controlled relatively easily • Electronic theft is more complex problem; evidence of crime not readily apparent

Category of Threat: Missing, Inadequate, or Incomplete

• In policy or planning, can make organizations vulnerable to loss, damage, or disclosure of information assets • With controls, can make an organization more likely to suffer losses when other threats lead to attacks

Category of Threat: Human Error or Failure

• Includes acts performed without malicious intent • Causes include: - Inexperience - Improper training - Incorrect assumptions • Employees are among the greatest threats to an organization's data • Employee mistakes can easily lead to: - Revelation of classified data - Entry of erroneous data - Accidental data deletion or modification - Data storage in unprotected areas - Failure to protect information • Many of these threats can be prevented with controls

Category of Threat: Deviations in Quality of Service

• Includes situations where products or services are not delivered as expected • Information system depends on many interdependent support systems • Internet service, communications, and power irregularities dramatically affect availability of information and systems • Internet service issues - Internet service provider (ISP) failures can considerably undermine availability of information - Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software • Communications and other service provider issues - Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc. - Loss of these services can affect organization's ability to function • Power irregularities - Commonplace - Organizations with inadequately conditioned power are susceptible - Controls can be applied to manage power quality - Fluctuations (short or prolonged) • Excesses (spikes or surges) - voltage increase • Shortages (sags or brownouts) - low voltage • Losses (faults or blackouts) - loss of power

Category of Threat: Compromises to Intellectual Property

• Intellectual property (IP): "ownership of ideas and control over the tangible or virtual representation of those ideas" • The most common IP breaches involve software piracy • Two watchdog organizations investigate software abuse: - Software & Information Industry Association (SIIA) - Business Software Alliance (BSA) • Enforcement of copyright law has been attempted with technical security mechanisms

Deliberate Software Attacks

• Malicious software (malware) designed to damage, destroy, or deny service to target systems • Includes: - Viruses - Worms - Trojan horses - Logic bombs - Back door or trap door - Polymorphic threats - Virus and worm hoaxes

Protecting the Functionality of an Organization

• Management (general and IT) responsible for implementation • Information security is both management issue and people issue • Organization should address information security in terms of business impact and cost

Secure Software Development

• Many information security issues discussed here are caused by software elements of system • Development of software and systems is often accomplished using methodology such as Systems Development Life Cycle (SDLC) • Many organizations recognize need for security objectives in SDLC and have included procedures to create more secure software • This software development approach known as Software Assurance (SA)


Kaugnay na mga set ng pag-aaral

MGMT 371: Exam 3 Quiz 7-10 Questions

View Set

MK 410 Chapter 8, MK 410 (Quizzes 9, 10, 11, 13, 15) (MK 410 Final)

View Set

Ch. 8 Sociology: Race and Ethnicity

View Set

Anatomy and Physiology Chapter 9: Joints

View Set

Stereotypes Prejudice and Discrimination

View Set