Final Exam Review IS 613
Which of the following is NOT a method employed by IDPSs to prevent an attack from succeeding?
sending DoS packets to the source
Which contingency plan strategy do individuals work on their own tasks and are responsible for identifying the faults in their own procedures?
simulation
By multiplying the asset value by the exposure factor, you can calculate which of the following?
single loss expectancy
Which of the following is NOT among the four types of authentication mechanisms?
something you see
IP ____ is the falsification of the source IP address in a packet's header so that it appears to have come from a trusted or legitimate sender. routing switching spoofing snooping
spoofing
During Phase 1 of the NIST performance measures development process, the organization identifies relevant ____ and their interests in information security measurement.
stakeholders
A(n) ____ tracks the state and context of each packet in the conversation by recording which station sent what packet and when. context table routing table state table jump rule
state table
Which type of firewall keeps track of each network connection established between internal and external systems?
stateful inspection
A ____ intrusion detection and prevention system is also known as a behavior-based intrusion detection system.
statistical anomaly-based
What are the three general categories of policy?
- Enterprise information security policy (EISP) - Issue-specific security policy (ISSP) - System-specific policies (SysSPs)
The core components of PMBok project plan development
- Work time, resources, and project deliverables - Changing one element affects the other two
Every organization's (ISSP) Issue-Specific Security Policy should
-Address specific technology-based systems -Require frequent updates -Contain an issue statement on the organization's position on an issue
Types of attacks:Malicious code:
-includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
A firewall uses its ____ to decide whether or not to allow packets into the network.
...
Which of the following is NOT a goal of the NIST System Certification and Accreditation Project:
...
What is the range of the well-known ports used by TCP and UDP?
0-1023
The Six Ps of information security
- Planning - Policy - Programs - Protection - People - Project Management
Three questions of PERT
- How long will this activity take? - What activity occurs immediately before this activity can take place? - What activity occurs immediately after this activity?
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)2
Footprinting is the organized research of the Internet addresses owned or controlled by a target organization, using public Internet data.
True
In the modular approach to creating the ISSP, each of the modules is created and updated by the individuals who are responsible for a specific issue.
True
It is advisable to deny all ICMP data in order to limit the number of attacks to a network as the protocol is a common method for hacker reconnaissance and can be used for snooping.
True
Knowledge-based intrusion detection and prevention systems examine data traffic for signatures which may comprise preconfigured, predetermined attack patterns.
True
Mitigation depends on the ability to detect and respond to an attack as quickly as possible .
True
OCTAVE is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls.
True
One of the goals of an issue-specific security policy (ISSP) is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True
One of the most popular of the many references that support the development of process improvement and performance measures is The Capability Maturity Model Integrated (CMMI) designed specifically to integrate an organization's process improvement activities across disciplines.
True
SysSPs often function as standards or procedures to be used when configuring or maintaining systems
True
Types of information security planning
- Incident response planning - Business continuity planning - Disaster recovery planning - Policy planning - Personnel planning - Technology rollout planning - Risk management planning
The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.
True
The goal of information security is to bring residual risk in line with an organization's risk appetite.
True
Describe characteristics of leaders
- Influence employees to accomplish objectives - Lead by example; demonstrating personal traits that instill a desire in others to follow - Provide purpose, direction, and motivation to those that follow
Information security performs four important functions for an organization:
- Protects ability to function - Enables safe operation of applications implemented on its IT systems - Protects data the organization collects and uses - Safeguards technology assets in use
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14? a. Enterprise info sec policy b. User-specific sec policies c. Issue-specific sec policies d. System-specific sec policies
B. User-specific sec policies pg. 128
define authorization
Assures that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset
structured review
At the end of each phase of the security systems development life cycle (SecSDLC), a ____ takes place.
Kerberos' ____ is an interacting application that validates clients and servers.
Authentication Server
____________________ is the determination of actions that an entity can perform in a physical or logical area.
Authorization
The ____ section of an ISSP explains who can use the technology governed by the policy and for what purposes.
Authorized Access and Usage of Equipment
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event? A. Risk Management B. Contingency planning C. Business response D. Disaster readiness
B. Contingency planning pg. 75
At what point in the incident life cycle is the IR plan initiated? a. Before an incident takes place b. When an incident is detected c. Once the DRP is activated d. Once the BCP is activated
B. When an incident is detected pg. 85
If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site.
BCP BC plan business continuity plan
Problems with benchmarking include all but which of the following?
Baseline data provides little value to evaluating progress in improving security
A policy acknowledgment screen that does not require any unusual action on the part of the user to move past it is a ____.
Blow-by screen
Which notable Bluetooth attack allows a nearby attacker to issue commands to an unsuspecting target phone? Bluesnarf BlueBug Evil twin Bluejacking
BlueBug
____ is an attack that accesses unauthorized information from a wireless device through a Bluetooth connection, often between cell phones and laptop computers. Bluecracking Bluetalking Bluesnarfing Bluejacking
Bluesnarfing
The IEEE 802.15.1-2005 Wireless Personal Area Network standard was based on the ____ specifications. Bluetooth v2.1 Bluetooth v 1.0 Bluetooth v1.2 Bluetooth v 1.1
Bluetooth v1.2
tactical
Budgeting, resource allocation, and manpower are critical components of the ____ plan.
Category of Threat: Technical Software Failures or Errors Provide an Example:
Bugs, code problems, unknown loopholes
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
Building executive consensus
The ____ model describes the layers at which marginal assessment of security controls can be performed and is proven mechanism for prioritizing complex changes.
Bull's-eye
Determining the critical path using PERT
By identifying the slowest path through the various activities
How is security often achieved
By means of sever strategies undertaken simultaneously or used in combination with one another.
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes? A. On-target model b. Wood's model c. Bull's-eye model d. Bergeron and Berube model
C. Bull's-eye model pg. 126
Many organizations create a single document that combines elements of both the management guidance SysSP and the technical specifications SysSP, know as a(n) ____.
Combination SysSP
When can corruption of information occur?
Compilation, storage, or transmission
Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
Confidentiality
That makes up the CIA triangle
Confidentiality, integrity, availability
Configuration codes entered into security systems to guide the execution of the system when information is passing through it are called ____.
Configuration rules
Technical Specifications SysSPs
Configuration rules -Specific configuration codes entered into security systems -Guide the execution of the system when information is passing through it Rule policies are more specific to system operation than ACLs -May or may not deal with users directly
target
Considerations for selecting best practices: Does your organization resemble the identified ___ organization of the best practice? Are you in a similar industry as the target? Do you face similar challenges as the target? Is your organizational structure similar to the target? Are the resources you can expend similar to those called for by the best practice? Are you in a similar threat environment as the one assumed by the best practice?
define project communications management
Conveys details of project activities to all involved. Includes communications planning, information distribution, performance reporting and administrative closure
A(n) password protection mechanism is a plain-language phrase, from which a virtual password is derived.
False
A(n) temporal key is a symmetric key used for limited-use temporary communications by a hybrid encryption system.
False
Access control lists can only be used to restrict access according to the user.
False
All rule-based policies must deal with user directly.
False
An ISSP will typically not cover the use of e-mail or the Internet.
False
An individual approach to creating the ISSPs is well controlled by centrally managed procedures assuring complete topic coverage.
False
Today, most EULAs are presented on blow-by screens.
False
logical design
In the ____ phase of the security systems development life cycle (SecSDLC), the information obtained during the analysis phase is used to develop a proposed system-based solution for the business problem.
Information security is defined in the ____ component of an EISP.
Information Technology Security Elements
Which of the following is a network device attribute that is tied to the network interface?
MAC address
During the ____ phase of the SecSDLC, the information security policy is monitored, maintained, and modified as needed.
Maintenance
False
Penetration testing is often conducted by consultants or outsourced contractors, who are commonly referred to as hackers, ninja teams or black teams.
define WBS(work breakdown structure)
Planning tool where project plan is first broken down into a few major tasks, and the minimum attributes for each task are determined with additional attributes added as needed
Which connectivity model uses a single access point that provides connectivity for a number of clients within a BSS? Point-to-point Mesh multipoint Point-to-multipoint Roaming
Point-to-multipoint
Which wireless modulation technique combines digital and analog signaling to encode data into radio signals? QPSK BPSK Spread-spectrum transmission QAM
QAM
Managing Risk (cont)
Risk control involves selecting one of the four risk control strategies For the vulnerabilities present If the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than expected costs of the attack, the organization may choose to accept the risk Otherwise, one of the other control strategies will have to be selected
What is the mccumber cube
Security model that provides a more detailed perspective on security
The Gold Standard
Some organizations prefer to implement the most protective, supportive, and yet fiscally responsible standards they can. This is called___.
define manager
Someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals
The ISSP should begin with a ____ .
Statement of Purpose
Example Enterprise information security program policy (ESIP)
Statement of purpose -What the policy is for Information technology security elements -Defines information security Need for information technology security - Justifies importance of information security in the organization Information technology security responsibilities and roles -Defines organizational structure
A disadvantage of creating a number of independent ISSP documents is that the results may ____.
Suffer from poor policy dissemination
Some policies incorporate a ____ indicating a specific date the policy will expire.
Sunset clause
project planning
Tactical planning is also referred to as ____.
False
Tactical planning is the basis for the long-term direction taken by the organization.
operational
Tactical plans are used to develop ____________________ plans.
To be certain the employees understand the policy, the document must be written at a reasonable reading level within minimal ____.
Technical jargon and management terminology
Hold regular meetings with the CIO to discuss tactical InfoSect planning
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
A single loss expectancy
The calculation of the value associated with the most likely loss from an attack SLE is based on the value of the asset and the expected percentage of loss that would occur from a particular attack SLE = asset value (AV) x exposure factor (EF) Where EF is the percentage loss that would occur from a given vulnerability being exploited This information is usually estimated
Economic feasibility
The criterion most commonly used when evaluating a project that implements information security controls and safeguards
Managing Risk
The goal of information security is not to bring residual risk to zero Bring it in line with an organization's risk appetite If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest decide to leave residual risk in place, then the information security program has accomplished its primary goal Once a control strategy has been selected and implemented: The effectiveness of controls should be monitored and measured on an ongoing basis To determine its effectiveness and the accuracy of the estimate of the residual risk
(T/F) The ability to restrict specific services is a common practice in most modern routers, and is invisible to the user.
True
(T/F) The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
True
(T/F) Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
A dual-homed host firewall is able to translate between the protocols of two different data link layers.
True
A dumb card is a category that includes ID and ATM cards with magnetic strips containing the digital PIN against which a user's input is compared.
True
A policy should be "signed into law" by a high-level manager before the collection and review of employee input.
True
A(n) ____________________ token uses a challenge-response system in which the server challenges the user with a number, that when entered into the token provides a response that provides access.
asynchronous
Types of attacks: Man-in-the-middle
attacker monitors network packets, modifies them, and inserts them back into network
The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
authentication
Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?
authentication
accreditation
authorization of an IT system to process, store, or transmit information
Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
cost of prevention
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
cost-benefit analysis
benchmarking
creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing
It is no longer sufficient to simply assert effective information security; an organization must demonstrate that it is taking effective measures in the spirit of ____________________.
due diligence
Maintaining an acceptable level of secure controls over time indicates that an organization has met the standard of ____.
due diligence
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration certification and accreditation due diligence adequate security measures
due diligence
An organization increases its _____________ if it refuses to take measures—due care—to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions
liability
Two examples of security best practices include: "Decision paper on use of screen warning banner", and "Sample warning banner from the NLRB". Under which best security practice area do these two examples fall?
logical access controls
Two examples of security best practices include: "Decision paper on use of screen warning banner", and "Sample warning banner from the NLRB". Under which best security practice area do these two examples fall? policy and procedures logical access controls personnel security identification and authentication
logical access controls
Which of the following affects the cost of a control?
maintenance
phase is the last phase of SecSDLC, but perhaps the most important.
maintenance and change
Because "organizations ____________________ what they measure," it is important to ensure that individual metrics are prioritized in the same manner as the performance they measure.
manage
Risk ____________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
A problem with benchmarking is that recommended practices are a(n) ____________________; that is, knowing what happened a few years ago does not necessarily tell you what to do next.
moving target
Collecting project metrics may be even more challenging. Unless the organization is satisfied with a simple tally of who spent how many hours doing which tasks, it needs some mechanism to link the ____ of each project, in terms of loss control or risk reduction, to the resources consumed.
outcome
Which of the following is an example of a technological obsolescence threat?
outdated servers
What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems?
packet sniffer
In which contingency plan strategy do individuals act as if an actual incident occurred, and begin performing their required tasks and executing the necessary procedures, without interfering with the normal operations of the business?
parallel testing
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
people
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program? projects people policy protection
people
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
risk determination
process of discovering the risks to an organization's operations
risk identification
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
relative value
remains even after the existing control has been applied
residual risk
Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
restitution
The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability is the definition of which of the following?
risk assessment factors
process that identifies vulnerabilities in an organization's information system
risk management
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.
True
To be effective, policy must be uniformly applied to all employees, including executives.
True
packet sniffer
What tool would you use if you want to collect information as it is being transmitted on the network and analyze the contents for the purpose of solving network problems?
uses a secret key to encrypt and decrypt
Which of the following is true about symmetric encryption?
Which company offers a free firewall that provides basic ingress and egress filtering? ZoneAlarm IBM Barracuda Check Point
ZoneAlarm
Measures
___ are data points or computed trends that indicate the effectiveness of security countermeasures or controls.
A software program is no substitute for
a skilled and experienced project manager
baseline
a value or profile of a performance metric against which changes in the performance metric can be usefully compared
A ____ commonly combines a separate dedicated firewall such as an application proxy server with a packet filtering router.
screened-host firewall
Which type of document grants formal permission for an investigation to occur?
search warrant
best security practices
security efforts that balance the need for information access with the need for adequate protection
Which of the following is NOT an alternative to using CBA to justify risk controls?
selective risk avoidance
Types of attacks: Dictionary
selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
Asset classification schemes should categorize information assets based on which of the following?
sensitivity and security needs
is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
service bureau
____ forensics involves capturing a point-in-time picture of a process. Cartwheeling Bit-stream Trigger Snapshot
snapshot
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
strategic
describe the three levels of planning
strategic, tactical, operational
A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.
target
Types of attacks: Spoofing
technique used to gain unauthorized access; intruder assumes a trusted IP address
due diligence
the actions that demonstrate that an organization has made a valid effort to protect others
A firewall should never be directly accessible from ____.
the public network
The __________ level and an asset's value should be a major factor in the risk control strategy selection
threat
The improved Bluetooth 2.0 increased the data rate to around ____ Mbps. six five four three
three
The improved Bluetooth 2.0 increased the data rate to around ____ Mbps. six five three four
three
Which of the following is true about symmetric encryption?
uses a secret key to encrypt and decrypt
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
What is defined as specific avenues that threat agents can exploit to attack an information asset?
vulnerabilities
Standards of due care/due diligence Best practices
2 Categories of benchmarks
Which port number is commonly used for the Simple Mail Transfer Protocol service?
25
denial-of-service (DoS)
A ____ attack involves sending a large number of connection or information requests to a target.
threat agent
A(n) ____ damages or steals an organization's information or physical asset.
exploit
A(n) ____ is a technique or mechanism used to compromise a system.
attack
A(n) ____ is an act or event that exploits a vulnerability.
Which of the following explicitly declares the business of the organization and its intended areas of operations? A. mission statement B. Vision statement C. Values statement D. Business statement
A. mission statement pg. 40
Category of Threat: Technological obsolescence Provide an Example:
Antiquated or outdated echnologies
When the attacker's potential gain is greater than the costs of attack
Apply technical or managerial controls to increase the attacker's cost, or reduce his gain
Avoidance
Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability Avoidance is accomplished through: Application of policy Application of training and education Countering threats Implementation of technical security controls and safeguards
The ISSP sections Authorized Access and Usage of Equipment and Prohibited Usage of Equipment may be combined into a section called ____ .
Appropriate Use Policy
The role of the Non-technical general business community
Articulates and communicates organizational policy and objectives and allocates resources to the other groups
define project risk management
Assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project. Includes risk identification, risk quantification, risk response development and risk response control
____ is the process of assigning financial value or worth to each information component.
Asset valuation
In the event of an incident or disaster, which team sets up and starts off-site operations? a. Project management b. Business continuity c. Disaster recovery d. Incident response
B. Business continuity pg. 78
Problems with benchmarking include all but which of the following?
Benchmarking doesn't help in determining the desired outcome of the security process
gold standard
Best practices include a sub-category of practices, called the ___, that are generally regarded as "the best of the best".
Category of Threat: Information Extortion Provide an Example:
Blackmail, information disclosure
To ensure ____, an organization must demonstrate that it is continuously attempting to meet the requirements of the market in which it operates.
Due diligence
define project human resource management
Ensures personnel assigned to project are effectively employed. Includes organizational planning, staff acquisition and team development
define project cost management
Ensures that a project is completed within the resource constraints. Includes resource planning, cost estimating, cost budgeting, and cost control.
define accountability
Exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
Because it sets out general business intentions, a mission statement does not need to be concise.
F
In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
F
In most organizations, the COO is responsible for creating the IR plan
F
In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
False
In most organizations, the COO is responsible for creating the IR plan.
False
Once policies are created, they should not be changed
False
The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.
False
OCTAVE-S
For smaller organizations of about 100 users
Category of Threat: Theft Provide an Example:
Illegal confiscation of equipment or information
The role of the information technology community
Supports the business objectives of the org by supplying and supporting the appropriate information technology
The ____ is a Kerberos interacting service that exchanges information with the client and server by using secret keys.
Key Distribution Center
define Leading
Leadership encourages the implementation of the planning and organizing functions. Leadership generally addresses the direction and motivation of the human resource
An organization may include a set of disclaimers in the ____ section of the ISSP.
Limitations of Liability
Category of Threat: Missing, inadequate, or incomplete controls Provide an Example:
Network compromised because no firewall security controls
____________________ converts external IP addresses to internal IP addresses on a one-to-one basis.
Network-address translation
define availabilitiy
The characteristic of information that enables user access to information in a required format, without interference or obstruction
define confidentality
The characteristic of information whereby only those with sufficient privileges may access certain information
define policy
The set of organizational guidelines that dictates certain behavior within the organization
blueprint
To generate a security ___,Organizations usually draw from established security models and practices. Another way is to look at the paths taken by organizations similar to the one for which you are developing the plan.
Describe the two basic approaches to management
Traditional: POSDC (planning organizing staffing directing controlling) Popular: POLC (planning organizing leading controlling)
A popular extension to the TCP/IP protocol suite is Secure Shell (SSH), which provides security for remote access connections over public networks by creating a secure and persistent connection.
True
A system's exploitable vulnerabilities are usually determined after the system is designed.
True
A(n) baseline is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared."
True
Access control lists can be used to control access to file storage systems
True
According to the Microsoft Risk Management Approach, risk management is not a stand-alone subject and should be part of a general governance program to allow the organization's management to evaluate the organization's operations and make better, more informed decisions.
True
Accreditation is the authorization of an IT system to process, store, or transmit information.
True
Although literally hundreds of variations exist, four architectural implementations of firewalls are especially common: packet filtering routers, screened-host firewalls, dual-homed host firewalls, and screened-subnet firewalls.
True
An automated policy management system is able to assess readers' understanding of the policy and electronically record reader acknowledgments.
True
Any firewall device must have its own set of configuration rules that controls its actions.
True
Behavioral feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders.
True
Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.
True
digital signature
What is most commonly used for the goal of nonrepudiation in cryptography?
It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?
What other activities require the same resources as this activity?
use of dormant accounts
Which of the following is a definite indicator of an actual incident?
legal liability
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
Strategic plans are used to create tactical plans
Which of the following is true about planning?
stateful inspection
Which type of firewall keeps track of each network connection established between internal and external systems?
A standard is built from a ____.
Policy
In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.
SLE * ARO
The Annualized Loss Expectancy in the CBA formula is determined as ____.
SLE * ARO
____ architecture makes use of a demilitarized zone between the trusted and untrusted network.
Screened-Subnet firewall system
describe the decisional role
Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges
Which of the following biometric authentication systems is considered to be the least secure?
Signature recognition
Port number ____ is commonly used for the Simple Mail Transfer Protocol service.
25
NIST Special Publication 800-18, Rev. 1
: Guide for Developing Security Plans for Federal Information Systems reinforces a business process-centered approach to policy management Policies are living documents These documents must be properly disseminated (distributed, read, understood and agreed to), and managed Good management practices for policy development and maintenance make for a more resilient organization Policy requirements An individual responsible for reviews A schedule of reviews A method for making recommendations for reviews An indication of policy and revision date
plan-driven
A SDLC-based project that is the result of a carefully developed strategy is said to be ____.
Developing Information Security Policy Implementation phase includes
Writing the policies Making certain the policies are enforceable as written Policy distribution is not always straightforward Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology
Which company offers a free firewall that provides basic ingress and egress filtering? Barracuda IBM Check Point ZoneAlarm
ZoneAlarm
Gold standard
___is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information. Implementation requires a great deal of financial and personnel support.
Accreditation
___is the authorization of an IT system to process, store, or transmit information. It is issued by a management official and serves as a means of assuring that systems are of adequate quality. Challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements.
When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.
after action review
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
back door
overflow is an application error that occurs when the system can't handle the amount of data that is sent.
buffer
The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.
bull's-eye
In the event of an incident or disaster, which team sets up and starts off-site operations?
business continuity
When a disaster renders the current business location unusable, which plan is put into action?
business continuity
Which is the first step in the contingency planning process?
business impact analysis
A ____ specifies which subjects and objects users or groups can access.
capability table
According to NIST SP 800-37, which of the following is the first step in the security controls selection process?
categorize the information system and the information processed
Which document must be changed when evidence changes hands or is stored?
chain of custody
Which of the following InfoSec measurement specifications makes it possible to define success in the security program?
establishing targets
Which of the following is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework?
estimate control strength
A single loss expectancy is calculated by multiplying the asset value by the ____.
exposure factor
The ____ is a criteria used to compare and evaluate biometric technologies.
false reject rate
Ad hoc wireless models rely on the existence of ____ to provide connectivity. keys tunnels formal access points multiple stations
multiple stations
One of the most popular reference for developing process improvement and performance measures is the ____ model from the Software Engineering Institute at Carnegie Mellon University.
none of these
InfoSec measurements collected from production statistics depend greatly on which of the following factors?
number of systems and users of those systems
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
organization
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? leading planning controlling organization
organization
A ____ is NOT an example of the "something you have" authentication mechanism.
password
A ____ is an example of the "something you know" authentication mechanism.
password
managers must recognize the crucial role of
people in the information security program
Which type of law regulates the relationships among individuals and among individuals and organizations?
private
Which type of law regulates the relationships among individuals and among individuals and organizations? criminal private tort public
private
recommended business practices
procedures that provide a superior level of security for an organization's information
Which of the following is NOT a consideration when selecting recommended best practices?
product or service is the same
Types of attacks: Sniffers
program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network
Organizations that adopt minimum levels of security to establish a future legal defense may need to verify that they have done what any ____ organization would do in similar circumstances.
prudent
Types of attacks: Pharming
redirection of legitimate Web traffic (e.g., browser requests) to illegitimate site for the purpose of obtaining private information
As each information asset is identified, categorized, and classified, a ________ value must also be assigned to it.
relative
Types of attacks: Timing attack
relatively new; works by exploring contents of a Web browser's cache to create malicious cookie
Bastion host is also referred to as a(n) ____________________ host.
sacrificial
assessment of potential weaknesses in each information asset
threat identification
Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
uncertainty percentage
The primary drawback associated with ad hoc networks is that they are inherently ____. unreliable complex expensive an older technology
unreliable
Types of attacks: Spam
unsolicited commercial e-mail; more a nuisance than an attack, though is emerging as a vector for some attacks
An attacker can use a(n) ____________________ device to locate the connection points on dial-up lines.
war-dialer
In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?
waterfall
Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical?
weighted analysis tool
Category of Threat: Technical Software Failures or Errors
• Purchased software that contains unrevealed faults • Combinations of certain software and hardware can reveal new software bugs • Entire Web sites dedicated to documenting bugs
Which policy is the highest level of policy and is usually created first? a. SysSP b. USSP c. ISSP d. EISP
D. EISP pg. 128
Which technology works by taking the original data stream and breaking it up into small bits, then transmitting each of those on a different frequency channel simultaneously? Direct-Sequence Spread Spectrum (DSSS) Orthogonal frequency-division multiplexing (OFDM) Quadrature Phase Shift Keying (QPSK) Frequency Hopping Spread Spectrum (FHSS)
Direct-Sequence Spread Spectrum (DSSS)
Who is responsible for information security?
Every employee, especially managers
Organizational feasibility analysis
Examines how well the proposed information security alternatives will contribute to the operation of an organization
When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
F
A system that is secret is safe.
False
Category of Threat: Forces of Nature Provide an Example:
Fire, flood, earthquake, lightning
Which of the following is true about firewalls and their ability to adapt in a network?
Firewalls deal strictly with defined patterns of measured observation.
Which of the following is the last phase in the NIST process for performance measures implementation?
Apply corrective actions
When potential loss is substantial
Apply design controls to limit the extent of the attack, thereby reducing the potential for loss
According to Charles Cresson Wood "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent".
Audits
In reporting InfoSec performance measures, the CISO must also consider ____.
Both of these
What are the managerial roles?
Informational, interpersonal, decisional
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
A(n) ____ security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
Issue-specific
Which of the following is true about a hot site?
It duplicates computing resources, peripherals, phone systems, applications, and workstations.
____________________ Ticket Granting Service (TGS) provides tickets to clients who request services.
Kerberos
Which of the following is a Kerberos service that initially exchanges information with the client and server by using secret keys
Key Distribution Center
A quality information security program begins and ends with policy.
True
The ____ handles certain cases involving credit card fraud and identity theft. Securities and Exchange Commission FBI U.S. Treasury Department U.S. Secret Service
U.S. Secret Service
Which of the following sections of the ISSP should provide instructions on how to report observed or suspected violations?
Violations of Policy
A computer ____ is malicious computer code that reproduces itself on the same computer. worm adware virus spyware
Virus
________ recognition authentication captures the analog waveforms of human speech.
Voice
define authentication
Occurs when a control proves that a user possesses the identity that he or she claims
define projectitis
Occurs when the project manager spends more time doing project planning than meaningful project work
Which of the following is the first phase in the NIST process for performance measurement implementation?
Prepare for data collection
False
Some companies refer to operational planning as intermediate planning.
Basic FAIR analysis is comprised of ten steps in four stages
Stage 1 - Identify scenario components 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate loss event frequency 3. Estimate the probable threat event frequency 4. Estimate the threat capability (TCap) Stage 2 - Evaluate loss event frequency (cont'd.) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate probable loss magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4 - Derive and articulate Risk 10. Derive and articulate Risk Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
False
Strategic planning has a more short-term focus than tactical planning.
Which of the following is true about planning?
Strategic plans are used to create tactical plans
True
Strategic plans are used to create tactical plans.
NIST SP 800-37
a common approach to a Risk Management Framework (RMF) for InfoSec practice
The four categories of controlling risk include avoidance, mitigation, transference and _____.
acceptance
Types of attacks: Password crack
attempting to reverse calculate a password
Security efforts that seek to provide a superior level of performance in the protection of information are called ____.
best business practices
The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks? determine the risk to organizational operations determine if the cost/benefit ratio is acceptable prepare the plan of action and develop milestones assemble the security authorization package
determin if the cost/benefit ratio is acceptable
The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks?
determine if the cost/benefit ratio is acceptable
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
deterrence
What is most commonly used for the goal of nonrepudiation in cryptography?
digital signature
Strategies to limit losses before and during a disaster is covered by which of the following plans in the mitigation control approach?
disaster recovery plan
At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
documented control strategy
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
documented control strategy
True
In a(n) methodology, a problem is solved based on a structured sequence of procedures.
PMBok Project Integration management
Includes the processes required to coordinate occurs between components of a project
The Single Loss Expectancy (SLE) is the result of the asset's value (AV) multiplied by the ____________________ factor.
esposure
An ____ is an AP that is set up by an attacker. evil twin active twin internal replica authorized twin
evil twin
define protection
executed through risk management activities including risk assessment and control, protection mechanisms, technologies, and tools
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
exploited
Which of the following characteristics currently used today for authentication purposes is NOT considered truly unique?
face representation
occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises
field change order
A ____ is an example of the "something you are" authentication mechanism.
fingerprint
Category of Threat: Password Attacks
• 10.3 Password Rule • Brute force password attacks • Cracking • Dictionary attack • Rainbow table • Social Engineering password attacks
Category of Threat: Technical Hardware Failures or Errors
• Occur when manufacturer distributes equipment containing flaws to users • Can cause system to perform outside of expected parameters, resulting in unreliable or poor service • Some errors are terminal; some are intermittent
An organization must thoroughly define its
goals and objectives
IDEAL
he Carnegie Mellon University ____________________ information security governance model begins with a stimulus for change and loops through proposals for future actions.
What is the final step in the risk identification process?
listing assets in order of importance
A standard is built from a
policy
many missed deadlines are caused by
poor planning
"Something you are" and "something you ____________________" are considered to be biometric.
produce
performed using categories instead of specific values to determine risk
qualitative risk assessment
identification and assessment of levels of risk in the organization
risk analysis
The ____ authentication mechanism is considered to be biometric.
something you are
In which level of planning are budgeting, resource allocation, and manpower critical components?
tactical
Types of attacks: Social engineering
using social skills to convince people to reveal access credentials or other valuable information to attacker
(T/F) Ethics carry the sanction of a governing authority.
False
When does authorization occur?
After authentication
describe project management
- Identifying and controlling the resources applied to the project - Measuring progress - Adjusting the process as progress is made
Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.
False
Three variations of the OCTAVE method
-The original OCTAVE method, (forms the basis for the OCTAVE body of knowledge) -OCTAVE-S -OCTAVE-Allegro
Issue-Specific Security Policy (ISSP) Components
1. Statement of Purpose -Scope and applicability -Definition of technology addressed -Responsibilities 2. Authorized Access and Usage of Equipment. -User access -Fair and responsible use -Protection of privacy 3. Prohibited Usage of Equipment -Disruptive use or misuse -Criminal use -Offensive or harassing materials -Copyrighted, licensed or other intellectual property -Other restrictions 4. Systems management Management of stored materials -Employer monitoring -Virus protection -Physical security -Encryption 5. Violations of policy -Procedures for reporting violations -Penalties for violations 6. Policy review and modification Scheduled review of policy and -procedures for modification 7. Limitations of liability -Statements of liability or disclaimers
A(n) ____ acts as the "base station" for the wireless network. WMM ad-hoc peer endpoint AP
AP
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
attack
An act or event that exploits a vulnerability is known as a(n) ____________________.
vulnerability
An identified weakness of a controlled system is known as a ____.
program
An information security measures ___ must be able to demonstrate value to the organization.
define identification
An information system possesses the characteristic of identification when it is able to recognize individual users
Risk Control Strategies
An organization must choose one of four basic strategies to control risks Avoidance Transference Mitigation Acceptance
Which of the following is NOT one of the basic rules that must be followed when shaping a policy? A. Policy should never conflict with law B. Policy must be able to stand up in court if challenged C. Policy should be agreed upon by all employees and management D. Policy must be properly supported and administered
C. Policy should be agreed upon by all employees and management pg. 125
ISPME checklist
Convince management that it is advisable to have documented information security policies Identify the top management staff who will be approving the final information security document and all influential reviewers Collect, read and summarize all existing internal information security awareness material
compromises to intellectual property
Copyright infringement is an example of the ____ category of threat.
Measuring program effectiveness: ongoing assessment of the effectiveness of the risk management program
Develop risk scoreboard - understand risk posture and progress Measure program effectiveness - evaluate the risk management program for opportunities to improve
what is the precursor to projectitis
Developing an overly elegant, microscopically detailed plan before gaining consensus for the work required
Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
Executive management must develop corporate-wide policies
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
F
Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
F
The authorization process takes place before the authentication process.
F
The first step in solving problems is to gather facts and make assumptions.
F
What is among the most frequently cited failures in project management
Failure to meet project deadlines
Cryptology is the process of deciphering the original message also known as plaintext from an encrypted message.
False
Digital key infrastructure is the entire set of hardware, software, and cryptosystems necessary to implement asymmetric key encryption in online commerce.
False
Policies should be published without a date of origin.
False
Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.
False
When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
False
T or F In most organizations, the COO is responsible for creating the IR plan.
False Pg. 87
____ uses "speckling" and different colors so that no two spam e-mails appear to be the same. Word splitting Layer variance GIF layering Geometric variance
Geometric variance
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
Which technology has two modes of operation: transport and tunnel?
IP Security
True
Information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, verification that risk management practices are appropriate, and validation that the organization's assets are used properly.
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
Manufacturer's part number
For instance, if policy mandates that all employees wear identification badges in a clearly visible location, and select members of management decide they are not require to follow this policy, any actions taken against other employees will ____.
Not withstand legal challenge.
Policy
Policies are the least expensive means of control and often the most difficult to implement A plan or course of action that influences decisions For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced Policies require constant modification and maintenance Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization Policy seeks to improve employee productivity, and prevent potentially embarrassing situations
The policy champion and manager is called the ____.
Policy administrator
strategic
The long-term direction taken by the organization is based on ____ planning
define organizing
The management function dedicated to the structuring of resources to support the accomplishment of objectives: determining what is to be done, in what order, by whom, by which methods, and according to what timeline
define people
The most critical link in the information security program. Include security of personal, SETA.
In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following?
The number of people and other resources needed for each task
define management
The process of achieving objectives using a given set of resources
Asset valuation
The process of assigning financial value or worth to each information asset The value of information differs within and between organizations Based on the characteristics of information and the perceived value of that information Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation
To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function
This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data These objectives are met via the application of the principles of risk management
When a policy is created and distributed without software automation tools, it is often not clear which manager has approved it.
True
T or F One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True pg. 128
T or F Policies must specify penalties for unacceptable behavior and define an appeals process.
True pg. 128
T or F A clearly directed strategy flows from top to bottom rather than from bottom to top.
True pg. 41
The steps outline in guideline must meet the requirements of the standards from which they were created
True or False, Unable to answer but within chapter 4. Sorry...
authentication
Which of the following access control processes confirms the identity of the entity seeking access to a logical or physical area?
something you see
Which of the following is NOT among the four types of authentication mechanisms?
Benchmarking
___ is following the existing practices of a similar organization, or industry-developed standards. Can help to determine which controls should be considered. Cannot determine how those controls should be implemented in your organization.
Due diligence
___ is implementing controls at this minimum standard. Requires that an organization ensure that the implemented standards continue to provide the required level of protection.
Capability Maturity Model Integrated (CMMI)
___ is one of the most popular references that support the development of process improvement and performance measures. Developed by The Software Engineering Institute at Carnegie Mellon.
Standard of due care
___ is when organizations adopt minimum levels of security for legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances.
Baseline
___ measurements of security activities and events are used to evaluate the organization's future security performance. Can provide the foundation for internal benchmarking i.e. Information gathered for an organization's first risk assessment becomes the ___ for future comparisons.
Major activities
___ refers to the identification and definition of the current information security program. Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls.
Operational
____ controls deal with managerial functions and lower-level planning such as disaster recovery and incident response planning.
Managerial
____ controls set the direction and scope of the security process and provide detailed instructions for its conduct
Best security practices balance the need for information ____________________ with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
access
Best security practices balance the need for user _____________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.
access
What do audit logs that track user activity on an information system provide?
accountability
In security management, ____________________ is the authorization of an IT system to process, store, or transmit information.
accreditation
In security management, which of the following is issued by a management official and serves as a means of assuring that systems are of adequate quality?
accreditation
is a document containing contact information of the individuals to notify in the event of an actual incident.
alert roster
A ____ is a "value or profile of a performance metric against which changes in the performance metric can be usefully compared.".
baseline
A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an internal goal.
baseline
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?
benchmarking
In security management, ____ is "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.
certification
According to NIST SP 800-37, the first step in the security controls selection process is to ____.
characterize the system
must be comprehensive and mutually exclusive
classification categories
In which type of site are no computer hardware or peripherals provided?
cold site
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event?
contingency planning
The second step in the NIST SP 800-37 model for security certification and accreditation is to select the appropriate minimum security ____________________ for the system.
controls
Types of attacks: Distributed denial-of-service (DDoS)
coordinated stream of requests is launched against target from many locations simultaneously
Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project?
critical path
Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project? crucial factor set critical function critical path program path
critical path
Ethics,are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
cultural mores
Application of training and education is a common method of which risk control strategy?
defense
a manager must understand how to
define tasks, allocate scarce resources, and manage assigned resources
The intermediate area between trusted and untrusted networks is referred to as which of the following?
demilitarized zone
Which type of attack involves sending a large number of connection or information requests to a target?
denial-of-service (DoS)
Which type of attack involves sending a large number of connection or information requests to a target? malicious code brute force spear fishing denial-of-service (DoS)
denial-of-service (DoS)
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring? policy administration due diligence adequate security measures certification and accreditation
due diligence
____________________ encompasses a requirement that the implemented standards continue to provide the required level of protection.
due diligence
The bulk batch-transfer of data to an off-site facility is known as
electronic vaulting
A collection of BSSs connected by one or more DSs is referred to as an ____ service set (ESS). elaborate eccentric electric extended
extended
As part of the risk identification process, listing the assets in order of importance can be achieved by using a weighted ____________________ worksheet.
factor analysis
Which of the following is a criteria used to compare and evaluate biometric technologies?
false reject rate
describe a physical security program
fire, physical access, gates, guards, etc.
A(n) ____ is an ideal endpoint for VPN, which connects two companies' networks over the Internet. firewall DMZ intranet extranet
firewall
is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
full-interruption
Types of attacks: Back door
gaining access to system or network using known or previously unknown/newly discovered access mechanism
Cost-Benefit Analysis Benefit
he value to the organization of using controls to prevent losses associated with a specific vulnerability Usually determined by valuing the information assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset This is expressed as the annualized loss expectancy (ALE)
The NIST risk management approach includes all but which of the following elements?
inform
Which of the following is NOT one of the basic rules that must be followed when shaping a policy? policy should never conflict with law policy should be agreed upon by all employees and management policy must be properly supported and administered policy must be able to stand up in court if challenged
policy should be agreed upon by all employees and management
Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
political feasibility
Which tool can identify active computers on a network?
port scanner
Which of the following is NOT an aspect of access regulated by ACLs? what authorized users can access why authorized users need access to the system when authorized users can access the system how authorized users can access the system
why authorized users need access to the system
Software Assurance and the SA Common Body of Knowledge
• National effort underway to create common body of knowledge focused on secure software development • US Department of Defense and Department of Homeland Security supported Software Assurance Initiative, which resulted in publication of Secure Software Assurance (SwA) Common Body of Knowledge (CBK) • SwA CBK serves as a strongly recommended guide to developing more secure applications
Enabling the Safe Operation of Applications
• Organization needs environments that safeguard applications using IT systems • Management must continue to oversee infrastructure once in place—not relegate to IT department
Protecting Data that Organizations Collect and Use
• Organization, without data, loses its record of transactions and/or ability to deliver value to customers • Protecting data in motion and data at rest are both critical aspects of information security
Safeguarding Technology Assets in Organizations
• Organizations must have secure infrastructure services based on size and scope of enterprise • Additional security services may be needed as organization grows • More robust solutions may be needed to replace security programs the organization has outgrown
Software Development Security Problems
• Problem areas in software development: - Buffer overruns - Command injection - Cross-site scripting - Failure to handle errors - Failure to protect network traffic - Failure to store and protect data securely - Failure to use cryptographically strong random numbers • Problem areas in software development (cont'd.): - Format string problems - Neglecting change control - Improper file access - Improper use of SSL - Information leakage - Integer bugs (overflows/underflows) - Race conditions - SQL injection • Problem areas in software development (cont'd.): - Trusting network address resolution - Unauthenticated key exchange - Use of magic URLs and hidden forms - Use of weak password-based systems - Poor usability
Steps to solving problems
• Step 1: Recognize and define the problem • Step 2: Gather facts and make assumptions • Step 3: Develop possible solutions • Step 4: Analyze and compare possible solutions • Step 5: Select, implement, and evaluate a solution
Threats
• Threat: an object, person, or other entity that represents a constant danger to an asset • Management must be informed of the different threats facing the organization • Overall security is improving • The 2009 CSI/FBI survey found - 64 percent of organizations had malware infections - 14 percent indicated system penetration by an outsider
Category of Threat: Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage • Web site defacing can erode consumer confidence, dropping sales and organization's net worth • Threat of hacktivist or cyberactivist operations rising • Cyberterrorism: much more sinister form of hacking
Typically, the information security policy administrator is ____. a. the CEO b. the COO c. a mid-level staff member d. the CIO
A mid-level staff member. (Unsure of answer)
Standards
A more detailed statement of what must be done to comply with policy
Which of the following would not necessarily be a good reference or resource in writing good policy documents from scratch?
A public bookstore
Which of the following would not necessarily be good reference or resource in writing good policy documents from scratch?
A public bookstore
OCTAVE-Allegro
A streamlined approach for information security assessment and assurance
The Factor Analysis of Information Risk (FAIR) framework includes
A taxonomy for information risk Standard nomenclature for information risk terms A framework for establishing data collection criteria Measurement scales for risk factors A computational engine for calculating risk A modeling construct for analyzing complex risk scenarios
exploit
A technique or mechanism that is used to compromise a system is called a(n) ____________________.
threat
A(n) ____________________ is an object, person, or other entity that represents a constant danger to an asset of an organization.
True
A(n) vulnerability is an identified weakness of a controlled information asset and is the result of absent or inadequate controls.
In addition to specifying the penalties for unacceptable behavior, what else must a policy specify? a. Appeals process b. Legal recourse c. Must be done to comply d. The proper operation of equipment
A. Appeals process pg. 128
Which type of planning is used to organize the ongoing, day-to-day performance of tasks? A. Operational B. Organizational C. Tactical D. Strategic
A. Operational Pg. 43
Which of the following is true about planning? A. Strategic plans are used to create tactical plans B. Tactical plans are used to create strategic plans C. Operational plans are used to create tactical plans D. Operational plans are used to create strategic plans
A. Strategic plans are used to create tactical plans pg. 42
A(n) ____ acts as the "base station" for the wireless network. ad-hoc peer AP WMM endpoint
AP
The ____ is the indication of how often you expect a specific type of attack to occur.
ARO
What is the largest area of concern with regard to security in ZigBee? Rogue access points ARP poisoning Weak encryption method Accidental key reuse
Accidental Key reuse
Category of Threat: Human Error or Failure Provide an Example:
Accidents, employee mistakes
availability
According to the C.I.A. triangle, which of the following is a desirable characteristic for computer security?
Acting
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization do the work according to the plan?
What do audit logs that track user activity on an information system provide? identification accountability authorization authentication
Accountability
define project procurement
Acquiring needed project resources. Includes procurement planning, solicitation planning, solicitation, source selection, contract administration and contract closeout.
Which of the following is a responsibility of the crisis management team?
Activating the alert roster
Operational feasibility
Addresses user and management acceptance and support Addresses the overall requirements of the organization's stakeholders
A typical EULA screen may require the user to ____. a. click a button on the screen b. type specific words c. press a function key d. All of these
All of these
Asset valuation must account for value _____.
All of these
The management of human resources must address many complicating factors; which of the following is NOT among them?
All workers operate at approximately the same level of efficiency
Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical? a. BIA questionnaire b. Weighted analysis tool c. Recovery time organizer d. MTD comparison
B Weighted tool analysis pg. 82
Feasibility and Cost-Benefit Analysis
Before deciding on the strategy for a specific vulnerability All readily accessible information about the consequences of the vulnerability must be explored Ask "what are the advantages of implementing a control as opposed to the disadvantages of implementing the control?" There are a number of ways to determine the advantage or disadvantage of a specific control The primary means are based on the value of the information assets that it is designed to protect
False
Benefits of Information Security Governance include optimization of the allocation of limited security safeguards.
When prioritizing collected evidence, which term refers to the likelihood that the information will be useful? Forensics Analysis Volatility Value
Value
Asset valuation components
Value retained from the cost of creating the information asset Value retained from past maintenance of the information asset Value implied by the cost of replacing the information Value from providing the information Value acquired from the cost of protecting the information Value to owners Value of intellectual property Value to adversaries Loss of productivity while the information assets are unavailable Loss of revenue while information assets are unavailable
Category of Threat: Software Attack Provide an Example:
Viruses, worms, macros, DoS
ambitious
Vision statements are meant to be ____.
____ are scanning and analysis tools that are capable of scanning networks for very detailed information.
Vulnerability scanners
The ___________ wireless security protocol was replaced by stronger protocols due to several vulnerabilities found in the early 2000s.
WEP
____________________ presents a threat to wireless communications, a practice that makes it prudent to use a wireless encryption protocol to prevent unauthorized use of your Wi-Fi network.
War driving
The original OCTAVE method, (forms the basis for the OCTAVE body of knowledge)
Was designed for larger organizations with 300 or more users
Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?
What affect will measurement collection have on efficiency?
investigation
What is the first phase of the SecSDLC?
0-1023
What is the range of the well-known ports used by TCP and UDP?
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
Which of the following is NOT a step in the problem-solving process? Gather facts and make assumptions Analyze and compare possible solutions Build support among management for the candidate solution Select, implement and evaluate a solution
Build support among management for the candidate solution
Which of the following is NOT a step in the problem-solving process? Build support among management for the candidate solution Gather facts and make assumptions Analyze and compare possible solutions
Build support amoung management for the candidate solution
describe the informational role
Collecting, processing, and using information that can affect the completion of the objective
safeguards
Controls or ____________________ are used to protect information from attacks by threats; the terms are also often used interchangeably.
This decision-making process is called
Cost-benefit analysis or economic feasibility study
Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent
Which is the first step in the contingency planning process? a. Business continuity training b. Disaster recovery planning c. Incident response planning d. Business impact analysis
D. Business impact analysis pg. 79
What is the last stage of the business impact analysis? a. Identify resource requirements b. Analysis and prioritization of business processes c. Collect critical information about each business unit d. Prioritize resources associated with the business processes
D. Prioritize resources associated with the business processes pg. 84
In which level of planning are budgeting, resource allocation, and manpower critical components? A. Strategic B. Operational C. Organizational D. Tactical
D. Tactical Pg. 43
Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
DMCA
You might put a proxy server in the __________________, which is exposed to the outside world, neither in the trusted nor untrusted network.
DMZ
owners
Data ____________________ are responsible for the security and use of a particular set of information.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
Defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation Allows an organization to make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets The operational or business units and the IT department work together to address the information security needs of the organization
Political feasibility
Defines what can and cannot occur based on the consensus and relationships between the communities of interest
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
Delphi
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? Deontological ethics Applied ethics Normative ethics Meta-ethics
Denotological ethics
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
Deontological ethics
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics? Deontological ethics Meta-ethics Applied ethics Normative ethics
Deontological ethics
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
Descriptive ethics
During the ____ phase of the SecSDLC, the team must create a plan to distribute, and verify the distribution of, the policies.
Design
Category of Threat: Sabotage or Vandalism Provide an Example:
Destruction of systems or information
The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?
Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
PERT disadvantages
Diagrams can be awkward and cumbersome, expensive. Difficulty in estimating task durations
A(n) ____ packet contains a field that indicates the function of the packet and an identifier field used to match requests and responses. RADIUS TKIP ICMP EAP
EAP
A(n) ____ packet contains a field that indicates the function of the packet and an identifier field used to match requests and responses. TKIP ICMP RADIUS EAP
EAP
define Gantt chart
Easier to design and implement than PERT diagrams w/ same info. List activities on vertical axis, timeline on horizontal
Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received
Electronic vaulting
Which material presents a gray area of ownership? An employee's personal belongings The employee's physical personhood Cell phones provided by the employer for the employee's use Employee-purchased briefcases used to transfer work
Employee-purchased briefcase used to transfer work
define project quality management
Ensures project meets project specifications. Includes quality planning, quality assurance and quality control.
define project time management
Ensures that project is finished by identified completion date while meeting objectives
PMBok project scope management
Ensures that project plan includes only those activities necessary to complete it
define scope
Ensures that project plan includes only those activities necessary to complete it
Which Amendment to the U.S. Constitution starts with: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated?
Fourth
Which Amendment to the U.S. Constitution starts with: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated? Second Fourth First Third
Fourth
Which group was created to certify the interoperability of 802.11b products? IEEE ITU ANSI Wi-Fi Alliance
Wi-Fi Alliance
How does the planning process begin?
With the creation of strategic plans for the entire organization
Best Practices
___ are security efforts that seek to provide a superior level of performance in the protection of information. Considered among the best in the industry.
Which of the following is a type of information security policy that deals with entirety of an organization's information security efforts?
Enterprise information security policy
Types of information security policy
Enterprise information security program policy (EISP) Issue-specific information security policies Systems-specific policies
Category of Threat: Technical failures or errors Provide an Example:
Equipment failure
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination? Initiating Learning Acting Establishing
Establishing
Begin a cost-benefit analysis by:
Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised
Technical feasibility
Examines whether or not the organization has or can acquire the technology to implement and support the alternatives
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses
F
Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster
F
____________________ is a risk management framework developed to help organizations to understand, analyze, and measure information risk.The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
Factor Analysis of Information Risk
due care or due diligence
Failure to demonstrate ___or___ can expose an organization to legal liability. If it can be shown that the organization was negligent in its information protection methods.
What is one of the most frequently cited failures in project management?
Failure to meet project deadlines
(T/F) A company deemed to be using 'best security practices' establishes high-quality security in every area of their security program.
False
(T/F) Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
False
(T/F) Having an established risk management program means that an organization's assets are completely protected.
False
(T/F) MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False
(T/F) Technical controls alone, when properly configured, can secure an IT environment.
False
(T/F) The "something you have" authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics.
False
(T/F) The current law regarding nationwide search warrants for e-mail requires the government to use a search warrant to compel a provider to disclose unopened e-mail that is more than six months old.
False
(T/F) The defense risk control strategy may be accomplished by rethinking how services are offered and outsourcing to other organizations, among other strategies.
False
(T/F) The first phase in the NIST performance measurement process is to identify and document InfoSec performance goals and objectives.
False
(T/F) Using a practice called benchmarking, you are able to develop an acceptable use policy based on the typical practices of the industry in which you are working.
False
(T/F) Using standard digital forensics methodology, the first step is to analyze the EM data without risking modification or unauthorized access.
False
An intrusion detection and prevention device denies access to a system by default.
False
Another problem with benchmarking is that no two organizations are similar.
False
Avoidance of risk is accomplished through the application of procedures, training and education and the implementation of technical security controls and safeguards.
False
Best security practices (BSPs) balance the need for information access with the need for adequate protection while simultaneously demonstrating social responsibility.
False
Biometric technologies are generally evaluated according to three basic criteria: False Reject Rate, False Accept Rate and Authentication Error Rate.
False
Common sense dictates that an organization should spend more to protect an asset than its value.
False
Corruption of information can occur only while information is being stored.
False
Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.
False
Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.
False
If multiple audiences exists for information security policies, different documents must be created for each audience.
False
In some organizations, the terms metrics and best practices are interchangeable.
False
In the Flesch Reading Ease scales, the higher the score, the harder it is to understand the writing.
False
Information security policies do not require a champion
False
Mitigation of risk involves applying safeguards that eliminate or reduce the remaining uncontrolled risks.
False
NIST recommends the documentation of each performance measure in a customized format to ensure repeatability of measures development, tailoring, collection, and reporting activities.
False
Once developed, information security performance measures must be implemented and integrated into ongoing information security management operations. For the most part, it is sufficient to collect these measures once.
False
One of the three goals of System Certification and Accreditation as defined by NIST is to: define essential maximum security controls for federal IT systems.
False
Rule-based policies are less specific to the operation of a system than access control lists
False
Scanning and analysis tools ensure confidentiality by concealing private information from unauthorized parties.
False
SysSPs focus on the proper handling of issues in the organization, like the use of technologies.
False
Technical controls alone are adequately equipped to ensure a secure IT environment.
False
The Data Encryption Standard (DES) is a popular symmetric encryption system and uses a 64-bit block size and a(n) 64-bit key.
False
The ISSP is not a binding agreement between the organization and its members.
False
The Internet is an example of a trusted network.
False
The goal of information security is to bring residual risk to zero.
False
The policy administrator must be technically oriented.
False
The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss..
False
Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
Health Information Technology for Economic and Clinical Health Act
Which of the following is NOT a factor critical to the success of an information security performance program?
High level of employee buy-in to performance measurements
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSect planning
An organization must be able to place a dollar value on each information asset it owns, based on:
How much did it cost to create or acquire? How much would it cost to recreate or recover? How much does it cost to maintain? How much is it worth to the organization? How much is it worth to the competition?
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
IP address
Category of Threat: Deviations in quality of service Provide an Example:
ISP, power, or WAN service issues from service providers
In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation?
Identify relevant items of evidentiary value (EM)
In digital forensics, all investigations follow the same basic methodology. Which of the following should be performed first in a digital forensics investigation? Analyze the data without risking modification or unauthorized access Report the findings to the proper authority Acquire (seize) the evidence without alteration or damage Identify relevant items of evidentiary value (EM)
Identify relevant items of evidentiary value (EM)
When is information integrity threatened?
If exposed to corruption, damage, destruction, or other disruption of its authentic state
When a vulnerability exists
Implement security controls to reduce the likelihood of a vulnerability being exercised
During the ____ phase, the information security policy development team must provide for policy distribution.
Implementation
The information security policy is written during the ____ phase of the SecSDLC.
Implementation
phishing
In a(n) ____________________ attack, the attacker uses an e-mail or forged Web site to attempt to extract personal information from a user.
Cost-Benefit Analysis cont.
In most cases, the probability of a threat occurring is the probability of loss from an attack within a given time frame This value is commonly referred to as the annualized rate of occurrence (ARO) ALE = SLE * ARO
A ____ is more detailed statement identifying a measurement of behavior and specifies what must be done to comply with a policy.
Standard
Technical Specifications SysSPs
System administrators' directions on implementing managerial policy Each type of equipment has its own type of policies General methods of implementing technical controls -Access control lists -Configuration rules
The ____ section of the ISSP should specify users' and systems administrators' responsibilities.
Systems Management
A project can have more than one critical path.
T
the prioritized list of threats is placed along the vertical axis
TVA worksheet
The two groups of SysSPs are managerial guidance and ____.
Technical specifications
Which of the following is NOT a knowledge area in the Project Management knowledge body?
Technology
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
The Computer Security Act
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system? Computer Fraud and Abuse Act The Telecommunications Deregulation and Competition Act National Information Infrastructure Protection Act The Computer Security Act
The Computer Security Act
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
The Electronic Communications Privacy Act of 1986
Place information security at the top of the board's agenda
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
maintenance
The ____ phase is typically the most important phase of the security systems development life cycle (SecSDLC).
analysis
The ____ phase of the security systems development life cycle (SecSDLC) assesses the organization's readiness, its current systems status, and its capability to implement and then support the proposed systems.
values
The ____ statement contains a formal set of organizational principles, standards, and qualities.
Chief Risk Officer
The ____________________ has the primary responsibility for independent annual audit coordination.
values
The ____________________ statement contains a formal set of organizational principles, standards, and qualities.
brute force
The application of computing and network resources to try every possible combination of characters to crack a password is known as a ____ attack.
define project management
The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
Resource management by executing appropriate measures to manage and mitigate risks to information technologies
The basic outcomes of information security governance should include all but which of the following?
True
The basic outcomes of information security governance should include risk management by executing appropriate measures to manage and mitigate threats to information resources.
talk
The biggest barrier to benchmarking is when organizations don't___ to each other. A successful attack is viewed as an organizational failure, and is kept secret, insofar as possible.
define planning
The process that develops, creates, and implements strategies for the accomplishment of objectives
define information security
The protection of information and its critical elements (confidentiality, integrity, availability), including the systems and hardware that use/store/transmit the information
define security
The quality or state of being secure, to be free from danger.
define integrity
The quality or state of being whole, complete, and uncorrupted
describe information technology
The vehicle that stores and transports information from one business unit to another. Capable of breaking down
Which of the following is NOT one of the three types of performance measures used by organizations?
Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy
How is information security performed?
Through the application of policy, technology, and training/awareness programs.
Which of the following provides an identification card of sorts to clients who request services in a Kerberos system?
Ticket Granting Service
Hybrid assessment
Tries to improve upon the ambiguity of qualitative measures without using an estimating process
A ____ is a program advertised as performing one activity but actually does something else. worm virus Trojan script
Trojan
(T/F) An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official.
True
(T/F) One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"
True
(T/F) Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
True
(T/F) Secure Shell (SSH) provides security for remote access connections over public networks by creating a secure and persistent connection..
True
(T/F) Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True
(T/F) The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
True
(T/F) The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
True
(T/F) The InfoSec community often takes on the leadership role in addressing risk
True
(T/F) The KDC component of Kerberos knows the secret keys of all clients and servers on the network.
True
(T/F) The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
Encryption uses algorithms to manipulate plaintext into ciphertext before transmission.
True
Implementing controls at an acceptable standard—and maintaining them—demonstrates that an organization has performed due diligence.
True
In some systems, capability tables are known as user profiles.
True
In the case of the man-in the-middle attack, an attacker pretends to be the second party in a conversation and routes traffic to the actual second party.
True
Industries that are regulated by governmental agencies are required to meet government guidelines in their security practices.
True
One of the priorities in building an information security measures program is determining whether these measures will be macro-focus or micro-focus.
True
Performance measurement is an ongoing, continuous improvement operation.
True
Policies must note the existence of penalties for unacceptable behavior and define an appeals process.
True
Public key encryption is also known as asymmetric encryption.
True
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
True
Secure Sockets Layer (SSL) was developed to provide security for online electronic commerce transactions.
True
The Flesch-Kincaid Grade Level score evaluates writing on a U.S. grade-school level.
True
Unless a particular use is clearly prohibited, the organization cannot penalize employees for it.
True
Unless a policy actually reaches the end users, it cannot be enforced.
True
When performing parallel testing, normal operations of the business are not impacted.
True
T or F When performing parallel testing, normal operations of the business are not impacted.
True pg. 116
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
According to Confucius, "Tell me, and I forget; show me and, and I remember; let me do and I ____."
Understand
Acceptance
Understanding the consequences and accepting the risk without control or mitigation To accept the loss when it occurs This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure Before using the acceptance strategy, the organization must: -Determine the level of risk to the information asset -Assess the probability of attack and the likelihood of a --successful exploitation of a vulnerability -Approximate the ARO of the exploit -Estimate the potential loss from attacks -Perform a thorough cost benefit analysis -Evaluate controls using each appropriate type of feasibility -Decide that the particular asset did not justify the cost of protection
Category of Threat: Espionage or trespass Provide an Example:
Unothorized access and/or data collection
Capability tables are also known as ____ .
User policies or User profiles
Best Practices
___ balance the need for information access with the need for adequate protection. Demonstrate fiscal responsibility. Companies with best practices may not be the best in every area.
Operational
____ plans are used to organize the ongoing, day-to-day performance of tasks.
Baselining
___is a value or profile of a performance metric against which changes in the performance metric can be usefully compared. Process of measuring against established standards.
Certification
___is the comprehensive evaluation of the technical and nontechnical security controls of an IT system. Supports the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.
Information security performance management
___is the process of designing, implementing and managing the use of collected data elements called measures. To determine the effectiveness of the overall security program
gold standard
a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information
Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.
action plan
standard of due care
adopting minimum levels of security to establish a future legal defense
The purpose of NIST SP 800-53 (R3) as part of the NIST System C&A Project is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for ____.
all of these
A best practice in the configuration of a firewall is all traffic from the trusted network is ____________________.
allowed out
Types of attacks: Mail bombing
also a DoS; attacker routes large quantities of e-mail to target
Types of attacks: Phishing
an attempt to gain personal/financial information from individual, usually by posing as legitimate entity
define goals
an end result of the planning process
Voice recognition authentication mechanism captures the ____________________ waveforms of human speech.
analog
A risk assessment is performed during which phase of the SecSDLC? design implementation investigation analysis
analysis
A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy
annualized cost of the safeguard
Which type of IDPS is also known as a behavior-based intrusion detection system?
anomaly-based
Risk ____________________ defines the quantity and nature of risk that an organization is willing to accept.
appetite
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
appetite
Types of attacks: Denial-of-service (DoS)
attacker sends large number of connection or information requests to a target
According to Charles Cresson Wood "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent".
audits
EAP request packets are issued by the ____. authenticator authentication server proxy supplicant
authenticator
In an economic feasibility study, the ____________________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.
benefit
Which of the following is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset
benefit
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
common good
Classification categories must be ____________________ and mutually exclusive.
comprehensive
Classification categories must be mutually exclusive and which of the following?
comprehensive
After an incident, but before returning to its normal duties, the CSIRT must do which of the following?
conduct an after-action review
The last phase in the NIST performance measures implementation process is to apply ______________ actions which closes the gap found in Phase 2.
corrective
The last phase in the NIST performance measures implementation process is to apply ____________________ actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.
corrective
In cryptology, an encrypted message is in a ____ form.
cryptext
The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the following tasks? determine if the cost/benefit ratio is acceptable prepare the plan of action and develop milestones determine the risk to organizational operations assemble the security authorization package
determine if the cost/benefit ratio is acceptable
Which type of device allows only specific packets with a particular source, destination, and port address to pass through it.
dynamic packet filtering firewalls
Organizations typically use three types of performance measures, including those that assess the impact of a(n) ____________________ or other security event on the organization or its mission.
incident
plan is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets
incident response
An organization's ____ policy must spell out the procedures for initiating the investigative process, including management approvals. organizational business continuity incident response (IR) contingency planning
incident response (IR)
The first component of the analysis phase is ___________, which allows the investigator to quickly and easily search for a specific type of file.
indexing
describe the measures used to protect confidentality
information classification, secure document storage, application of general security policies, education of information custodians and end users
The concept of computer security has been replaced by the concept of
information security
Information security decisions should involve what three groups?
information security managers/professionals, information technology managers/professionals, non-technical business managers/professionals
define programs
information security operations specifically managed as separate entities. Ex: SETA
Which of the following is Tier 3 (indicating tactical risk) of the tiered risk management approach?
information system
Designing the performance measures collection process requires thoughtful consideration of the ____ of the metric along with a thorough knowledge of how production services are delivered.
intent
define objectives
intermediate points that allow you to measure progress toward the goal
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? implementation design analysis investigation
investigation
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC? implementation investigation design analysis
investigation
What is the first phase of the SecSDLC?
investigation
One of the most common methods of obtaining user acceptance and support is via user
involvement
Potential loss
is that which could occur from the exploitation of vulnerability or a threat occurrence
Any court can impose its authority over an individual or organization if it can establish which of the following?
jurisdiction
Which of the following is used in conjunction with an algorithm to make computer data secure from anybody except the intended recipient of the data?
key
Which of the following biometric authentication systems is the most accepted by users?
keystroke pattern recognition
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
legal liability
Assessing risks includes determining the ____________________ that vulnerable systems will be attacked by specific threats.
likelihood
Which of the following is the process that develops, creates, and implements strategies for the accomplishment of objectives?
planning
In InfoSec, most operations focus on __________, which are those documents that provide managerial guidance for ongoing implementation and operations.
policies
Standards are created from
policies
The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.
policies
____ comprise a set of rules that dictates acceptable and unacceptable behavior within an organization.
policies
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
policy
A ____ is a network channel connection point in a data communications system.
port
A ____ is a network subaddress (assigned a number between 0 and 65,535) through which a particular type of data is allowed to pass. datagram socket port header
port
Which technology employs sockets to map internal private network addresses to a public address using a one-to-many mapping?
port-address translation
A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the ____________________ annualized loss expectancy (ALE).
post-control
Which of the following is NOT a unique function of Information Security Management?
principles
Which of the following is NOT a unique function of Information Security Management? principles planning project management protection
principles
What is the last stage of the business impact analysis?
prioritize resources associated with the business processes
Information security is a _, not a _
process, not a project
What should you be armed with to adequately assess potential weaknesses in each information asset?
properly classified inventory
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____ organization would do in similar circumstances.
prudent
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____________________ organization would do in similar circumstances.
prudent
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
qualitative assessment of many risk components
One of the critical tasks in the measurement process is to assess and ____________________ what will be measured.
quantify
columns include asset impact, vulnerability, and risk-rating factor
ranked vulnerability risk worksheet
In information security, two categories of benchmarks are used: standards of due care and due diligence and ____ practices.
recommended
Mitigation
reduce the damage caused by the exploitation of vulnerability Reducing the impact if the vulnerability is exploited Using planning and preparation Depends upon the ability to detect and respond to an attack as quickly as possible Types of mitigation plans Disaster recovery plan (DRP) Incident response plan (IRP) Business continuity plan (BCP)
NIST recommends the documentation of performance measures in a format to ensure ____ of measures development, tailoring, collection, and reporting activities.
repeatability
The element of remaining risk after vulnerabilities have been controlled is referred to as ____________________ risk.
residual
Which of the following biometric authentication systems is considered to be the most secure?
retina pattern recognition
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
risk appetite
A ____ access point is an unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks. rogue legitimate random sanctioned
rogue
Risk appetite
(also known as risk tolerance) The quantity and nature of risk that organizations are willing to accept As they evaluate the trade-offs between perfect security and unlimited accessibility The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if exploited
Project time management processes
- Activity definition - Activity sequencing - Activity duration estimating - Schedule development - Schedule control
Attacks
- Acts or actions that exploits vulnerability (i.e., an identified weakness) in controlled system - Accomplished by threat agent that damages or steals organization's information
Describe the job of a manager
- Administers the resources of the organization - Creates budgets, authorizes expenditures and hires employees
What are the type of leadership behaviors?
- Autocratic - Democratic - Laissez-faire
define slack time in PERT
- How much time is available for starting a noncritical task without delaying the project as a whole - Tasks which have slack time are logical candidates for accepting a delay
what is the work phase of the WBS
- Phase in which the project deliverables are prepared - Occurs after the project manager has completed the WBS
Conducting Decision Support: Identify and evaluate available controls
-Define functional requirements - create the necessary requirements to mitigate risks -Select possible control solutions - outline approach to identify mitigation solutions -Review solution - evaluate proposed controls against functional requirements -Estimate risk reduction - endeavor to understand reduced exposure or probability of risks -Estimate solution cost - evaluate direct and indirect costs associated with mitigation solutions -Select mitigation strategy - complete cost-benefit analysis to identify the most cost-effective mitigation solution
ISPME checklist
-Gather ideas that stakeholders believe should be included in a new or updated information security policy -Examine other policies issued by your organization to identify prevailing format, style, tone, length, and cross-references -Identify the audience and distribution method of information security policy materials -Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages -Decide whether some other awareness efforts must take place before information security policies are issued -Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated
Developing Information Security Policy Design phase includes
-How the policies will be distributed -How verification of the distribution will be accomplished -Specifications for any automated tools -Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified
ISPME checklist
-If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix -Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication -Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document Determine whether the number of messages is too large to be handled all at one time If so, identify different categories of material to be issued at different times
Technical Specifications SysSPs Access control lists
-Include the user access lists, matrices, and capability tables that govern the rights and privileges -A similar method that specifies which subjects and objects users or groups can access is called a capability table -These specifications are frequently complex matrices, rather than simple lists or tables Enable administrations to restrict access according to user, computer, time, duration, or even a particular file
Developing Information Security Policy Investigation phase
-Obtain support from senior management, and active involvement of IT management, specifically the CIO -Clearly articulate the goals of the policy project -Gain participation of correct individuals affected by the recommended policies -Involve legal, human resources and end-users -Assign a project champion with sufficient stature and prestige -Acquire a capable project manager -Develop a detailed outline of and sound estimates for project cost and scheduling
ISPME checklist
-Outline the topics to be included in the first document reviewed by several stakeholders -Based on comments from the stakeholders, revise the initial outline and prepare a first draft -Have the first draft reviewed by stakeholders for initial reactions, suggestions, and implementation ideas -Revise the draft in response to comments from stakeholders -Request top management approval on the policy -Prepare extracts of the policy document for selected purposes -Develop an awareness plan that uses the policy document as a source of ideas and requirements
Technical Specifications SysSPs Access control lists regulate
-Who can use the system -What authorized users can access -When authorized users can access the system -Where authorized users can access the system from -How authorized users can access the system -Restricting what users can access, e.g. printers, files, communications, and applications
Implementing the (ISSP) Issue-Specific Security Policy
1. Common approaches -Several independent ISSP documents -A single comprehensive ISSP document -A modular ISSP document that unifies policy creation and administration 2. The recommended approach is the modular policy -Provides a balance between issue orientation and policy management
People Processes Technology
3 areas of self-assessment for best security practices
For most corporate documents, a score of ____ is preferred on the Flesch Reading Ease scale.
60 to 70
For most corporate documents, a score of ____ is preferred as a Flesch-Kincaid Grade Level score.
7.0 to 8.0
Port number ____ is commonly used for the Hypertext Transfer Protocol service.
80
Which port number is commonly used for the Hypertext Transfer Protocol service.
80
back door
A ____ is a feature left behind by system designers or maintenance staff.
Enterprise information security program policy, EISP documents should provide
An overview of the corporate philosophy on security Information about information security organization and information security roles -Responsibilities for security that are shared by all members of the organization -Responsibilities for security that are unique to each role within the organization
A risk assessment is performed during the ____ phase of the SecSDLC.
Analysis
NIST SP 800 - 55 R1
Another popular approach to measures programs is___: Performance Measurement for Information Security The identification and definition of the current information security program Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls
Policies must also specify the penalties for unacceptable behavior and define a(n) ____.
Appeals Process
When a vulnerability can be exploited
Apply layered controls to minimize the risk or prevent occurrence
Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?
Are the user accounts of former employees immediately removed on termination?
Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people? Would the typical employee know how to report a security issue to the right people? Do you perform background checks on all employees with access to sensitive data, areas, or access points? Are the user accounts of former employees immediately removed on termination? Would the typical employee recognize a security issue?
Are the user accounts of former employees immediately removed on termination?
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
Assigning a value to each information asset
Which type of planning is the primary tool in determining the long-term direction taken by an organization? A. Tactical B. Operational C. Strategic D. Managerial
C. Strategic Pg. 41
Cost-benefit analysis formula
CBA = ALE(prior) - ALE(post) - ACS ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control ALE (post-control) is the ALE examined after the control has been in place for a period of time ACS is the annual cost of the safeguard
Cost-Benefit Analysis
CBA determines whether or not a control alternative is worth its associated cost CBAs may be calculated before a control or safeguard is implemented To determine if the control is worth implementing Or calculated after controls have been implemented and have been functioning for a time
True
CISOs use the operational plan to organize, prioritize, and acquire resources for major projects.
____ is designed to detect any changes in a packet, whether accidental or intentional. CRC TKIP AES CBC
CRC
Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
Calculating the risks to which assets are exposed in their current setting
Technical controls ____.
Can be implemented using access control lists or configurations rules.
A ____ specifies which subjects and objects users or groups can access.
Capability Table
____________________ is defined as "the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."
Certification
"security control assessment"
Certification is being replaced by the term "___".
guidelines
Choosing which recommended practices to implement can pose a challenge for some organizations. In industries that are regulated by governmental agencies, government ___ are often requirements. For other organizations, government guidelines are excellent sources of information and can inform their selection of best practices.
T or F In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
False pg. 109
T or F Users have the right to use an organization's information systems to browse the Web, even if this right is not specified in the ISSP.
False pg. 135
T or F Rule-based policies are less specific to the operation of a system than access control lists.
False pg. 142
T or F Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex
False pg. 155
T or F Because it sets out general business intentions, a mission statement does not need to be concise.
False pg. 40
T or F A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False pg. 53
T or F The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False pg. 66
T or F Penetration testing is often conducted by contractors, who are commonly referred to as black-hats
False pg. 67
T or F When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
False pg. 76
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following? For private financial gain For purposes of commercial advantage For political advantage In furtherance of a criminal act
For political advantage
champion
For any top-down approach to security implementation to succeed, the initiative must have a(n) ____ with influence to move the project forward.
Policies are important reference documents
For internal audits For the resolution of legal disputes about management's due diligence Policy documents can act as a clear statement of management's intent
Guidelines for Effective Policy
For policies to be effective, they must be properly: -Developed using industry-accepted practices -Distributed or disseminated using all appropriate methods -Reviewed or read by all employees -Understood by all employees -Formally agreed to by act or assertion -Uniformly applied and enforced
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
For political advantage
waterfall
In the security systems development life cycle (SecSDLC), the work products of each phase fall into the next phase to serve as its starting point, which is known as the ____ model.
permutation
In which cipher method are values rearranged within a block to create the ciphertext?
waterfall
In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?
Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident
Incident classification
The benefits of using information security performance measures include all but which of the following?
Increasing efficiency for InfoSec performance
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
InfoSec community analysis
The ____ component of an EISP defines the organizational structure designed to support information security within the organization.
Information Technology Security Responsibilities and Roles
define privacy
Information collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected
Which of the following is not an example of a disaster recovery plan?
Information gathering procedures
performance measures, once
Information security ___ must be implemented and integrated into ongoing information security management operations. It is insufficient to simply collect these measures ___. Performance measurement is an ongoing, continuous improvement operation.
objectives
Information security ____ must be addressed at the highest levels of an organization's management team in order to be effective and offer a sustainable approach.
The 27005 document includes a five-stage risk management methodology
Information security risk assessment (ISRA) Information security risk treatment Information security risk acceptance Information security risk communication Information security risk monitoring and review
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort? Learning Acting Initiating Establishing
Initiating
PMBoK project plan development
Integrating all project elements into a cohesive plan: Complete goal within the allotted time using only the allotted resources.
describe the interpersonal role
Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task
A detailed outline of the scope of the policy development project is created during the ____ phase of the SecSDLC.
Investigation
Cost-Benefit Analysis
It is difficult to determine the value of information It is also difficult to determine the cost of safeguarding it Factors that affect the cost of a safeguard Cost of development or acquisition of hardware, software, and services Training fees Cost of implementation Service and maintenance costs
Developing Information Security Policy
It is often useful to view policy development as a two-part project -First, design and develop the policy (or redesign and rewrite an outdated policy) -Second, establish management processes to perpetuate the policy within the organization The former is an exercise in project management, while the latter requires adherence to good business practices
Category of Threat: Missing, inadequate, or incomplete Provide an Example:
Loss of access to information systems due to disk in place drive failure without proper backup and recovery plan organizational policy or planning
Developing Information Security Policy
Maintenance Phase Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously Periodic review should be built in to the process
accreditation, certification
Organizations pursue ___ or ___ to gain a competitive advantage. Also provides assurance to customers
A disadvantage of creating a modular ISSP document is that it ____.
May be more expensive than other alternatives.
A disadvantage of creating a single comprehensive ISSP document is that such a document ____ .
May overgeneralize the issues and skip over vulnerabilities.
Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
Measurements must be useful for tracking non-compliance by internal personnel
Microsoft Risk Management Approach
Microsoft Corporation also promotes a risk management approach Four phases in the Microsoft InfoSec risk management process: Assessing risk Conducting decision support Implementing controls Measuring program effectiveness
It is recommended that the ____ approach(es) to creating and managing ISSPs be used.
Modular
professional associations, lessons learned
More and more security administrators are joining ___ and societies like ISSA and sharing their stories and lessons learned. An alternative to this direct dialogue is the publication of ___.
Security Certification & Accreditation offers several benefits. Which of the following is NOT one of them?
More consistent, comparable, and repeatable certifications of InfoSec programs
Program Evaluation and Review Technique(PERT)
Most popular, originally developed in the 1950s for government driven engineering projects
Developing Information Security Policy Analysis phase should produce
New or recent risk assessment or IT audit documenting the current information security needs of the organization Key reference materials Including any existing policies
NIST, authorization
Newer ___ documents focus less upon certification and accreditation strategy. And more on a holistic risk management strategy incorporating an ___ strategy rather than accreditation.
____ comprise a set of rules that dictates acceptable and unacceptable behavior within a organization.
Policies
Does privacy signify freedom from observation?
No, it means that information will be used only in ways known to the person providing it
The ____________________ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
OCTAVE
An alternate set of possible risk control strategies includes all but which of the following?
Obscurity: Hiding critical security assets in order to protect them from attack
Describe the edges of the mccumber cube
One one side: confidentiality, integrity, availability. On the second side: storage, processing, transmission. On the last side: policy, education, technology
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
managers
Operational plans are used by ____.
False
Organizations following the IDEAL Governance framework would determine where you are relative to where you want to be in the evaluation phase.
In cryptology, an original message is in a ____ form.
plaintext
Recommended Risk Control Practices
Organizations typically look for a more straightforward method of implementing controls This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls for specific information asset vulnerability
____ is considered a more flexible EAP scheme because it creates an encrypted channel between the client and the authentication server. LEAP TKIP PEAP ICMP
PEAP
Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?
PERT
Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems? GANTT PERT CPM WBS
PERT
The industry best practice for management methodology
PMBoK
ISPME checklist
Perform a risk assessment or information technology audit To determine your organization's unique information security needs Clarify the meaning of "policy" within your organization Ensure clear roles and responsibilities related to information security Including responsibility for issuing and maintaining policies
Quantitative assessment
Performs asset valuation with actual values or estimates May be difficult to assign specific values Use scales instead of specific estimates
Bluetooth is a ____ technology designed for data communication over short distances. Personal Area Network Private Area Network Limited Area Network Small Area Network
Personal Area Network
In which phase of the NIST performance measures development process will the organization identify and document the InfoSec performance goals and objectives?
Phase 2
resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states
Physical
Which of the following attributes does NOT apply to software information assets?
Physical location
What are the specialized areas of security?
Physical, operations, communications, network
Category of Threat: Compromises to intellectual property Provide an Example:
Piracy, copyright infringement
Assessing Risk: Identification and prioritization of risks facing the organization
Plan data gathering - discuss keys to success and preparation guidance Gather risk data - outline the data collection process and analysis Prioritize risks - outline prescriptive steps to qualify and quantify risks
The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.
Policies
Which of the following is NOT a guideline that may help in the formulation of information technology (IT) policy as well as information security policy?
Policies must be reviewed and approved by legal council before administration.
Bulls-eye model layers
Policies: first layer of defense Networks: threats first meet the organization's network Systems: computers and manufacturing systems Applications: all applications systems
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP? Policy Review and Modification Statement of Purpose Systems Management Limitations of Liability
Policy Review and Modification
Developing Information Security Policy
Policy development projects should be Well planned Properly funded Aggressively managed to ensure that it is completed on time and within budget
rules for shaping a policy
Policy should never conflict with law Policy must be able to stand up in court if challenged Policy must be properly supported and administered
___ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.
Political
ISPME next steps
Post polices to intranet or equivalent Develop a self-assessment questionnaire Develop revised user ID issuance form Develop agreement to comply with information security policies form Develop tests to determine if workers understand policies Assign information security coordinators Train information security coordinators
Which of the following is NOT a factor critical to the success of an information security performance program?
Practical InfoSec budgets and resources for the program
Which of the following is the first phase in the NIST process for performance measures implementation?
Prepare for data collection
Practices
Procedures and guidelines explain how employees will comply with policy
Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?
Project Management Body of Knowledge (PMBoK)
true
Project scope management ensures that the project plan includes only those activities that are necessary to complete it.
Which two approaches are available to an organization when employing digital forensics?
Protect and forget; Apprehend and prosecute
Which two approaches are available to an organization when employing digital forensics? Patch and proceed; Protect and forget Protect and forget; Apprehend and prosecute Pursue and prosecute; Identify and apprehend Protect and defend; Apprehend and pursue
Protect and forget; Apprehend and prosecute
The role of the information security community
Protects the organization's information assets from the threats they face
Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance -Instructs the organization in secure use of a technology systems -Begins with introduction to fundamental technological philosophy of the organization Protects organization from inefficiency and ambiguity -Documents how the technology-based system is controlled Protects organization from inefficiency and ambiguity (cont'd.) -Identifies the processes and authorities that provide this control. Indemnifies the organization against liability for an employee's inappropriate or illegal system use
Administrators set user privileges
Read, write, create, modify, delete, compare, copy
Which of the following is the first step in the problem-solving process?
Recognize and define the problem
define Network scheduling
Refers to the web of possible pathways to project completion
____________________ is a is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.
Residual risk
Residual risk is a combined function of all but which of the following?
Residual risk less a factor of error
Which of the following biometric authentication system is considered to be the most secure?
Retina pattern recognition
The identification and assessment of levels of risk in an organization describes which of the following?
Risk analysis
Which firewall architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server? Proxy server Dual-homed host Screened host firewall Screened subnet firewall
Screened host firewall
Implementing controls: deployment and operation of the controls selected from the cost-benefit analyses and other mitigating factors from the previous step
Seek holistic approach - incorporate people, process, and technology in mitigation solution Organize by defense-in-depth - arrange mitigation solutions across the business
background checks
Self-assessment for best security practices: People- Do you perform ___ on all employees with access to sensitive data, areas, or access points? Would the average employee recognize a security issue? Would they choose to report it? Would they know how to report it to the right people?
annual
Self-assessment for best security practices: Processes- Are enterprise security policies updated on at least an ___ basis, employees educated on changes, and consistently enforced? Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities? Are the user accounts of former employees immediately removed on termination? Are security group representatives involved in all stages of the project life cycle for new projects?
firewall
Self-assessment for best security practices: Technology- Is every possible route to the Internet protected by a properly configured___? Is sensitive data on laptops and remote systems encrypted? Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures? Are malicious software scanning tools deployed on all workstations and servers?
Enterprise information security program policy (EISP)
Sets strategic direction, scope, and tone for organization's security efforts Assigns responsibilities for various areas of information security Guides development, implementation, and management requirements of information security program
Transference
Shifting the risk to other areas or to outside entities, assets, other processes, or other organizations May be accomplished by rethinking how services are offered Revising deployment models Outsourcing to other organizations Purchasing insurance Implementing service contracts with providers
____ is when an attacker tricks users into giving out information or performing a compromising action. Reverse engineering Phreaking Hacking Social engineering
Social engineering
Residual risk
When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for Residual Risk is a combined function of: Threats, vulnerabilities and assets, less the effects of the safeguards in place
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
economic and non-economic
What is the next phase of the preattack data gathering process after the attacker has collected all of an organization's Internet addresses?
fingerprinting
A(n) ____________________ is any device that prevents a specific type of information from moving between an untrusted network and a trusted network.
firewall
The ____ of the wireless network is the area the radio signal reaches. basic service area usage pattern spectrum footprint
footprint
In large organizations, ____ know operating systems and networks as well as how to interpret the information gleaned by the examiners. forensic examiners incident managers forensic analysts application programmers
forensic analysts
Which of the following allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental?
forensics
System-Specific Security Policy (SysSPs)
frequently do not look like other types of policy They may function as standards or procedures to be used when configuring or maintaining systems SysSPs can be separated into: -Management guidance -Technical specifications -Or combined in a single policy document
testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
full-interruption
In the NIST performance measures implementation process, the comparison of observed measurements with target values is known as a ____ analysis.
gap
During Phase 2 of the NIST performance measures development process, the organization will identify and document the information security performance ____ that would guide security control implementation for the information security program of a specific information system.
goals and objectives
The ____________________ assessment, tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.
hybrid
Access control encompasses four processes beginning with ____________________, checking a client requesting access.
idenification
PERT advantages
makes planning large projects easier (pre/post activity identification), determines probability, anticipates system changes, no formal reading
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
malice
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them? ignorance accident intent malice
malice
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
managerial controls
In most cases, simply listing the measurements collected does not adequately convey their ____.
meaning
Communications security involves the protection of which of the following?
media, technology, and content
While the terms may be interchangeable in some organizations, typically the term ____ is used for more granular, detailed measurement, while the term ____ is used for aggregate, higher-level results.
metrics; measures
Typically, the information security policy administrator is ____.
mid-level staff member
Which of the following explicitly declares the business of the organization and its intended areas of operations?
mission statement
Reducing the impact of a successful attack on an organization's system falls under the ____ risk control strategy.
mitgation
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________ .
mitigation
Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
mitigation
The effectiveness of controls should be ____________________ and measured regularly once a control strategy has been selected.
monitored
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
monitored and measured
Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
monitoring and measurement
define Controlling
monitoring progress toward completion and making necessary adjustments to achieve the desired objectives
Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives? organization planning leading controlling
organization
A(n) ____________________ is a private word or combination of characters known only by the user.
password
A(n) ____________________ is a secret word or combination of characters known only by the user.
password
testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration testing
Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?
performance management
Information security ____ is the process of designing, implementing, and managing the use of the collected data elements called measures to determine the effectiveness of the overall security program.
performance measurement
In which cipher method are values rearranged within a block to create the ciphertext?
permutation
Bluetooth networks are referred to as ____. piconets econets honeynets ultra-wideband networks
piconets
certification
the comprehensive evaluation of the technical and nontechnical security controls of an IT system
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
threats-vulnerabilities-assets worksheet
___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
tort law
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transferal
An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.
transference
Types of attacks: Hoaxes
transmission of a virus hoax with a real virus attached; more devious form of attack
Types of attacks: Brute force
trying every possible combination of options of a password
An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
uncertainty
At what point in the incident lifecycle is the IR plan initiated?
when an incident is detected
Benchmarking can help to determine ____ controls should be considered, but it cannot determine ____ those controls should be implemented in your organization.
which, how
Category of Threat: Espionage or Trespass
• Access of protected information by unauthorized individuals • Competitive intelligence (legal) vs. industrial espionage (illegal) • Shoulder surfing can occur anywhere a person accesses confidential information • Controls let trespassers know they are encroaching on organization's cyberspace • Hackers use skill, guile, or fraud to bypass controls protecting others' information • Expert hacker - Develops software scripts and program exploits - Usually a master of many skills - Will often create attack software and share with others • Unskilled hacker - Many more unskilled hackers than expert hackers - Use expertly written software to exploit a system - Do not usually fully understand the systems they hack • Other terms for system rule breakers: - Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication - Phreaker: hacks the public telephone network
Category of Threat: Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems • Proper managerial planning should prevent technology obsolescence • IT plays large role
Category of Threat: Information Extortion
• Attacker steals information from computer system and demands compensation for its return or nondisclosure • Commonly done in credit card number theft
Category of Threat: Forces of Nature
• Forces of nature are among the most dangerous threats • Disrupt not only individual lives, but also storage, transmission, and use of information • Organizations must implement controls to limit damage and prepare contingency plans for continued operations • Fire • Floods • Earthquakes • Lightning • Landslides or Mudslides • Tornados or Severe Windstorms • Hurricanes, Typhoons and tropical depressions • Tsunamis • Electrostatic discharge (ESD) • Dust Contamination
Software Design Principles
• Good software development results in secure products that meet all design specifications • Some commonplace security principles: - Keep design simple and small - Access decisions by permission not exclusion - Every access to every object checked for authority - Design depends on possession of keys/passwords - Protection mechanisms require two keys to unlock - Programs/users utilize only necessary privileges • Some commonplace security principles (cont'd.): - Minimize mechanisms common to multiple users - Human interface must be easy to use so users routinely/automatically use protection mechanisms
Category of Threat: Theft
• Illegal taking of another's physical, electronic, or intellectual property • Physical theft is controlled relatively easily • Electronic theft is more complex problem; evidence of crime not readily apparent
Category of Threat: Missing, Inadequate, or Incomplete
• In policy or planning, can make organizations vulnerable to loss, damage, or disclosure of information assets • With controls, can make an organization more likely to suffer losses when other threats lead to attacks
Category of Threat: Human Error or Failure
• Includes acts performed without malicious intent • Causes include: - Inexperience - Improper training - Incorrect assumptions • Employees are among the greatest threats to an organization's data • Employee mistakes can easily lead to: - Revelation of classified data - Entry of erroneous data - Accidental data deletion or modification - Data storage in unprotected areas - Failure to protect information • Many of these threats can be prevented with controls
Category of Threat: Deviations in Quality of Service
• Includes situations where products or services are not delivered as expected • Information system depends on many interdependent support systems • Internet service, communications, and power irregularities dramatically affect availability of information and systems • Internet service issues - Internet service provider (ISP) failures can considerably undermine availability of information - Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software • Communications and other service provider issues - Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc. - Loss of these services can affect organization's ability to function • Power irregularities - Commonplace - Organizations with inadequately conditioned power are susceptible - Controls can be applied to manage power quality - Fluctuations (short or prolonged) • Excesses (spikes or surges) - voltage increase • Shortages (sags or brownouts) - low voltage • Losses (faults or blackouts) - loss of power
Category of Threat: Compromises to Intellectual Property
• Intellectual property (IP): "ownership of ideas and control over the tangible or virtual representation of those ideas" • The most common IP breaches involve software piracy • Two watchdog organizations investigate software abuse: - Software & Information Industry Association (SIIA) - Business Software Alliance (BSA) • Enforcement of copyright law has been attempted with technical security mechanisms
Deliberate Software Attacks
• Malicious software (malware) designed to damage, destroy, or deny service to target systems • Includes: - Viruses - Worms - Trojan horses - Logic bombs - Back door or trap door - Polymorphic threats - Virus and worm hoaxes
Protecting the Functionality of an Organization
• Management (general and IT) responsible for implementation • Information security is both management issue and people issue • Organization should address information security in terms of business impact and cost
Secure Software Development
• Many information security issues discussed here are caused by software elements of system • Development of software and systems is often accomplished using methodology such as Systems Development Life Cycle (SDLC) • Many organizations recognize need for security objectives in SDLC and have included procedures to create more secure software • This software development approach known as Software Assurance (SA)