Info Sec Exam 3
TEMPEST
A U.S. government program designed to protect computers from electronic remote eavesdropping by reducing EMR emissions.
line-interactive UPS
A UPS in which a pair of inverters and converters draw power from the outside source both to charge the battery and provide power to the internal protected device.
standby ferroresonant UPS
A UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered.
double conversion online UPS
A UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.
SPAN
A __________ port, also known as a monitoring port, is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device.
Thermal detection systems
A category of fire detection systems that focuses on detecting the heat from a fire.
Smoke detection systems
A category of fire detection systems that focuses on detecting the smoke from a fire.
private-key encryption
A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.
symmetric encryption
A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.
asymmetric encryption
A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it.
transposition cipher
A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a permutation cipher.
permutation cipher
A cryptographic operation that involves simply rearranging the values within a block based on an established pattern. Also known as a transposition cipher
Vernam cipher
A cryptographic technique developed at AT&T and known as the "one-time pad," this cipher uses a set of characters for encryption operations only one time and then discards it.
identification (ID) card
A document used to verify the identity of a member of an organization, group, or domain.
Rate-of-rise sensors
A fire detection sensor that works by detecting an unusually rapid increase in the area temperature within a relatively short period of time.
Fixed-temperature sensors
A fire detection sensor that works by detecting the point at which the ambient temperature in an area reaches a predetermined level.
Ionization sensors
A fire detection sensor that works by exposing the ambient air to a small amount of a harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber.
Photoelectric sensors
A fire detection sensor that works by projecting an infrared beam across an area. If the beam is interrupted, presumably by smoke, the alarm or suppression system is activated.
Air-aspirating detectors
A fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken.
flame detector
A fire detection system that works by detecting the infrared or ultraviolet light produced by an open flame.
clean agent
A fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment.
wet-pipe system
A fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area.
pre-action system
A fire suppression sprinkler system that employs a two-phase response to a fire. When a fire is detected anywhere in the facility, the system will first flood all pipes, then activate only the sprinkler heads in the area of the fire.
dry-pipe system
A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area.
Deluge systems
A fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated.
Water mist sprinklers
A fire suppression sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a flame.
sprinkler systems
A fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected.
exclusive OR operation (XOR)
A function within Boolean algebra used as an encryption function in which two bits are compared. If the two bits are identical, the result is a binary 0; otherwise, the result is a binary 1.
virtual organization
A group of people brought together for a specific task, usually from different organizations, divisions, or departments.
agents
A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.
sensors
A hardware and/or software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.
Diffie-Hellman key exchange
A hybrid cryptosystem that facilitates exchanging private keys using public-key encryption.
secret key
A key that can be used in symmetric encryption both to encipher and decipher the message.
message authentication code (MAC)
A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.
whitelist
A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite those entities' access to systems or networks.
blacklist
A list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.
Electromechanical locks
A lock that can accept a variety of inputs as keys, including magnetic strips on ID cards, radio signals from badges, personal identification numbers (PINs) typed into a keypad, or some combination of these to activate an electrically powered locking mechanism.
biometric locks
A lock that reads a unique biological attribute such as a fingerprint, iris, retina, or palm and then uses that input as a key.
attack protocol
A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
symmetric
A method of encryption that requires the same secret key to encipher and decipher the message is known as __________ encryption.
honeynet
A monitored network or network segment that contains multiple honeypot systems.
secure facility
A physical location that has controls in place to minimize the risk of attacks from physical threats.
mechanical lock
A physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock.
clipping level
A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.
Alarm clustering and compaction
A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms. Clustering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by system administrators.
padded cell system
A protected honeypot that cannot be easily compromised.
Secure Electronic Transactions (SET)
A protocol developed by credit card companies to protect against electronic payment fraud.
known vulnerabilities
A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
passive vulnerability scanner
A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
Secure Sockets Layer (SSL)
A security protocol developed by Netscape to use public-key encryption to secure a channel over the Internet.
Secure Multipurpose Internet Mail Extensions (S/MIME)
A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
Link Encryption
A series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it and then reencrypts the message using different keys and sends it to the next neighbor.
mantrap
A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.
security information and event management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.
plenum
A space between the ceiling in one level of a commercial building and the floor of the level above. The plenum is used for air return.
ground fault circuit interruption
A special circuit device designed to immediately disconnect a power supply when a sudden discharge (ground fault) is detected.
Secure Hash Standard (SHS)
A standard issued by the National Institute of Standards and Technology (NIST) that specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.
Privacy-Enhanced Mail (PEM)
A standard proposed by the Internet Engineering Task Force (IETF) that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
polyalphabetic substitutions
A substitution cipher that incorporates two or more alphabets in the encryption process.
monoalphabetic substitution
A substitution cipher that only incorporates a single alphabet in the encryption process.
intrusion detection systems (IDS)
A system capable of automatically detecting an intrusion into an organization's networks or host systems and notifying a designated authority.
message digest
A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient's locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a hash value.
hash value
A value representing the application of a hash algorithm on a message that is transmitted with the message so it can be compared with the recipient's locally calculated hash of the same message. If both hashes are identical after transmission, the message has arrived without modification. Also known as a message digest
threshold
A value that sets the limit between normal and abnormal behavior. See also clipping level.
closed-circuit television (CCT)
A video capture and recording system used to monitor a facility.
telework
A work arrangement in which employees work from an off-site location and connect to an organization's equipment electronically. Also known as telecommuting.
Telecommuting
A work arrangement in which employees work from an off-site location and connect to an organization's equipment electronically. Also known as telework.
Fingerprinting
Activities that scan network locales for active systems and then identify the network services offered by the host systems is known as __________.
monitoring port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
switched port analysis (SPAN) port
Also known as a switched port analysis (SPAN) port or mirror port, a specially configured connection on a network device that can view all the traffic that moves through the device.
behavior-based detection
Also known as anomaly-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
Anomaly-based detection
Also known as behavior-based detection, an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy.
signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures.
misuse detection
Also known as knowledge-based detection or signature-based detection, the examination of system or network data in search of patterns that match known attack signatures.
knowledge-based detection
Also known as misuse detection or signature-based detection, the examination of system or network data in search of patterns that match known attack signatures.
fully distributed IDPS control strategy
An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.
centralized IDPS control strategy
An IDPS implementation approach in which all control functions are implemented and managed in a central location.
partially distributed IDPS control strategy
An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
Inline sensors
An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
passive mode
An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.
network-based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
host-based IDPS (HIDPS)
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.
Site policy awareness
An IDPS's ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment. A dynamic IDPS logs events that fit a specific profile instead of minor events, such as file modifications or failed user logins. A smart IDPS knows when it does not need to alert the administrator—for example, when an attack is using a known and documented exploit from which the system is protected.
Vigenère cipher
An advanced type of substitution cipher that uses a simple polyalphabetic code.
Intrusion
An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
thermal detectors
An alarm sensor designed to detect a defined rate of change in the ambient temperature within a defined space.
Contact and weight sensors
An alarm sensor designed to detect increased pressure or contact at a specific location, such as a floor pad or a window.
Vibration sensors
An alarm sensor designed to detect movement of the sensor rather than movement in the environment.
Motion detectors
An alarm sensor designed to detect movement within a defined space.
False positive
An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactions to actual intrusion events.
Trap-and-trace
An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
Honeypots
An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.
pen registers
An application that records information about outbound communications.
Active vulnerability scanners
An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
log file monitor (LFM)
An attack detection method that reviews the log files generated by computer systems, looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
fail-safe lock
An electromechanical device that automatically releases the lock protecting a control point if a power outage occurs. This type of lock is used for fire safety locations.
fail-secure lock
An electromechanical device that stays locked and maintains the security of the control point if a power outage occurs.
proximity reader
An electronic signal receiver used with an electromechanical lock that allows users to place their cards within the reader's range and release the locking mechanism.
substitution cipher
An encryption method in which one value is substituted for another.
Bit Stream Cipher
An encryption method that involves converting plaintext to ciphertext one bit at a time.
Block Cipher
An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.
True attack stimulus
An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack, in which an attacker is attempting a system compromise, or it may be a drill, in which security personnel are using hacker tools to test a network segment.
False attack stimulus
An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
Secure HTTP (S-HTTP)
An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server.
badge
An identification card typically worn in a visible location to quickly verify an authorized member. The badge may or may not show the wearer's name.
Static electricity
An imbalance of electrical charges in the atmosphere or on the surface of a material, caused by triboelectrification.
Alert or alarm
An indication or notification that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
Public key infrastructure (PKI)
An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.
standby or offline UPS
An offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down.
delta conversion online UPS
An uninterruptible power supply (UPS) that is similar to a double conversion online UPS except that it incorporates a delta transformer, which assists in powering the inverter while outside power is available.
Zero day vulnerabilities
An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss. This vulnerability is also referred to as zero day (or zero hour) because once it is discovered, the technology owners have zero days to identify, mitigate, and resolve the vulnerability.
b
Class __________ fires are extinguished by agents that remove oxygen from the fire.
c
Class __________ fires are safely extinguished with non-conducting agents only.
Fire suppression systems
Devices that are installed and maintained to detect and respond to a fire, potential fire, or combustion danger.
Digital signatures
Encrypted message components that can be mathematically proven as authentic.
Gaseous (or chemical gas) emission systems
Fire suppression systems that operate through the delivery of gases rather than water.
encapsulating security payload (ESP) protocol
In IPSec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
application header (AH) protocol
In IPSec, a protocol that provides system-to-system authentication and data integrity verification, but does not provide secrecy for the content of a network communication.
transport mode
In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.
tunnel mode
In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.
certificate revocation list (CRL)
In PKI, a published list of revoked or terminated digital certificates.
certificate authority (CA)
In PKI, a third party that manages users' digital certificates.
registration authority (RA)
In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.
correction
Intrusion __________ activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again.
session keys
Limited-use symmetric keys for temporary communications during an online session.
Hash functions
Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity.
signatures
Patterns that correspond to a known attack.
Hash algorithms
Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.
Digital certificates
Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.
public-key encryption
See asymmetric encryption.
mirror port
See monitoring port.
Digital Signature Standard (DSS)
The NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme.
enticement
The act of attracting attention to a system by placing tantalizing information in key locations.
entrapment
The act of luring a person into committing a crime in order to get a conviction.
Work Factor
The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.
humidity
The amount of moisture in the air.
facilities management
The aspect of organizational management focused on the development and maintenance of its buildings and physical infrastructure.
stateful protocol analysis (SPA)
The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns in an effort to detect misuse and attacks.
Advanced Encryption Standard (AES)
The current federal standard for the encryption of data, as specified by NIST. AES is based on the Rijndael algorithm, which was developed by Vincent Rijmen and Joan Daemen.
Keyspace
The entire range of values that can be used to construct an individual key.
triboelectrification
The exchange of electrons between two materials when they make contact, resulting in one object becoming more positively charged and the other more negatively charged.
False negative
The failure of an IDPS to react to an actual attack event. This is the most grievous IDPS failure, given that its purpose is to detect and respond to attacks.
cryptology
The field of science that encompasses cryptography and cryptanalysis.
attack surface
The functions and features that a system exposes to unauthenticated users.
intrusion detection and prevention system (IDPS)
The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
Key or Cryptovariable
The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to manipulate the plaintext.
Algorithm
The mathematical formula or method used to convert an unencrypted message into an encrypted message.
Confidence value
The measure of an IDPS's ability to correctly detect and identify certain types of attacks. The confidence value an organization places in the IDPS is based on experience and past performance measurements. The confidence value, which is based on fuzzy logic, helps an administrator determine the likelihood that an IDPS alert or alarm indicates an actual attack in progress. For example, if a system deemed 90 percent capable of accurately reporting a denial-of-service (DoS) attack sends a DoS alert, there is a high probability that an actual attack is occurring.
footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization.
Plaintext or Cleartext
The original unencrypted message that is encrypted and is the result of successful decryption.
Noise
The presence of additional and disruptive signals in network communications or electrical power delivery. Also, noise can be alarm events that are accurate and noteworthy but do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise, although some noise might be triggered by scanning and enumeration tools run by network users without harmful intent.
IP Security (IPSec)
The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including virtual private networks.
Evasion
The process by which attackers change the format and/or timing of their activities to avoid being detected by an IDPS.
Tuning
The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.
Alarm filtering
The process of classifying IDPS alerts so they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications. For example, the administrator may set the IDPS to discard alarms produced by false attack stimuli or normal network operations. Alarm filters are similar to packet filters in that they can filter items by their source or destination IP addresses, but they can also filter by operating systems, confidence values, alarm type, or alarm severity.
Decipher
The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext).
Decryption
The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext).
Encipher
The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext).
Encryption
The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext).
Code
The process of converting components (words or phrases) of an unencrypted message into encrypted components.
protocol stack verification
The process of examining and verifying network traffic for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol.
application protocol verification
The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
tailgating
The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point.
Steganography
The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.
back hack
The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
Cryptography
The process of making and using codes to secure information.
Cryptanalysis
The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.
nonrepudiation
The process of reversing public-key encryption to verify that a message was sent by the sender and thus cannot be refuted.
electrostatic discharge (ESD)
The release of ambient static electricity into a ground.
Site policy
The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
fingerprinting
The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
electromagnetic radiation (EMR)
The transmission of radiant energy through space, commonly referred to as radio waves.
Ciphertext or Cryptogram
The unintelligible encrypted or encoded message resulting from an encryption.
port scanners
Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
LFM
Using __________, the system reviews the log files generated by servers, network devices, and even other IDPSs.
Cipher
When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa (see decipher and encipher); when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with cryptosystem.
Trap and trace
__________ applications use a combination of techniques to detect an intrusion and then trace it back to its source.
HIDPSs
__________ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.
false
true/false? A false positive is the failure of an IDPS system to react to an actual attack event.
true
true/false? A permutation cipher simply rearranges the values within a block to create the ciphertext.
true
true/false? A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
false
true/false? Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators.
false
true/false? Encryption methodologies that require the same secret key to encipher and decipher the message are using what is called public key encryption.
false
true/false? Hashing functions require the use of keys.
true
true/false? In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on the network.
true
true/false? In general, electrostatic discharge damage to chips produces two types of failures: immediate and latent.
true
true/false? Physical security is as important as logical security to an information security program.
true
true/false? The Digital Signature Standard established by NIST is used for electronic document authentication by federal information systems. It is based on a variant of the ElGamal algorithm.
false
true/false? The capacity of UPS devices is measured using the voltage output rating.
false
true/false? Water damage from fire suppression systems is considered less dangerous to computer systems than hazardous chemicals like Halon.