Info Sec Mid-Term
Data privacy
Governs how data is collected shared and used
The goal of a penetration study/test is to violate the site security policy. [T/F]
T
A threat is a potential violation of security. [T/F]
True
Access control mechanisms support confidentiality. [T/F]
True
Principle of Least Privilege / Principle of Least Authority
A subject should be given only those privileges that it needs in order to complete its task.
Principle of Separation of Privilege
A system should not grant permission based on a single condition.
Computer Security Incident Response Team (CSIRT)
A team established to assist and co-ordinate responses to a security incident among a defined constituency.
Delay
A temporary inhibition of a service
Fail back test
A test in which a disaster recovery environment is switched back to the primary data center in order to test resumption of normal operation.
XML External Entities
A type of attack against an application that parses XML input
Cross-Site Scripting (XSS)
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites
Metamorphic virus
A virus that changes it internal structure but performs the same actions each time it is executed
Polymorphic virus
A virus that changes the form of it decryption routine each time it insets itself into another program
Encrypted virus
A virus that encrypts all of the virus except the cryptographic key and a decryption key
Insecure Deserialization
A vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service [DoS] attack, or even execute arbitrary code
Specification
A(formal or informal) statement of the desired functioning of the system
A/An _______________ is the set of entry points and data that attackers can use to compromise a system.
Attack Surface
A SYN Flood attack impacts which of the following: Availability Integrity Confidentiality
Availability
_______________ refers to the ability to use information or resources.
Availability
Put the classes of applications and systems into the correct order from most important (class 1) to least important (class 4): Mission Critical Critical Essential Non Critical
Class 1 Class 2 Class 3 Class 4
Substitution cipher
Changes characters in the plaintext to produce the ciphertext
Which of the following are security incidents: Unauthorized computer or data access A violation of campus computer security policies and standards Physical or logical damage to systems Presence of a malicious application, such as a virus An unexpected food delivery
Unauthorized computer or data access A violation of campus computer security policies and standards Physical or logical damage to systems Presence of a malicious application, such as a virus
Principle of Fail-Safe Defaults
Unless a subject is given explicit access to an object, it should be denied access to that object.
In the U.S. trademarks are granted for an initial period of _______________ years and can be renewed for unlimited successive same number of year periods.
10
CVE stands for: Common Vulnerabilities and Exposures Common Vulnerabilities and Exploits Corrupt Views and Efforts
Common Vulnerabilities and Exposures
CWE stands for: Common Weaknesses and Exploits Common Weaknesses and Exposures Common Wars and Enemies
Common Weaknesses and Exposures
Information that is absolutely critical to a business that would result in critical damage if it were disclosed to competitors and/or the public is called a _______________ _______________.
Trade Secret
Limiting the objects accessible to a given process run by the user is not a good protection technique. [T/F]
False
Most attacks are not multistage, rather they are a single step attack. [T/F]
False
Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: private keys which may be disseminated widely, and public keys which are known only to the owner. [T/F]
False
Resource hiding is not an important aspect of confidentiality. [T/F]
False
Risks do not change over time. [T/F]
False
Security mechanisms must be technical in nature. [T/F]
False
Small businesses do not need to worry about cyber attacks. [T/F]
False
Two-factor login requires the user to solve 2 math problems (factoring) before they can login. [T/F]
False
When a file is deleted, the data is gone for good and there is no way to recover it. [T/F]
False
When using cloud services and software, the cloud provider is responsible for all security of the network and systems. [T/F]
False
You don't need to use encrypted communications on inside networks. [T/F]
False
Design
Translates the specifications into components that will implement them
A DMZ web server will have a highly restrictive security policy. [T/F]
True
A VPN creates a secure "tunnel" which encrypts traffic between two locations. [T/F]
True
A botmaster, controls bots from one or more systems called command and control (C&C) servers or motherships. [T/F]
True
A drive-by download occurs when a user visits a web page and a download occurs without the user knowing it, or when the user knows it but does not understand the effects of the download. [T/F]
True
The Federal Sentencing Guidelines provide punishment guidelines to help _______________ judges interpret computer crime laws.
Federal
Which are possible threats to business continuity: Flood Fire Lack of Mountain Dew in the soda machine Power Outage Cyber attack
Flood Fire Power Outage Cyber attack
A _______________ network in a wireless network system allows visitors to connect to the Internet while not allowing them to access corporate computing resources.
Guest
The activity taken to make a system as safe as possible is called _______________.
Hardening
A firewall helps protect an organization's network from unwanted traffic. [T/F]
True
A message digest is generated from a mathematical function and is created to ensure the message contents have not changed. [T/F]
True
An "International Domain Name Homograph Attack" uses similar looking characters, possibly from different international character sets, to convince a user to click on a link with what appears to be a legitimate domain name. [T/F]
True
Assumptions and trust underlie confidentiality mechanisms. [T/F]
True
Backups need to be tested occasionally to ensure that they are backing up the correct data and that the files can be restored. [T/F]
True
Principle of Least Common Mechanism
Mechanisms used to access resources should not be shared.
Which of the following are protected under the Digital Millennium Copyright Act? Works that are never published Musical works Pictorial, graphical and sculptural works Dramatic works
Musical works Pictorial, graphical and sculptural works Dramatic works
Systems should be customized based on their purpose and should only serve one need. [T/F]
True
The heart of any security system is people. [T/F]
True
The three security services—confidentiality, integrity, and availability—counter threats to the security of a system. [T/F]
True
The use of a public key system provides a way to block repudiation of origin. [T/F]
True
The word "cryptography" comes from two Greek words meaning "secret writing". [T/F]
True
Trust cannot be quantified precisely. [T/F]
True
When hardening a system, you should change system defaults and disable built-in accounts. [T/F]
True
In order to get a patent, the invention must be: Marketable Useful New Non Obvious
Useful New Non Obvious
Table-top exercise
Usually occurs in a conference room with the ream poring over the plan, looking for gaps and ensuring that all business units are represented therein
VPN stands for: Virtual Private Network Virtual Public Network Very Private Network Virulent Persistent Nuisance
Virtual Private Network
Stealth virus
Viruses that conceal the infection of files
The White Team is made up of all-knowing, neutral, third-party individuals who set the rules of engagement, organizes teams, makes plans and monitors progress. [T/F]
T
The first step to deal with an information security breach is to already have a communication plan in place. [T/F]
T
The primary goal of a Purple Team is to maximize the results of Red Team engagements and improve Blue Team capability. [T/F]
T
The specific failure of the security controls of a system or software is called a vulnerability or security flaw. [T/F]
T
Threats to a business can come from both external threats as well as from inside threats. [T/F]
T
Unlike other testing and verification technologies, a penetration test examines procedural and operational controls as well as technological controls. [T/F]
T
While you can have data protection without data privacy, you cannot have data privacy without data protection. [T/F]
T
Words, slogans and logos used to identify a company and its products or services are examples of items that can be trademarked. [T/F]
T
You can protect items by using the ™ symbol without registering the trademark with the government. [T/F]
T
You crisis communication plan should indicate who is going to prepare and present the information to the media/public. [T/F]
T
You should monitor media and social media so that you can rapidly address any misinformation that surfaces. [T/F]
T
You should do the following during a crisis communication: Take responsibility. Apologize for the inconvenience Be sincere. Make excuses.
Take responsibility. Apologize for the inconvenience Be sincere.
Which of the following are ways to avoid social engineering attacks? Require all visitor to show a government issued ID Locking the company front door Testing your users Training your users Separation of duties
Testing your users Training your users Separation of duties
Peer code review
The action of consciously and systematically convening with one's fellow programmers to check each other's code for mistakes
Black Box Testing
The attacker had no knowledge of the system being tested
White Box Testing
The attacker has full knowledge of the system being tested
Grey Box Testing
The attacker has some knowledge of the system being tested
Defender's Dilemma
The defenders must get it right every time, the attackers only need to get it right once.
Code Signing
The process of digitally signing executables and scripts to confirm the software author and guarantee that the code had not been altered or corrupted since it was signed.
What is the number one concern of the Disaster Recovery Plan? Ensuring that customers are not aware that a disaster has occurred. The safety and health of people. Maintaining company profits. Returning to the original computing location as quickly as possible.
The safety and health of people.
Cryptanalysis
The science of breaking codes
Principle of Open Design
The security of a mechanism should not depend on the secrecy of its design or implementation
Snooping/Eavesdropping
The unauthorized interception of information
Recovery _______________ Objective is the acceptable amount of time to restore the function.
Time
Bots
Malware that carries out some action in coordination with other bots.
Ransomware
Malware that inhibits the use of resources until a money is paid
Goals of security include: Recovery Retaliation Prevention Detection
Recovery Prevention Detection
Smishing
A social engineering approach that exploits SMS, or text, messages.
Number the steps in the Asset lifecycle: Planning Acquiring Deploying Managing Retiring
1 2 3 4 5
Put the steps for developing a business continuity plan in the proper order: Identify the scope of the plan. Identify key business areas. Identify critical functions. Identify dependencies between various business areas and functions. Determine acceptable downtime for each critical function. Create a plan to maintain operations.
1 2 3 4 5 6
Vishing
A social engineering approach that leverages voice communication
The Children's Online Privacy Protection Act (COPPA) protects children under the age of ________________.
13
Which of the following are valid key lengths for the Advanced Encrypt Standard (AES) cipher? 256 128 192 64 512
256 128 192
Works by one or more authors are protected until _______________ years after the death of the last surviving author.
70
An actual security violation that results from a threat is called an: Breach Hack Attack Denial of Service
Attack
Table-top exercise
A structured walk through where a simulated disaster is discussed and each team present discusses their responsibilities and actions they would take if this were an actual emergency
Adware
A Trojan horse that gathers information for marketing purposes and displays advertisements
Spyware
A Trojan horse that records information about the use of a computer, usually resulting in confidential information such as keystrokes, passwords, credit card numbers, and visits to websites
Onetime pad
A cipher that has a key that is at least as long as the message and is chosen at random, so it does not repeat
Digital signature
A construct that authenticates both the origin and contents of a message in a manner that is provable to a disinterested third party
Parallel environments test
A disaster recovery operations is "stood up" and tested, but none of the primary operations are impacted
Denial of Receipt
A false denial that an entity received some information or message
Repudiation of Origin
A false denial that an entity sent (or created) something
Denial of Service
A long term inhibition of service
Cyphertext
A message after it has been encrypted
Mobile Site
A portable site that can be driven and used anywhere
Rabbit / Bacteria
A program that absorbs all of some class of resource
Logic Bomb
A program that performs an action that violates the security policy when some external event occurs
Trojan Horse / Propagating Trojan Horses
A program with an overt (documented or known) purpose and a covert (undocumented or unexpected) purpose.
In public key encryption: A public key is create which is published for everyone to see. Assigns each entity a pair of keys A private key is created by each entity and must be kept secret. One encryption key is shared by all entities in a system.
A public key is create which is published for everyone to see. Assigns each entity a pair of keys A private key is created by each entity and must be kept secret.
Cold Site
A recovery site that is ready in days or weeks. Contract are in place for the use of the facility, but no systems, networking, telecom, data or software is installed and ready to go.
Hot/Mirror Site
A recovery site that is ready in minutes. It maintains up to data system, configurations and data and systems are on and ready
Warm Site
A recovery system that is ready in hours or days. Systems are ready, but dont have current configurations or data and are not turned on
Rootkit
A rootkit is a pernicious (subtle/hidden) Trojan horse. It hides itself on a system so it can carry out its actions without detection.
Cipher
A secret or disguised way of writing code
Decryption key
A short bit string used to decrypt a message
Encryption key
A short bit string used to encrypt a message
Cryptography is a fundamental tool in security because encryption can guarantee: Data Integrity Protection from replay attacks Message Authenticity Data Confidentiality/Privacy
ALL
Motives for cyber security attacks include: Challenge Infamy Subversion Hacktivism Revenge Cash
ALL
Which of the following are best practice when hardening a system: Keep your operating system and applications up to date, especially security patches. Lock accounts after too many login failures. Physically secure the system. Minimize open network ports
ALL
Which of the following are motives for cyber attacks? Infamy Revenge Subversion Hacktivism Challenge Cash/Money
ALL
Which of the following are principles of secure design? Threat Modeling Principle of Fail Safe Input Validation Hashed Credentials/Secrets
ALL
Which of the following are types of disaster recovery tests: Table top exercises Fail Back Fall fail over partial fail over parallel environment
ALL
Which of the following are ways of encrypting files on disk? Whole disk encryption Gnu Privacy Guard [GPG] Pretty Good Privacy [PGP] Whole volume/partition encryption
ALL
Which of the following is a valid term for, "Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences." Maximum Tolerable Downtime (MTD) Maximum Tolerable Outage (MTO) Maximum RTO Maximum Allowable Outage (MAO) Maximum Tolerable Period of Disruption (MTPoD)
ALL
Which of the following user classifications are common in a corporate environment: Developers Outsiders Executives Employees
ALL
Failover
Act of switching to an alternative computing facility
Failback
Acting of switching back to the original, recovered computing facility
Principle of Complete Mediation
All accesses to objects be checked to ensure that they are allowed
Full fail over test
All components of the disaster recovery plan are "stood up" in a DR environment and those components are switched over temporarily to cover for the primary systems in order to test
Broken Authentication
Allows a cybercriminal to steal a user's login data, or forge session data, such as cookies, to gain unauthorized access to websites.
Reciprocal Agreement/Mutual Aid
An agreement with another company, or another branch of the same company to share each other's data center in the event of a disaster
Phishing
An attack that uses email or malicious websites to solicit personal information by posing as a trustworthy organization
Injection
An attacker's attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter
Plaintext
An original message before it has ben encrypted
Modification/Alteration
An unauthorized change of information
Personally Identifiable Information (PII)
Any data that could potentially be used to identify a particular person
A/An _______________ is a sequence of actions that create a violation of a security policy. Attack Exfiltration Hack Breach
Attack
The acronym CSIRT stands for: Computer Security Incident Response Team Computer Security Information Recovery Team Computer Secrecy Information Reference Trust Confidentiality Security Integrity Response Team
Computer Security Incident Response Team
Which of the following data/system classifications are common in a government environment: For Your Eyes Only Confidential Top Secret Secret Unclassified
Confidential Top Secret Secret Unclassified
A military security policy (also called a governmental security policy) is a security policy developed primarily to provide: Integrity Availability Confidentiality
Confidentiality
One access control mechanism for preserving _______________ is cryptography, which transforms data to make it incomprehensible.
Confidentiality
The components of the CIA triad are: Confidentiality, International, Availability Confidentiality, Integrity, Assessability Confidentiality, Integrity, Availability Correctness, Integrity, Availability
Confidentiality Integrity Availability
A database server which stores company data belongs on which network segment: Internal DMZ Corporate Data
Corporate Data
CRUD
Create, Read, Update, Delete
Implementation
Creates a system that satisfies that design
Disaster simulation testing
Creates an environment that imitates an actual disaster, with all the equipment, supplies and personnel who would be needed [including business partners and vendors]
A database server which customer data belongs on which network segment: Customer Data Internal Corporate Data
Customer Data
Dynamic analysis involves no execution of the software under test and can detect possible defects in an early stage, before running the program. [T/F]
F
A mail server belongs on which network segment: Internal DMZ Development
DMZ
A web server belongs on which network segment: Internal DMZ Corporate Data
DMZ
A _______________ Broker is a businesses that specialize in creating in depth profiles of individuals for advertisers. This can include a person's sexuality, browsing history, political affiliation and medical records.
Data
Anonymization
De-identifes a person and destroys and way of identifying the data subject. It is irreversible
Some of the Blue Teams responsibilities include: Web App Scanning Defensive Security Infrastructure Protection Incident Response
Defensive Security Infrastructure Protection Incident Response
DMZ stands for: Don't Mess Zone Demilitarized Zone Domestic Martial Zone Drop Military Zone
Demilitarized Zone
Which of the follow are good perimeter defenses employed in a defense in depth strategy? Denial of Service Prevention Fences Firewalls Network Address Translation
Denial of Service Prevention Firewalls Network Address Translation
A developer web server belongs on which network segment: Internal Development DMZ
Development
Digital Forensics
Digital forensics is the science of identifying and analyzing entities, states, and state transitions of events that have occurred or are occurring.
DAST
Dynamic Analysis Software Testing
Structured walk-through
Each team member goes over his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind
CERT - Computer _______________ Response Team
Emergency
A business impact analysis is nice to have, but not required, during business continuity planning. [T/F]
F
A penetration test is an unauthorized attempt to violate specific constraints stated in the form of a security or integrity policy. [T/F]
F
Analysis of a policy model usually discusses particular policies. [T/F]
F
Copyright law protects both software code and software design. [T/F]
F
Disaster Recovery Plans do not need to be maintained and updated. Once created, it is good forever. [T/F]
F
Formal verification and property-based testing are techniques for detecting vulnerabilities. Both are based on the design and/or implementation of the computer system. However, the computer system includes policies, procedures, and an operating environment. These later factors are very easy to express in a formal verification model or in property-based testing. [T/F]
F
Ideas and processes that go into the making of software products can be protected by copyright. [T/F]
F
It is acceptable not to train employees regarding the crisis communication plan because those responsible will instinctively know what to do when the time comes. [T/F]
F
It is acceptable to share speculation with the public and the media during a crisis if that speculation looks plausible. [T/F]
F
It is acceptable to use technical jargon when communicating to the public or media during a crisis. It is their job to look up what they don't know and it more accurately conveys your situation. [T/F]
F
It will be obvious what needs to be done during a disaster, so awareness and staff training is not really important. [T/F]
F
Misconfiguration is a mistake, not a threat. [T/F]
F
Offensive capability is part of a defense in depth strategy. [T/F]
F
Organizations that keeping sensitive data secure from hackers are automatically compliant with data privacy regulations. [T/F]
F
Patents are renewable. [T/F]
F
Risk avoidance is a critical element in the disaster recovery process. [T/F]
F
Runbooks must be only in physical form because the electronic versions won't be accessible in case of emergency so there's no reason to create and maintain them. [T/F]
F
Secure by design, in software engineering, means that the software has been designed without security and it has been added afterwards as part of the testing and debugging phase. [T/F]
F
Security policies are always highly mathematical in nature. [T/F]
F
The Disaster Recovery Plan will provide an effective solution that can be used to recover all business processes within the required time frame. [T/F]
F
The role of trust is not crucial to understanding the nature of computer security. [T/F]
F
There are global standards for what constitutes data privacy. It does not vary widely from location to location and from legislation to legislation. [T/F]
F
With the rise of the data economy, companies are finding less value in collecting, sharing and using data. [T/F]
F
Security Misconfiguration
Failing to implement all the security controls for a server or web application, or implementing the security controls, but doing so with errors
Broken Access Control
Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business functions outside of the limits of the user
A DMZ web server has a policy very similar to that of a development system. [T/F]
False
A hash algorithm takes data and converts it to a unique numerical value in a way that makes it easy to recover back the original text. [T/F]
False
A security violation must actually occur for there to be a threat. [T/F]
False
A terminate and stay resident (TSR) virus becomes inactive (non-resident) in memory after the application, bootstrapping, or macro interpretation has terminated. [T/F]
False
DMZ servers typically have a dynamic private IP address and are usually mapped for outbound traffic using Port Address Translation (PAT) [T/F]
False
Detection mechanisms try to prevent violations of integrity. [T/F]
False
Firewalls should be configured to allow all traffic unless specifically denied. [T/F]
False
Inside servers typically have a fixed public IP address, or are mapped to a public address using Network Address Translation. [T/F]
False
HIPPA stands for the _______________ Insurance Portability and Accountability Act.
Health
Masquerading/Spoofing
Impersonation of one entity by another
A commercial security policy is a security policy developed primarily to provide: Integrity Availability Confidentiality
Integrity
Evaluating ___________ is often very difficult, because it relies on assumptions about the source of the data and about trust in that source
Integrity
A security policy considers all relevant aspects of which of the following: Readiness Integrity Availability Confidentiality
Integrity Availability Confidentiality
Public-key cryptography/asymmetric cryptography
Is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner.
Containment
Limiting the objects accessible to a given process run by the user is an obvious protection technique.
When you step away from your computer you should always: Lock your screen Logout Look around to make sure nobody can jump in your seat
Lock your screen Logout
Malicious logic, more commonly called _______________, is a set of instructions that cause a site's security policy to be violated.
Malware
Which of the following are important to have in the Incident Response Plan: Network Diagrams Names and contact information for the local incident response team Procedures for reporting and handling a suspected incident Data flow diagrams System hardware inventory
Network Diagrams Names and contact information for the local incident response team Procedures for reporting and handling a suspected incident Data flow diagrams System hardware inventory
Insufficient logging & monitoring
Not enough audit data and real time data to interpret the state of security of a system
Drive-by-download
Occurs when a user visits a web page and a download occurs without the user knowing it, or when the user knows it but does not understand the effects of the download.
Sensitive Data Exposure
Occurs when an application or program, like a smartphone app or a browser, does not adequately protect information such as passwords, payment info, or health data
COPPA stands for the Children's _______________ Privacy and Protection Act.
Online
OWASP stands for Open Application Project.
Open Web Application Security Project
Integrity includes: Origin Integrity - Authentication Data Integrity - Content of the Information Type Integrity - Type of Data
Origin Integrity - Authentication Data Integrity - Content of the Information
Which of the follow are good policies, procedures and awareness techniques employed in a defense in depth strategy? Password Strength Rules Acceptable Use Policy Data Classification Code Reviews Security Assurance
Password Strength Rules Acceptable Use Policy Data Classification Code Reviews Security Assurance
A _______________ protects the intellectual property rights of an inventor.
Patent
If you want official recognition of your trademark, you can register it with the U.S. _______________ and Trademark Office (USPTO).
Patent
Botnets can be organized in the following ways: Peer-to-Peer Parent-Child Centralized Very High Latency Random Approach
Peer-to-Peer Centralized Very High Latency Random Approach
A typical _______________ attack requires that the attackers create a web site displaying a page that looks like it belongs to a bank. Thus, when victims visit the web site, they will believe they are at the bank's web site and not the false one.
Phishing
Recovery _______________ Objective is the acceptable latency of data that will not be recovered.
Point
_______________ is at the heart of every decision involving security.
Policy
In formal verification, after the analysis, the tester will have information aboutthe resulting state of the system that can be compared with the site security policy. This is called the _______________. Precondition test result post condition
Post Condition
In formal verification, the state in which the vulnerability will arise is called a/an: Co-Condition Postcondition Precondition
Precondition
Which of the following are phases of intrusion handling? Preparation Follow-up Identification Recovery Containment Eradication Retaliation
Preparation Follow-up Identification Recovery Containment Eradication
Which are considered classes of Integrity mechanisms: Prevention Recovery Detection
Prevention Detection
Worms
Program that copies itself from one computer to another.
DPR stands for the General Data _______________ Regulation.
Protection
Data security
Protects data from compromise by external attackers and malicious insiders
Which of the following data/system classifications are common in a corporate environment: Public Confidential Private Executive Legal Sensitive
Public Confidential Private Sensitive
The Lessons Learned stage of Incident Response is often skipped as the business moves back into normal operations but it's critical to look back and heed the lessons learned.
T
Which of the following are among the key provisions of GDPR: Purpose limitation Integrity and confidentiality (security) Accountability Storage limitation Data minimization Lawfulness, fairness and transparency Accuracy Business stockholder value
Purpose limitation Integrity and confidentiality (security) Accountability Storage limitation Data minimization Lawfulness, fairness and transparency Accuracy
Transposition cipher
Rearranges the characters in the plaintext to form the ciphertext. The letters are not changed
Which of the follow plays the part of the "attacker" during a penetration test? red blue green
Red Team
Practical data privacy concerns often revolve around: How data is legally collected or stored. Business profit. Regulatory restrictions. Whether or how data is shared with third parties.
Regulatory restrictions. Whether or how data is shared with third parties. How data is legally collected or stored.
Sandboxing
Running code in an isolated "safe" environment to test its behaviors.
Critical information assets can include: Scientific research Internal manufacturing processes Schematics Company location addresses Customer sales information Corporate financial data Human resource information Proprietary software Patents/Copyrights
Scientific research Internal manufacturing processes Schematics Customer sales information Corporate financial data Human resource information Proprietary software Patents/Copyrights
Wiping files means ... Securely deleting file data by overwriting with zeros, ones and/or other random characters. The normal way an operating system deletes a file. Cleaning a dirty DVD disk so you can read the data on it.
Securely deleting file data by overwriting with zeros, ones and/or other random characters.
A _______________ policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
Security
The Computer Security Act of 1987 mandated baseline _______________ requirements for all federal agencies.
Security
Principle of Economy of Mechanism
Security mechanism should be as simple as possible
Principle of Least Astonishment
Security mechanisms should be designed so that users understand the reason that the mechanism works the way it does and that using the mechanism is simple.
Principle of Psychological Acceptability
Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present
Firewalls
Separate the Internet, the DMZ, and the internal network.
Which of the following are important to include in a Disaster Recovery Plan? Server team and responsibilities Scope of systems, networks and applications that are covered under the plan External contacts Public relations team and responsibilities Anti-virus/Anti-Malware Data, backups and retention policies and procedures
Server team and responsibilities Scope of systems, networks and applications that are covered under the plan External contacts Public relations team and responsibilities Data, backups and retention policies and procedures
_______________ is when an attacker watches the target enter their password.
Shoulder Surfing
Some of the Red Teams responsibilities include: Social Engineering Black Box Testing Defensive Security Ethical Hacking
Social Engineering Black Box Testing Ethical Hacking
SDLC stands for:
Software Development Life Cycle
Secure by Design
Software has been designed from the foundation to be secure
Partial fail over test
Some components of the disaster recovery plan are "stood up" in a DR environment and those components are switched over temporarily to cover for the primary systems in order to test
Which of the following are typically considered as parts of multi-factor authentication? Something someone tells you; Something you guess; Something you know Something you know; Something you have; Something you are Something you are wearing; Something you see; Something you hear
Something you know; Something you have; Something you are
Which of the following are protected under the Digital Millennium Copyright Act? Sound recordings Motion pictures and other audiovisual works Literary works Inventions of new technology
Sound recordings Motion pictures and other audiovisual works Literary works
Like adware, _______________ gathers information about a user, system, or other entity and transmits it or stores it for later retrieval. Unlike adware, its presence is supposed to be invisible to the user and system, so its function is truly covert.
Spyware
_______________ code analysis can be done by a machine to automatically "walk through" the source code and detect noncomplying rules.
Static
_______________ code analysis involves no dynamic execution of the software under test and can detect possible defects in an early stage, before running the program.
Static
SAST
Static Analysis Software Testing
Pseudonymization
Substitutes the identity of the data subject, meaning you need additional information to re-identify the data subject. It is reversible
A good data backup strategy, which includes testing backups for integrity, are a critical part of any disaster recovery plan. [T/F]
T
A penetration study is a test for evaluating the strengths of all security controls on the computer system. [T/F]
T
A security mechanism is an entity or procedure that enforces some part of the security policy. [T/F]
T
A security policy defines "secure" for a system or a set of systems. [T/F]
T
A vulnerability analysis is an important part of a threat/risk assessment. [T/F]
T
All risks identified during a threat/risk assessment must be safeguarded against. [T/F]
T
At the end of the patent exclusivity period, the invention is in the public domain available for anyone to use. [T/F]
T
Contractual software license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each. [T/F]
T
Copyright protection is indicated by the © symbol. [T/F]
T
Dynamic program analysis tools may require loading of special libraries or even recompilation of program code. [T/F]
T
Employees should be regularly trained on data protection so they understand the processes and procedures necessary to ensure proper collection, sharing, and use of sensitive data. [T/F]
T
If there is a fire at a business location, a valid business continuity strategy could include employees telecommuting until the location is one again usable. [T/F]
T
If users and system administrators are not aware of incident response procedures, response will be delayed and evidence can be corrupted or lost, greatly increasing the potential impact of an incident. [T/F]
T
In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. [T/F]
T
In order to receive protection under the law, trade secrets must be protected with reasonable privacy and security controls. [T/F]
T
In theory, formal verification can prove the absence of vulnerabilities. [T/F]
T
It is critical to have a written Memorandum of Agreement (MOA)/Memorandum of Understanding (MOU) in a Reciprocal Agreement/Mutual Aid disaster recovery situation. [T/F]
T
Peer code reviews not only help to find mistakes, but it has also been repeatedly shown to accelerate and streamline the process of software development like few other practices can. [T/F]
T
Penetration testing is a testing technique, not a proof technique. [T/F]
T
Policies, procedures and awareness are part of a defense in depth strategy. [T/F]
T
Rules of engagement state what the goals of the test are, what the testers are, and are not, allowed to do, and when a test end. [T/F]
T
Table top exercises are a good way to test and train for the crisis communication plan. [T/F]
T
Testing, Operations and Maintenance are all important phases of the Software Development Life Cycle. [T/F]
T
The Computer Fraud and Abuse Act of 1984 is still in force today (with amendments). [T/F]
T
The Digital Millennium Copyright Act guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. [T/F]
T
The Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event that a disaster occurs. [T/F]
T
The Disaster Recovery Plan is focused on the recovery of IT assets. [T/F]
T
DMZ servers typically have a fixed public IP address (or are mapped to one using Network Address Translation (NAT)). [T/F]
True
Digital forensics is the science of identifying and analyzing entities, states, and state transitions of events that have occurred or are occurring. [T/F]
True
Firewalls should separate the Internet, the DMZ, and the internal network. [T/F]
True
Identifying your assets is not easy. [T/F]
True
If group "developers" can read and write the contents of a directory, and user "A" is a member of the developers group, then user A can read and write the contents in that directory. [T/F]
True
Insider servers typically have a dynamic private IP address and are usually mapped for outbound traffic using Port Address Translation (PAT) [T/F]
True
Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. [T/F]
True
It is considered best practice to maintain and review logs of all system activity, including user actions. [T/F]
True
Laws can restrict the availability and use of technology and affect procedural controls.
True
Longer passwords are harder to crack and therefore strong and better to use. [T/F]
True
Many such antivirus programs exist for personal computers, but because each agent must look for particular characteristics or behaviors of virus or set of viruses, they cannot detect viruses with only characteristics or behaviors that have not yet been analyzed. [T/F]
True
One of the goals of computer viruses is to remain undiscovered until executed, and possibly even after that. [T/F]
True
Revealing a public key is safe because the functions used for encryption and decryption have a one way property. That is, telling someone the public key does not allow the person to forge a message that is encrypted with the private key. [T/F]
True
Society distinguishes between legal and acceptable practices. [T/F]
True
Sometimes a Cost-Benefit analysis will determine that it's not worth protecting an asset. [T/F]
True
Spearphishing is a phishing attack tailored for a particular victim. [T/F]
True
Symmetric cryptosystems (also called single key or secret key cryptosystems) are cryptosystems that use the same key for encoding and decoding of messages. [T/F]
True
Computer Virus
When the Trojan horse can propagate freely and insert a copy of itself into another file, it becomes a computer virus.
Using Components with known vulnerabilities
When your OS, web/application server, database management system [DBMS] applications, APIs and all components, runtime environments, and libraries are not secure.
The _______________ Trust Model is a security concept centered on the belief that organizations should not automatically trust anything and instead must verify anything and everything trying to connect to its systems before granting access.
Zero
A _______________ of security occurs when a system enters an unauthorized state. intrusion hack violation breach
breach
The idea behind in is to manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach.
defense in depth
Using a security vulnerability to violate the site security policy is called a/an _______________.
exploit
The Federal Information Security Management Act of 2002 requires that federal agencies implement an _______________ _______________ program that covers their operations.
information security
A digital _______________ is a construct that authenticates both the origin and contents of a message in a manner that is provable.
signature
