MIDTERM
A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes __________.
All of the above
Management of classified data includes its storage and _________.
All of the above
Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?
All of the above
The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
All of these are BIA stages
__________ law comprises a wide variety of laws that govern a nation or state.
Civil
The National Information Infrastructure Protection Act of 1996 modified which act?
Computer Fraud and Abuse Act
The Council of Europe adopted the Convention of Cybercrime in 2001 to oversee a range of security functions associated with __________ activities.
Internet
The service within Kerberos that generates and issues session keys is known as __________.
KDC
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
__________ has become a widely accepted evaluation standard for training and education related to the security of information systems.
NSTISSI No. 4011
_________ controls address personnel security, physical security, and the protection of production inputs and outputs.
Operational
In SESAME, the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server as proof of identity to gain a(n) __________.
PAC
__________ and TACACS are systems that authenticate the credentials of users who are trying to access an organization's network via a dial-up connection.
RADIUS
The ____________________ data file contains the hashed representation of the user's password.
SAM
________ often function as standards or procedures to be used when configuring or maintaining systems.
SysSPs
When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
____________________ are malware programs that hide their true nature and reveal their designed behavior only when activated.
Trojan horses
A(n) __________ is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
VPN
A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
data classification scheme
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
de jure
The proxy server is often placed in an unsecured area of the network or is placed in the __________ zone.
demilitarized
A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
distributed denial-of-service
Security __________ are the areas of trust within which users can freely communicate.
domains
Some people search trash and recycling bins, a practice known as _________, to retrieve information that could embarrass a company or compromise information security.
dumpster diving
A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event.
dynamic
A short-term interruption in electrical power availability is known as a ____.
fault
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
hoaxes
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as __________.
mean time between failure (MTBF)
Hackers can be generalized into two skill groups: expert and ____________________.
novice
The __________ is the difference between an organization's observed and desired performance.
performance gap
A _________ assigns a status level to employees to designate the maximum level of classified data they may access.
security clearance scheme
The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations.
transference
Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
trespass
The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.
vulnerabilities
A type of SDLC in which each phase has results that flow into the next phase is called the __________ model.
waterfall
In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.
weighted factor analysis