AIT Quiz 2

A security role is

the part an individual plays in the overall scheme of security implementation and administration within an organization

Security governance is the set of practices related to

to supporting, defining, and directing the security efforts of an organization * related to corporate and IT governance

How to handle risk? Once the risk analysis is complete, management must address each specific risk in of the these four possible ways

-Reduce/mitigate Implementing of safeguards -Assign or transfer Outsourcing, purchasing insurance -Accept Written/signed decision from senior management - Reject Ignoring risk is unethical and invalidates due care

Database transactions must have four characteristics

1. Atomicity 2. Consistency 3. Isolation 4. Durability (Acid Model)

Understanding the terms of cost benefit analysis

1. Calculate Annual Cost of Safeguard (ACS) Numerous factors are involved in calculating the value of a safeguard Cost of purchase, cost of maintenance, etc. 2. Calculate post safeguard ALE The value of ARO and ALE changes when a safeguard is applied 3. Cost/benefit equation (ALE before safeguard - ALE after safeguard) - ACS If the result is negative, the safeguard is not a financially viable choice If the result is positive, then that value is the annual savings the organization can gain by deploying the safeguard 4. Select a countermeasure Not just about cost and benefits Issues of legal responsibility and prudent due care must be considered

What are the two types of NATS?

1. Dynamic 2. Static

Steps of Quantitative risk analysis?

1. Inventory assets, and assign value (AV) 2. For each asset, list all possible threats For each asset and threat pair, calculate EF and SLE 3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (ARO) 4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE) 5. Inventory countermeasures for each threat For each countermeasure, calculate the changes to ARO and ALE based on applying that countermeasure 6. Perform cost/benefit analysis, and select the most appropriate response to each threat for each asset

What is an inference attack?

An inference attack is an attack that combines several pieces of non-sensitive information to gain access to information that should be classified at a higher level of sensitivity.

What is a Strategic Plan?

A strategic plan is a long-term plan that is fairly stable It defines the organization's mission, long-term goals, and vision for the future It is useful for about five years if it is maintained and updated annually

What is a Tactical Plan?

A tactical plan is a midterm plan providing more details on accomplishing the goals set forth in the strategic plan A tactical plan is typically useful for about a year Examples: acquisition plans, and hiring plans

What is a VPN?

A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication information and data traffic over an intermediary untrusted network

Within a security policy, several issues must be addressed

Acceptable use policies for email Define what activities can and cannot be performed over an organization's email infrastructure Access control & Privacy Users should have access only to their inbox, and no other user can gain access to an individual's email Email management The mechanisms and processes used to implement, maintain, and administer email Email backup and retention policies Define how and for how long email messages are retained

What are agents?

Agents (aka bots) are intelligent code objects performing actions on behalf of a user Agents typically take initial instructions from the user and then carry on their activity in an unattended manner For instance, a web bot crawls websites to retrieve data on behalf of the user

What is atomicity of the ACID model?

All or none of the instructions in a transaction must be executed If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred

Once the employee has been informed of their release, they should be escorted off the premises and not allowed to return to their work area without an escort

All organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected An employee's system access should be disabled or removed

What is consistency of the ACID model?

All transactions must begin operating in an environment that is consistent with all of the database's rules For example, all records have a unique primary key When the transaction is complete, the database must again be consistent with the rules, regardless of whether those rules were violated during the processing of the transaction itself No other transaction should ever be able to utilize any inconsistent data that might be generated during the execution of another transaction

What are the security roles and responsibilities of a Auditor?

An auditor is responsible for testing and verifying that the security policy is properly implemented and the security solutions are adequate The auditor produces compliance and effectiveness reports that are reviewed by the senior manager

What is Operational Plan?

An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans It is valid or useful only for a short time and must be updated often to retain compliance with tactical plans Examples: resource allotments, staffing assignments, and scheduling

Which of the following protocols are used by email clients to retrieve email messages from an email server? Check all that apply. a) Post Office Protocol version 3 (POP3) b) Simple Mail Transfer Protocol (SMTP) c) Internet Message Access Protocol (IMAP)

Answer A and C

Which of the following statements about Network Address Translation (NAT) are correct? Check all that apply a) NAT is a mechanism for converting internal IP addresses in a private network into public IP addresses for transmission over the Internet b) When a packet is received from a client, NAT changes the source address to the NAT's address c) Dynamic NAT permanently assigns a specific external IP address to an internal host d) Stateful NAT operates by maintaining a mapping between requests made by internal clients, a client's internal IP address, and the IP address of the Internet service contacted

Answer A, B , D

Which one of the following types of documents provides a step-by-step description of the actions necessary to implement specific security solutions? a) Security policy b) Standards c) Baselines d) Guidelines e) Procedures

Answer: E

What are applets?

Applets are code objects sent from a server to a client to perform some action Self-contained programs that execute independently of the server Security concern: remote system sending code to the local system for execution Two common types Java applets - Platform-independent The sandbox mechanism isolates Java code objects from the rest of the operating system by enforcing strict rules about the resources those objects can access ActiveX controls - Microsoft No sandbox mechanism: administrators must limit sites these controls can be used with

What is Security Awareness Training

Awareness Establishes a common baseline or foundation of security understanding across the entire organization Applies to all organizational personnel Training Teaches employees to perform their work tasks and to comply with the security policy, standards, guidelines, and procedures Education General, broad security information Employees learn more than they actually need to know to perform their work tasks Awareness and training are often provided in-house

What is the difference between Circuit & Packet switching?

Circuit Switching: - Constant Traffic - Fixed known delays - Connection Orientated - Used primarily for voice - Sensitive to connection loss Packet Switching: - Bursty traffic - Variable delays - Connectionless - Sensitive to data loss - Used for any type of traffic

The email infrastructure employed on the Internet also includes email clients

Clients retrieve email from their server-based inboxes using Post Office Protocol version 3 (POP3) Internet Message Access Protocol (IMAP)

What are the different security modes in security control architecture?

Compartmented security mode Systems may process two or more types of compartmented information Dedicated security mode Systems are authorized to process only a specific classification level at a time Multilevel security mode Systems are authorized to process information at more than one security level even when not all users have clearance for all information processed by the system System-high security mode System are authorized to process only information that all users are cleared for

Once data is transferred over a network connection, the process of securing it becomes much more difficult

Data becomes vulnerable to a number of threats to its CIA properties

What is Durability of the ACID model?

Database transactions must be durable Once they are committed to the database, they must be preserved Databases ensure durability through the use of backup mechanisms, such as transaction logs

Packet Switching Characteristics?

Each segment of data has its own header that contains source and destination information The header is read by each intermediary system and is used to route each packet to its intended destination Each packet takes the best path currently available across the network Each channel or communication path is reserved for use only while a packet is actually being transmitted over it As soon as the packet is sent, the channel is made available for other communications

What is white box testing?

Examines the internal logical structures of a program and steps through the code line by line, analyzing the program for potential errors

What is black box testing?

Examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output Black-box testers do not have access to the internal code

What are the different cost functions?

Exposure Factor (EF) or loss potential The percentage of loss that an organization would experience if a specific asset were violated by a realized risk In most cases, a realized risk does not result in the total loss of an asset Single Loss Expectancy (SLE) The cost associated with a single realized risk against a specific asset SLE = Asset Value * EF Example: if AV = $200,000 and EF = 45%, then SLE = $90,000 Annualized Rate of Occurrence (ARO) The expected frequency with which a specific threat or risk will occur Annualized Loss Expectancy (ALE) The possible yearly cost of all instances of a specific realized threat against a specific asset ALE = SLE * ARO

Security is a continuous process

For a security plan to be effective, it must be continuously maintained

What is Dynamic NAT?

Grants multiple internal clients access to a few leased public IP addresses A large internal network can still access the Internet without having to lease a large block of public IP addresses In a dynamic mode NAT implementation, the NAT system maintains a database of mappings so that all response traffic from Internet services is properly routed to the original internal requesting client Not always compatible with VPN protocols, like IPSec

What is gray box testing?

Gray-box testing combines the two approaches Testers approach the software from a user perspective They have access to the source code and use it to help design their tests They do not analyze the inner workings of the program

NAT is used for

Hiding the identity of internal clients Masking the design of a private network Keeping public IP address leasing costs to a minimum NAT offers the capability to connect an entire network to the Internet using only a single (or just a few) leased public IP addresses

What is Circuit Switching?

In circuit switching, a dedicated physical pathway is created between the two communicating parties

Email is one of the most widely and commonly used

Internet Services

System components will eventually fail when used in unexpected ways What are 3 ways to avoid system failures?

Limit checks Techniques for managing data types, data formats, and data length when accepting input from a user or another application Ensure that data does not fall outside the range of allowable values Fail-Secure Puts the system into a high level of security (and possibly even disables it entirely) until an administrator can diagnose the problem and restore the system to normal operation Fail-Open Allows users to bypass failed security controls, erring on the side of permissiveness

In addition to employment agreements, there may be other security-related documentation that must be addressed (Employee agreements when hired)

Nondisclosure Agreement (NDA) Used to protect confidential information within an organization from being disclosed by a former employee Violations of an NDA are often met with strict penalties Noncompete Agreement (NCA) Attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent the second organization from benefiting from the worker's special knowledge

A plan providing a detailed definition of an organization's short-term objectives is called ...

Operational Plan

What is Packet Switching?

Packet switching occurs when the message or communication is broken up into small segments and sent across the intermediary networks to the destination

What is Static NAT?

Permanently assigns a specific external IP address to an internal host Enables external entities to initiate the communication with systems inside the private network, even if it is using RFC 1918 IP addresses

At the hardware and operating system levels, controls should ensure enforcement of basic security principles

Process isolation mechanisms ensure that each process has its own isolated memory space for storage of data and execution of application code Hardware segmentation is a technique that implements process isolation at the hardware level by enforcing memory access constraints Abstraction hides details not necessary to perform certain activities For example, a system developer might need to know that a procedure, when invoked, writes information to disk, but it's not necessary for him to understand the exact format used to store and retrieve data Protection rings provide for several modes of system operation, thereby facilitating secure operation by restricting processes to running in the appropriate security ring

The change control process has three basic components

Request control A framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks Change control Used by developers to recreate the situation encountered by the user and analyze the appropriate changes to remedy the situation, and to create and test solutions prior to rolling them out into a production environment Release control Includes acceptance testing to ensure that any alterations to end user work tasks are understood and functional

What is isolation of the ACID model?

Requires that transactions operate separately from each other If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data This prevents one transaction from working with invalid data generated as an intermediate step by another transaction

The possibility that something could happen to damage, destroy, or disclose data or other resource is known as

Risk

A fundamental part of risk management is

Risk Analysis

An open relay is an

STMP server that does not authenticate senders before accepting and relaying mail Open relays are prime targets for spammers

What is the waterfall model?

Seeks to view the systems development life cycle as a series of iterative activities

Roles and Responsibilities for Security Management Planning?

Senior management is responsible for initiating and defining policies Policies provide direction for the lower levels of the organization's hierarchy Middle management is responsible for fleshing out the security policy into standards, baselines, guidelines, and procedures Operational managers or security professionals must then implement the configurations prescribed in the security management documentation Finally, the end users must comply with all the security policies

The email infrastructure employed on the Internet primarily consists of email servers using

Simple Mail Transfer Protocol (SMTP) to accept messages from clients, transport those messages to other servers, and deposit messages into a user's server-based inbox

What are the security roles and responsibilities of a Data Custodian?

The data custodian is the user who is responsible for implementing the prescribed protection defined by the security policy and senior management The data custodian performs all activities necessary to provide adequate protection for the confidentiality, integrity, and availability of data and to fulfill the requirements and responsibilities delegated from upper management

What are the security roles and responsibilities of a Data Owner

The person who is responsible for classifying information

What is Residual risk?

The risk that remains once countermeasures are implemented Controls gap = Total risk - Residual risk

What is the second step of risk analysis?

The second step consists in considering all possible threats Threats to IT are not limited to IT sources

What are the security roles and responsibilities of a Security Professional/ Information Security Officer?

The security professional is a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management

What are the security roles and responsibilities of a Senior Manager?

The senior manager is the person who is ultimately responsible for the security maintained by an organization The senior manager must sign off on all policy issues, and will be held liable for the overall success or failure of a security solution

What are the security roles and responsibilities of a User, or end user, or operator

The user is any person who has access to the secured system

Risk analysis

Understand risk to allow senior management to make good security decisions about which risks should be mitigated which risks should be transferred which risks should be accepted

Security management is a responsibility of

Upper Management

A software testing methodology where testers examine the internal logical structure of a program, looking for potential errors, is called..

WHITE-BOX TESTING

software development life cycle (SDLC) models

Waterfall model Spiral model Agile Software Development Software Capability Maturity Model (SCMM) IDEAL Model

Once software has been released, users will inevitably request

addition of new features, correction of bugs, and other changes Organizations must have procedures to systematically manage changes

Personally identifiable information (PII) is

any data item that can be easily traced back to an individual Social security numbers Medical information Tax information

A VPN link can be established over

any type of network communication connection

Views are stored in the database as SQL commands rather than

as data tables This dramatically reduces the space requirements of the database On the other hand, retrieving data from a complex view can take significantly longer than retrieving it from a table

What is the first step of risk analysis?

asset valuation The goal is to assign each asset a specific dollar value that encompasses tangible as well as intangible costs

The process of quantitative risk analysis starts with

asset valuation and threat identification Next, the potential and frequency of each risk is estimated This information is then used to calculate various cost functions that are used to evaluate safeguards

VPNs do not provide

availability

Spamming is often possible because hackers are able to locate and take advantage of which of the following? a) E-mail clients b) Open relay agents c) Internet Protocol routing tables

b) Open relay agents

Which of the following mechanisms can reduce the risk of collusion? Check all that apply. a) Background checks b) Separation of duties c) Job rotation d) Nondisclosure agreements

b) Separation of duties c) Job rotation

SMTP is designed to be a

be a mail relay system This means it relays mail from sender to intended recipient However, one wants to avoid turning an SMTP server into an open relay (also known as open relay agent or relay agent)

Which one of the following statements is true? a) Qualitative analysis requires specific dollar valuations of assets b) Quantitative analysis requires subjective inputs from analysts c) A purely quantitative risk analysis is usually not sufficient since there are aspects that cannot be quantified

c) A purely quantitative risk analysis is usually not sufficient since there are aspects that cannot be quantified

What can a VPN do?

can link two networks or two individual systems

VPNs can provide

confidentiality and integrity over insecure or untrusted intermediary networks

NAT is a mechanism for

converting the internal IP addresses found in a private network into public IP addresses for transmission over the Internet

After completing risk analysis, different decisions can be made depending on the results of analysis. Which one of the following options would be considered an irresponsible choice? a) Mitigating a risk b) Transferring a risk c) Accepting a risk d) Ignoring a risk

d) Ignoring a risk

Database transactions must be durable. This means that... a) Transactions are executed separately from each other b) All or none of the instructions in a transaction must be executed c) When the transaction is complete, the database must again be consistent with the rules, as it was before the transaction was executed d) Once transactions have been committed to the database, their effects must be preserved

d) Once transactions have been committed to the database, their effects must be preserved

Mixing data with different classification levels and/or need-to-know requirements is known as

database contamination Often, administrators deploy a trusted front end to add multi-level security to a legacy or insecure DBMS

Layering, also known as

defense in depth, is simply the use of multiple controls in a series

Elements of security management planning include

defining security roles prescribing who will be responsible for security, and how security will be tested for effectiveness developing security policies performing risk analysis

Multilevel security databases contain information at a number of

different classification levels The DBMS must verify the labels assigned to users and, in response to user requests, provide only information that is appropriate

When employees are hired, they should sign an

employment agreement outlining Details of the job description, and the length of time the position is to be filled The rules and restrictions of the organization The security policy, violations, and consequences

Most VPNs use

encryption to protect the encapsulated traffic, but encryption is not necessary for the connection to be considered a VPN

Many organizations use data classification to

enforce access controls based on the security labels assigned to objects and users When mandated by an organization's security policy, data classification must be extended to the organization's databases

Relational databases support the explicit and implicit use of transactions to

ensure data integrity

Rotating personnel reduces the risk of

fraud and misuse of information The longer employees work in a specific position, the more likely they are to be assigned additional work tasks and expand their privileges They may then abuse their privileges for personal gain Job rotation provides a form of peer auditing and protects against collusion If abuse is committed by one employee, it will be easier to detect by another employee who knows the job position and work responsibilities

Quantitative risk analysis creates a report that

has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards This report is usually fairly easy to understand

Risk management is the process of

identifying factors that could damage or disclose data evaluating those factors in light of data value and countermeasure cost implementing cost-effective solutions for reducing risk to an acceptable level

Over a VPN link, clients can perform the same activities and access the same resources they could if

if they were directly connected via a LAN cable

Job rotation provides

knowledge redundancy Multiple employees are each capable of performing the work tasks required by several job positions The organization is less likely to experience serious downtime or loss in productivity if an incident keeps one or more employees out of work for a long time

A termination policy is essential to

maintaining a secure environment even in the face of a disgruntled employee who must be removed from the organization

Terminations should take place with at least

one witness When possible, an exit interview should be performed The primary purpose is to review the liabilities and restrictions placed on the former employee based on employment agreement, nondisclosure agreement, etc.

Views are simply SQL statements that

present data to the user as if they were tables themselves collate data from multiple tables, aggregate individual records, and restrict a user's access to a limited subset of database attributes and/or records

NAT was developed to allow

private networks to use any IP address set without causing conflicts with public Internet hosts with the same IP addresses

Security management planning ensures

proper creation, implementation, and enforcement of a security policy

NAT operates by maintaining a mapping between

requests made by internal clients, a client's internal IP address, and the IP address of the Internet service contacted

The modern waterfall model does allow development to

return to the previous phase to correct defects discovered during the subsequent phase This is known as the feedback loop characteristic of the waterfall model The limitation is that the model can step back only one phase in the development process

IPSec provides for

secured authentication as well as encrypted data transmission

All secure systems implement some sort of

security control architecture

The traditional waterfall model has

seven stages of development As each stage is completed, the project moves into the next phase

Together, change control and configuration management techniques form an important part of

software engineering They protect the organization from development related security issues

Many Internet-compatible email systems rely upon

the X.400 standard for addressing and message handling

NAT maintains information about

the communication sessions between clients and external systems