Info Sec Mid-Term


Data privacy

Governs how data is collected, shared and used

The goal of a penetration study/test is to violate the site security policy. [T/F]

T

A threat is a potential violation of security. [T/F]

True

Access control mechanisms support confidentiality. [T/F]

True

Principle of Least Privilege / Principle of Least Authority

A subject should be given only those privileges that it needs in order to complete its task.

Principle of Separation of Privilege

A system should not grant permission based on a single condition.

Computer Security Incident Response Team (CSIRT)

A team established to assist and co-ordinate responses to a security incident among a defined constituency.

Delay

A temporary inhibition of a service

Fail back test

A test in which a disaster recovery environment is switched back to the primary data center in order to test resumption of normal operation.

XML External Entities

A type of attack against an application that parses XML input

Cross-Site Scripting (XSS)

A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites

Metamorphic virus

A virus that changes its internal structure but performs the same actions each time it is executed

Polymorphic virus

A virus that changes the form of its decryption routine each time it inserts itself into another program

Encrypted virus

A virus that encrypts all of the virus except the cryptographic key and a decryption key

Insecure Deserialization

A vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service [DoS] attack, or even execute arbitrary code

Specification

A (formal or informal) statement of the desired functioning of the system

A/An _______________ is the set of entry points and data that attackers can use to compromise a system.

Attack Surface

A SYN Flood attack impacts which of the following: Availability; Integrity; Confidentiality

Availability

_______________ refers to the ability to use information or resources.

Availability

Put the classes of applications and systems into the correct order from most important (class 1) to least important (class 4): Mission Critical; Critical; Essential; Non Critical

Class 1, Class 2, Class 3, Class 4

Substitution cipher

Changes characters in the plaintext to produce the ciphertext

Which of the following are security incidents: Unauthorized computer or data access; A violation of campus computer security policies and standards; Physical or logical damage to systems; Presence of a malicious application, such as a virus; An unexpected food delivery

Unauthorized computer or data access; A violation of campus computer security policies and standards; Physical or logical damage to systems; Presence of a malicious application, such as a virus

Principle of Fail-Safe Defaults

Unless a subject is given explicit access to an object, it should be denied access to that object.

In the U.S., trademarks are granted for an initial period of _______________ years and can be renewed for an unlimited number of successive periods of the same length.

10

CVE stands for: Common Vulnerabilities and Exposures; Common Vulnerabilities and Exploits; Corrupt Views and Efforts

Common Vulnerabilities and Exposures

CWE stands for: Common Weaknesses and Exploits; Common Weaknesses and Exposures; Common Wars and Enemies

Common Weaknesses and Exposures

Information that is absolutely critical to a business that would result in critical damage if it were disclosed to competitors and/or the public is called a _______________ _______________.

Trade Secret

Limiting the objects accessible to a given process run by the user is not a good protection technique. [T/F]

False

Most attacks are not multistage, rather they are a single step attack. [T/F]

False

Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: private keys which may be disseminated widely, and public keys which are known only to the owner. [T/F]

False

Resource hiding is not an important aspect of confidentiality. [T/F]

False

Risks do not change over time. [T/F]

False

Security mechanisms must be technical in nature. [T/F]

False

Small businesses do not need to worry about cyber attacks. [T/F]

False

Two-factor login requires the user to solve 2 math problems (factoring) before they can login. [T/F]

False

When a file is deleted, the data is gone for good and there is no way to recover it. [T/F]

False

When using cloud services and software, the cloud provider is responsible for all security of the network and systems. [T/F]

False

You don't need to use encrypted communications on inside networks. [T/F]

False

Design

Translates the specifications into components that will implement them

A DMZ web server will have a highly restrictive security policy. [T/F]

True

A VPN creates a secure "tunnel" which encrypts traffic between two locations. [T/F]

True

A botmaster controls bots from one or more systems called command and control (C&C) servers or motherships. [T/F]

True

A drive-by download occurs when a user visits a web page and a download occurs without the user knowing it, or when the user knows it but does not understand the effects of the download. [T/F]

True

The Federal Sentencing Guidelines provide punishment guidelines to help _______________ judges interpret computer crime laws.

Federal

Which are possible threats to business continuity: Flood; Fire; Lack of Mountain Dew in the soda machine; Power Outage; Cyber attack

Flood; Fire; Power Outage; Cyber attack

A _______________ network in a wireless network system allows visitors to connect to the Internet while not allowing them to access corporate computing resources.

Guest

The activity taken to make a system as safe as possible is called _______________.

Hardening

A firewall helps protect an organization's network from unwanted traffic. [T/F]

True

A message digest is generated from a mathematical function and is created to ensure the message contents have not changed. [T/F]

True

An "International Domain Name Homograph Attack" uses similar looking characters, possibly from different international character sets, to convince a user to click on a link with what appears to be a legitimate domain name. [T/F]

True

Assumptions and trust underlie confidentiality mechanisms. [T/F]

True

Backups need to be tested occasionally to ensure that they are backing up the correct data and that the files can be restored. [T/F]

True

Principle of Least Common Mechanism

Mechanisms used to access resources should not be shared.

Which of the following are protected under the Digital Millennium Copyright Act? Works that are never published; Musical works; Pictorial, graphical and sculptural works; Dramatic works

Musical works; Pictorial, graphical and sculptural works; Dramatic works

Systems should be customized based on their purpose and should only serve one need. [T/F]

True

The heart of any security system is people. [T/F]

True

The three security services—confidentiality, integrity, and availability—counter threats to the security of a system. [T/F]

True

The use of a public key system provides a way to block repudiation of origin. [T/F]

True

The word "cryptography" comes from two Greek words meaning "secret writing". [T/F]

True

Trust cannot be quantified precisely. [T/F]

True

When hardening a system, you should change system defaults and disable built-in accounts. [T/F]

True

In order to get a patent, the invention must be: Marketable; Useful; New; Non Obvious

Useful; New; Non Obvious

Table-top exercise

Usually occurs in a conference room with the team poring over the plan, looking for gaps and ensuring that all business units are represented therein

VPN stands for: Virtual Private Network; Virtual Public Network; Very Private Network; Virulent Persistent Nuisance

Virtual Private Network

Stealth virus

Viruses that conceal the infection of files

The White Team is made up of all-knowing, neutral, third-party individuals who set the rules of engagement, organize teams, make plans and monitor progress. [T/F]

T

The first step to deal with an information security breach is to already have a communication plan in place. [T/F]

T

The primary goal of a Purple Team is to maximize the results of Red Team engagements and improve Blue Team capability. [T/F]

T

The specific failure of the security controls of a system or software is called a vulnerability or security flaw. [T/F]

T

Threats to a business can come from both external threats as well as from inside threats. [T/F]

T

Unlike other testing and verification technologies, a penetration test examines procedural and operational controls as well as technological controls. [T/F]

T

While you can have data protection without data privacy, you cannot have data privacy without data protection. [T/F]

T

Words, slogans and logos used to identify a company and its products or services are examples of items that can be trademarked. [T/F]

T

You can protect items by using the ™ symbol without registering the trademark with the government. [T/F]

T

Your crisis communication plan should indicate who is going to prepare and present the information to the media/public. [T/F]

T

You should monitor media and social media so that you can rapidly address any misinformation that surfaces. [T/F]

T

You should do the following during a crisis communication: Take responsibility; Apologize for the inconvenience; Be sincere; Make excuses.

Take responsibility; Apologize for the inconvenience; Be sincere.

Which of the following are ways to avoid social engineering attacks? Require all visitors to show a government issued ID; Locking the company front door; Testing your users; Training your users; Separation of duties

Testing your users; Training your users; Separation of duties

Peer code review

The action of consciously and systematically convening with one's fellow programmers to check each other's code for mistakes

Black Box Testing

The attacker has no knowledge of the system being tested

White Box Testing

The attacker has full knowledge of the system being tested

Grey Box Testing

The attacker has some knowledge of the system being tested

Defender's Dilemma

The defenders must get it right every time, the attackers only need to get it right once.

Code Signing

The process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.

What is the number one concern of the Disaster Recovery Plan? Ensuring that customers are not aware that a disaster has occurred; The safety and health of people; Maintaining company profits; Returning to the original computing location as quickly as possible.

The safety and health of people.

Cryptanalysis

The science of breaking codes

Principle of Open Design

The security of a mechanism should not depend on the secrecy of its design or implementation

Snooping/Eavesdropping

The unauthorized interception of information

Recovery _______________ Objective is the acceptable amount of time to restore the function.

Time

Bots

Malware that carries out some action in coordination with other bots.

Ransomware

Malware that inhibits the use of resources until money is paid

Goals of security include: Recovery; Retaliation; Prevention; Detection

Recovery; Prevention; Detection

Smishing

A social engineering approach that exploits SMS, or text, messages.

Number the steps in the Asset lifecycle: Planning; Acquiring; Deploying; Managing; Retiring

1, 2, 3, 4, 5

Put the steps for developing a business continuity plan in the proper order: Identify the scope of the plan; Identify key business areas; Identify critical functions; Identify dependencies between various business areas and functions; Determine acceptable downtime for each critical function; Create a plan to maintain operations.

1, 2, 3, 4, 5, 6

Vishing

A social engineering approach that leverages voice communication

The Children's Online Privacy Protection Act (COPPA) protects children under the age of ________________.

13

Which of the following are valid key lengths for the Advanced Encryption Standard (AES) cipher? 256; 128; 192; 64; 512

256; 128; 192

Works by one or more authors are protected until _______________ years after the death of the last surviving author.

70

An actual security violation that results from a threat is called a/an: Breach; Hack; Attack; Denial of Service

Attack

Table-top exercise

A structured walk through where a simulated disaster is discussed and each team present discusses their responsibilities and actions they would take if this were an actual emergency

Adware

A Trojan horse that gathers information for marketing purposes and displays advertisements

Spyware

A Trojan horse that records information about the use of a computer, usually capturing confidential information such as keystrokes, passwords, credit card numbers, and visits to websites

Onetime pad

A cipher that has a key that is at least as long as the message and is chosen at random, so it does not repeat

Digital signature

A construct that authenticates both the origin and contents of a message in a manner that is provable to a disinterested third party

Parallel environments test

A disaster recovery operation is "stood up" and tested, but none of the primary operations are impacted

Denial of Receipt

A false denial that an entity received some information or message

Repudiation of Origin

A false denial that an entity sent (or created) something

Denial of Service

A long term inhibition of service

Ciphertext

A message after it has been encrypted

Mobile Site

A portable site that can be driven and used anywhere

Rabbit / Bacteria

A program that absorbs all of some class of resource

Logic Bomb

A program that performs an action that violates the security policy when some external event occurs

Trojan Horse / Propagating Trojan Horses

A program with an overt (documented or known) purpose and a covert (undocumented or unexpected) purpose.

In public key encryption: A public key is created which is published for everyone to see; Assigns each entity a pair of keys; A private key is created by each entity and must be kept secret; One encryption key is shared by all entities in a system.

A public key is created which is published for everyone to see; Assigns each entity a pair of keys; A private key is created by each entity and must be kept secret.

Cold Site

A recovery site that is ready in days or weeks. Contracts are in place for the use of the facility, but no systems, networking, telecom, data or software are installed and ready to go.

Hot/Mirror Site

A recovery site that is ready in minutes. It maintains up-to-date systems, configurations and data, and the systems are on and ready

Warm Site

A recovery site that is ready in hours or days. Systems are in place, but don't have current configurations or data and are not turned on

Rootkit

A rootkit is a pernicious (subtle/hidden) Trojan horse. It hides itself on a system so it can carry out its actions without detection.

Cipher

A secret or disguised way of writing code

Decryption key

A short bit string used to decrypt a message

Encryption key

A short bit string used to encrypt a message

Cryptography is a fundamental tool in security because encryption can guarantee: Data Integrity; Protection from replay attacks; Message Authenticity; Data Confidentiality/Privacy

ALL

Motives for cyber security attacks include: Challenge; Infamy; Subversion; Hacktivism; Revenge; Cash

ALL

Which of the following are best practices when hardening a system: Keep your operating system and applications up to date, especially security patches; Lock accounts after too many login failures; Physically secure the system; Minimize open network ports

ALL

Which of the following are motives for cyber attacks? Infamy; Revenge; Subversion; Hacktivism; Challenge; Cash/Money

ALL

Which of the following are principles of secure design? Threat Modeling; Principle of Fail Safe; Input Validation; Hashed Credentials/Secrets

ALL

Which of the following are types of disaster recovery tests: Table top exercises; Fail Back; Full fail over; Partial fail over; Parallel environment

ALL

Which of the following are ways of encrypting files on disk? Whole disk encryption; Gnu Privacy Guard [GPG]; Pretty Good Privacy [PGP]; Whole volume/partition encryption

ALL

Which of the following is a valid term for, "Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences." Maximum Tolerable Downtime (MTD); Maximum Tolerable Outage (MTO); Maximum RTO; Maximum Allowable Outage (MAO); Maximum Tolerable Period of Disruption (MTPoD)

ALL

Which of the following user classifications are common in a corporate environment: Developers; Outsiders; Executives; Employees

ALL

Failover

Act of switching to an alternative computing facility

Failback

Act of switching back to the original, recovered computing facility

Principle of Complete Mediation

All accesses to objects must be checked to ensure that they are allowed

Full fail over test

All components of the disaster recovery plan are "stood up" in a DR environment and those components are switched over temporarily to cover for the primary systems in order to test

Broken Authentication

Allows a cybercriminal to steal a user's login data, or forge session data, such as cookies, to gain unauthorized access to websites.

Reciprocal Agreement/Mutual Aid

An agreement with another company, or another branch of the same company to share each other's data center in the event of a disaster

Phishing

An attack that uses email or malicious websites to solicit personal information by posing as a trustworthy organization

Injection

An attacker's attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter

Plaintext

An original message before it has been encrypted

Modification/Alteration

An unauthorized change of information

Personally Identifiable Information (PII)

Any data that could potentially be used to identify a particular person

A/An _______________ is a sequence of actions that create a violation of a security policy. Attack; Exfiltration; Hack; Breach

Attack

The acronym CSIRT stands for: Computer Security Incident Response Team; Computer Security Information Recovery Team; Computer Secrecy Information Reference Trust; Confidentiality Security Integrity Response Team

Computer Security Incident Response Team

Which of the following data/system classifications are common in a government environment: For Your Eyes Only; Confidential; Top Secret; Secret; Unclassified

Confidential; Top Secret; Secret; Unclassified

A military security policy (also called a governmental security policy) is a security policy developed primarily to provide: Integrity; Availability; Confidentiality

Confidentiality

One access control mechanism for preserving _______________ is cryptography, which transforms data to make it incomprehensible.

Confidentiality

The components of the CIA triad are: Confidentiality, International, Availability; Confidentiality, Integrity, Assessability; Confidentiality, Integrity, Availability; Correctness, Integrity, Availability

Confidentiality, Integrity, Availability

A database server which stores company data belongs on which network segment: Internal; DMZ; Corporate Data

Corporate Data

CRUD

Create, Read, Update, Delete

Implementation

Creates a system that satisfies that design

Disaster simulation testing

Creates an environment that imitates an actual disaster, with all the equipment, supplies and personnel who would be needed [including business partners and vendors]

A database server which stores customer data belongs on which network segment: Customer Data; Internal; Corporate Data

Customer Data

Dynamic analysis involves no execution of the software under test and can detect possible defects in an early stage, before running the program. [T/F]

F

A mail server belongs on which network segment: Internal; DMZ; Development

DMZ

A web server belongs on which network segment: Internal; DMZ; Corporate Data

DMZ

A _______________ Broker is a business that specializes in creating in-depth profiles of individuals for advertisers. This can include a person's sexuality, browsing history, political affiliation and medical records.

Data

Anonymization

De-identifies a person and destroys any way of identifying the data subject. It is irreversible.

Some of the Blue Team's responsibilities include: Web App Scanning; Defensive Security; Infrastructure Protection; Incident Response

Defensive Security; Infrastructure Protection; Incident Response

DMZ stands for: Don't Mess Zone; Demilitarized Zone; Domestic Martial Zone; Drop Military Zone

Demilitarized Zone

Which of the following are good perimeter defenses employed in a defense in depth strategy? Denial of Service Prevention; Fences; Firewalls; Network Address Translation

Denial of Service Prevention; Firewalls; Network Address Translation

A developer web server belongs on which network segment: Internal; Development; DMZ

Development

Digital Forensics

Digital forensics is the science of identifying and analyzing entities, states, and state transitions of events that have occurred or are occurring.

DAST

Dynamic Analysis Software Testing

Structured walk-through

Each team member goes over his or her components of the plan in detail to identify weaknesses. Often, the team works through the test with a specific disaster in mind

CERT - Computer _______________ Response Team

Emergency

A business impact analysis is nice to have, but not required, during business continuity planning. [T/F]

F

A penetration test is an unauthorized attempt to violate specific constraints stated in the form of a security or integrity policy. [T/F]

F

Analysis of a policy model usually discusses particular policies. [T/F]

F

Copyright law protects both software code and software design. [T/F]

F

Disaster Recovery Plans do not need to be maintained and updated. Once created, they are good forever. [T/F]

F

Formal verification and property-based testing are techniques for detecting vulnerabilities. Both are based on the design and/or implementation of the computer system. However, the computer system includes policies, procedures, and an operating environment. These latter factors are very easy to express in a formal verification model or in property-based testing. [T/F]

F

Ideas and processes that go into the making of software products can be protected by copyright. [T/F]

F

It is acceptable not to train employees regarding the crisis communication plan because those responsible will instinctively know what to do when the time comes. [T/F]

F

It is acceptable to share speculation with the public and the media during a crisis if that speculation looks plausible. [T/F]

F

It is acceptable to use technical jargon when communicating to the public or media during a crisis. It is their job to look up what they don't know and it more accurately conveys your situation. [T/F]

F

It will be obvious what needs to be done during a disaster, so awareness and staff training is not really important. [T/F]

F

Misconfiguration is a mistake, not a threat. [T/F]

F

Offensive capability is part of a defense in depth strategy. [T/F]

F

Organizations that keep sensitive data secure from hackers are automatically compliant with data privacy regulations. [T/F]

F

Patents are renewable. [T/F]

F

Risk avoidance is a critical element in the disaster recovery process. [T/F]

F

Runbooks must be only in physical form because the electronic versions won't be accessible in case of emergency so there's no reason to create and maintain them. [T/F]

F

Secure by design, in software engineering, means that the software has been designed without security and it has been added afterwards as part of the testing and debugging phase. [T/F]

F

Security policies are always highly mathematical in nature. [T/F]

F

The Disaster Recovery Plan will provide an effective solution that can be used to recover all business processes within the required time frame. [T/F]

F

The role of trust is not crucial to understanding the nature of computer security. [T/F]

F

There are global standards for what constitutes data privacy. It does not vary widely from location to location and from legislation to legislation. [T/F]

F

With the rise of the data economy, companies are finding less value in collecting, sharing and using data. [T/F]

F

Security Misconfiguration

Failing to implement all the security controls for a server or web application, or implementing the security controls, but doing so with errors

Broken Access Control

Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing business functions outside of the limits of the user

A DMZ web server has a policy very similar to that of a development system. [T/F]

False

A hash algorithm takes data and converts it to a unique numerical value in a way that makes it easy to recover back the original text. [T/F]

False

A security violation must actually occur for there to be a threat. [T/F]

False

A terminate and stay resident (TSR) virus becomes inactive (non-resident) in memory after the application, bootstrapping, or macro interpretation has terminated. [T/F]

False

DMZ servers typically have a dynamic private IP address and are usually mapped for outbound traffic using Port Address Translation (PAT) [T/F]

False

Detection mechanisms try to prevent violations of integrity. [T/F]

False

Firewalls should be configured to allow all traffic unless specifically denied. [T/F]

False

Inside servers typically have a fixed public IP address, or are mapped to a public address using Network Address Translation. [T/F]

False

HIPAA stands for the _______________ Insurance Portability and Accountability Act.

Health

Masquerading/Spoofing

Impersonation of one entity by another

A commercial security policy is a security policy developed primarily to provide: Integrity; Availability; Confidentiality

Integrity

Evaluating _______________ is often very difficult, because it relies on assumptions about the source of the data and about trust in that source.

Integrity

A security policy considers all relevant aspects of which of the following: Readiness; Integrity; Availability; Confidentiality

Integrity; Availability; Confidentiality

Public-key cryptography/asymmetric cryptography

Is a cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner.

Containment

Limiting the objects accessible to a given process run by the user is an obvious protection technique.

When you step away from your computer you should always: Lock your screen; Logout; Look around to make sure nobody can jump in your seat

Lock your screen; Logout

Malicious logic, more commonly called _______________, is a set of instructions that cause a site's security policy to be violated.

Malware

Which of the following are important to have in the Incident Response Plan: Network Diagrams; Names and contact information for the local incident response team; Procedures for reporting and handling a suspected incident; Data flow diagrams; System hardware inventory

Network Diagrams; Names and contact information for the local incident response team; Procedures for reporting and handling a suspected incident; Data flow diagrams; System hardware inventory

Insufficient logging & monitoring

Not enough audit data and real time data to interpret the state of security of a system

Drive-by-download

Occurs when a user visits a web page and a download occurs without the user knowing it, or when the user knows it but does not understand the effects of the download.

Sensitive Data Exposure

Occurs when an application or program, like a smartphone app or a browser, does not adequately protect information such as passwords, payment info, or health data

COPPA stands for the Children's _______________ Privacy and Protection Act.

Online

OWASP stands for the Open _______________ Application _______________ Project.

Open Web Application Security Project

Integrity includes: Origin Integrity - Authentication; Data Integrity - Content of the Information; Type Integrity - Type of Data

Origin Integrity - Authentication; Data Integrity - Content of the Information

Which of the following are good policies, procedures and awareness techniques employed in a defense in depth strategy? Password Strength Rules; Acceptable Use Policy; Data Classification; Code Reviews; Security Assurance

Password Strength Rules; Acceptable Use Policy; Data Classification; Code Reviews; Security Assurance

A _______________ protects the intellectual property rights of an inventor.

Patent

If you want official recognition of your trademark, you can register it with the U.S. _______________ and Trademark Office (USPTO).

Patent

Botnets can be organized in the following ways: Peer-to-Peer; Parent-Child; Centralized; Very High Latency; Random Approach

Peer-to-Peer; Centralized; Very High Latency; Random Approach

A typical _______________ attack requires that the attackers create a web site displaying a page that looks like it belongs to a bank. Thus, when victims visit the web site, they will believe they are at the bank's web site and not the false one.

Phishing

Recovery _______________ Objective is the acceptable latency of data that will not be recovered.

Point

_______________ is at the heart of every decision involving security.

Policy

In formal verification, after the analysis, the tester will have information about the resulting state of the system that can be compared with the site security policy. This is called the _______________. Precondition; Test result; Post condition

Post Condition

In formal verification, the state in which the vulnerability will arise is called a/an: Co-Condition; Postcondition; Precondition

Precondition

Which of the following are phases of intrusion handling? Preparation; Follow-up; Identification; Recovery; Containment; Eradication; Retaliation

Preparation; Follow-up; Identification; Recovery; Containment; Eradication

Which are considered classes of Integrity mechanisms: Prevention; Recovery; Detection

Prevention; Detection

Worms

Program that copies itself from one computer to another.

GDPR stands for the General Data _______________ Regulation.

Protection

Data security

Protects data from compromise by external attackers and malicious insiders

Which of the following data/system classifications are common in a corporate environment: Public; Confidential; Private; Executive; Legal; Sensitive

Public; Confidential; Private; Sensitive

The Lessons Learned stage of Incident Response is often skipped as the business moves back into normal operations, but it's critical to look back and heed the lessons learned. [T/F]

T

Which of the following are among the key provisions of GDPR: Purpose limitation; Integrity and confidentiality (security); Accountability; Storage limitation; Data minimization; Lawfulness, fairness and transparency; Accuracy; Business stockholder value

Purpose limitation; Integrity and confidentiality (security); Accountability; Storage limitation; Data minimization; Lawfulness, fairness and transparency; Accuracy

Transposition cipher

Rearranges the characters in the plaintext to form the ciphertext. The letters are not changed

Which of the following plays the part of the "attacker" during a penetration test? Red; Blue; Green

Red Team

Practical data privacy concerns often revolve around: How data is legally collected or stored. Business profit. Regulatory restrictions. Whether or how data is shared with third parties.

Regulatory restrictions. Whether or how data is shared with third parties. How data is legally collected or stored.

Sandboxing

Running code in an isolated "safe" environment to test its behaviors.

Critical information assets can include: Scientific research Internal manufacturing processes Schematics Company location addresses Customer sales information Corporate financial data Human resource information Proprietary software Patents/Copyrights

Scientific research Internal manufacturing processes Schematics Customer sales information Corporate financial data Human resource information Proprietary software Patents/Copyrights

Wiping files means ... Securely deleting file data by overwriting with zeros, ones and/or other random characters. The normal way an operating system deletes a file. Cleaning a dirty DVD disk so you can read the data on it.

Securely deleting file data by overwriting with zeros, ones and/or other random characters.

A _______________ policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.

Security

The Computer Security Act of 1987 mandated baseline _______________ requirements for all federal agencies.

Security

Principle of Economy of Mechanism

Security mechanisms should be as simple as possible.

Principle of Least Astonishment

Security mechanisms should be designed so that users understand the reason that the mechanism works the way it does and that using the mechanism is simple.

Principle of Psychological Acceptability

Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.

Firewalls

Separate the Internet, the DMZ, and the internal network.

Which of the following are important to include in a Disaster Recovery Plan? Server team and responsibilities Scope of systems, networks and applications that are covered under the plan External contacts Public relations team and responsibilities Anti-virus/Anti-Malware Data, backups and retention policies and procedures

Server team and responsibilities Scope of systems, networks and applications that are covered under the plan External contacts Public relations team and responsibilities Data, backups and retention policies and procedures

_______________ is when an attacker watches the target enter their password.

Shoulder Surfing

Some of the Red Team's responsibilities include: Social Engineering Black Box Testing Defensive Security Ethical Hacking

Social Engineering Black Box Testing Ethical Hacking

SDLC stands for:

Software Development Life Cycle

Secure by Design

Software has been designed from the foundation to be secure.

Partial fail over test

Some components of the disaster recovery plan are "stood up" in a DR environment and those components are switched over temporarily to cover for the primary systems in order to test

Which of the following are typically considered as parts of multi-factor authentication? Something someone tells you; Something you guess; Something you know Something you know; Something you have; Something you are Something you are wearing; Something you see; Something you hear

Something you know; Something you have; Something you are

Which of the following are protected under the Digital Millennium Copyright Act? Sound recordings Motion pictures and other audiovisual works Literary works Inventions of new technology

Sound recordings Motion pictures and other audiovisual works Literary works

Like adware, _______________ gathers information about a user, system, or other entity and transmits it or stores it for later retrieval. Unlike adware, its presence is supposed to be invisible to the user and system, so its function is truly covert.

Spyware

_______________ code analysis can be done by a machine to automatically "walk through" the source code and detect noncomplying rules.

Static

_______________ code analysis involves no dynamic execution of the software under test and can detect possible defects in an early stage, before running the program.

Static

SAST

Static Analysis Software Testing

Pseudonymization

Substitutes the identity of the data subject, meaning you need additional information to re-identify the data subject. It is reversible.

A good data backup strategy, which includes testing backups for integrity, is a critical part of any disaster recovery plan. [T/F]

T

A penetration study is a test for evaluating the strengths of all security controls on the computer system. [T/F]

T

A security mechanism is an entity or procedure that enforces some part of the security policy. [T/F]

T

A security policy defines "secure" for a system or a set of systems. [T/F]

T

A vulnerability analysis is an important part of a threat/risk assessment. [T/F]

T

All risks identified during a threat/risk assessment must be safeguarded against. [T/F]

T

At the end of the patent exclusivity period, the invention is in the public domain available for anyone to use. [T/F]

T

Contractual software license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each. [T/F]

T

Copyright protection is indicated by the © symbol. [T/F]

T

Dynamic program analysis tools may require loading of special libraries or even recompilation of program code. [T/F]

T

Employees should be regularly trained on data protection so they understand the processes and procedures necessary to ensure proper collection, sharing, and use of sensitive data. [T/F]

T

If there is a fire at a business location, a valid business continuity strategy could include employees telecommuting until the location is once again usable. [T/F]

T

If users and system administrators are not aware of incident response procedures, response will be delayed and evidence can be corrupted or lost, greatly increasing the potential impact of an incident. [T/F]

T

In a computer system or network, a runbook is a compilation of routine procedures and operations that the system administrator or operator carries out. [T/F]

T

In order to receive protection under the law, trade secrets must be protected with reasonable privacy and security controls. [T/F]

T

In theory, formal verification can prove the absence of vulnerabilities. [T/F]

T

It is critical to have a written Memorandum of Agreement (MOA)/Memorandum of Understanding (MOU) in a Reciprocal Agreement/Mutual Aid disaster recovery situation. [T/F]

T

Peer code reviews not only help to find mistakes, but they have also been repeatedly shown to accelerate and streamline the process of software development like few other practices can. [T/F]

T

Penetration testing is a testing technique, not a proof technique. [T/F]

T

Policies, procedures and awareness are part of a defense in depth strategy. [T/F]

T

Rules of engagement state what the goals of the test are, what the testers are, and are not, allowed to do, and when a test ends. [T/F]

T

Tabletop exercises are a good way to test and train for the crisis communication plan. [T/F]

T

Testing, Operations and Maintenance are all important phases of the Software Development Life Cycle. [T/F]

T

The Computer Fraud and Abuse Act of 1984 is still in force today (with amendments). [T/F]

T

The Digital Millennium Copyright Act guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. [T/F]

T

The Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event that a disaster occurs. [T/F]

T

The Disaster Recovery Plan is focused on the recovery of IT assets. [T/F]

T

DMZ servers typically have a fixed public IP address (or are mapped to one using Network Address Translation (NAT)). [T/F]

True

Digital forensics is the science of identifying and analyzing entities, states, and state transitions of events that have occurred or are occurring. [T/F]

True

Firewalls should separate the Internet, the DMZ, and the internal network. [T/F]

True

Identifying your assets is not easy. [T/F]

True

If group "developers" can read and write the contents of a directory, and user "A" is a member of the developers group, then user A can read and write the contents in that directory. [T/F]

True

Internal servers typically have a dynamic private IP address and are usually mapped for outbound traffic using Port Address Translation (PAT). [T/F]

True

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. [T/F]

True

It is considered best practice to maintain and review logs of all system activity, including user actions. [T/F]

True

Laws can restrict the availability and use of technology and affect procedural controls. [T/F]

True

Longer passwords are harder to crack and are therefore stronger and better to use. [T/F]

True

Many such antivirus programs exist for personal computers, but because each agent must look for particular characteristics or behaviors of a virus or set of viruses, they cannot detect viruses whose only characteristics or behaviors have not yet been analyzed. [T/F]

True

One of the goals of computer viruses is to remain undiscovered until executed, and possibly even after that. [T/F]

True

Revealing a public key is safe because the functions used for encryption and decryption have a one way property. That is, telling someone the public key does not allow the person to forge a message that is encrypted with the private key. [T/F]

True

Society distinguishes between legal and acceptable practices. [T/F]

True

Sometimes a Cost-Benefit analysis will determine that it's not worth protecting an asset. [T/F]

True

Spearphishing is a phishing attack tailored for a particular victim. [T/F]

True

Symmetric cryptosystems (also called single key or secret key cryptosystems) are cryptosystems that use the same key for encoding and decoding of messages. [T/F]

True

Computer Virus

When the Trojan horse can propagate freely and insert a copy of itself into another file, it becomes a computer virus.

Using Components with known vulnerabilities

When your OS, web/application server, database management system [DBMS], applications, APIs and all components, runtime environments, and libraries are not secure.

The _______________ Trust Model is a security concept centered on the belief that organizations should not automatically trust anything and instead must verify anything and everything trying to connect to its systems before granting access.

Zero

A _______________ of security occurs when a system enters an unauthorized state. intrusion hack violation breach

breach

The idea behind _______________ is to manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach.

defense in depth

Using a security vulnerability to violate the site security policy is called a/an _______________.

exploit

The Federal Information Security Management Act of 2002 requires that federal agencies implement an _______________ _______________ program that covers their operations.

information security

A digital _______________ is a construct that authenticates both the origin and contents of a message in a manner that is provable.

signature

