Ch. 3 Policies, Procedures, and Awareness

Data retention policies

- Archiving information - destroying information when the retention limit is reached - handling information involved in litigation

The receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering attack? - Commitment - Authority - Social validation - Persuasive

- Authority

What is the primary countermeasure to social engineering? - A written security policy - Heavy management oversight - Awareness - Traffic filters

- Awareness

Which of the following defines two-man control? - For any task in which vulnerabilities exist, within the tasks are assigned to different positions with different management - An employee is granted the minimum privileges required to perform the position's duties - A situation in which multiple employees conspire to commit fraud or theft - Certain tasks should be dual-custody in nature to prevent a security breach

- Certain tasks should be dual-custody in nature to prevent a security breach

A code of ethics does all but which of the following? - Serves as a reference for the creation of acceptable use policies - Establishes a baseline for managing complex situations - Improves the professionalism of your organization as well as your profession - Clearly defines courses of action to take when a complex issue is encountered

- Clearly defines courses of action to take when a complex issue is encountered

Your organization entered into an Interoperability Agreement (IA) with another organization a year ago. As a part of this agreement, a federal trust was established between your domain and the partner domain. The partnership has been in the ongoing operations phase for almost nine months now. As a security admin, which tasks should you complete during this phase? - Conduct periodic vulnerability assessments - Negotiate the BPO agreement - Draft an MOU document - Disable user and groups accounts used by the partner organization to access your organization's data - Verify compliance with the IA docs

- Conduct periodic vulnerability assessments - Verify compliance with the IA docs

You have hired 10 new temporary workers who will be with the company for 3 months. You want to make sure that these users can only log on during regular business hours. What should you do? - Configure account lockout in Group Policy - Configure account policies in Group Policy - Configure day/time restrictions in the user accounts - Configure account expiration in the user accounts

- Configure account expiration in the user accounts

As you go through the process of making your network more manageable, you discover that employees in the sales department are on the same network segment as the human resources department. Which of the following steps can be used to isolate these departments? - Create a separate VLAN for each department - Implement the principle of least privilege for the human resources department - Move the sales department into the DMZ - Identify the choke points in your network

- Create a separate VLAN for each department

Which of the following is NOT a protection against collusion? - Separation of duties - Two-man control - Principle of least privilege - Cross-training

- Cross-training

When you inform an employee that they are being terminated, what is the most important activity? - Allow them to complete their current work projects - Disable their network access - Allow them to collect their personal items - Give them two weeks notice

- Disable their network access

Which of the following is NOT an element of the termination process? - Return company property - Disable all network access - Dissolution of the NDA - Exit interview

- Dissolution of the NDA

The best way to initiate solid admin control over an organization's employees is to have what element in place? - An acceptable use policy - Rotation of duties - Mandatory vacations in one-week increments - Distinct job descriptions

- Distinct job descriptions

Which of the following is a common social engineering attack? - Using a sniffer to capture network traffic - distributing hoax virus information emails - Logging on with stolen credentials - Distributing false information about your organizations financial status

- Distributing hoax virus information emails

Which of the following is NOT part of security awareness training? - Employee agreement docs - Establish reporting procedures for suspected security violations - Familiarize employees with the security policy - Communicate standards, procedures, and baselines that apply to the employee's job

- Employee agreement docs

Your company is preparing to enter into a partner relationship with another organization. It will be necessary for the info systems used by each organization to connect and integrate with each other. Which of the following is of primary importance as you take steps to enter into the partner relationship? - Ensure that both organizations have similar incident response procedures - Identify how data ownership will be determined - Ensure that all aspects of the relationship are agreed upon in writing - Ensure that the integration process maintains the security of each organizations network

- Ensure that the integration process maintains the security of each organization's network

Dumpster diving is a low-tech means of gathering information that may be useful in gaining unauthorized access, or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving? - Establish and enforce a document destruction policy - Mandate the use of Integrated Windows Authentication - Secure all terminals with screensaver passwords - Create a strong pw policy

- Establish and enforce a document destruction policy

Steps to protect your network:

- Identify and document each user on the network and the information the user has access to - identify the high-value network assets - document the trust boundaries - identify the choke points on the network - segregate and isolate networks - isolate server functions - physically secure high-value systems

Your organization is in the process of negotiating an Interoperability Agreement (IA) with another organization. As a part of this agreement, the partner organization proposes that a federated trust be established between your domain and their domain. This configuration will allow users in their domain to access resources in your domain and vice versa. As a security admin, which tasks should you complete during this phase? - Reset all pw used by the 3rd party to access data or applications on your network - Identify how data ownership will be determined - Verify compliance with the IA docs - Conduct security audits on the partner organization - Identify how data will be shared

- Identify how data ownership will be determined - Identify how data will be shared

Which of the following is NOT a form of social engineering? - Impersonating a utility repair tech - Impersonating a user by logging on with stolen creds - A virus hoax email msg - Impersonating a manager over the phone

- Impersonating a user by logging on with stolen credentials

Over the last several years, the use of mobile devices within your organization has increased dramatically. Unfortunately, many department heads circumvented your Information Systems procurement policies and directly purchased tablets and smartphones for their employees without authorization. As a result there is a proliferation of devices within your organization without accountability. You need to get things under control and begin tracking the devices that are owned by your organization. How should you do this? - Implement a mobile endpoint management (MEM) solution - Implement a mobile device management (MDM) solution - Apply security-related Group Policy settings to the devices using a Group Policy object - Join the devices to your organizations domain - Require users to sign an acceptable use policy before allowing them to use mobile devices for work related tasks

- Implement a mobile endpoint management (MEM) solution

Your organization has recently purchases 20 tablets devices for the Human Resources department to use for training sessions. You are concerned that these devices could represent a security risk to your network and want to strengthen their security profile as much as possible. Which actions should you take? (select 2) - Configure a GPO containing mobile device specific settings - Implement storage segmentation - Install the devices in your organization's directory services tree - Enable device encryption - Join the devices to your organization's domain

- Implement storage segmentation - Enable device encryption

Over the last month you have noticed a significant increase in the occurrence of inappropriate activities performed by employees. What is the best first response step to take in order to improve or maintain the security level of the environment? - Terminate all offenders - Initiate stronger auditing - Improve and hold new awareness training - Reduce all employee permissions and privileges

- Improve and hold new awareness training

Which of the following is a legal contract between the organization and the employee that specifies the employee is not to disclose the organization's confidential info? - Employee monitoring agreement - Acceptable use agreement - Non-disclosure agreement - Non-compete agreement

- Non-disclosure agreement

You have been hired as the new network administrator for a startup company. The company's network was implemented prior to your arrival. One of the first tasks you need to complete in your new position is to develop a Manageable Network plan. You have already completed the 1st and 2nd milestones, in which documentation procedures were identified and the network was mapped. You are now working on the 3rd milestone identifying ways to protect the network. Which tasks should you complete as part of this milestone? - Physically secure high-value systems - Apply critical patches whenever they are released - Set account expiration dates - Create an approved application list for each network device - Identify and document each user on the network

- Physically secure high-value systems - Identify and document each user on the network

How can an organization help prevent social engineering attacks? - Publish and enforce clearly-written security policies - Close all unneeded ports on firewalls - Educate employees on the risks and countermeasures - Implement IPsec on all critical systems

- Publish and enforce clearly-written security polices - Educate employees on the risks and countermeasures

Phases of waterfall planning

- Requirements - Design - Implementation - Testing - Deployment - Maintenance

Which of the following mobile device security considerations disables the ability to use the device after a short period of inactivity? - TPM - Screen lock - GPS - Remote wipe

- Screen lock

Which of the following are typically associated with human resources security policies? - Termination - SLA - Pw policies - Background checks - Change management

- Termination - Background checks

Which of the following are NOT reasons to remote wipe a mobile device? - The device is being assigned to another user - The device is locked and someone has entered multiple incorrect pw or PINs - The device is inactive for a period of time - The device is stolen or lost

- The device is inactive for a period of time

Your company security policy requires separation of duties for all network security matters. Which of the following scenarios best describes this concept? - The system admin configures remote access privileges and the security officer reviews and activates each account - Only the security officer can implement new border router rule sets - Security policy authors may never fraternize with system admin personnel - Every change to the default system image requires concurrent processing by multiple domain controllers

- The system admin configures remote access privileges and the security officer reviews and activates each account

You have installed antivirus software on computers at your business. Within a few days, however, you notice that one computer has a virus. When you question the user, she says she installed some software a few days ago. She admits she did not scan the file before running it. What should you add to your security measures to help prevent this from happening again? - Account lockout - Proxy server - User awareness training - Close unused firewall ports

- User awareness training

Which of the following is an action that must take place during the release stage of the SDLC? - Certification, accreditation, and auditing are performed - The product goes into major production and is developed by programmers - Testing of the software for bugs - Vendors develop and release patches in response to exploited vulnerabilities that have been discovered

- Vendors develop and release patches in response to exploited vulnerabilities that have been discovered

You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that as part of a system upgrade, you are to go to a website and enter your username and password at a new website so you can manage your email and spam using the new service. What should you do? - Click on the link in the email and look for company graphics or info before entering the login info - Click on the link in the email and follow the directions to enter your login info - Verify that the email was sent by the administrator and that this new service is legitimate - Delete the email - Open a browser and type the URL included in the email

- Verify that the email sent by the administrator and that this new service is legit

You've just received an e-mail message that indicates a new serious malicious code threat is ravaging across the Internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of the three files in \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system to prevent further spread of the threat. What should your first action based on this message be? - Delete the indicated files if present - Verify the info on well-known malicious code threat management websites - Distribute the msg to everyone in your address book - Perform a complete system backup - Reboot the system

- Verify the info on well-known malicious code threat management

A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on track. Which type of an attack best describes the scenario? - MAC spoofing - Passive - Whaling - Masquerading

- Whaling

In a phishing attack:

- a fraudulent message that appears to be legit is sent to the target - the message requests the target to visit a website, which also appears to be legit - the fraudulent website requests that the victim provide sensitive information, such as their account number or pw

Key security decisions made are:

- access controls - rights and permissions - encryption algorithms

Project initiation involves

- an original, profitable idea is recognized, and a cost justification is made - timelines for the project are identified - The potential users are contacted and involved in the concept development - Security objectives that the software needs to meet are created - Initial risk analysis is performed to see if an alternative approach might be beneficial

How often should change control management be implemented? - any time a production system is altered - only when changes are made that affect senior management - only when a production system is altered greatly - at regular intervals throughout the year

- any time a production system is altered

Disposal includes:

- archiving - overwriting - destroying

To protect against phishing:

- check the actual link in the description within emails to verify that they go to the correct URL - Do not click on links in emails - verify that HTTPS is used when you visit e-commerce sites. - implement phishing protections within your browser

Development and coding involves:

- coding - testing - validation

Rules for establishing a baseline for all systems

- create an approved application list - establish criteria and process for getting an application approved - verify apps - create device baselines - secure web browsers - check baselines for security misconfigurations

Steps to map your network:

- create network topology map - create list of all devices (include wireless devices, use a network scanner and confirm manually with room walk through, identify who is using what device and detail information, consider using a database file to store info) - create a list of all protocols being used on the network by using a network analyzer

Key output from system design includes:

- data design - procedural design - architectural design

To protect against legal issues:

- define the types of actions and communications that will be monitored - clearly communicate all monitoring activities - apply monitoring to all employees - comply with all legal requirements for privacy

Change control are:

- developers must be isolated from production - changes must be thoroughly documented - security techniques must be implemented at all stages of the process

Accessibility considerations include:

- do not use insecure protocols - use windows Group Policies to administer Windows systems - make sure that remote access connections are secure - automate administration as much as possible

A useful document will:

- easy to use - include enough detail - document important things - use timestamps - be protected with restricted access and possibly encryption - have a printed hard copy kept in a secure location

Common threat vectors include:

- email attachments - web pages with embedded scripts - browsers pop-ups - social manipulation - poor programming practices - unpatched operating systems or applications - outdated security mechanisms and encryption - breached physical security - unused applications and services on a system - enabled usb ports

Configuration management includes:

- establishing hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation - tracks and documents significant changes to the infrastructure - assesses the risk of implementing new processes, hardware or software - ensures that proper testing and approval processes are followed before changes are allowed

Installation and implementation involves:

- formal functional testing performed by users - all bugs, vulnerabilities, and risks should be evaluated and documented - user guides and operational manuals are created - certification, accreditation, and auditing are performed

System design identifies

- functional model - behavioral model - informational model

Examples of external threats

- hackers - fraud perpetrators - viruses

Examples of social engineering:

- impersonation - tailgating - spoofed emails - shoulder surfing

As you help a user with a computer problem, you notice she has written her pw on a note stuck to her monitor. You check the pw policy of your company and find that the following settings are currently required. Which of the following is the best action to take to make remembering pw easier so that she no longer has to write the password down? - Remove the complex pw requirement - Decrease the minimum pw length - Increase the account lockout clipping level - Increase the max pw age - Implement end-user training

- implement end-user training

In which phase of the system life cycle is software testing performed? - functional design analysis and planning - installation - software development and coding - system design specifications

- installation - software development and coding

Restrict user access by:

- limiting users to least privilege required for the users job - limit local admins to minimum - user regular user accounts for day2day work - use role-based access controls - don't let user install software - set account expirations - disable or remove accounts when a user leaves the organization

What is another name for a back door that was accidentally left in a product by the manufacture? - Security patch - root kit - maintenance hook - trojan horse

- maintenance hook

At a minimum, track each device owned by your organization :

- make/model number of device - device serial# - OS version - Date device was purchased and vendor - End-of-warranty date - Vendor support - Employee issued device

Examples of internal threats

- malicious acts such as theft, fraud or sabotage - intentional or unintentional actions that destroy or alter data - disclosing sensitive information through snooping or espionage

Update management process includes:

- patch all systems on a regular schedule - automate patching process - consider using Windows Server Update Services

Operations and maintenance involves

- patching and changes as application evolves over time - security functions should remain intact in order to efficiently respond to update requirements - security related patches and upgrades should be applied to a system as quickly as possible

What is the weakest point in an organizations security infrastructure? - People - Technology - Physical structure - Procedures

- people

Which of the following attacks tricks victims into providing confidential information through emails or websites that impersonate an online entity that the victim trusts? - Session hijacking - Man-in-the-middle - Adware - Phishing

- phishing

In which phase of the system life cycle is security integrated into the product? - installation - maintenance - software development - project initiation

- project initiation

Functional design involves

- project plan is developed - security activities and checkpoints identified - design doc is developed - limited resources are allocated - evaluation criteria is identified - framework of the application is designed

A smart phone was lost at the airport. There is no way to recover the device. Which of the following will ensure data confidentiality on the device? - TPM - GPS - Remote wipe - Screen lock

- remote wipe

Which of the following are example of social engineering? - Shoulder surfing - War dialing - port scanning - Dumpster diving

- shoulder surfing - dumpster diving

Which of the following program writing development modes is a method that allows for optimal control over coherence, security, accuracy, and comprehensibility? - clean room - waterfall planning - structured programming - object oriented programming

- structured programming

What is the primary purpose of forcing employees to take mandatory one-week minimum vacations every year? - To prevent the buildup of vacation time - To cut costs on travel - To test their knowledge of security - To check for evidence of fraud

- to check for evidence of fraud

Which of the following social engineering attacks use VOIP to gain sensitive info? - Tailgating - Masquerading - Vishing - Spear phishing

- vishing

Business Continuity Plan steps

1. Analysis 2. Solution Design 3. Implementation 4. Testing and organization acceptance 5. Maintenance

Security planning must include

1. Complying with legal and regulatory compliance issues. 2. Demonstrating ethical policies 3. Practicing due care in the development of policies and procedures. 4. Practicing due diligence by ensuring that approved security measures have been implemented and continue to be effective. 5. Implementing due process by adhering to laws regarding evidence and fairness to protect individuals rights.

Four steps of the prototype model

1. Definition of initial concept 2. Implementation of initial prototype 3. Refinement of prototype until functional 4. Complete and release the final version

Purpose of a PTA

1. Identify programs and systems that are privacy-sensitive 2. Demonstrate the inclusion of privacy considerations during the review of a program or system 3. Provide a record of the program or system and its privacy requirements at the DHS's Privacy Office 4. Demonstrate compliance with privacy laws and regulations

What are the three principles in employee management?

1. Least privilege 2. Separation of duties 3. Two-man control

An effective security policy must be:

1. Planned - Good security is the result of good planning 2. Maintained - must be constantly evaluated and modified as needs change 3. Used - improve security through user awareness

Application vulnerability life cycle

1. application is released 2. any bugs released in program are discovered by hackers 3. Hackers publish bugs and make them known to public 4. Vendors develop and release patches 5. Users install the patches to their system 6. Hackers continue to discover vulnerabilities

Threat vector

A path or means that an attacker can use to compromise the security of a system.

Software development life cycle

A systematic method for design, development, and change management used for software development and implementation of system and security projects. The primary purpose is to increase the quality of the software, both from a functional and security perspective.

When you inform an employee that they are being terminated, what is the most important activity?

A. Allowing them to collect their personal items B. Disabling their network access <---- C. Allowing them to complete their current work projects D. Giving them two weeks notice

What is a service level agreement (SLA)?

A. An agreement to support another company in the event of a crisis B. A contract with a legal entity to limit your asset loss liability. C. A contract with an ISP for a specific level of bandwidth D. A guarantee of a specific level of service <----

In business continuity planning, what is the primary focus of the scope? A. Business processes B. Company assets C. Human Life and safety D. Recovery time objective

A. Business processes

Which of the following is defined as a contract that prescribes the technical support or business parameters a provider will bestow to its client?

A. Certificate practice statement B. Service Level Agreement <------ C. Final Audit Report D. Mutual Aid Agreement

A SLA defines the relationship and contractual responsibilities of providers and service recipients. Which of the following characteristics are most important when designing an SLA?

A. Clear and detailed descriptions of penalties if the level of service is not provided. <---- B. Employee vetting procedures that don't apply to contract labor. C. Detailed provider responsibilities for all continuity and disaster recovery mechanisms. <---- D. Industry standard templates for all SLAs to ensure corporate compliance.

You have a set of DVD-RW discs that have been used to archive files for your latest development project. You need to dispose of the discs. Which of the following methods should you use to best prevent extracting data from the discs?

A. Delete the data on the disks B. Write junk data over the discs seven times C. Deguass the disks D. Shred the disks <----

Which of the following statements is true regarding risk analysis? A. Don't implement a countermeasure if the cost is greater than loss. B. The value of an asset is the worth of a resource to the organization excluding qualitative values. C. Exposure factor is the percent of the asset lost from an unsuccessful threat attack. D. Annualized Rate of Occurrence (ARO) identifies how often the successful threat attack will occur in a single year.

A. Don't implement a countermeasure if the cost is greater than loss. D. Annualized Rate of Occurrence (ARO) identifies how often the successful threat attack will occur in a single year.

Which of the following is the best protection against security violations?

A. Fortress mentality B. Bottom-up decision-making C. Monolithic security D. Defense-in-depth <----

Which of the following is a recommendation to use when a specific standard or procedure does not exist?

A. Guideline <---- B. Procedure C. Baseline D. Standard

Change control should be used to oversee and manage changes over what aspect of an organization?

A. IT hardware and software B. Personnel and policies C. Physical environment D. Every Aspect <-----

Which of the following best describes the concept of due care or due diligence?

A. Legal disclaimers are consistently and conspicuously displayed on all systems B. Security through obscurity is best accomplished by port stealthing C. Availability supersedes security unless physical harm is likely D. Reasonable precautions based on industry best practices are utilized and documented. <----

When is a BCP or DRP design and development actually completed? A. Never B. Only after implementation C. Once senior management approves D. Only after testing and drilling

A. Never

HIPAA is a set of federal regulations that define security guidelines. What do HIPAA guidelines protect?

A. Privacy <---- B. Non-repudiation C. Availability D. Integrity

What is the most effective way to improve or enforce security in any environment?

A. Requiring two-factor authentication B. Providing user-awareness training <---- C. Enforcing account lockout D. Disabling Internet access

You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?

A. SLA B. Change management <---- C. Resource Allocation D. Acceptable use

What is the primary purpose of source code escrow?

A. To obtain resale rights over software after the vendor goes out of business B. To hold funds in reserve for unpredicted costs before paying the fees of the programmer C. To obtain change rights over software after the vendor goes out of business <---- D. To provide a backup copy of software to use for recovery in the event of a disaster

When would choosing to do nothing about an identified risk be acceptable? A. When the cost of protecting the asset is greater than the potential loss. B. When the asset is an intangible asset instead of a tangible asset. C. When the threat is likely to occur less than once per year. D. When the threat is most likely to come from an internal source instead of an external source.

A. When the cost of protecting the asset is greater than the potential loss.

You have conducted a risk analysis to protect a key company asset. You identify the following values: - Asset value = 400 - Exposure factor = 75 - Annualized rate of occurrence = .25 What is the ALE?

AV x EF x ARO = 75 or 400 x %75 x %25 = 75

What is the average number of times that a specific risk is likely to be realized in a single year? A. Exposure Factor B. Annualized rate of occurrence C. Estimated maximum downtime D. Annualized loss expectancy

B. Annualized rate of occurrence

Which type of data loss prevention system can be configured to block unauthorized email messages from being sent and, therefore, being subject to email retention rules? A. Chinese wall B. Endpoint DLP C. Network DLP D. File-level DLP

B. Endpoint DLP

When recovering from a disaster, which services should you stabilize first? A. Least business critical B. Mission-critical C. Financial support D. Outside communications

B. Mission critical

Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there are still some risk left. What is the remaining risk called? A. Risk B. Residual Risk C. Exposure D. Loss

B. Residual Risk

Which of the following best defines Single Loss Expectancy (SLE)? A. The monetary value of a single employee's loss of productivity due to a successful attack B. The total monetary loss associated with a single occurrence of a threat C. The total cost of all countermeasures associated with protecting against a given vulnerability D. The statistical probability of a malicious event

B. The total monetary loss associated with a single occurrence of a threat.

When conducting a risk assessment, how is the ARO calculated? A. Divide the static variable by the probability index B. Through historical data provided by insurance companies and crime statistics C. Multiply the SLE by the standard annual deviation D. Multiply the SLE by the ALE

B. Through historical data provided by insurance companies and crime statistics.

Purchasing insurance is what type of response to risk? A. Rejection B. Transference C. Acceptance D. Deployment of a countermeasure

B. Transference

Creates an agreement with a vendor to provide services on an ongoing basis

BPO

Specifies a preset discounted pricing structure

BPO

To determine the value of the company assets, an anonymous survey was used to collect the opinions of all senior and mid level managers. Which asset valuation method was used? A. Sensitivity vs. risk B. Asset clarification C. delphi method D. Comparitive

C. Delphi method

Which of the following is not an accepted countermeasure to strengthen a cryptosystem? A. Implement strong systems with redundant encipherment B. Use strong passwords C. Keep the cryptosystem a secret D. Implementing long key spaces

C. Keep the cryptosystem a secret

If an organization shows sufficient due care, which burden is eliminated in the event of a security attack? A. Asset loss B. Liability C. Negligence D. Investigation

C. Negligence

Implement the principle of least privilege

Control your network

As a BCP or DRP plan evolves over time, what is the most important task to perform when rolling out a new version of the plan? A. Obtain senior management approval B. Perform new awareness sessions C. Redefine all roles and responsibilities D. Collect and destroy all old plan copies

D. Collect and destroy all old plan copies

What is the primary goal of business continuity planning? A. Protecting an organization from major computer services failure B. Minimizing the organization's risk of service delays and interruptions C. Minimize decision-making during the developmental process D. Maintaining business operations with reduced or restricted infrastructure capabilities or resources

D. Maintaining business operations with reduced or restricted infrastructure capabilities or resources

Which type of Data Loss Prevention system is usually installed near the network perimeter to detect sensitive data that is being transmitted in violation of organizational security policies? A. File-Level DLP B. Chinese Wall C. Endpoint DLP D. Network DLP

D. Network DLP

Which of the following is not an appropriate response to a risk discovered during a risk analysis? A. Denial B. Assignment C. Mitigation D. Acceptance

Denial

Waterfall planning

Each phase contains a series of instructions that must be executed and documented before the next phase can begin.

Documents how the networks will be changed

ISA

Summarizes which party is responsible for performing specific tasks

MOU

Establish a baseline for all system

Manage your network

Establish an update management process

Manage your network

Create a list of all devices

Map your network

Create a list of all protocols being used on the network

Map your network

Disable VPN configs that allow partner access to your network

Off-boarding

Disable the domain trust relationship between networks

Off-boarding

Compare your organization's security policies with the partner's policies

Onboarding

Draft an ISA

Onboarding

Identify how privacy will be protected

Onboarding

Communicate vulnerability assessment findings with the other party

Ongoing operations

Conduct regular security audits

Ongoing operations

Use timestamps on all documents

Prepare to document

Hiring policies

Processes to follow before hiring: - employment, reference, education history checks - drug screening - background investigation or credit check

Identify the choke points on the network

Protect your network

Segregate and isolate networks

Protect your network

Make sure that remote access connections are secure

Reach your network

Remove insecure protocols

Reach your network

Eavesdropping

Refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.

Defines how disputes will be managed

SLA

Specifies exactly which services will be performed by each party

SLA

You have conducted a risk analysis to protect a key company asset. You identify the following values: - Asset value = 400 - Exposure factor = 75 - ARO = .25 What is the SLE?

SLE = 400 x %75 = 300

Quantitative value of risk equation

SLE x ARO = ALE This tells you how much a potential threat costs each year.

Attackers send emails with specific info about the victim that ask them to verify personal info or send money.

Spear phishing

You are a database administrator and the first responder for database attacks. You have decided to test one part of your current Business Continuity Plan (BCP) with two other database professionals. Which type of BCP test is this considered? - Complex exercise - Succession planning - Tabletop exercise - Medium exercise

Tabletop exercise

Organization security policy

a high level overview of the corporate security program - written by security professionals - identifies roles and responsibilities to support and maintain the elements of the security program - identifies what is acceptable and unacceptable regarding security management - identifies the rules and responsibilities of the enforcement of the policy

Medium exercise

a larger number of individuals get together and work through a larger scale simulation that incorporates many parts of the BCP.

Non-disclosure agreement (NDA)

a legal contract between the organization and the employee that specifies that the employee is not to disclose the organizations confidential or proprietary info to anyone outside the organization.

Countermeasure

a means of mitigating the potential risk.

Computer aided software engineering

a method of using computers to help with the systematic analysis, development, design, and implementation of software.

Spiral model

a mix of the waterfall and prototype model in which a prototype is developed and tested using the waterfall method. Considerations for improvements are implemented from the center outward.

Tangible asset

a physical item such as a computer, storage device, or document.

Manageable network plan

a process created by the NSA to assist in making a network manageable, defensible, and secure.

Succession planning

a process for identifying and developing internal people with the potential to fill key positions at some point in the future within an organization.

Guideline

a recommendation for use when a specific standard or procedure does not exist.

Regulation

a requirement published by a government or other licensing body that must be followed.

Intangible asset

a resource that has value and may be saleable even though it is not physical or material.

Asset

a resource that has value to an organization. - information, such as files or databases - infrastructure/physical devices such as routers, firewalls, bridges, and servers - support services for the information services

Code Of Ethics

a set of rules or standards that help you to act ethically in various situations.

Tabletop exercise

a small number of individuals get together and test just one part of the BCP. They typically work through a simple scenario and then analyze the plan to identify any changes that may be necessary.

Procedure

a step-by-step process that outlines how to implement a specific action.

Watering Hole

a targeted attack where the victim is a group like an organization, an industry, or a region.

Memorandum of agreement (MOA)

also known as Cooperative Agreement. It describes in detail what is required and expected of the employee and employer as a partnership relationship.

Blanket Purchase Order (BPO)

an agreement with a 3rd party vendor to provide services on an ongoing basis.

Spear phishing

an attack targeted at specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage or commit fraud.

Social engineering

an attack that exploits human nature by convincing someone to reveal information or perform an activity

Phishing

an email attack that uses a spoofed website to gain sensitive information.

Quantitative analysis

assigns real numbers to the costs of damages and countermeasures. It also assigns concrete probability percentages to risk occurrence.

Object Oriented Programming (OOP)

based on the organization of objects rather than actions. It uses pre-assembled programming code in a self contained module that encapsulates a segment of data and its processing instructions.

Risk Rejection

choosing not to respond to the risk even though the risk is not an acceptable level

Accepting risk

choosing to do nothing.

Health Insurance Portability and Accountability Act (HIPAA)

defines security guidelines that enforce the protection of privacy specifically medical records

Security Policy

defines the overall security goals and processes for an organization.

Prudent man rule

demonstrates that management has taken reasonable actions to ensure safety standards according to accepted best practices.

Clean desk policy

designed to prevent confidential information being left where it is easily accessible.

Security awareness

designed to: - familiarize employees with the security policy - communicate standards, procedures, and baselines that apply to an employee's job - facilitate employee ownership and recognition of security responsibilities - establish reporting procedures for suspected security violations - follow up and gather training metrics to validate employee compliance/organizations posture

Password policy

detail the requirements for passwords for the organization - same password should never be used for different systems - accounts should be disabled or locked after a specified amount of failed logins - should never contain words, slang, or acronyms - users should be required to change their passwords within a certain time frame - strong passwords

Asset valuation

determines the worth of that resource to that organization.

Baseline

dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.

Authorized access policy

documents access control to company resources and information

Interconnection Security Agreement (ISA)

documents how the information systems of each party in the relationship will be connected and how they will share data.

Employee agreements

documents that explicitly identify the terms and conditions of employment.

Data handling and classification policy

documents the security classification levels of info and the guidelines for handling each level of classified materials.

Annual Loss Expectancy (ALE)

estimates the annual loss resulting from an incident. For example, if you expect a successful attack every four years, the ALE for the incident would be 1/4 of the SLE.

External threat

events originating outside of the organization that typically focus on compromising the organization's information assets.

Natural events

events that may reasonably be expected to occur over time - fire - broken water pipe

Vishing

exploits VOIP telephone services to gain access to an individuals personal and financial information.

Virus Hoax

false reports about non-existent viruses that often claim to do impossible things.

Business Impact Analysis

focuses on the impact losses will have on the organization

Service Level Agreement (SLA)

guarantee the quality of a network service provider's care to a subscriber - mean time between failures - mean time to repair - turn-around times - average response times - number of online users - system utilization rates - system uptimes - volume of transactions - production problems

Standard Operating Procedure

help employees perform routine and often complex actions.

Password security policy

identifies an organization's requirements for strong password creation and security.

Annualized Rate of Occurrence (ARO)

identifies how often in a single year the successful threat attack will occur. ARO information is frequently obtained from insurance companies, law enforcement agencies, and computer incident monitoring organizations. For example, an ARO of 2 indicates that the incident is expected to occur twice a year, while an ARO of .25 means the incident is expected once every four years.

Disaster Recovery Plan

identifies short-term actions necessary to stop the incident and restore critical functions so the organization can continue to operate.

Acceptable Use policy

identifies the employees rights to use company property such as internet access and computer equipment for personal use.

Acceptable Use Policy

identifies the employees rights to use company property, such as internet access and computer equipment for personal use.

Asset identification

identifies the organization's resources

High cohesion

implies that the functions performed by a module are related and clearly defined

what is the primary purpose of imposing software life-cycle management concepts? - reduce product returns - increase interoperability - decrease development overhead - increase the quality of software

increase the quality of software

Low coupling

indicates that a module is not dependent on another module and that changes in the module will not require changes in another module

Internal threats

intentional or accidental acts by employees

Complex exercise

involves a very large number of individuals and a very realistic scenario that may involve full-scale practice exercises.

Ethics

is the concept and practice of behavior that builds and maintains responsibility and trust.

Residual risk

is the portion of risk that remains after the implementation of a countermeasure.

Risk deterrance

letting threat agents know of the consequences they face if they choose to attack the asset.

Shoulder surfing

looking over the shoulder of someone working on a computer

Disasters

major events that have significant impact on an organization. These disrupt production, damage assets, and compromise security. - tornadoes - hurricanes - floods

USA Patriot Act

mandates organizations to provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency.

Structured programming

method used by programmers that allows for optimal control over coherence, security, accuracy, and comprehensibility.

Resource Allocation Policy

outlines how resources are allocated. - staffing - technology - budgets

Privacy policy

outlines how the organization will secure private information for employees, clients, and customers. - Full name - Address - Telephone number - Driver's license - National Identification Number - Credit card numbers - email addresses

Employee monitoring agreement

outlines the organizations monitoring activities.

Email hoax

prey on email receipts who are fearful and will believe most information if it is presented in a professional manner.

Privacy Impact Assessment (PIA)

process that assists organizations in identifying and minimizing the privacy risks of new projects or policies

Termination policies

processes to be implemented when terminating employees: - network access/user accounts disabled immediately - exit interviews are conducted - employees are escorted at all times following termination - all company property is returned - appropriate documents are signed

Non-compete agreement

prohibits an employee from working for a competing organization for a specified time after the employee leaves the organization.

Physical security

protection of assets from physical threats - choosing a secure site and securing the facility - protecting both data and equipment from theft, destruction, compromise - implementing environmental and safety measures to protect personnel and the facility - disposing of sensitive material that is no longer needed

Configuration management policy

provides a structured approach to securing company assets and making changes.

Transferring risk

purchasing insurance to protect the asset

Employee management

reduces asset vulnerability from employees by implementing processes that include the following: - pre-employment processing - employee agreement docs - employee monitoring - termination procedures

Tailgating

refers to an attacker entering a secured building by following an authorized employee.

Impersonation

refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.

Change control

regulates changes to policies and practices that could impact security. 1. Identify the need for a change and submit it for approval 2. Conduct a feasibility analysis, including technical and budgetary considerations 3. Design the method for implementing the change 4. Implement the change 5. Test the implementation to make sure it conforms to the plan and that the change does not adversely affect CIA 6. Document the change 7. Analyze feedback

privacy threshold assessment (PTA)

required document that serves as the official determination by the Department of Homeland Security as to whether a department program or system has privacy implications and whether additional privacy compliance documentation is required, such as a Privacy Impact Assessment and System of Records Notice

Gramm-Leach-Bliley Act (GLBA)

requires all banks and financial institutions to implement the following: 1. Financial Privacy Rule - requires banks and financial institutions to alert customers to their policies and practices in disclosing customer information. 2. Safeguards Rule - requires banks and financial institutions to develop a written information security plan detailing how they plan to protect electronic and paper files containing personally identifiable financial information. 3. Pretexting Protection - requires banks and financial institutions to train their staff how to recognize social engineering exploits.

Children's Online Privacy Protection Act (COPPA)

requires online services or websites designed for children under the age of 13 to: - obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information - allow children's participation without the need to disclose more personal information than is reasonably necessary to participate.

Sarbanes-Oxley Act (SARBOX)

requires publicly traded companies to adhere to stringent reporting requirements and internal controls on electronic financial reporting systems. A key aspect of the law is the requirement for retaining copies of business records, including email, for a specified period of time.

Distributive Allocation

responds to the risk by spreading it through redundancy and high availability techniques such as clustering, load balancing, and storage arrays.

Collusion

situation in which multiple employees conspire to commit fraud or theft.

Least privilege

specifies that an employee is granted the minimum privileges required to perform duties of the position.

Two-man control

specifies that certain tasks should be dual-custody in nature to prevent a security breach.

Separation of duties

specifies that for any task in which vulnerabilities exist, steps within the task are assigned to different positions with different management.

Ownership of materials agreement

specifies the organization's ownership of intellectual property created by the employee during the employment period.

Attackers send unwanted and unsolicited text msgs to many people with the intent to sell products or services

spim

Exit interview cooperation agreement

stipulates the employee's consent to participate in an exit interview.

Whaling

targets senior executives and high-profile victims

Business continuity

the activity performed by an organization to ensure that critical business functions are available to customers, suppliers, regulators, and other entities that must have access to those functions.

Single Loss Expectancy (SLE)

the amount of loss expected for any single successful threat attack on any given asset. AV x EF = SLE

Employee management

the implementation of processes to ensure that employees play a major role in protecting company assets.

Risk

the likelihood of a vulnerability being exploited.

Threat probability

the likelihood that a particular threat will occur and exploits a specific vulnerability.

Security management

the overall security management vision for an organization as well as the ongoing implementation and maintenance of security

Exposure factor

the percentage of the asset loss because of a successful threat attack.

Risk assessment

the practice of determining which threats identified are relevant and pressing to the organization and then attaching a potential cost that can be expected if the threat occurs.

Risk Management

the process of identifying vulnerabilities and threats and then deciding which countermeasures will reduce those risks to an acceptable level.

Dumpster diving

the process of looking in the trash for sensitive information that has not been properly disposed of.

Loss

the real damage to an asset that reduces its confidentiality, integrity, or availability.

Fraud

the use of deception to divert company assets or profits to an employee.

Exposure

the vulnerability to losses from a threat agent

Prototype

type of iterative development that was made to combat the weaknesses of waterfall based models. In this model, a small segment of the code is prototyped.

Clean room model

used for the development of high-quality software. All levels of development are tested for bugs and defects with the goal of finding problems before they can mature.

Asset Classification

used to identify the appropriate value and protection levels. This can expedite the valuation process by grouping similar assets and comparing the valuation of different classifications.

Comparative valuation

uses a ranking based on an arbitrary scale that is compatible with the organization's industry.

Delphi

uses an anonymous survey to determine the value of an asset

Sensitivity vs. Risk chart

uses quadrants to qualify the value of an asset based on sensitivity and risk.

Qualitative analysis

uses scenarios to identify risks and responses, more speculative and results in relative costs or rankings.

Extreme programming model

values simplicity, feedback, courage, and communication. It simplifies planning to bring the entire team of developers, managers, and customers together so that adequate feedback and evaluations can be provided.

ad hoc

when the most qualified developers are given a project without a consistent team, funding, or schedule.