CSCI 501 Quiz 6 REV
its important to identify risk....
-before they lead to an incident -before they lead to countermeasure and controls - on a continuous basis across the life of the product system or project -you can never reduce risk to zero. -you must identify the cost of risk handling methods. -in many cases small risk reduction have significantly high costs. -part of your job is to identify the tolerable risk levels and apply controls to reduce risks to that level. -you must focus must focus some risk management efforts on identifying new risk so you can manage them before a negative event occurs. part of this process includes continually reevaluating risks to make sure you have put the right countermeasure in place.
risk managment and information technology
-central concern in information security. -every action requires risk -attention to risk can mean success or failure in a business. -organizations can't solve every problem but should balance between utility and cost of various risk management options. - different organizations have different risk tolerances. -as security professional, you will work with others to identify risk and apply risk management solutions. -you must understand the true impact of risk -a succesful attack might result in immediate costs but also cause customers to go to competitor. -the true cost can be far higher than immediate cost to clean up. -you must help create and or maintain plan that makes sure your company continues to operate in the face of disruption.
emerging threats
-new technology -changes in the culture of the organization or enviroment -unauthorized use of technology -changes in regulations and laws -changes in business practices *proactive security professional watches for new threats that might trigger the need of new risk review. two most common are cloud and virtualization. as organizations are moving torwards outsourcing data and processing to cloud services providers they encounter new threats. the threats are related to internal and external virtualization.
risk response and recovery
-organizations are constantly changing -shareholder s exert new presures -organizations must main a supply chains connecting their suppliers and their customers. -stay competitive require organizations to shift personal, alter IT organizations and rearrange logistics. -any increase in risk. the structure of the organization must reflect the culture of the organization. -invest in cost effective plans to reduce risk
cloud threats
-violation of virtualization barriers - lack of access controls for outsource resources -reliability of cloud or virtualization services -cloud service provider lock in -insecure application program interfaces -malicious insiders -account hijacking
What file type is least likely to be impacted by a file infector virus?
.docx
What ISO security standard can help guide the creation of an organization's security policy?
27002
An IDS is what type of control? A. Detective control B. Preventive control C. Corrective control D. Compensating control E. All of the above
A
True
A personnel safety plan should include an escape plan. True/False?
Mantrap
A physical security control system that has a door at each end of a secure chamber.
Business Continuity Plan
A plan that contains the actions needed to keep critical business processes running after a disruption is called a __________.
Disaster Recovery Plan
A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a __________.
Which of the following statements apply to the definition of a computer virus? (Select 3 answers) A self-replicating computer program containing malicious segment Requires its host application to be run to make the virus active A standalone malicious computer program that replicates itself over a computer network Can run by itself without any interaction Attaches itself to an application program or other executable component A self-contained malicious program or code that does need a host to propagate itself
A self-replicating computer program containing malicious segment Requires its host application to be run to make the virus active Attaches itself to an application program or other executable component
Checklist test
A simple review of the plan by managers and the business continuity team to make sure that contact numbers are current and that the plan reflects the company's priorities and structure.
False
A smurf attack tricks users into providing logon information on what appears to be a legitimate Web site but is in fact a Web site set up by an attacker to obtain this information.
Sandbox
A strategy for separating programs and running them in their own virtual space.
False
A structured walk-through test is a review of a business continuity plan to ensure that contact numbers are current and that the plan reflects the company's priorities and structure. True/False?
True
A vulnerability is any exposure that could allow a threat to be realized. True or False?
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset
disaster
A(n) _________ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime.
A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a ________. A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. None of the above
A.
A vulnerability is any exposure that could allow a threat to be realized. A. True B. False
A.
An IDS is what type of control? A. Detective control B. Preventive control C. Corrective control D. Compensating control E. All of the above
A.
The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. A. True B. False
A.
What type of system is intentionally exposed to attackers in an attempt to lure them out? A. Honeypot B. Bastion host C. Web server D. Database server
A. Honeypot Explanation: Honeypots are sacrificial hosts and services deployed at the edges of a network to act as bait for potential hacking attacks. Typically, you configure these systems to appear real.
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered? A. Polymorphic virus B. Stealth virus C. Cross-platform virus D. Multipartite virus
A. Polymorphic virus: Other Virus Classifications Explanation: Polymorphic viruses include a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus. The virus exposes only the decryption routine for possible detection. It embeds the control portion of the virus in the decryption routine, which seizes control of the target system and decrypts the main body of the virus so that it can execute.
11. ________ attack countermeasures such as antivirus signature files or integrity databases. A. Retro viruses B. Stealth viruses C. Polymorphic viruses D. Slow viruses
A. Retro viruses
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged in to Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place? A. Session hijacking B. XML injection C. Cross-site scripting D. SQL injection
A. Session hijacking: How Can Attackers Attack Web Applications? Explanation: Session hijacking is an attack in which the attacker intercepts network messages between a web server and a web browser. It extracts one or more pieces of data, most commonly a session ID, and uses that to communicate with the web server. The attacker pretends to be an authorized user by taking over the authorized user's session.
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place? A. Spear phishing B. Pharming C. Adware D. Command injection
A. Spear phishing Explanation: This scenario is a classic example of a spear phishing attack, highly targeted at an individual and including information about the company.
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations? A. Whois B. Simple Network Management Protocol (SNMP) C. Ping D. Domain Name System (DNS)
A. Whois: DNS, ICMP, and Related Tools Explanation: Whois is a tool that provides information on domain registrations, including the registrar, name servers, and the name of the registering organization
6. A ________ is a virus that attacks and modifies executable programs (like COM, EXE, SYS, and DLL files). A. file infector B. system infector C. data infector D. stealth virus
A. file infector
8. A ________ is a type of virus that primarily infects executable programs. A. file infector B. system infector C. data infector D. program infector
A. file infector
13. Unexplained increases in bandwidth consumption, high volumes of inbound and outbound e-mail during normal activity periods, a sudden increase in e-mail server storage utilization (this may trigger alarm thresholds set to monitor and manage disk/user partition space), and an unexplained decrease in available disk space are all telltale symptoms of a ________. A. worm B. Trojan C. logic bomb D. DoS
A. worm
countermeasures
Action, device, procedure, technique or other measure that reduces the vulnerability of an information system.
Vulnerability
Adam is evaluating the security of a web server before it goes live. He believes that an issue in the code allows an SQL injection attack against the server. What term describes the issue that Adam discovered?
False
Adware is any unsolicited background process that installs itself on a user's computer and collects information about the user's browsing habits and Web site activities.
The incident-handling process includes which of the following?
All of the Above
Which of the following is an activity phase control?
All of the Above
Identify a drawback of log monitoring.
Amount of information.
Detective control
An IDS is what type of control?
True
Anomaly detection involves developing a network baseline profile of normal or acceptable activity, such as services or traffic patterns, and then measuring actual network traffic against this baseline.
Threat
Any action that could damage an asset
Incident
Any event that either violates or threatens to violate your security policy is known as a(n) __________.
Event
Any observable occurrence within a computer or network
In which OSI layer do you find FTP, HTTP, and other programs that end users interact with?
Application
Identify a security objective that adds value to a business.
Authorization
A plan that contains the actions needed to keep critical businesses processes running after a disruption is called a ___________________________. A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. None of the above
C
3. Which of the following is the definition of botnet? A. A botnet is a type of virus that primarily infects executable programs. B. A botnet consists of a network of compromised computers that attackers use to launch attacks and spread malware. C. A botnet is a type of virus that includes a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus. D. A botnet is a group of honeypots made to simulate a real live network, but isolated from it.
B. A botnet consists of a network of compromised computers that attackers use to launch attacks and spread malware.
24. Which of the following is the definition of logic bomb? A. A type of virus that infects other files and spreads in multiple ways. B. A program that executes a malicious function of some kind when it detects certain conditions. C. A type of virus that typically infects a data file and injects malicious macro commands. D. A type of virus that attacks document files containing embedded macro programming capabilities.
B. A program that executes a malicious function of some kind when it detects certain conditions.
16. _____________ are the main source of distributed denial of service (DDoS) attacks and spam. A. Logic bombs B. Botnets C. Stealth viruses D. Trojans
B. Botnets
What program, released in 2013, is an example of ransomware? A. BitLocker B. Crypt0L0cker C. FileVault D. CryptoVault
B. Crypt0L0cker: Ransomware Explanation: One of the first ransomware programs was Crypt0L0cker, which was released in 2013. With ransomware, the attacker generally alerts the users to the restrictions and demands a payment to restore full access. The demand for a payment, or ransom, gives this type of malware its name.
What is NOT one of the four main purposes of an attack? A. Denial of availability B. Data import C. Data modification D. Launch point
B. Data import: The Purpose of an Attack Explanation: The four main purposes of an attack are denial of availability, data modification, data export, and as a launch point.
Which type of virus targets computer hardware and software startup functions? A. Hardware infector B. System infector C. File infector D. Data infector
B. System infector: Virus Explanation: There are three primary types of viruses. System infectors target computer hardware and software startup functions. File infectors attack and modify executable programs (such as COM, EXE, SYS, and DLL files in Microsoft Windows). Data infectors attack document files containing embedded macro programming capabilities.
5. ________ are viruses that target computer hardware and software startup functions. A. File infectors B. System infectors C. Data infectors D. Stealth virus
B. System infectors
14. Unrecognized new processes running, startup messages indicating that new software has been (or is being) installed (registry updating), unresponsiveness of applications to normal commands, and unusual redirection of normal Web requests to unknown sites are all telltale symptoms of a ________. A. worm B. Trojan C. logic bomb D. DoS
B. Trojan
23. Another way that malicious code can threaten businesses is by using mass bulk e-mail (spam), spyware, persistence cookies, and the like, consuming computing resources and reducing user productivity. These are known as ________. A. attacks against confidentiality and privacy B. attacks against productivity and performance C. attacks against data integrity D. attacks that damage reputation
B. attacks against productivity and performance
1. Malicious code attacks all three information security properties. Malware can modify database records either immediately or over a period of time. This property is ________. A. confidentiality B. integrity C. availability D. security
B. integrity
20. Whether software or hardware based, a ____________ captures keystrokes, or user entries, and then forwards that information to the attacker. A. botnet B. keystroke logger C. file infector D. logic bomb
B. keystroke logger
7. A ____ enables the virus to take control and execute before the computer can load most protective measures. A. file infector B. system infector C. data infector D. program infector
B. system infector
What are the primary components of business continuity management (BCM)?
BCP and DRP
What determines the extent of the impact that a particular incident would have on a business operations over time?
BIA
Which of the following answers refers to an undocumented (and often legitimate) way of gaining access to a program, online service, or an entire computer system? Logic bomb Trojan horse Rootkit Backdoor
Backdoor
Which of the following type of program is also commonly referred as a Trojan horse?
Backdoor
When monitoring a system for anomalies, the system is measured against ___________.
Baseline
What are the types of penetration test?
Black Box, White Box, and Gray Box
A malware-infected networked host under remote control of a hacker is commonly referred to as: Trojan Worm Bot Honeypot
Bot
Which of the terms listed below applies to a collection of intermediary compromised systems that are used as a platform for a DDoS attack? Honeynet Botnet Quarantine network Malware
Botnet
Which access control model is based on a mathematical theory published in 1989 to ensure fair competition?
Brewer and Nash Integrity Model
What are the principles of the PCI DSS?
Build and maintain a secure network, Protect cardholder data, and Implementing strong access control measures.
A plan that ensures your company continues to operate in the face of adverse circumstances is called a ________.
Business continuity plan (BCP)
Risk that remains even after risk mitigation efforts have been implemented is known as ___________________________ risk. A. Qualitative B. Quantitative C. Residual D. None of the above
C
________________ is the limit of time that a business can survive without a particular critical system A. Recovery time objective (RTO) B. Critical business function (CBF) C. Maximum tolerable downtime (MTD) D. None of the above
C
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter? A. Virus B. Worm C. Trojan horse D. Logic bomb
C. Trojan horse: Trojan Horses Explanation: Trojans, or Trojan horse programs, are the largest class of malware. A Trojan is any program that masquerades as a useful program while hiding its malicious intent. The masquerading nature of a Trojan encourages users to download and run the program.
What is NOT a typical sign of virus activity on a system? A. Unexplained decrease in available disk space B. Unexpected error messages C. Unexpected power failures D. Sudden sluggishness of applications
C. Unexpected power failures: Evidence of Virus Code Activities Explanation: Unexpected power failures are normally a sign of some type of hardware problem and are not indicative of virus activity on a system.
22. One of the ways that malicious code can threaten businesses is by causing economic damage or loss due to the theft, destruction, or unauthorized manipulation of sensitive data. These are known as ________. A. attacks against confidentiality and privacy B. attacks against productivity and performance C. attacks against data integrity D. attacks that create legal liability
C. attacks against data integrity
2. Malicious code attacks all three information security properties. Malware can erase or overwrite files or inflict considerable damage to storage media. This property is ________. A. confidentiality B. integrity C. availability D. security
C. availability
4. What term is used to describe a type of virus that attacks document files containing embedded macro programming capabilities? A. file infector B. multipartite virus C. data infector D. logic bomb
C. data infector
15. A ___________ is a program that executes a malicious function of some kind when it detects certain conditions. A. worm B. Trojan C. logic bomb D. DoS
C. logic bomb
19. A ____________ tricks users into providing logon information on what appears to be a legitimate Web site but is in fact a Web site set up by an attacker to obtain this information. A. smurf attack B. DDoS attack C. phishing attack D. Trojan
C. phishing attack
What is the cipher that shifts each letter in the English alphabet a fixed number of positions, with Z wrapping back to A?
Caesar
Alison discovers that a system under her control has been infected with malware, which is using a key logger to report user keystrokes to a third party. What information security property is this malware attacking?
Confidentiality
What refers to the management of baseline settings for a system device?
Configuration control
Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block? A. Hypertext Transfer Protocol (HTTP) B. Transmission Control Protocol (TCP) C. Internet Control Message Protocol (ICMP) D. User Datagram Protocol (UDP)
C. Internet Control Message Protocol (ICMP): Smurf Attacks Explanation: In a smurf attack, attackers direct forged ICMP echo request packets to IP broadcast addresses from remote locations to generate denial of service (DoS) attacks.
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose? A. Ping B. Simple Network Management Protocol (SNMP) agent C. Nmap D. Remote Access Tool (RAT)
C. Nmap: Port-Scanning and Port-Mapping Tools
10. ________ include a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus. A. Retro viruses B. Stealth viruses C. Polymorphic viruses D. Multipartite viruses
C. Polymorphic viruses
What type of malicious software allows an attacker to remotely control a compromised computer? A. Worm B. Polymorphic virus C. Remote Access Tool (RAT) D. Armored virus
C. Remote Access Tool (RAT): Maintaining Access Using a Remote Administration Tool Explanation: RAT is a Trojan that, when executed, enables an attacker to remotely control and maintain access to a compromised computer.
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database? A. Cross-site scripting (XSS) B. XML injection C. SQL injection D. LDAP injection
C. SQL injection: Injection Explanation: An SQL code injection attacks applications that depend on data stored in databases. SQL statements are inserted into an input field and are executed by the application. SQL injection attacks allow attackers to disclose and modify data, violate data integrity, or even destroy data and manipulate the database server.
Any event that wither violates or threatens to violate your security policy is known as a(n) __________________________. A. Countermeasure B. Impact C. Risk D. Incident
D
Which of the following is an action that could damage an asset?
Threat
How to worms propagate to other systems?
Through the network service
Breanne's system was infected by malicious code after she installed an innocent-looking solitaire game that she downloaded from the Internet. What type of malware did she likely encounter?
Trojan Horse
A computer virus is an executable program that attaches to, or infects, other executable programs.
True
A successful denial of service (DoS) attack may create so much network congestion that authorized users cannot access network resources.
True
A type of software that performs unwanted and harmful actions in disguise of a legitimate and useful program is known as a Trojan horse. This type of malware may act like a legitimate program and have all the expected functionalities, but apart from that it will also contain a portion of malicious code that the user is unaware of. True False
True
A vulnerability is a flaw or weakness in your system security procedures, design, implementation, or internal controls.
True
A vulnerability is any exposure that could allow a threat to be realized. True or false?
True
ActiveX is used by developers to create active content
True
An electronic mail bomb is a form of malicious macro attack that typically involves an email attachment that contains macros designed to inflict maximum damage.
True
Attacks against confidentiality and privacy, data integrity, and availability of services are all ways malicious code can threaten businesses.
True
Backdoor programs are typically more dangerous than computer viruses.
True
Because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders do, they can place logic bombs more easily.
True
Defense in depth is the practice of layering defenses to increase overall security and provide more reaction time to respond to incidents.
True
It is common for rootkits to modify parts of the operating system to conceal traces of their presence.
True
The function of homepage hijacking is to change a browser's homepage to point to the attacker's site.
True
The goal of a command injection is to execute commands on a host operating system.
True
The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations.
True
The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. True or false?
True
The term "web defacement" refers to someone gaining unauthorized access to a web server and altering the index page of a site on the server.
True
Unlike viruses, worms do NOT require a host program in order to survive and replicate.
True
What is the weakness in a system that makes it possible for a threat to cause it harm?
Vulnerability
Maximum tolerable downtime (MTD)
What term describes the longest period of time that a business can survive without a particular critical system?
Which Type of Attacker intends to be helpful?
White-Hat Hacker
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating?
Whitelisting
What tool might be used by an attacker during the reconnaissance phase of an attack to glean information about domain registrations?
Whois
A standalone malicious computer program that typically propagates itself over a computer network to adversely affect system resources and network bandwidth is called: Spyware Worm Trojan Spam
Worm
Maximum Tolerable Downtime
__________ is the limit of time that a business can survive without a particular critical system.
Detective control
a control that detects when an action has occurred. Smoke detectors, log monitors, system audits.
Compensating controls
a control that is designed to address a threat in place of a preferred control that is too expensive or difficult to implement
Management control
a control that is designed to manage the risk process
Operational control
a control that operational personnel may implement and manage, such as physical security or incident response.
Preventive control
a control that stops an action before it occurs. Locked doors, firewall rules, user passwords
Proximity reader
a device able to sense a person's nearby token or access card without requiring physical contact
Redundant Array of Inexpensive Disks (RAID)
a disk set management technology that gains speed and fault tolerance. Can provide some protection against software or data compromises, such as virus infection.
Clustering
a logical division of data composed of one or more sectors on a hard drive.
Simulation test
a method of testing a BCP or DRP in which a business interruption is simulated, and the response team responds as if the situation were real
Service bureau
a service provider that has sufficient capacity to offer outsourced wholesale services to smaller customers.
Single point of failure (SPOF)
a single piece of hardware or software that must operate for the larger system or network to operate
Disruption
a sudden unplanned event
Which of the following is a type of authentication? a. By Ownership b. By Accountability c. By Prototype d. By Status
a. By Ownership
acceptance
accept a positive risk you take no steps to address it because the potential effect of the risk are positive and add value.
safeguards
address gaps or weaknesses in the control s that could otherwise lead to realized threat.
acceptance
allows organization to accept risk. organization knows the risk exist and has decided that the cost of reducing it is higher than the loss would be. this can include self insuring or using a deductible.
Mutual aid
an agreement between organizations able to help each other by relocating IT processing in time of need from disaster
Incident
an event tat results in violating your security policy, or poses an imminent threat to your security policy
Control
any mechanism or action that prevents, detects, or addresses an attack
transfer (transference/assignment)
approach allows to transfer the risk to another entity. insurance is a common way to reduce risk. an organization sells the risk to insurance company in return for a premium. other times you can reduce the risk to insulate an organization from excessive liability.
calculate asset value (AV)
asset can be tangible like buildings or intangible like reputation. first step is to determine the organizations assets and their values. asset value should consider the replacement value of equipment or systems. it should include factors such as loss of productivity.
elements of risk
assets, vulnerabilities and threats are elements of risk. -new threats emerge to add to existing ones. -as these factors change over time, risk changes as well. - you should perform risk reassessments to identify new or changed risk.
Quantitative risk assessment
assigns a numerical value, generally a cost value, to each risk, making risk impact comparisons more objective.
gaming consoles
computers that are optimized to handle graphics application efficently. today most are connect to the internet and are exposed to new threats. manufacturers do provide security patches but not all users are diligent about keeping their system updated.
Which of the following is a weakness of WLANs? a. WPA b. RF Shielding c. User Groups d. SSID Beaconing
d. SSID Beaconing
Reciprocal centers
data centers of businesses that do the same type of work but are not direct competitors and can be used as alternate processing sites in the case of a disaster.
avoid
deciding not to take the risk. company decides to not enter a line of business that has risk level is too high. with avoidance management decides that the potential loss to the company exceeds the potential value gained by continuing the risky activity.
Qualitative risk assessment
describes risks and then ranks their relative potential impact on business operations
quantitative risk assessment
dollar value on each risk. many risk values are difficult to measure. these include the reputation and availability of countermeasures. exact number can be difficult to determine especially if the cost of the impact of future events. are easier to automate than qualitative assessments. based on severity of the risk. a solid risk assessment uses both techniques. qualitative risk analysis gives you a better understanding of the overall impact a disruption will have as the effects ripple through the organization. it often leads to better
static environments
environments that do not change overtime after deployement
identify risks
first part of identifying risk is what could go wrong. answers include fires floods earthquake, lightning strike, loss of electricity or other utility, labor strikes and transportation unavailability.
Any event that either violates or threatens to violate your security policy is known as a(n) ________. A. Countermeasure B. Impact C. Risk D. Incident
D.
21. As of 2013, Cisco estimated that there were more than ________ devices connected to the Internet. A. 700 million B. 1.7 billion C. 3.5 billion D. 7 billion
D. 7 billion
Alison discovers that a system under her control has been infected with malware, which is using a keylogger to report user keystrokes to a third party. What information security property is this malware attacking? A. Integrity B. Availability C. Accounting D. Confidentiality
D. Confidentiality: Malicious Code and Activity Explanation: Malicious code attacks all three properties of information security. In this case, the keylogger is stealing information, which is a violation of confidentiality.
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered? A. SQL injection B. Command injection C. XML injection D. Cross-site scripting (XSS)
D. Cross-site scripting (XSS): Injection Explanation: XSS attacks allow attackers to embed client-side scripts into webpages that users view. When a user views a webpage with a script, the web browser runs the attacking script. These scripts can be used to bypass access controls. XSS effects can pose substantial security risks, depending on how sensitive the data are on the vulnerable site.
Annualized rate of occurrence (ARO)
how often a loss is likely to occur every year. the annualized loss expediency (ALE) is the product of this rate and the single loss expectancy (SLE). ALRE=AROxSLE
event
is a measurable occurance that has impact on the system.
incident
is any event that either violates or threatens to violate security policy. for example employee warehouse theft is an incident. incident are events that justify a countermeasure.
vulnerability
is any exposure that could allow a threat to be realized. some vulnerabilities are weaknesses and some are just side effects of other actions such as allowing employees to use their smart phone to connect to corporate network
threat
is something generally bad that might happen. a threat could be a tornado hitting your data center or an attacker stealing your database of customer data.
risk
is the likelihood that a particular threat will be realized againist a specific vulnerability. most risks lead to possible damage or negative results that could damage your organization. not all risk are inherently bad; some risks can lead to positive results. the extent of damage or even the positive effect from a threat determines the level of risk
Remote Journaling
method of recording transactions to a remote server in real time.
reduce (reduction/mitigation)
mitigate or reduce identified risks. these controls might be to administrative, technical, or physical. I.E adding antivirus software reduces the risk of computer infection
mobile devices
mobile operating system patches and upgrades are available and easy to apply but not all users update their devices. bad prior upgrade experiences may prevent users from applying needed patches. this can lead to threats to unpatched mobile endpoints.
monitor and control risk response
monitor and measure each risk response to ensure that it is performing as expected. include passive monitoring and logging as well as active testing to see how a control behaves.
assess risks
not all risk could face the same risks. they depend on location scenario. its important to determine which risk is the most important one.
qualitative risk assessment
ranks risk based on their probability of occurrence and impact on business operations. impact is the degree of effect a realized threat would pose. impact is expressed in low insignificant to high catastrophic values. can be fairly subjective but do help determine the most critical risks require input from people who work in different departments. allows us to understand the ripple effect.
impact
refers to the amount of harm a threat exploiting a vulnerability can cause. for example, if a virus could affect all the data on the system.
calculate the exposure factor (EF)
represents the percentage of asset value that will be lost if an incident is to occur. for example a car incident
Residual risk
risk that remains after you have installed countermeasures and controls
Load balancing
routing protocols that divide message traffic over two or more links
controls
safeguards and countermeasures
Activity phase controls
security controls that can be classified as either technical or administrative. Preventative controls, detective controls, or corrective controls
embedded systems
small computers that are contained in large devices. components are often enclosed in a chassis that houses the rest of the device. such device can include other hardware and mechanical parts. i.e robotic vacuum device contains an embedded system that controls movement. the embedded computer is not easily accessible and is difficult to update with security patches.
plan risk response
starting with the highest priority risk and exploring potential response for each one. with direction of your higher ups determine which one provides the best value.
Static environments
systems that do not change very much or at all after deployment
implementing risk response
take action to implement the chosen response to each risk from the previous step
Fault tolerance
the ability to encounter a fault, or error, of some type and still support critical operations
Succession planning
the act of planning who will step in if key personnel are incapacitated or unavailable.
Loss expectancy
the amount of money that is lost as a result of an IT asset failure
Total risk
the combined risk of all business assets
Redundancy
the feature of network design that ensures the existence of multiple pathways of communication. to avoid a single point of failure
mainframes
the large computers exist in primarly in large organization data centers. they handle large scale data processing and are expensive to maintain. downtime is expensive and discouraged. there aren't really oppertunities to apply security patches until a downtime window approaches.
Consortium agreement
the legal definition for how members of a group will interact
Incident response team
the members of the organization's security incident response team.
EMI shielding
the practice of using magnetic or conductive material to reduce the effect of outside electromagnetic interference (EMI) on sensitive electronic equipment
risk register
the result of the risk identification process is list of identified risk. -a description of the risk -the expected impact associated if the associated event occurs -the probability of the event occuring -steps to mitigate the risk -steps to take should the event occur -rank of the risk
Parallel tests
the same as full-interruption test, except that processing does not stop at the primary site.
17. In a __________, the attacker uses IP spoofing to send a large number of packets requesting connections to the victim computer. These appear to be legitimate but in fact reference a client system that is unable to respond. A. smurf attack B. phishing attack C. DoS attack D. SYN flood attack
D. SYN flood attack
12. ________ counter the ability of antivirus programs to detect changes in infected files. A. Retro viruses B. Stealth viruses C. Polymorphic viruses D. Slow viruses
D. Slow viruses
Val would like to limit the websites that her users visit to those on an approved list of pre-cleared sites. What type of approach is Val advocating? A. Blacklisting B. Context-based screening C. Packet filtering D. Whitelisting
D. Whitelisting: Staying Ahead of the Attackers Explanation: Whitelisting is maintaining a list of trusted sites. All messages and connection requests from sites not in the whitelist are ignored. Any site that you wish to use must be added to your whitelist before connections are allowed.
9. Malware developers often use _____________ to write boot record infectors. A. C programming language B. C++ programming language C. Java D. assembly language
D. assembly language
26. What term is used to describe a type of virus that includes a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus? A. multipartite virus B. data infector C. stealth virus D. polymorphic virus
D. polymorphic virus
18. In a _________, attackers direct forged Internet Control Message Protocol (ICMP) echo-request packets to IP broadcast addresses from remote locations to generate denial of service attacks. A. phishing attack B. SYN flood attack C. polymorphic virus D. smurf attack
D. smurf attack
27. What name is given to a type of virus that uses a number of techniques to conceal itself from the user or detection software? A. polymorphic virus B. data infector C. multipartite virus D. stealth virus
D. stealth virus
Identify an example of an access control formal model.
DAC
An AUP is part of a layered approach to security, and it supports confidentiality. What else supports confidentiality?
Data Classification Standards
What is NOT one of the four main purposes of an attack?
Data import
Identify a primary step of the SDLC.
Design
A plan that ensures your company recovers from a disaster is a ________.
Disaster recovery plan (DRP)
The incident-handling process includes which of the following? A. Documentation B. Response C. Notification D. Recovery and followup E. All of the above
E
True
Examples of major disruptions include extreme weather, application failure, and criminal activity. True/False?
A smurf attack tricks users into providing logon information on what appears to be a legitimate website but is in fact a website set up by an attacker to obtain this information.
False
A worm is a self-contained program that has to trick users into running it.
False
Retro viruses counter the ability of antivirus programs to detect changes in infected files.
False
Spyware does NOT use cookies.
False
System infectors are viruses that attack document files containing embedded macro programming capabilities.
False
The four primary types of malicious code attacks are unplanned attacks, planned attacks, direct attacks, and indirect attacks.
False
The process of describing a risk scenario and then determining the degree of impact that event would have on a business operations is quantitative risk. True or false?
False
The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis.
False
Trojans are self-contained programs designed to propagate from one host machine to another using the host's own network communications protocols.
False
What is NOT a common motivation for attackers?
Fear
US Organizations must comply with ___________.
Federal Laws and Laws of the States where they are located.
True
Fencing and mantraps are examples of physical controls. True/False?
What are the types of monitoring devices?
Firewall, IPS, and NIPS
corrective
Forensics and incident response are examples of __________ controls.
Which law requires all types of financial institutions to protect customers' private financial information?
GLBA
Which of the following is NOT a common type of data classification standard?
Guideline
Identify the compliance law that requires adherence to the minimum necessary rule.
HIPAA
What type of system is intentionally exposed to attackers in an attempt to lure them out?
Honeypot
What is something you would not expect to find on a large network?
Hub
Identify two phases of the access control process.
Identification and Authorization
SYN flood attack
In a __________, the attacker uses IP spoofing to send a large number of packets requesting connections to the victim computer. These appear to be legitimate but in fact reference a client system that is unable to respond.
An event that has a negative impact on operations is known as a(n) ________.
Incident
Yolanda would like to prevent attackers from using her network as a relay point for a smurf attack. What protocol should she block?
Internet Control Message Protocol (ICMP)
Which of the following answers lists an example of spyware? Keylogger Vulnerability scanner Computer worm Packet sniffer
Keylogger
2,000,000
Kim is the risk manager for a large organization. She is evaluating whether the organization should purchase a fire suppression system. She consulted a variety of subject matter experts and determined that there is a 1 percent chance that a fire will occur in a given year. If a fire occurred, it would likely cause $2 million in damage to the facility, which has a $10 million value. Given this scenario, what is the single loss expectancy (SLE)?
Identify an advantage of IPv6 over IPv4.
Larger address space
Identify one of the first computer viruses to appear in the world.
Lehigh
Malicious code activated by a specific event is called: Backdoor Logic bomb Dropper Retrovirus
Logic bomb
You log onto a network and are asked to present a combination of elements, such as username, password, token, smart card, or biometrics. This is an example of what?
Logical Access Controls
Integrity
Malicious code attacks all three information security properties. Malware can modify database records either immediately or over a period of time. This property is_______________
Harmful programs designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems are commonly referred to as: Adware Malware Ransomware Spyware
Malware
Assembly Language
Malware developers often use _____________ to write boot record infectors.
________ is the maximum time that a business can survive without a particular critical system.
Maximum tolerable downtime (MTD)
Identify the configuration that is best for networks with varying security levels, such general users, a group of users working on a secret research project, and a group of executives.
Multilayered Firewall
What helps you determine the appropriate access to classified data?
Need To Know
Which defense-in-depth layer involves the use of chokepoints?
Network
Brian would like to conduct a port scan against his systems to determine how they look from an attacker's viewpoint. What tool can he use for this purpose?
Nmap
Identify a security principle that can be satisfied with an asymmetric digital signature and not by a symmetric signature.
Nonrepudiation
attacks against data integrity
One of the ways that malicious code can threaten businesses is by causing economic damage or loss due to the theft, destruction, or unauthorized manipulation of sensitive data. These are known as ________.
Adam discovers a virus on his system that is using encryption to modify itself. The virus escapes detection by signature-based antivirus software. What type of virus has he discovered?
Polymorphic virus
Which type of Trojan enables unauthorized remote access to a compromised system? pcap RAT MaaS pfSense
RAT
What is an asymmetric encryption algorithm?
RSA
Malware that restricts access to a computer system by encrypting files or locking the entire system down until the user performs requested action is known as: Grayware Adware Ransomware Spyware
Ransomware
Which of the terms listed below refers to an example of a crypto-malware? Backdoor Ransomware Keylogger Rootkit
Ransomware
Identify the primary components of risk management.
Reduction, Avoidance, and Mitigation
Which of the following are primary categories of rules that most organizations must comply with?
Regulatory and Organizational
Which domain is primarily affected by weak endpoint security on a VPN client?
Remote Access Domain
What type of malicious software allows an attacker to remotely control a compromised computer?
Remote Access Tool (RAT)
Risk that remains even after risk-mitigation efforts have been implemented is known as ________ risk.
Residual
Which of the following terms refers to the likelihood of exposure to danger?
Risk
Residual
Risk that remains even after risk mitigation efforts have been implemented is known as __________ risk.
A collection of software tools used by a hacker to mask intrusion and obtain administrator-level access to a computer or computer network is known as: Rootkit Spyware Backdoor Trojan
Rootkit
What are the parts of a quantitative risk assessment?
SLE, ARO, and ALE
Identify the compliance law whose primary goal is to protect investors from financial fraud.
SOX Act
Bob is developing a web application that depends upon a database backend. What type of attack could a malicious individual use to send commands through his web application to the database?
SQL Injection
Which of the following is a process to verify policy compliance?
Security Audit
What does risk management directly affect?
Security Controls
What does a lapse in a security control or policy create?
Security Gap
Gwen is investigating an attack. An intruder managed to take over the identity of a user who was legitimately logged into Gwen's company's website by manipulating Hypertext Transfer Protocol (HTTP) headers. Which type of attack likely took place?
Session hijacking
What is adware? Unsolicited or undesired electronic messages Malicious program that sends copies of itself to other computers on the network Software that displays advertisements Malicious software that collects information about users without their knowledge
Software that displays advertisements
Safeguard
Something built-in or used in a system to address gaps or weaknesses in the controls that could otherwise lead to an exploit.
The CEO of Kelly's company recently fell victim to an attack. The attackers sent the CEO an email informing him that his company was being sued and he needed to view a subpoena at a court website. When visiting the website, malicious code was downloaded onto the CEO's computer. What type of attack took place?
Spear phishing
What is NOT a part of an ordinary IT security policy framework?
Specifications
Malicious software collecting information about users without their knowledge/consent is known as: Crypto-malware Adware Ransomware Spyware
Spyware
Which of the following is a detailed written definition of how software and hardware are to be used?
Standard
What are the primary types of computer attacks?
Structured, Direct, and Indirect
What is NOT a typical sign of virus activity on a system?
Sudden sluggishness of applications
Which type of virus targets computer hardware and software startup functions?
System Infectors
All of the above
The incident-handling process includes which of the following? ~Documentation ~Response ~Notification ~Recovery and followup ~All of the above
Risk
The likelihood that a threat will occur.
Impact
The magnitude of harm that could be caused by a threat exercising a vulnerability
Emergency operations center (EOC)
The place in which the recovery team will meet and work during a disaster
True
The primary steps to disaster recovery include the safety of individuals, containing the damage, and assessing the damage and beginning the recovery operations. True or False?
Likelihood
The probability that a potential vulnerability might be exercised within the construct of an associated threat environment.
False
The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis.
purpose of risk management
to identify possible problems before something bad happens. -early identification is important because it gives you the opportunity to manage those risks instead of just reacting to them.
vehicle systems
vehicles contain computing systems that monitor conditions provide connectivity to the internet, provide real time routing and even control of the vehicle's operation. systems tend to be very difficult to upgrade or patch due to effort required to take the vehicle to a service agent who can perform maintenance.
share
when you share a positive risk you use a third party to help capture the opportunity associated with that risk. i.e banding with another organization to purchase a group of workstation licenses enables both organization to take advantage of the buying them at reduce price by buying them in a bundle.
exploit
you take advantage of opportunity that arises when you respond to the risk. i.e suppose your organization develops training material for use within your organization to help address a specific risk. you might exploit the risk by packaging and marketing those training to other organizations.
A plan that details the steps to recover from a major disruption and restore the infrastructure necessary for normal business operations is a ___________________________. A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. None of the above
A
Risk register
A list of identified risks that results from the risk-identification process.
Countermeasure
A measure installed to counter or address a specific threat.
How does a standard differ from a compliance law?
A Law can require a standard to be met.
system infector
A ________ enables the virus to take control and execute before the computer can load most protective measures.
File Infector
A ________ is a virus that attacks and modifies executable programs (like COM, EXE, SYS, and DLL files).
logic bomb
A ___________ is a program that executes a malicious function of some kind when it detects certain conditions.
False
A business impact analysis (BIA) details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations. True/False?
Administrative control
A control involved in the process of developing and ensuring compliance with policy and procedures.
Technical control
A control that is carried out or managed by a computer system.
Corrective control
A control that mitigates or lessens the effects of the threat.
Deterrent control
A control that warns the user that completing a requested action could result in a violation or threat
What file type is least likely to be impacted by a file infector virus? A. .exe B. .docx C. .com D. .dll
B. .docx: File (Program) Infectors Explanation: The .docx file type is least likely to be impacted by a file infector virus. File infectors typically attack program files with .com or .exe file extensions.
The process of describing a risk scenario and then determining the degree of impact that event would have on business operations is quantitative risk analysis. A. True B. False
B.
25. What is meant by multipartite virus? A. A type of virus that typically infects a data file and injects malicious macro commands. B. A type of virus that uses a number of techniques to conceal itself from the user or detection software. C. A type of virus that infects other files and spreads in multiple ways. D. A type of virus that primarily infects executable programs.
C. A type of virus that infects other files and spreads in multiple ways.
A plan that contains the actions needed to keep critical business processes running after a disruption is called a ________. A. Disaster recovery plan (DRP) B. Business impact analysis (BIA) C. Business continuity plan (BCP) D. None of the above
C.
Risk that remains even after risk mitigation efforts have been implemented is known as ________ risk. A. Qualitative B. Quantitative C. Residual D. None of the above
C.
________ is the limit of time that a business can survive without a particular critical system. A. Recovery time objective (RTO) B. Critical business function (CBF) C. Maximum tolerable downtime (MTD) D. None of the above
C.
What ISO security standard can help guide the creation of an organization's security policy? A. 12333 B. 17259 C. 27002 D. 42053
C. 27002: Implementing Effective Software Best Practices Explanation: Consider implementing an ISO/IEC 27002-compliant security policy. ISO/IEC 27002 is the most widely recognized security standard
What is a mechanism for accomplishing confidentiality, integrity, authentication, and nonrepudiation?
Cryptography
What program, released in 2013, is an example of ransomware?
Crypt0L0cker
Larry recently viewed an auction listing on a website. As a result, his computer executed code that popped up a window that asked for his password. What type of attack has Larry likely encountered?
Cross-site scripting (XSS)
What is NOT a common motivation for attackers? A. Money B. Fame C. Revenge D. Fear
D. Fear: What Motivates Attackers? Explanation: The four main motivations for attackers are money, fame, a desire to impose political beliefs on others, and revenge.
The incident-handling process includes which of the following? A. Documentation B. Response C. Notification D. Recovery and follow up E. All of the above
E.