CYB 115
_________ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.
Risk
The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
acceptance
The SETA program is a control measure designed to reduce the instances of __________ security breaches by employees.
accidental
A(n) _________ is a document containing contact information for the people to be notified in the event of an incident.
alert roster
Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems.
control
The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________."
management
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
people
RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.
redundant
A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years.
strategic
Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered "National Security Information," __________ data is the lowest-level classification.
unclassified
Security __________ are the areas of trust within which users can freely communicate.
domains
The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________.
CBA
The ________is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
EISP
The __________ plan specifies the actions an organization can and should take while an adverse event is in progress. An adverse event could result in loss of an information asset or assets, but it does not currently threaten the viability of the entire organization.
IR
According to Bishop, what is the goal of the authentication system?
It is to ensure that entities are correctly identified.
_________ addresses are sometimes called electronic serial numbers or hardware addresses.
MAC
________ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
Managerial
__________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
Operational
__________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
Qualitative assessment
According to Bishop, what are the assumptions underlying effective biometric authentication systems.
1) The transmission from the biometric device to the computer's analysis process is tamperproof. 2) The biometric device is accurate in the environment in which it is used. (All of the above.)
According to Bishop, which of the following is a technique for thwarting Type 2 password attacks?
1) disabling 2) disconnection 3) jailing (All of the above)
According to NIST SP 800-14's security principles, security should ________.
1)support the mission of the organization 2)require a comprehensive and integrated approach 3)be cost-effective (All of the above)
The goals of information security governance include all but which of the following?
1) Strategic alignment of information security with business strategy to support organizational objectives 2) Risk management by executing appropriate measures to manage and mitigate threats to information resources 3) Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved 4)EXCEPT: Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
__________ is simply how often you expect a specific type of attack to occur.
ARO
__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Defense in depth
According to Bishop, nearly all passwords can eventually be guessed. What then is the goal of those trying to defend passwords from attack?
The goal is to maximize the time needed to guess the password.
According to Bishop, which of the following describes the role performed by complementation functions in an authentication system.
They perform the role of generating the complementary information from the authentication information
Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
appetite
Some people search trash and recycling bins—a practice known as _________—to retrieve information that could embarrass a company or compromise information security.
dumpster diving
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to __________.
identify and prioritize opportunities for improvement within the context of a continuous and repeatable process