Tech 171 quiz 1
Phases of SDLC
1. Investigation 2. Analysis 3. Logical Design 4. Physical Design 5. Implementation 6. Maintenance and Change
Phases of SecSDLC
1. Investigation 2. Analysis 3. Logical Design 4. Physical Design 5. Implementation 6. Maintenance and Change
A famous study entitled "Protection Analysis: Final Report" was published in ____.
1978
____ is the predecessor to the Internet
ARPANET
The ____________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems
Analysis
An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________.
Asset
____ of information is the quality or state of being genuine or original
Authenticity
____________________ enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format.
Availability
The CNSS model of information security evolved from a concept developed by the computer security industry known as the ____________________ triangle.
CIA
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization
CISO
During the ____________________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers
Cold
A(n) _________________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
Community of Interest
The history of information security begins with the history of ____________________ security.
Computer
In an organization, the value of ____________________ of information is especially high when it involves personal information about employees, customers, or patients.
Confidentiality
Which of the following is a valid type of data ownership?
Data Users, Data Owners and Data Custodians
Which of the following is a valid type of role when it comes to data ownership
Data owners, custodians, and users
An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as __________.
DevOps
A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.
Direct
A(n) ____ attack is a hacker using a personal computer to break into a system
Direct
A(n) ____________________ information security policy outlines the implementation of a security program within the organization.
Enterprise
A breach of possession always results in a breach of confidentiality.
False
A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements.
False
A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information.
False
An e-mail virus involves sending an e-mail message with a modified field.
False
Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction.
False
Direct attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
False
E-mail spoofing involves sending an e-mail message with a harmful attachment
False
Hardware is often the most valuable asset possessed by an organization, and it is the main target of intentional attacks.
False
In general, protection is "the quality or state of being secure—to be free from danger."
False
Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects
False
Information security can be an absolute.
False
Key end users should be assigned to a developmental team, known as the united application development team.
False
Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse.
False
Network security focuses on the protection of the details of a particular operation or series of activities.
False
Policies are written instructions for accomplishing a specific task.
False
Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization.
False
SecOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles
False
The Analysis phase of the SDLC examines the event or plan that initiates the process and specifies the objectives, constraints, and scope of the project.
False
The Analysis phase of the SecSDLC begins with a directive from upper management
False
The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system.
False
The bottom-up approach to information security has a higher probability of success than the top-down approach
False
The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC).
False
The physical design is the blueprint for the desired solution
False
The possession of information is the quality or state of having value for some purpose or end
False
The water-ski model is a type of SDLC in which each phase of the process flows from the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
False
When a computer is the subject of an attack, it is the entity being attacked
False (Object)
MULTICS stands for Multiple Information and Computing Service.
False (multiplexed)
In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ____ value.
Hash
Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what steps are taken when an attack occurs.
Incident Response
The senior technology officer is typically the chief ____________________ officer.
Information
Information has ____________________ when it is whole, complete, and uncorrupted
Integrity
The six phases of the SDLC
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change
__________ was the first operating system to integrate security as one of its core functions.
MULTICS
Which of the following phases is the longest and most expensive phase of the systems development life cycle?
Maintenance and Change
A(n) ____________________ is a formal approach to solving a problem by means of a structured sequence of procedures.
Methodology
____ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
NSTISSI No. 4011
The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area ____________________.
Network
A computer is the ____________________ of an attack when it is the target entity.
Object
During the early years, information security was a straightforward process composed predominantly of ____________________ security and simple document classification schemes.
Physical
____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
Physical
During the ____ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.
Physical Design
The ____________________ of information is the quality or state of ownership or control of some object or item.
Possession
A frequently overlooked component of an IS, ____________________ are written instructions for accomplishing a specific task.
Procedures
The ____ is a methodology for the design and implementation of an information system in an organization.
SDLC
A variation of the SDLC that can be used to implement information security solutions in an organization with little or no formal security in place is the __________.
SecSDLC
Organizations are moving toward more ____-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.
Security
People with the primary responsibility for administering the systems that house the information used by the organization perform the role of ____.
Security Administrators
The ____________________ component of the IS comprises applications, operating systems, and assorted command utilities
Software
____________________ carries the lifeblood of information through an organization.
Software
An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization.
Software, Hardware, and Data
A computer is the ____ of an attack when it is used to conduct the attack.
Subject
A methodology and formal development strategy for the design and implementation of an information system is referred to as a __________.
System Development Life Cycle (SDLC)
The most successful kind of top-down approach involves a formal development strategy referred to as a ____.
Systems Development life cycle
In the ____________________ approach, the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action.
Top-Down
A breach of possession may not always result in a breach of confidentiality.
True
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.
True
A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas.
True
Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
True
During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
True
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
True
In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or useable.
True
Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach
True
Of the two approaches to information security implementation, the top-down approach has a higher probability of success.
True
Recently, many states have implemented legislation making certain computer-related activities illegal.
True
The investigation phase of the SDLC involves specification of the objectives, constraints, and scope of the project.
True
The investigation phase of the SecSDLC begins with a directive from upper management.
True
The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage.
True
The roles of information security professionals are aligned with the goals and mission of the information security community of interest.
True
The value of information comes from the characteristics it possesses
True
To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats
True
Using a methodology increases the probability of success
True
When unauthorized individuals or systems can view information, confidentiality is breached.
True
A type of SDLC in which each phase has results that flow into the next phase is called the __________ model
Waterfall
The ____ model consists of six general phases
Waterfall
hash value
a fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message
methodology
a formal approach to solving a problem based on a structural sequence of procedures
McCumber Cube
a graphical representation of the architectural approach widely used in computer and information security
community of interest
a group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives
bottom-up approach
a method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems
systems development life cycle (SDLC)
a methodology for the design and implementation of an information system
security systems development life cycle (SecSDLC)
a methodology for the design and implementation of security systems, based on the SDLC. Its phases mirror those of the SDLC and address the investigation, analysis, design, implementation, and maintenance of the organization's security program
top-down approach
a methodology of establishing security policies that is initiated by upper management
object
a passive entity in an information system that receives or contains information
operations security
a process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations
availability
a quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction
authenticity
a quality or state of information characterized by being genuine or original rather than reproduced or fabricated
champion
a senior executive who promotes a security project and ensures its support
exposure
a single instance of a system being open to damage
loss
a single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure
project team
a small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned
security professional
a specialist in the technical and nontechnical aspects of information security
threat agent
a specific instance or component that represents a danger to an organisation's asset. Threats can be accidental or purposeful, for example lightning strikes or hackers.
security
a state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure
RAND Report R-609
a study sponsored by the Department of Defense that attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system
network security
a subset of communication security; the protection of voice and data networking components, connections, and content
exploit
a technique used to compromise a system
waterfall model
a type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments
ARPANET
the network on which the Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications; the predecessor to the Internet
salami theft
aggregation of information used with criminal intent
computer security
all actions taken to preserve computer systems from losses
enterprise information security policy (EISP)
also known as the general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
attack
an act that takes advantage of a vulnerability to compromise a controlled system
subject
an active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes
subject of an attack
the entity that is used as an active tool to conduct an attack
phishing
an attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity
accuracy
an attribute of information in which the data is free of error and has the value that the user expects
utility
an attribute of information that describes how data has value or usefulness for an end purpose
availability
an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction
accuracy
an attribute of information that describes how data is free of errors and has the value that the user expects
confidentiality
an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems
integrity
an attribute of information that describes how data is whole, complete, uncorrupted
possession
an attribute of information that describes how the data's ownership or control is legitimate or authorized
chief information officer (CIO)
an executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing of and access to the organization's information
systems administrator
an individual responsible for administering an information system
risk assessment specialist
an individual who understands financial risk assessment techniques, the value of organizational assets, and security methods
security policy developer
an individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies
threat
an object, person, or other entity that represents a constant danger to an asset
Implementation Phase (SDLC)
any needed software, hardware, or components are purchased, received, and tested
software (IS component)
applications, operating systems, and command utilities. The most difficult IS component to secure
investigation phase (SecSDLC)
begins with a directive from upper management, dictating the processing, outcomes, and goals of the project, as well as the constraints placed on the activity.
Analysis phase (SDLC)
consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems
Logical design (SecSDLC)
develops the blueprint for security. Key policies are examined and implemented, and the incident response plan is developed
Analysis (SecSDLC)
documents from the investigation phase are studied, existing security is examined, threats are documented, and existing controls are assessed
MULTICS
the first operating system to integrate security as one of its core functions
team leader
for information security, a project manager who understands project management, personnel management, and technical requirements
CIA triangle
industry standard for computer security since the development of the mainframe, with three characteristics: confidentiality, integrity, and availability
The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.
information Security
maintenance and change phase (SDLC)
longest and most expensive phase. Consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle
maintenance and change phase (SecSDLC)
longest and most important phase, Adapt the security plan to new and evolving threats to maintain security
The protection of all communications media, technology, and content is known as ___________.
Communications security
file hashing
method for ensuring information validity. A file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value
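File hashing as described in this entry and in the earlier quiz question on hash values, as an added worked example that is not from the original page or the textbook it summarizes. The author side computes a fingerprint of the message, the recipient recomputes it locally and compares the two; flipping a single bit of the message changes the fingerprint entirely. The sample message, the shared key and the helper names are constructed for this example, and the keyed HMAC variant goes one step beyond the page's plain hash.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample "author's message" for the demo; not data from the page.
AUTHOR_MESSAGE = b"Quarterly risk register v3 - approved by the data owner.\n"


def hash_value(data: bytes, algorithm: str = "sha256") -> str:
    """Run the bytes through a hash algorithm and return the single large
    number it produces, rendered as a hex string (the 'fingerprint')."""
    digest = hashlib.new(algorithm)
    digest.update(data)
    return digest.hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """File hashing: read the file in chunks so large files need not be held
    in memory; the result equals hashing the whole byte string at once."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_fingerprint(received: bytes, published_hash: str, algorithm: str = "sha256") -> bool:
    """Recipient side: recompute the hash locally and compare it with the
    author's published fingerprint. compare_digest avoids leaking how many
    leading characters matched through timing differences."""
    local_hash = hash_value(received, algorithm)
    return hmac.compare_digest(local_hash, published_hash)


def keyed_fingerprint(data: bytes, key: bytes, algorithm: str = "sha256") -> str:
    """HMAC variant (an addition beyond the page's plain hash): with a key
    shared by author and recipient, an attacker who alters the message cannot
    simply recompute and republish a matching fingerprint."""
    return hmac.new(key, data, algorithm).hexdigest()


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Corrupt the message by flipping the lowest bit of one byte."""
    altered = bytearray(data)
    altered[byte_index] ^= 0x01
    return bytes(altered)


def file_hash_matches_bytes(content: bytes) -> bool:
    """Write content to a temporary file and confirm chunked file hashing
    agrees with hashing the same bytes in memory."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(content)
        return hash_file(path) == hash_value(content)
    finally:
        os.remove(path)


if __name__ == "__main__":
    published = hash_value(AUTHOR_MESSAGE)
    print("author's fingerprint  :", published)
    print("intact copy verifies  :", verify_fingerprint(AUTHOR_MESSAGE, published))
    tampered = flip_one_bit(AUTHOR_MESSAGE)
    print("one bit flipped       :", hash_value(tampered))
    print("tampered copy verifies:", verify_fingerprint(tampered, published))
```

A plain hash detects accidental corruption, but if the attacker who alters the file can also replace the published hash, the recipient learns nothing; that is why the fingerprint is either delivered over a separate trusted channel, keyed with a shared secret as in `keyed_fingerprint`, or signed.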
data custodians
people who are responsible for storage, maintenance, and protection of information
data owners
people who own the information and thus determine the level of classification for their data and approve its access authorization
data user
people who work with the information to perform their daily jobs and support the mission of the organization
During the __________ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases.
physical design
communication security
protection of all communication media, technology, and content
information security
protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy education, training and awareness, and technology
communications security
securing information in transit using tools such as cryptographic systems, as well as its associated media and technology
Organizations are moving toward more __________-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product
security
implementation phase (SecSDLC)
security solutions are acquired, tested, implemented, and tested again
physical design (SDLC)
specific technologies are selected to support the alternatives identified and evaluated in the logical design phase
end user
synonymous with data user. An individual who uses computer applications in their daily work.
security posture
synonymous with protection profile. The implementation of an organization's security policies, procedures, and programs
control
synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attacks, reduce risks, and resolve vulnerabilities
A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________.
systems development life cycle
physical design phase (SecSDLC)
technologies are chosen to support the blueprint from the logical design phase. The plan is presented to all involved parties
access
the ability to use, manipulate, modify, or affect an object
information system (IS) components
the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
c.i.a. triangle
the industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
logical design phase (SDLC)
the information gained from the analysis phase is used to begin creating a solution system for a business problem
object of an attack
the object or entity being attacked
asset
the organizational resource that is being protected. An asset can be logical, such as a Web site, software, information, or data, or physical, such as a person, computer system, hardware, or other tangible object
Investigation phase (SDLC)
the phase is used to outline the scope and goals of implementing a security system. It will also cover the budget, time frames, and feasibility of the system
risk
the probability that something unwanted will happen, such as an adverse event or loss
e-mail spoofing
the process of sending an email with a modified field. The modified field is often the address of the originator
information security
the protection of information and the systems and hardware that use, store, and transmit that information
physical security
the protection of physical items, objects, or areas from unauthorized access and misuse
possession
the quality or state of having ownership or control of some object or item
Risk Appetite & Risk Tolerance
the quantity and nature of risk that an organization is willing to accept
organizational culture
the specific social and political atmosphere within a given organization that determines the organization's procedures and policies and its willingness to adapt to changes
security
to be protected from adversaries, from those who would do harm, intentionally or otherwise
personnel security
the protection of the individuals or groups of individuals who are authorized to access the organization and its operations
chief information security officer (CISO)
typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO
vulnerability
weakness in a controlled system, where controls are not present or no longer effective
procedures
written instructions for accomplishing a specific task