Combined for test 1 ISEC
Baseline
A benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products
Terminal Access Controller Access control system plus (TACACS+)
A cisco proprietary remote access client/server protocol that provides authentication, authorization, and accounting
Birthday Attack
A cryptographic attack on hash collisions (different inputs that produce the same hash), so named after the surprisingly high probability of any two classroom students sharing a birthday
RTO - Recovery time objective
A defined metric for how long it must take to recover an IT system, application, and data access
Data classification standards
A definition of different data types with respect to security sensitivity
Authorizing official (AO)
A designated senior manager who reviews a certification report and makes the decision to approve the system for implementation
SQL injection
A form of web application attack in which a hacker submits SQL (structured query language) expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell
Risk Register
A list of identified risks that results from the risk identification process
Trojan horse
A malicious software that appears benign to the user but actually performs a task on behalf of a perpetrator with malicious intent
Software as a service (SaaS)
A model of software development or service where customers use applications on demand
Smurf attack
A network attack in which forged Internet control message protocol (ICMP) echo request packets are sent to IP broadcast addresses from remote locations to generate DoS attacks
Session hijack
A network attack in which the attacker attempts to take over an existing connection between two network computers
Netcat
A network utility program that reads from and writes to network connections
Firewall
A program or dedicated hardware device that inspects network traffic passing through it and denies or permits that traffic based on a set of rules you determine at configuration
need-to-know
A property that indicates that a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification
Security policy
A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements
Outsourcing Concerns
-privacy
-risk
-data security
-ownership
-adherence to policy
Documentation requirements:
-sensitive assets list
-the org's security process
-the authority of the persons responsible for security
-the policies, procedures, and guidelines adopted by the org
Data Classification Standard: Value
-the value to the organization
-the cost of replacement or loss
-the value to the competitors
-the value to the org's reputation
Gramm-Leach-Bliley Act (GLBA)
A U.S. federal law requiring banking and financial institutions to protect customers' private data and have proper security controls in place.
Health Insurance Portability and Accountability Act (HIPAA)
A US federal law requiring health care institutions and insurance providers to protect patients' private data and have proper security controls in place
Family Educational Rights and Privacy Act (FERPA)
A US federal law that protects the private data of students, including their transcripts and grades, with which K-12 and higher education institutions must comply
Federal Information Security Management Act (FISMA)
A US federal law that requires US government agencies to protect citizens' private data and have proper security controls in place
Which type of attack involves the creation of some deception in order to trick unsuspecting users?
Fabrication
Warm site
Facility with environmental utilities and basic computer hardware
Evil Twin
Faking an open or public wireless network to use a packet sniffer on any user who connects to it
True or False: A VPN router is a security appliance that is used to filter IP packets
False
True or False: A rootkit uses a directed broadcast to create a flood of network traffic for the victim computer.
False
True or False: Denial of service (DoS) attacks are larger in scope than Distributed Denial of Service (DDoS) attacks
False
True or False: Store-and-Forward communications should be used when you need to talk to someone immediately.
False
True or False: You should use easy-to-remember personal information to create secure passwords
False
True or False: Cryptography is the process of transforming data from cleartext to ciphertext.
False (Encryption, not Cryptography)
True or False: The anti-malware utility is one of the most popular backdoor tools in use today
False: Netcat
True or False: A phishing attack "poisons" a domain name on a domain name server.
False: Pharming
True or False: Vishing is a type of wireless network attack
False: Social Engineering attacks
True or False: User-based permission levels limit a person to executing certain functions and often enforces mutual exclusivity
False: Task-based
True or False: Bricks-and-mortar stores are completely obsolete now.
False: They have global reach
True or False: Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software
False: easy to replicate
What compliance regulation applies specifically to the educational records maintained by schools about students?
Family Educational Rights and Privacy Act (FERPA)
What do organizations expect to occur with the growth of the IoT?
Higher Risks
Which organization pursues standards for the IoT devices and is widely recognized as the authority for creating standards of the Internet?
Internet Society
Which IoT challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?
Interoperability
Four aspects of control
Identification, Authentication, Authorization, Accountability
Biba integrity model
Access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity; this prevents users from corrupting data at a higher level than what the user may have access to and helps ensure data integrity
ISO/IEC 27005, "Information Security Risk Management"
An ISO standard that describes information security risk management in a generic manner. The documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities, and security controls.
RFC 1087 "Ethics and the Internet"
An acceptable-use policy statement as issued by the Internet Advisory Board and the US Government defining ethics and the Internet
role-based access control (RBAC)
An access control method that bases access control approvals on the jobs the user is assigned
Memorandum of Understanding (MOU)
An agreement between two or more parties that expresses areas of common interests that result in shared actions
Blanket purchase agreement (BPA)
An agreement that defines a streamlined method of purchasing supplies or services
Masquerade attack
An attack in which one user or computer pretends to be another user or computer
Pharming
An attack that seeks to obtain personal or private financial information through domain spoofing
Distributed denial of service (DDoS)
An attack that uses ping or ICMP echo-request, echo-reply messages to bring down the availability of a server or system. DDoS attacks initiate from more than one host device
Denial of Service (DoS)
An attack that uses ping or ICMP echo-request, echo-reply messages to bring down the availability of a server or system. DoS attacks are usually sourced from a single host device.
asynchronous token
An authentication token used to process challenge-response authentication with a server. The token takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection.
Authority-level policy
An authorization method in which access resources are decided by the user's authority level
Security Assertion Markup language (SAML)
An open XML standard used for exchanging both authentication and authorization data.
Threat
Any action that could damage an asset
Mitigation
Any activities designed to reduce the severity of a vulnerability or remove it altogether
Degaussing
Applying a strong magnetic force to magnetic media to erase its contents; this usually makes the media unusable
Authentication, Authorization, and Accounting (AAA)
Core services provided by one or more central servers to help standardize access control for network resources
In Mobile IP, what term describes a device that would like to communicate with a mobile node (MN)?
Correspondent node (CN)
Challenge-Handshake Authentication Protocol (CHAP)
Decentralized authentication protocol that hashes passwords with a one-time challenge number to defeat eavesdropping and replay attacks
Accountability
Defining the roles, responsibilities, and what key IT security employees and incident response team members must do
Which type of denial of service attack exploits the existence of software flaws to disrupt a service?
Logic attack
Infrastructure as a service (IaaS)
Provides users with access to a physical or virtual machine. Users must select and load their own operating systems. They then manage all aspects of the machine, just as though it were a local computer.
Which formula is typically used to describe the components of information security?
Risk = Threat × Vulnerabilities
Earl is preparing a risk register for his organization's risk management program. Which data is LEAST likely to be included in a risk register?
Risk Survey results
Residual Risk
Risk that remains after you have installed counter measures and controls
Spim
Similar to spam of unsolicited messages, but through an instant messaging service rather than email
Cross-site request forgery (XSRF)
Similar to the XSS attack, an attacker provides script code that causes a trusted user who views the input script to send malicious commands to a web server
Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?
Simulation Test
SLE
Single loss expectancy
Malware
Software designed to infiltrate one or more target computers and follow an attacker's instructions
constrained user interface
Software that allows users to enter only specific information and perform only specific actions
Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?
Spim
Keystroke logger
Surveillance software or hardware that records to a log file every keystroke a user types; also known as a key logger
Remote Wiping
The ability to remotely wipe or delete data on a device or storage media
Compliance
The act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications and data
proactive change management
The act of initiating changes to avoid expected problems
Vishing
The act of performing a phishing attack by telephone in order to elicit personal information
Typosquatting
The act of registering and squatting a slightly wrong URL in hopes a user mistypes the intended URL
security kernel
The central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems
Security gap
The difference between the security controls in place and the controls needed to address all vulnerabilities
Principle of least privilege
The idea that users should be granted only the levels of permission they need in order to perform their duties
Certifier
The individual or team responsible for performing the security test and evaluation for the system. The certifier also prepares the report for the authorizing officer on the risk of operating the system
Care of Address (COA)
The local address for the MN when it connects to another network. The FA assigns the COA to the MN and sends it to the HA when the MN connects. In many cases, the COA is actually the FA address. The HA forwards any packets for the MN to the COA; the FA receives the packets and forwards them to the MN.
Impact
The magnitude of harm that could be caused by a threat exercising a vulnerability
Promiscuous Mode
The mode in which sniffers operate; it is non-intrusive and does not generate network traffic. This means that every data packet is captured and can be seen by the sniffer.
Organizational compliance
The organization must comply with its own policies, audits, culture and standards
What type of malicious software masquerades as legitimate software to entice the user to run it?
Trojan Horse
True or False: IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge
True
True or False: Networks, routers, and equipment require continuous monitoring and management to keep WAN service available
True
A security awareness program should address the requirements and expectations of your security policy
True
A senior manager or business-process owner should lead a change control committee
True
Fuzzing is the practice of providing random input to software to see how it handles unexpected data
True
The negotiation process and creation of agreements is one of the first steps in the business partner onboarding process
True
The process of managing all changes to computer and device configurations is called configuration management
True
The Red Book describes components of trusted network infrastructure
True
True or False: A Chinese wall security policy defines a barrier and develops a set of rules that makes sure no subject gets to objects on the other side of the wall
True
True or False: A birthday attack is a type of cryptographic attack that is used to make brute-force attack of one-way hashes easier.
True
True or False: A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.
True
True or False: A trusted operating system (TOS) provides features that satisfy specific government requirements for security.
True
True or False: An IT security policy framework is like an outline that identifies where security controls should be used
True
True or False: Authorization is the process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.
True
True or False: Bring your own device (BYOD) opens the door to considerable security risks
True
True or False: Cars that have Wi-Fi access and onboard computers require software patches and upgrades from the manufacturer.
True
True or False: Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it
True
True or False: Devices that combine the capabilities of mobile phones and personal digital assistants (PDAs) are commonly called smartphones
True
True or False: E-commerce systems and applications demand strict confidentiality, integrity, and availability (CIA) security controls.
True
True or False: Each 4G device has a unique Internet Protocol (IP) address and appears just like any other wired device on a network.
True
True or False: Encrypting the data within databases and storage devices gives an added layer of security
True
True or False: Failing to prevent an attack all but invites an attack
True
True or False: Hypertext Transfer Protocol (HTTP) is the communications protocol between web browsers and websites with data in cleartext.
True
True or False: IoT technology has a significant impact on developing economies, given that it can transform countries into e-commerce-ready nations
True
True or False: Metadata of IoT devices can be sold to companies seeking demographic marketing data about users and their spending habits
True
True or False: One of the first industries to adopt and widely use mobile applications was the healthcare industry
True
True or False: Organizations should start defining their IT security policy framework by defining an asset classification policy
True
True or False: Rootkits are malicious software programs designed to be hidden from normal methods of detection
True
True or False: The Director of IT security is generally in charge of ensuring that the Workstation Domain conforms to Policy
True
True or False: The Government Information Security Reform Act of 2000 focuses on management and evaluation of the security of unclassified and national security systems.
True
True or False: The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services
True
True or False: The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.
True
True or False: The system/application domain holds all the mission critical systems, applications, and data.
True
True or False: The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.
True
True or False: The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
True
True or False: Using a secure logon and authentication process is one of the six steps to prevent malware.
True
True or False: When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks
True
With proactive change management, management initiates the change to achieve a desired goal
True
With reactive change management, management responds to changes in the business environment
True
You should specify an off boarding process to follow when you terminate relationships with outsourced resources
True
Parallel Test
The same as a full-interruption test, except that processing does not stop at the primary site.
Controlling access: Accountability
Tracking or logging what authenticated and unauthenticated users do while accessing the system
True or False: A bricks-and-mortar strategy includes marketing and selling goods and services on the Internet
False: e-commerce
Kerberos
a computer network authentication protocol that allows nodes communicating over a nonsecure network to prove their identity to one another in a secure manner
multi-tenancy
a database feature that allows different groups of users to access the database without being able to access each other's data
synchronous token
a device used as a logon authenticator for remote users of a network
emergency operations group
a group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies
temporal isolation
a method of restricting resource access to specific periods of time. You may see temporal isolation more commonly described as time of day restrictions
Zero-day
a new and previously unknown attack for which there are no current specific defenses.
Whaling
a phishing attack that targets executive users or the most valuable employees, otherwise considered the "whale". Sometimes called spear phishing
CCTA Risk analysis and management method (CRAMM)
a risk analysis method developed by the UK government. Best suited for large organizations
worm
a self-replicating piece of malicious software that can spread from device to device
procedure
a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective
Waterfall model
a software development model that defines how development activities progress from one distinct phase to the next
event log
a software or application-generated record that some action has occurred
Collaboration
a software-based application like WebEx that supports audio conferencing and sharing of documents for real-time discussions with team members or colleagues
ARP poisoning
a spoofing attack in which the attacker spoofs the MAC address of a targeted device by sending false ARP resolution responses with a different MAC address
Interoperability
a term used to describe computers, devices, or applications that can be configured to work together
Vulnerability
a weakness that allows a threat to be realized or to have an effect on an asset
hardware configuration chart
an up-to-date map or layout of the configuration of the hardware components. Includes:
-as-built diagram of the network, to help plan the sequence of change and see the ripple effects it might generate
-copies of all software configurations, so that you can examine changes and updates planned for one device in terms of their impact on other devices
SLE - single loss expectancy
asset value * exposure factor = SLE
Bell-LaPadula model
an access control model that provides multilayered security for access to systems, applications, and data based on hierarchy
Cryptographic attack (hash)
an algorithm that converts a large amount of data to a single (long) number
Dictionary password attack
an attack method that takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password
Malicious Attack
an attack on a computer system or network asset that succeeds by exploiting a vulnerability in the system
passphrase
an authentication credential that is generally longer and more complex than a password. passphrases can also contain multiple words
continuous authentication
an authentication method in which a user is authenticated at multiple times or event intervals
two-factor authentication
an authentication method that uses two types of authentication credentials
white-hat hackers
an information security or network professional who uses various penetration test tools to uncover or fix vulnerabilities
System owner
refers to the person or group that manages the infrastructure
Exposure Factor (EF)
represents the percentage of the asset value that will be lost if an incident were to occur.
spyware
software that gathers user information through the user's Internet connection without the user's knowledge
threshold mechanism
some value that indicates a change from normal to abnormal behavior. In the case of failed logon attempts, a threshold of five means that when a user fails to log on five times, the action should be considered abnormal
Cyberattacker
someone that attacks a computer system or function
RPO - recovery point objective
the maximum acceptable level of data loss after a disaster
Data Classification Standard: Sensitivity
the measure of the effect that a breach of the integrity or the disclosure of information would have on the org. Measured by:
-liability or fines
-reputation
-credibility
-loss of market share
Data classification Standard: Criticality
the measure of the importance of information to the mission of the org.
mobile node (MN)
the mobile device that moves from one network to another. The MN has a fixed IP address regardless of the current network
Regulatory compliance
the organization must comply with laws and government regulation
Crossover error rate (CER)
the point where a biometric device's sensitivity produces false rejections and false acceptances at equal rates
likelihood
the probability that a potential vulnerability might be exercised within the construct of an associated threat environment
False Acceptance Rate (FAR)
the rate at which invalid subjects are accepted
The Orange Book talks about maintaining access control and confidentiality in a classified system
True
Organization for Economic Cooperation and Development (OECD)
-more than 30 countries
-goal is economic cooperation and growth
-eight privacy principles:
--an org should collect only what it needs
--an org should not share its information
--an org should keep its information up to date
--an org should use its information only for the purpose for which it was collected
--an org should properly destroy its information when no longer needed
Disclosure
1) Any instance of an unauthorized user accessing protected information
2) A reference, under HIPAA, to how a covered entity shares protected information with other organizations
SLC steps
1) Project initiation and planning
2) Functional requirements and definition
3) System design specification
4) Build (develop) and document
5) Acceptance testing
6) Implementation (transition to production)
7) Operations and maintenance
8) Disposal
Sequence of change control procedures:
1) Request
2) Impact assessment
3) Approval
4) Build/test
5) Implement
6) Monitor
The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?
13
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?
443
Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support the service?
80
syn flood
A DoS attack that fills up a computer's connection table by sending a flood of unacknowledged connection requests. Once the connection table fills up, the computer cannot respond to any new legitimate connection requests
Voice Over IP (VoIP)
A collection of communication protocols and technologies to deliver voice communications and sessions over IP networks
Gap Analysis
A comparison of security controls in place and the controls that are needed to address all identified threats
Cracker
A computer attacker who has hostile intent, possesses sophisticated skills, and may be interested in financial gain
Black-hat hacker
A computer attacker who tries to break IT security for the challenge and to prove technical prowess
Hacker
A computer expert who explores computing environments to gain knowledge
Gray-hat hacker
A computer hacker with average abilities who may one day become a black-hat hacker (wanna-be)
Wardialer
A computer program used to identify the phone numbers that can successfully make a connection with a computer modem
Service level agreement (SLA)
A contractual commitment by a service provider or support organization to its customers or users
public key infrastructure (PKI)
A general approach to handling encryption keys using trusted entities and digital certificates; the hardware, software, policies, and procedures to manage all aspects of digital certificates
Standard
A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization
Mandatory Access Control (MAC)
A means of restricting access to an object based on the object's classification and the user's security clearance
discretionary access control (DAC)
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong
logical access control
A mechanism that limits access to computer systems and network resources
physical access control
A mechanism that regulates access to physical resources, such as buildings or rooms
Single sign-on (SSO)
A method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. SSO helps a user avoid having to logon multiple times and remember multiple passwords
agile development
A method of developing software that is based on small project iterations, or sprints, instead of long project schedules
Simulation Test
A method of testing a BCP or DRP in which a business interruption is simulated, and the response team responds as if the situation were real
System lifecycle
A method used in systems engineering to describe the phases of a system's existence, including: design, development, deployment, operation, and disposal.
Brute-force password attack
A method used to attempt to compromise logon and password access controls by attempting every combination. Brute-force password attacks usually follow a specific attack plan, including the use of social engineering to obtain user information
Compliance liaison
A person whose responsibility it is to ensure that employees are aware of and comply with an organization's security policies
script kiddie
A person with little or no skill who simply follows directions to carry out an attack without fully understanding the meaning of the steps performed
Business Continuity Plan - BCP
A plan for how to handle outages to IT systems, applications, and data access in order to maintain business operations
smart card
A plastic card with authentication credentials embedded in either a microchip or a magnetic strip on the card
Clean desk policy
A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation
DIAMETER
A popular centralized access control protocol that succeeded RADIUS and provides access control for stable and static workforces
Business Impact analysis - BIA
A prerequisite analysis for the BCP that prioritizes business operations and functions and their associated IT systems, applications, and data and the impact of an outage or downtime
guideline
A recommendation for how to use or how to purchase a product or system
Foreign Agent (FA)
A router with additional capabilities connected to another network (not the HA). The FA assigns the MN a local address. When the MN connects to another network that supports Mobile IP, it announces itself to the FA
Home Agent (HA)
A router with additional capabilities over standard routers. The HA keeps track of the MNs it manages. When an MN leaves the local network, the HA forwards packets to the MN's current network
Packet Sniffer
A software application that uses a hardware adapter card in promiscuous mode to capture all network packets sent across a network segment
Virus
A software program that attaches itself to or copies itself into another program for the purpose of causing the computer to follow instructions that were not intended by the original program developer
Adware
A software program that collects information about Internet usage and uses it to present targeted advertisements to users
Protocol Analyzer
A software program that enables a computer to monitor and capture network traffic, including passwords and data in cleartext.
Password cracker
A software program that performs one of two functions: brute-force password attack to gain unauthorized access to a system or recovery of passwords stored in a computer system
Payment Card Industry Data Security Standard (PCI DSS)
A standard, not a compliance regulation or law, for merchants and service providers regarding safeguarding the processing, storage, and transmission of cardholder data
Internet Engineering Task Force
A standards organization that develops and promotes Internet Standards
functional policy
A statement of an organization's management direction for security in such specific functional areas as email, remote access, and internet surfing
decentralized access control
A system that puts access control into the hands of people such as department managers who are closest to system users; there is no one centralized entity to process access requests in this system
Business-to-Business (B2B)
A term used to describe a business that builds online systems with links for conducting business-to-business transactions, usually for integrated supply-chain purchases and deliveries
Business-to-consumer (B2C)
A term used to describe an online storefront for consumers to purchase goods and services directly.
Metadata
A term used to refer to data about data
Internet of Things (IoT)
A term used to refer to the large number of networked devices that can now connect to the internet
Cookie
A text file sent from a website to a web browser to store for later use. Cookies contain details gleaned from visits to a website
Port Scanner
A tool used to scan IP host devices for open ports that have been enabled
spoofing
A type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource
Hijacking
A type of attack in which the attacker takes control of a session between two machines and masquerades as one of them
Social engineering
A type of attack that relies on persuading a person to reveal information
Phishing
A type of fraud in which an attacker attempts to trick the victim into providing private information
Rootkit
A type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised
trusted operating system (TOS)
A type of operating system that includes additional controls to address the additional security needs of systems that handle extremely sensitive information
Quantitative Risk Analysis
A type of risk assessment that assigns a numerical value, generally a cost value, to each risk, making risk impact comparisons more objective
Qualitative Risk Analysis
A type of risk assessment that describes risks and then ranks their relative potential impact on business operations
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset
Disaster Recovery plan - DRP
A written plan for how to handle major disasters or outages and recover mission critical systems, applications, and data
Address Resolution Protocol (ARP)
ARP is used to map an Internet Protocol (IP) address to a physical or MAC address
Acceptable Use Policy (AUP)
An organization-wide policy that defines what is allowed and disallowed regarding use of IT assets by employees and authorized contractors
Bring Your Own Device (BYOD)
An organizational policy of allowing or even encouraging employees, contractors, and others to connect their personal equipment to the corporate network; this offers cost savings but requires proper security controls, policies, and procedures
Backdoor
An undocumented and often unauthorized access method to a computer resource that bypasses normal access controls
Asset
Any item that has value to an organization or a person
Controlling Access: Identification
Assertions made by users about who they are
Brewer and Nash integrity model
Based on a mathematical theory published in 1989 to ensure fair competition. Dynamically changing access permissions.
Which password attack is typically used specifically against password files that contain cryptographic hashes?
Birthday attacks
Data owner
Classifying data is the duty of the person that owns the data.
Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?
Collaboration
Confidentiality, Availability, Integrity (CIA)
Confidentiality: the requirement to keep information private or safe. Integrity: the validity of information or data; data with high integrity has not been altered. Availability: a mathematical formula that quantifies the amount of uptime for a system compared to the amount of downtime
Which network device is capable of blocking network connections that are identified as potentially malicious?
Demilitarized Zone (DMZ)
Which risk is most effectively mitigated by an upstream Internet Service Provider (ISP)?
Distributed Denial of Service (DDoS)
What is the first step in a disaster recovery effort?
Ensure that everyone is safe
True or False: In the Remote Access Domain, if private data or confidential data is compromised remotely, you should set automatic blocking for attempted logon retries.
False: Apply first level and second level tokens and biometrics
True or False: Cryptography is the process of transforming data from cleartext into ciphertext
False: Encryption
True or False: A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.
False: Gap analysis
MAC address filtering
Firewall filtering rules that filter wireless network traffic by the MAC address
Which element of the security policy framework offers suggestions rather than mandatory actions?
Guideline
Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?
HIPAA
Which law governs the use of the IoT by healthcare providers, such as physicians and hospitals?
HIPAA
Which act governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals?
Health Insurance Portability and Accountability Act (HIPAA)
Annual Rate of Occurrence - ARO
How often a loss is likely to occur every year, also called likelihood.
Business Driver
Include people, information, financials, and performance goals that support business objectives
ownership
In authentication, this is something you have, such as a smart card, key, badge, or token
Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?
Integrity
Account-lockout policy
Many systems are configured to disable a user ID after a certain number of consecutive failed logon attempts.
Sprint
One of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other methods of developing software
Risk Survey
Organizations send lists of prepared questions to participants for input. A variety of people from different areas of the organization take the survey. The Delphi method is a specific type of survey in which responses are anonymized, shuffled, and sent back out to participants for comment.
Risk Management Guide for Information Technology Systems
Part of the Special Publication 800 series reports, these products provide detailed guidance on what you should consider in risk management and risk assessment in computer security. The reports include checklists, graphics, formulas, and references to U.S. regulatory issues.
Physical destruction
Physically destroying the media on which data are stored
Risk-response plan
Plan risk response (starting with the highest-priority risks); implement risk response; monitor and control risk response
Which element of the security policy framework requires approval from upper management and applies to the entire organization?
Policy
Remote Authentication Dial-In User Service (RADIUS)
Popular protocol, first introduced in the early 1990s, that supports remote user authentication for large numbers of users wishing to connect to central servers
PMBOK
Project Management Body of Knowledge - a collection of the knowledge and best practices of the project management profession
Which tool can capture the packets transmitted between systems over a network?
Protocol analyzer
Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?
Rule-based access control
Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used?
Standard
Opportunity Cost
The amount of money a company loses due to downtime, either intentional or unintentional
Downtime
The amount of time that an IT system, application, or data is not available to users
Phreaking
The art of exploring bugs and weaknesses that exist in the telephone system
Security administrator
The group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan
Controlling Access: Authorization
The permissions a legitimate user or process has on a system
cloud computing
The practice of using computing services that are hosted in a virtualized data center with remote access to the application and data
Government Information Security Reform Act of 2000
The precursor to FISMA; the Security Reform Act required US government agencies to have an information security program and perform periodic risk assessments, and made security awareness training mandatory for US government employees
Separation of Duties
The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task
Risk Management
The process of identifying, assessing, prioritizing, and addressing risks
Key distribution centers (KDCs)
The process of issuing keys to valid users of a cryptosystem so they can communicate
Change Control
The process of managing changes to computer/device configuration or application software
Configuration control
The process of managing the baseline settings of a system or device
Access Control
The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources
Annual Loss Expectancy - ALE
The product of the ARO and the SLE
Controlling Access: Authentication
The proving of the assertion made during identification
Unified Messaging
The storage of fax, email, and voice communications in a single location
Certification
The technical evaluation of a system to provide assurance that you have implemented the system correctly. Also, an official statement that attests that a person has satisfied specific requirements. Requirements often include possessing a certain level of experience, completing a course of study, and passing an examination
Store-and-Forward Communications
The technique of relaying communications between two or more users by intermediate storage. Delivery from sender to a central storage is immediate, but final transmission to the recipient depends upon availability and a request for the stored information.
Cross-site scripting (XSS)
This is an attack in which an attacker inputs client-side script code to a web application
Correspondent Node (CN)
This is the node that wants to communicate with the MN.
Full-Interruption test
This is the only complete test. They interrupt the primary data center and transfer processing capability to an alternate site.
Which term describes an action that can damage or compromise an asset?
Threat
Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?
Typosquatting
SPAM
Unwanted email or unsolicited messages
Positive Risk
Uses risk management
Negative risk
Uses risk management; Risk = Threat × Vulnerabilities
The Internet Society
Vision: The Internet is for everyone. Mission: To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.
Which of the following is an example of a hardware security control? a) Security Policy b) NTFS permission c) MAC filtering d) ID badge
d
Which of the following is an example of two-factor authentication? a) personal identification number (PIN) and password b) token and smart card c) password and security questions d) smart card and personal identification number (PIN)
d
Which of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries? a) Water supply management b) Agriculture c) Wastewater treatment d) E-commerce
d) e-commerce
De-identified data
data about an individual that contains no information that could be linked to a specific individual's identity
Chinese wall security policy
defines a wall, or barrier, and develops a set of rules that makes sure no subject gets to objects on the other side of the wall.
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
defines a risk-based strategic assessment and planning technique for security; it is a self-directed approach.
Classification process
determines how you handle classified data
Classification Scope
determines what data you should classify
Cold site
facility with basic environmental utilities but no infrastructure components. Least expensive, longest switchover time.
view-based access control
limiting users' access to database views, as opposed to allowing users to access data in database tables directly.
Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?
opportunity cost
wiping
overwriting data on the media to ready the media for reuse
Data ownership
personal data such as contacts, pictures, or emails are the intellectual property of the employee. Business emails and all attachments are the intellectual property of the organization.
Awareness
programs that remind staff about security policies; they can also measure how well the staff follows the policy
ticket-granting servers (TGSs)
provide a way to get more tickets for the same or other applications after the user is verified, so that step doesn't need to be repeated several times during the day. Tickets usually expire daily or after a few hours
Change control board
provides the oversight to protect the computing resources and the data contained within those applications and databases
Agile development
uses sprints, with a deliverable once a month or more frequently
remediation
the act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure
Espionage
the act of spying to obtain secret information, typically to aid another nation state.
Passive wiretap
the attacker does not make changes to the system
Accreditation
the formal agreement by the authorizing official to accept the risk of implementing the system
URL hijack
typosquatting
Logic Attack
use software flaws to crash or seriously hinder the performance of remote servers.