CYBR 3300 Final Review new
Constrained data item (CDI)
- Data item with protected integrity
Key distribution center (KDC)
- Generates and issues session keys
Steps In ISO 2700
1) Risk Assessment 2) Risk Treatment 3) Risk Acceptance 4) Risk Communication 5) Risk Monitoring and Review
Steps in Microsoft Risk Management Approach
1. Assessing risk 2. Conducting decision support 3. Implementing controls 4. Measuring program effectiveness
5 Components of COSO Framework
1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring
Authentication server (AS)
A Kerberos server that authenticates clients and servers
timing channels
A TCSEC-defined covert channel that communicates by managing the relative timing of events
storage channels
A TCSEC-defined covert channel that communicates by modifying a stored object, such as in steganography
electronic vaulting
A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections
database shadowing
A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations
configuration
A collection of components that make up a configuration item
software library
A collection of configuration items that is usually controlled and that developers use to construct revisions and issue new configuration items
False
A company striving for "best security practices" makes every effort to establish security program elements that meet every minimum standard in their industry.
Bell-LaPadula (BLP) confidentiality model
A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances
collusion
A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions
False
A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions is known as racketeering. __________
timeshare
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization
service bureau
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee
mutual agreement
A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster
rolling mobile site
A continuity strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer
symmetric encryption
A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message
asymmetric encryption
A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message
XOR cipher conversion
A cryptographic operation in which a bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream
transposition cipher
A cryptographic operation that involves simply rearranging the values within a block based on an established pattern
Bluetooth
A de facto industry standard for short-range wireless communications between wireless telephones and headsets, between PDAs and desktop computers, and between laptops.
Trusted Computer System Evaluation Criteria (TCSEC)
A deprecated (no longer used) DoD system certification and accreditation standard that defined the criteria for assessing the access controls in a computer system
alert message
A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process
after-action review (AAR)
A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery
application layer proxy firewall
A device capable of functioning both as a firewall and an application layer proxy server
bastion host
A device placed between an external, untrusted network and an internal, trusted network
proxy firewall
A device that provides both firewall and proxy services
wireless access point (WAP)
A device used to connect wireless networking users and their devices to the rest of the organization's network(s)
alert roster
A document that contains contact information for personnel to be notified in the event of an incident or disaster
warm site
A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications
cold site
A facility that provides only rudimentary services, with no computer hardware or peripherals
screened-host architecture
A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall
screened-subnet architecture
A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network
single bastion host architecture
A firewall architecture in which a single device performing firewall duties, such as packet filtering, serves as the only perimeter device providing protection between an organization's networks and the external network
deep packet inspection (DPI)
A firewall function that involves examining multiple protocol headers and even content of network traffic, all the way through the TCP/IP layers and including encrypted, compressed, or encoded data
dynamic packet filtering firewall
A firewall type that can react to network traffic and create or modify configuration rules to adapt
stateful packet inspection (SPI) firewall
A firewall type that keeps track of each network connection between internal and external systems using a state table, and that expedites the filtering of those communications
talk-through
A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization
hot site
A fully configured computing facility that includes all services, communications links, and physical plant operations
configuration item
A hardware or software item that will be modified and revised throughout its life cycle
standard of due care
A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or organization would under similar circumstances.
build list
A list of the versions of components that make up a build
total cost of ownership (TCO)
A measurement of the true cost of a device or application, which includes not only the purchase price, but annual maintenance or service agreements, the cost to train personnel to manage the device or application, the cost of systems administrators, and the cost to protect it
minor release
A minor revision of a version from its previous state.
honey net
A monitored network or network segment that contains multiple honeypot systems
port
A network channel or connection point in a data communications system
dual-homed host
A network configuration in which a device contains two network interfaces: one that is connected to the external network and one that is connected to the internal network
packet filtering firewall
A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules
security clearance
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access
passphrase
A plain-language phrase, typically longer than a password, from which a virtual password is derived
clipping level
A predefined assessment level that triggers a predetermined response when surpassed.
virtual private network (VPN)
A private, secure network operated over a public and insecure network
difference analysis
A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services)
InfoSec performance management
A process of designing, implementing, and managing the use of specific measurements to determine the effectiveness of the overall security program
cache server
A proxy server or application-level firewall that stores the most recently accessed information in its internal caches, minimizing the demand on internal servers
mandatory access control (MAC)
A required, structured data classification scheme that rates each collection of information as well as each user
mandatory vacation policy
A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility
True
A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility, is known as a mandatory vacation policy. __________
password
A secret word or combination of characters that only the user should know; used to authenticate the user
False
A security metric is an assessment of the performance of some action or process against which future performance is assessed. __________
proxy server
A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers
Wired Equivalent Privacy (WEP)
A set of protocols designed to provide a basic level of security protection to wireless networks and to prevent unauthorized access or eavesdropping. WEP is part of the IEEE 802.11 wireless networking standard
Wi-Fi Protected Access (WPA)
A set of protocols used to secure wireless networks; created by the Wi-Fi Alliance. Includes WPA and WPA2
penetration testing
A set of security tests and evaluations that simulate attacks by a hacker or other malicious external source
major release
A significant revision of a version from its previous state
build
A snapshot of a particular version of software assembled or linked from its component modules
content filter
A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network
monoalphabetic substitution
A substitution cipher that incorporates only a single alphabet in the encryption process
polyalphabetic substitution
A substitution cipher that incorporates two or more alphabets in the encryption process
state table
A tabular record of the state and context of each packet in a conversation between an internal and external user or system
business process
A task performed by an organization or one of its units in support of the organization's overall mission
port-address translation (PAT)
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network
network-address translation (NAT)
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address
metric
A term traditionally used to describe any detailed statistical analysis technique on performance, but now commonly synonymous with performance measurement
certificate authority (CA)
A third party that manages users' digital certificates and certifies their authenticity
war game
A type of rehearsal that seeks to realistically simulate the circumstances needed to thoroughly test a plan
lattice-based access control
A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects
False
A(n) credit check can uncover past criminal behavior or other information that suggests a potential for future misconduct or a vulnerability that might render a job candidate susceptible to coercion or blackmail. __________
Formula for Annualized loss expectancy
ALE = SLE X ARO
discretionary access controls (DACs)
Access controls that are implemented at the discretion or option of the data user
nondiscretionary controls
Access controls that are implemented by a central authority.
crossover error rate (CER)
Also called the equal error rate, the point at which the rate of false rejections equals the rate of false acceptances
application layer firewall
Also known as a layer seven firewall, a device capable of examining the application layer of network traffic (for example, HTTP, SMTP, FTP) and filtering based upon its header content rather than the traffic IP headers
cost-benefit analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization
anomaly-based IDPS
An IDPS that compares current data and traffic patterns to an established baseline of normalcy, looking for variance out of parameters. Also known as a behavior-based IDPS
signature-based IDPS
An IDPS that examines systems or network data in search of patterns that match known attack signatures. Also known as a knowledge-based IDPS
network-based IDPS (NIDPS)
An IDPS that resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks
host-based IDPS (HIDPS)
An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system
computer security incident response team (CSIRT)
An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident
Biba integrity model
An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels
incident
An adverse event that could result in a loss of information assets, but does not threaten the viability of the entire organization
honey pot
An application that entices individuals who are illegally perusing the internal areas of a network by providing simulated rich content areas while the software notifies the administrator of the intrusion
vulnerability scanner
An application that examines systems connected to networks and their network traffic to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers
configuration and change management (CCM)
An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation
intranet vulnerability assessment
An assessment approach designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network
platform security validation (PSV)
An assessment approach designed to find and document vulnerabilities that may be present because misconfigured systems are used within the organization
Internet vulnerability assessment
An assessment approach designed to find and document vulnerabilities that may be present in the organization's public network
wireless vulnerability assessment
An assessment approach designed to find and document vulnerabilities that may be present in the organization's wireless local area networks
baseline
An assessment of the performance of some action or process against which future performance is assessed.
baseline
An assessment of the performance of some action or process against which future performance is assessed; the first measurement (benchmark) in benchmarking
war driving
An attacker technique of moving through a geographic area or building, actively scanning for open or unsecured WAPs
benchmarking
An attempt to improve information security practices by comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate
dumb card
An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared
synchronous token
An authentication component in the form of a token (a card or key fob) that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication
asynchronous token
An authentication component in the form of a token (a card or key fob) that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication
smart card
An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN
Kerberos
An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises.
internal benchmarking
An effort to improve information security practices by comparing an organization's current efforts against its past efforts, or a desired target value, to identify trends in performance, areas of excellence, and areas in need of improvement
substitution cipher
An encryption method in which one value is substituted for another
adverse event
An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.
operational feasibility
An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution
political feasibility
An examination of how well a particular solution fits within the organization's political environment
organizational feasibility
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals
technical feasibility
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel
dumpster diving
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information
public key infrastructure (PKI)
An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates
demilitarized zone (DMZ)
An intermediate area between a trusted network and an untrusted network that restricts access to internal systems
Information Technology System Evaluation Criteria (ITSEC)
An international set of criteria for evaluating computer systems, very similar to TCSEC
Common Criteria for Information Technology Security Evaluation
An international standard (ISO/IEC 15408) for computer security certification that is considered the successor to TCSEC and ITSEC
business impact analysis (BIA)
An investigation and assessment of adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and its recovery priorities
business continuity (BC)
An organization's set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site
crisis management (CM)
An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster
disaster recovery (DR)
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster
incident response (IR)
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident
trap and trace applications
Applications that combine the function of honey pots or honey nets with the capability to track the attacker back through the network
Defense Risk Treatment
Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
Formula for Cost Benefit Analysis
CBA = ALE(precontrol) - ALE(postcontrol) - ACS
log files/logs
Collections of data stored by a system and used by administrators to audit systems performance and use both by authorized and unauthorized users
False
Collusion is the requirement that every employee be able to perform the work of at least one other employee. __________
Wander freely in and out of facilities.
Contract employees—or simply contractors—should not be allowed to do what?
Managerial Controls
Controls that cover security processes designed by strategic planners, integrated into the organization's management practices, and routinely used by security administrators to design, implement, and monitor other control systems
Operational Controls
Controls that deal with the operational functions of security that have been integrated into the repeatable processes of the organization
Technical Controls
Controls that support tactical portion of security program and that have been implemented as reactive mechanisms to deal with the immediate needs of the organization as it responds to the realities of the technical environment
Costs associated with treating a risk
- Cost of development or acquisition (hardware, software, and services)
- Training fees (cost to train personnel)
- Cost of implementation (installing, configuring, and testing hardware, software, and services)
- Service costs (vendor fees for maintenance and upgrades or from outsourcing the information asset's protection and/or insurance)
- Cost of maintenance (labor expense to verify and continually test, maintain, train, and update)
- Potential cost from the loss of the asset, either from removal of service (termination) or compromise by attack
benchmarking
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?
Unconstrained data item
Data not controlled by Clark-Wilson; non-validated input or any output
performance measurements
Data or the trends in data that may indicate the effectiveness of security countermeasures or controls, technical and managerial, implemented in the organization
False
Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as progress measurements. __________
In which technique does a group rate or rank a set of information, compile the result, and repeat until everyone is satisfied with the result?
Delphi
incident response procedures (IR procedures)
Detailed, step-by-step methods of preparing, detecting, reacting to, and recovering from an incident
Detective Controls
Detects or identifies an incident or threat when it occurs; for example, anti-malware software
slow-onset disasters
Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects
rapid-onset disasters
Disasters that occur suddenly, with little warning, taking people's lives and destroying the means of production. Examples include earthquakes, floods, storm winds, tornadoes, and mud flows
Deterrent Controls
Discourages or deters an incipient incident; an example would be signs that indicate video monitoring
signing the employment contract
Employees new to an organization should receive an extensive InfoSec briefing that includes all of the following EXCEPT:
performance evaluations
Employees pay close attention to job __________, and including InfoSec tasks in them will motivate employees to take more care when performing these tasks.
Directive Controls
Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization
digital signatures
Encrypted message components that can be mathematically proven to be authentic
Preventive Controls
Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls
consultants
Hired for specific tasks or projects
False
ISO 27001 certification is only available to companies that do business internationally.
Which international standard provides a structured methodology for evaluating threats to economic performance in an organization and was developed using the Australian/New Zealand standard AS/NZS 4260:2004 as a foundation?
ISO 3100
The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them?
Identification and definition of the current InfoSec program
Terminate the relationship with the individual and request that he or she be censured.
If a temporary worker (temp) violates a policy or causes a problem, what is the strongest action that the host organization can usually take, depending on the SLA?
transport mode
In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses
tunnel mode
In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet
single loss expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact). The SLE is the product of the asset's value and the exposure factor
annualized rate of occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
annualized loss expectancy (ALE)
In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
capabilities table
In a lattice-based access control, the row of attributes associated with a particular subject
agent
In an IDPS, a piece of software that resides on a system and reports back to a management server. Also referred to as a sensor
firewall
In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network
blueprint
In information security, a framework or security model customized to an organization, including implementation details
framework
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. Also known as a security model.
footprint
In wireless networking, the geographic area in which there is sufficient signal strength to make a network connection
heighten InfoSec awareness
Incorporating InfoSec components into periodic employee performance evaluations can __________.
number of systems and users of those systems
InfoSec measurements collected from production statistics depend greatly on which of the following factors?
COSO
Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
security event information management (SEIM) systems
Log management systems specifically tasked to collect log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, and reporting the data
the repeatability of measurement development, customization, collection, and reporting activities
NIST recommends the documentation of performance measurements in a standardized format to ensure ____________.
Unified Threat Management (UTM)
Networking devices categorized by their ability to perform the work of multiple devices, such as a stateful packet inspection firewall, network intrusion detection and prevention system, content filter, spam filter, and malware scanner and filter
SP 800-12, Rev. 1: An Introduction to Information Security (2017)
Newly revised after over 20 years, this document serves as a starting point for those with little to no background in InfoSec
Which alternative risk management methodology is the process promoted by the Computer Emergency Response Team (CERT) Coordination Center and has three variations for different organizational needs, including one known as ALLEGRO?
OCTAVE
True
One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. __________
effective security
One of the fundamental challenges in InfoSec performance measurement is defining what?
True
One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"
personally identifiable information (PII)
Organizations are required by privacy laws to protect sensitive or personal employee information, including __________.
Measurements must be useful for tracking non-compliance by internal personnel.
Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
False
Performance measurements are seldom required in today's regulated InfoSec environment.
Benchmarking doesn't help in determining the desired outcome of the security process.
Problems with benchmarking include all but which of the following?
Transformation procedure (TP)
Procedure that only allows changes to a constrained data item
Integrity verification procedure (IVP)
Procedure that scans data and confirms its integrity
Kerberos ticket granting service (TGS)
Provides tickets to clients who request services
digital certificates
Public key container files that allow PKI system components and end users to validate a public key and identify its owner
True
Recommended or best practices are those security efforts that seek to provide a superior level of performance in the protection of information. __________
Mitigation Risk Treatment
Reducing the impact to information assets should an attacker successfully exploit a vulnerability
Corrective
Remedies a circumstance or mitigates damage done during an incident
Termination Risk Treatment
Removing or discontinuing the information asset from the organization's operating environment
Compensating Controls
Resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks
Recovery Controls
Restores operating conditions back to normal; for example, data backup and recovery software
Which of the following is NOT a consideration when selecting recommended best practices? Threat environment is similar, resource expenditures are practical, organization structure is similar, same certification and accreditation agency or standard
Same certification and accreditation agency or standard
best security practices (BSPs)
Security efforts that are considered among the best in the industry
recommended practices
Security efforts that seek to provide a superior level of performance in the protection of information
Transference Risk Treatment
Shifting risks to other areas or to outside entities
False
Standardization is an attempt to improve information security practices by comparing an organization's efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. __________
What determines whether the organization already has or can acquire the technology necessary to implement and support the proposed treatment
Technical Feasibility
True
Temporary workers—often called temps—may not be subject to the contractual obligations or general policies that govern other employees.
structured walk-through
The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event
full-interruption testing
The CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals
desk check
The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components
simulation
The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred
rejection of the certification application based on lack of compliance or failure to remediate shortfalls
The ISO certification process takes approximately six to eight weeks and involves all of the following steps EXCEPT:
identification and definition of the current InfoSec program
The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them?
business resumption planning (BRP)
The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams
business continuity planning (BCP)
The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams
crisis management planning (CMP)
The actions taken by senior management to develop and implement the CM policy, plan, and response teams.
disaster recovery planning (DRP)
The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams
incident response planning (IRP)
The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team
contingency planning (CP)
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster
due diligence
The actions that demonstrate that an organization has made a valid effort to protect others and that the implemented standards continue to provide the required level of protection.
work recovery time (WRT)
The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered
remote journaling
The backup of data to an off-site facility in close to real time based on transactions as they occur
reduced employee turnover due to misinterpreted security policies and practices
The benefits of ISO certification to an organization's employees include all of the following EXCEPT:
increased opportunities for government contracts
The benefits of ISO certification to organizations include all of the following EXCEPT:
False
The biggest barrier to baselining in InfoSec is the fact that many organizations do not share information about their attacks with other organizations. __________
SP 800-53A, Rev. 4 (Rev. 5 currently in draft): Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (2014)
The companion guide to SP 800-53, Rev. 4 and the functional successor to SP 800-26: Security Self-Assessment Guide for Information Technology Systems, this SP provides a systems development life cycle (SDLC) approach to security assessment of information systems.
vulnerability assessment and remediation domain
The component of the maintenance model focused on identifying specific, documented vulnerabilities and remediating them in a timely fashion
external monitoring domain
The component of the maintenance model that focuses on evaluating external threats to the organization's information assets
planning and risk assessment domain
The component of the maintenance model that focuses on identifying and planning ongoing information security activities and identifying and managing risks introduced through IT information security projects
internal monitoring domain
The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.
least privilege
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary
performance measurements
The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.
revision date
The date associated with a particular version or build
virtual password
The derivative of a passphrase
business continuity plan (BC plan)
The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible
crisis management plan (CM plan)
The documented product of crisis management planning; a plan that shows the organization's intended efforts to protect its personnel and respond to safety threats
disaster recovery plan (DR plan)
The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster
incident response plan (IR plan)
The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident
cryptology
The field of science that encompasses cryptography and cryptanalysis.
cost avoidance
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident
intrusion detection and prevention system (IDPS)
The general term for a system with the capability both to detect and modify its configuration and environment to prevent intrusions
contingency planning management team (CPMT)
The group of senior managers and project members organized to conduct and lead all CP efforts
Diffie-Hellman key exchange method
The key agreement method that pioneered the hybrid approach: two parties use asymmetric (public) values to agree on a shared symmetric key over an insecure channel
incident detection
The identification and classification of an adverse event as an incident, accompanied by the CSIRT's notification and the implementation of the IR reaction phase.
crisis management planning team (CMPT)
The individuals from various functional areas of the organization assigned to develop and implement the CM plan
separation of duties
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them
standard of due care
The legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances
recovery time objective (RTO)
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the MTD
two-person control
The organization of a task or process such that it requires at least two individuals to work together to complete. Also known as dual control
apprehend and prosecute
The organizational CP philosophy that focuses on an attacker's identification and prosecution, the defense of information assets, and preventing recurrence
protect and forget
The organizational CP philosophy that focuses on the defense of information assets and preventing recurrence rather than the attacker's identification and prosecution.
footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization
recovery point objective (RPO)
The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data
business continuity policy (BC policy)
The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams
crisis management policy (CM policy)
The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams
disaster recovery policy (DR policy)
The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams
incident response policy (IR policy)
The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams
IP Security (IPSec)
The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including VPNs
need-to-know
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks
asset valuation
The process of assigning financial value or worth to each information asset
baselining
The process of establishing a baseline: recording the current value of a performance measure so that later measurements can be compared against it
disaster classification
The process of examining an adverse event or incident and determining whether it constitutes an actual disaster
incident classification
The process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident
vulnerability assessment (VA)
The process of identifying and documenting specific and provable flaws in the organization's information asset environment
cryptography
The process of making and using codes to secure information
cryptanalysis
The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption
nonrepudiation
The assurance that a message was sent by a specific sender and that the sender cannot later deny having sent it; in public key systems it is provided by a digital signature created with the sender's private key and verified with the sender's public key
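Added example, in Go, that is not part of the original review sheet: it shows the mechanism behind the nonrepudiation and digital certificate entries. The sender signs with a private key only they hold; anyone with the matching public key (normally obtained from a certificate that binds that key to the sender's identity) can verify. The message text and the second key pair used as a wrong verifier are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signedMessage pairs a message body with the sender's signature over it.
type signedMessage struct {
	Body []byte
	Sig  []byte
}

// sign produces a signature with the sender's private key. Only the holder
// of that key can create it, which is what makes later denial implausible.
func sign(priv ed25519.PrivateKey, body []byte) signedMessage {
	return signedMessage{Body: body, Sig: ed25519.Sign(priv, body)}
}

// verify checks the signature against the body with the sender's public key.
// Any change to the body, or the wrong key, makes verification fail.
func verify(pub ed25519.PublicKey, m signedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Sig)
}

// demo exercises three cases: the genuine message, the same signature over a
// tampered body, and a verifier holding a different party's public key.
func demo() (genuine, tampered, wrongKey bool, err error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample message (not from the page).
	m := sign(senderPriv, []byte("transfer 500 from acct 1001 to acct 2002"))
	genuine = verify(senderPub, m)

	altered := m
	altered.Body = []byte("transfer 5000 from acct 1001 to acct 2002")
	tampered = verify(senderPub, altered)

	wrongKey = verify(otherPub, m)
	return
}

func main() {
	g, t, w, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong-key=%v\n", g, t, w)
}
```

Note that a signature alone proves possession of the private key, not who holds it; the identity binding comes from the certificate, which is why the two entries belong together.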
remediation
The processes of removing or repairing flaws in information assets that cause a vulnerability or removing the risk associated with the vulnerability
false reject rate
The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device. This failure is also known as a Type I error or a false negative
false accept rate
The rate at which fraudulent users or non-users are allowed access to systems or areas as a result of a failure in the biometric device. This failure is also known as a Type II error or a false positive
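Added example, in Go, that is not part of the original review sheet: it computes the false accept and false reject rates above from a set of match scores and sweeps the acceptance threshold to find the point where the two rates cross (the crossover error rate). The genuine and impostor scores are constructed sample data for a hypothetical device, not measurements from any real product.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed sample match scores (0-100) from a hypothetical biometric
// device: one set from legitimate users, one from impostors.
var genuineScores = []float64{92, 88, 95, 81, 77, 90, 85, 69, 93, 87}
var impostorScores = []float64{40, 55, 62, 71, 35, 48, 66, 74, 58, 80}

// errorRates applies an accept-if-score>=threshold rule and returns the
// false accept rate (Type II: impostors let in) and the false reject rate
// (Type I: legitimate users turned away).
func errorRates(genuine, impostor []float64, threshold float64) (far, frr float64) {
	var accepted, rejected float64
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return accepted / float64(len(impostor)), rejected / float64(len(genuine))
}

// crossoverThreshold sweeps thresholds from lo to hi and returns the first
// one where FAR and FRR are closest. That operating point is the crossover
// error rate (CER), a common single figure of merit for a biometric system.
func crossoverThreshold(genuine, impostor []float64, lo, hi, step float64) (threshold, far, frr float64) {
	best := math.Inf(1)
	for t := lo; t <= hi; t += step {
		fa, fr := errorRates(genuine, impostor, t)
		if d := math.Abs(fa - fr); d < best {
			best, threshold, far, frr = d, t, fa, fr
		}
	}
	return
}

func main() {
	// Raising the threshold trades false accepts for false rejects.
	for _, t := range []float64{60, 70, 75, 85} {
		far, frr := errorRates(genuineScores, impostorScores, t)
		fmt.Printf("threshold %3.0f  FAR %.2f  FRR %.2f\n", t, far, frr)
	}
	t, far, frr := crossoverThreshold(genuineScores, impostorScores, 0, 100, 1)
	fmt.Printf("CER at threshold %.0f: FAR %.2f FRR %.2f\n", t, far, frr)
}
```

The sweep makes the trade-off visible: a strict threshold (85) admits no impostor but rejects three of ten legitimate users, a loose one (60) admits half the impostors. Which side to favour depends on whether the control protects a data centre door or a consumer phone.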
version
The recorded state of a particular revision of a software or hardware configuration item
task rotation
The requirement that all critical tasks can be performed by multiple individuals.
job rotation
The requirement that every employee be able to perform the work of at least one other employee
auditing
The review of a system's use to determine if misuse or malfeasance has occurred
access control
The selective method by which systems specify who may use a particular resource and how they may use it
trusted network
The system of networks inside the organization that contains its information assets and is under the organization's control
untrusted network
The system of networks outside the organization over which it has no control
fingerprinting
The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range
business continuity planning team (BCPT)
The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location
disaster recovery planning team (DRPT)
The team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters, including reestablishment of business operations at the primary site after the disaster
incident response planning team (IRPT)
The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents
maximum tolerable downtime (MTD)
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption
hybrid encryption system
The use of asymmetric encryption to exchange symmetric keys so that two (or more) organizations can conduct quick, efficient, secure communications based on symmetric encryption
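Added example, in Go, that is not part of the original review sheet; it illustrates both the Diffie-Hellman entry above and the hybrid encryption system entry. Two parties exchange only public values and each derives the same 256-bit symmetric key, which is what a hybrid system would then hand to a symmetric cipher for the bulk traffic. The group parameters are the 1024-bit MODP prime from RFC 2409 (Oakley Group 2) with generator 2; the party names and the range check on the peer's public value are this example's own additions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Group parameters: the 1024-bit MODP prime from RFC 2409 (Oakley Group 2),
// generator 2. Chosen to keep the listing short; current practice is a
// 2048-bit or larger group, or elliptic-curve Diffie-Hellman.
var groupP, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"+
		"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"+
		"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"+
		"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"+
		"FFFFFFFFFFFFFFFF", 16)
var groupG = big.NewInt(2)

// party is one side of the exchange.
type party struct {
	priv *big.Int // ephemeral secret exponent; never transmitted
	pub  *big.Int // g^priv mod p; sent in the clear
}

// newParty picks a random exponent in [2, p-2] and computes its public value.
func newParty() (*party, error) {
	bound := new(big.Int).Sub(groupP, big.NewInt(3)) // rand.Int yields [0, bound)
	x, err := rand.Int(rand.Reader, bound)
	if err != nil {
		return nil, err
	}
	x.Add(x, big.NewInt(2))
	return &party{priv: x, pub: new(big.Int).Exp(groupG, x, groupP)}, nil
}

// validPublic rejects peer values 0, 1 and p-1 (and anything out of range),
// which would force the shared secret to a value an attacker already knows.
func validPublic(y *big.Int) bool {
	two := big.NewInt(2)
	pMinus2 := new(big.Int).Sub(groupP, two)
	return y.Cmp(two) >= 0 && y.Cmp(pMinus2) <= 0
}

// sharedKey computes peerPub^priv mod p and hashes the fixed-width encoding
// into a 256-bit symmetric key. In a hybrid system this key, not the
// asymmetric values, protects the actual data.
func (a *party) sharedKey(peerPub *big.Int) ([32]byte, error) {
	if !validPublic(peerPub) {
		return [32]byte{}, errors.New("peer public value out of range")
	}
	secret := new(big.Int).Exp(peerPub, a.priv, groupP)
	buf := make([]byte, 128) // 1024 bits, fixed length before hashing
	secret.FillBytes(buf)
	return sha256.Sum256(buf), nil
}

// demoExchange runs the protocol between two parties. An eavesdropper sees
// p, g and both public values but neither exponent.
func demoExchange() (bool, error) {
	alice, err := newParty()
	if err != nil {
		return false, err
	}
	bob, err := newParty()
	if err != nil {
		return false, err
	}
	kAlice, err := alice.sharedKey(bob.pub) // Alice receives B = g^b
	if err != nil {
		return false, err
	}
	kBob, err := bob.sharedKey(alice.pub) // Bob receives A = g^a
	if err != nil {
		return false, err
	}
	return kAlice == kBob, nil
}

func main() {
	ok, err := demoExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("both sides derived the same key:", ok)
}
```

Plain Diffie-Hellman as shown here has no authentication: an active attacker in the middle can run two separate exchanges. Real protocols sign or certify the public values (which is where the digital certificate entry above comes in) before trusting the derived key.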
war driving
The use of mobile scanning techniques to identify open wireless access points
biometrics
The use of physiological characteristics to provide authentication for a provided identification.
SP 800-184: Guide for Cybersecurity Event Recovery (2016)
This SP extends the roles and responsibilities of those involved in incident response to include a tactical-to-strategic approach to the latter stages of IR, recovery and program improvement, involving management in the performance measures and continuous improvement administration of the IR program
SP 800-61, Rev. 2: Computer Security Incident Handling Guide (2012)
This SP provides a methodology and specific measures for responding to computer incidents. This SP also provides guidance on the development of policy and plans for designing and implementing an incident response (IR) program
SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View (2011)
This SP provides additional discussion of the higher-level functions associated with risk management.
SP 800-53, Rev. 4: Security and Privacy Controls in Federal Information Systems and Organizations (2013)
This SP provides detailed information on the NIST family of security controls and discusses the use of controls as part of planned baselines of varying rigor (low, moderate, and high)
SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)
This SP provides guidance on the development and implementation of a performance measurement program, including the selection of key performance measures related to information security, to support an organization's continuous improvement program
SP 800-100: Information Security Handbook: A Guide for Managers (2007)
This SP serves as the managerial tutorial equivalent of SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program
SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996)
This document describes recommended practices and provides information on commonly accepted InfoSec principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire InfoSec process
SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010)
This guide defines the seven-stage methodology for responding to an event requiring disaster recovery operations. The guide also provides an overview of business continuity strategies and methods.
SP 800-30, Rev. 1: Guide for Conducting Risk Assessments
This guide provides a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006)
This guide provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes. It serves as a guide for the security planning activities described later and for the overall InfoSec planning process
port scanners
Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information
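Added example, in Go, that is not part of the original review sheet; it ties together the footprinting, fingerprinting and port scanner entries. The program starts its own fake service on a loopback ephemeral port, then runs a TCP connect scan over a small range, records which ports complete a handshake, grabs the banner a service volunteers and maps it to a likely service name. The banner string and the port range are constructed for the example. Scan only hosts you are authorized to test; this one never leaves 127.0.0.1.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// startFakeService listens on a loopback ephemeral port and greets each client
// with a banner. It stands in for a real target so the scan stays on the host;
// the banner text is constructed for the example.
func startFakeService(banner string) (port int, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				fmt.Fprintf(c, "%s\r\n", banner)
			}(c)
		}
	}()
	return ln.Addr().(*net.TCPAddr).Port, func() { ln.Close() }, nil
}

type scanResult struct {
	Port   int
	Open   bool
	Banner string // first line the service sent, if any
}

// scanPort performs a TCP connect scan of one port. A completed handshake
// means "open"; if the service speaks first, its banner is captured for
// fingerprinting. Closed or filtered ports show up as not open.
func scanPort(host string, port int, timeout time.Duration) scanResult {
	c, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", host, port), timeout)
	if err != nil {
		return scanResult{Port: port}
	}
	defer c.Close()
	c.SetReadDeadline(time.Now().Add(timeout))
	line, _ := bufio.NewReader(c).ReadString('\n')
	return scanResult{Port: port, Open: true, Banner: strings.TrimSpace(line)}
}

// scanRange walks a port range sequentially and keeps only the open ports.
func scanRange(host string, from, to int, timeout time.Duration) []scanResult {
	var open []scanResult
	for p := from; p <= to; p++ {
		if r := scanPort(host, p, timeout); r.Open {
			open = append(open, r)
		}
	}
	return open
}

// guessService turns a banner into a likely service name. Real tools carry
// large signature databases; this covers two self-identifying protocols.
func guessService(banner string) string {
	switch {
	case strings.HasPrefix(banner, "SSH-"):
		return "ssh"
	case strings.HasPrefix(banner, "220 "):
		return "smtp or ftp"
	case banner == "":
		return "unknown (service waits for the client to speak)"
	}
	return "unknown"
}

func main() {
	port, stop, err := startFakeService("SSH-2.0-OpenSSH_9.6")
	if err != nil {
		panic(err)
	}
	defer stop()
	for _, r := range scanRange("127.0.0.1", port-2, port+2, 300*time.Millisecond) {
		fmt.Printf("%d/tcp open  banner=%q  guess=%s\n", r.Port, r.Banner, guessService(r.Banner))
	}
}
```

Defenders run the same logic against their own ranges to find services that should not be exposed; the difference between footprinting and fingerprinting is that the first produces the address list and the second produces this per-host service inventory.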
False
Two-person control is the requirement that all critical tasks can be performed by multiple individuals. _________
covert channels
Unauthorized or unintended methods of communications hidden inside a computer system
Acceptance Risk Treatment
Understanding the consequences of choosing to leave an information asset's vulnerability facing the current level of risk, but only after a formal evaluation and intentional acknowledgment of this decision
False
Using a practice called baselining, you are able to compare your organization's efforts to those of other organizations you feel are similar in size, structure, or industry.
due care and due diligence
What do you call the legal requirements that an organization must adopt a standard based on what a prudent organization should do, and then maintain that standard?
background check
When hiring security personnel, which of the following should be conducted before the organization extends an offer to any candidate, regardless of job level?
Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?
When the attacker's potential gain is less than the cost of attack: apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls
What is not a rule of thumb for selecting a risk treatment strategy?
When the likelihood of an attack is high and the impact is great - outsource security efforts so that any resulting loss is fiscally someone else's responsibility
political activism
Which of the following is NOT a common type of background check that may be performed on a potential employee?
same certification and accreditation agency or standard
Which of the following is NOT a consideration when selecting recommended best practices?
high level of employee buy-in
Which of the following is NOT a factor critical to the success of an information security performance program?
Identify relevant stakeholders and their interests in InfoSec measurement.
Which of the following is NOT a phase in the NIST InfoSec performance measures development process?
What effect will measurement collection have on efficiency?
Which of the following is NOT a question a CISO should be prepared to answer before beginning the process of designing, collecting, and using performance measurements, according to Kovacich?
Are the user accounts of former employees immediately removed on termination?
Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?
former employee's home computer must be audited
Which of the following is NOT a task that must be performed if an employee is terminated?
those that evaluate the frequency with which employees access internal security documents
Which of the following is NOT one of the types of InfoSec performance measures used by organizations?
legal liability
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
separation of duties
Which of the following policies makes it difficult for an individual to violate InfoSec and is quite useful in monitoring financial affairs?
job rotation
Which of the following policies requires that every employee be able to perform the work of at least one other staff member?
two-person control
Which of the following policies requires that two individuals review and approve each other's work before the task is considered complete?
performance management
Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?
reference monitor
Within the TCB, a conceptual piece of the system that manages access controls; in other words, it mediates all access to objects by subjects
temporary workers
Workers brought in by organizations to fill positions for a short time or to supplement the existing workforce.
contract employees
Workers hired to perform specific services for the organization.
contract employees
Workers typically hired to perform specific services for the organization and hired via a third-party organization are known as __________.
The Information Security Governance Framework
a managerial model provided by an industry working group, National Cyber Security Partnership
Content-dependent access controls
access to a specific set of information may be dependent on its content
Temporal (time-based) isolation
access to information is limited by a time-of-day constraint
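Added example, in Go, that is not part of the original review sheet: a small reference monitor that mediates every subject-to-object access and applies several of the controls defined on this sheet in one place: default-deny grants (need-to-know, least privilege), a content-dependent rule (salary data readable only by HR), a temporal isolation window, and an audit trail of every decision. The subjects, objects, grants and business hours are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

type Subject struct {
	Name string
	Role string
}

// Object carries tags describing its content; rules may depend on them.
type Object struct {
	Name string
	Tags map[string]string
}

type Decision struct {
	Allowed bool
	Reason  string
}

// ReferenceMonitor is the single choke point: every access goes through
// Check, which applies the policy and records an audit entry. Nothing in the
// system should be able to reach an Object without it.
type ReferenceMonitor struct {
	grants     map[string]map[string]bool // subject -> object -> granted
	openHour   int                        // temporal window [openHour, closeHour)
	closeHour  int
	auditTrail []string
}

func (rm *ReferenceMonitor) Check(s Subject, o Object, op string, now time.Time) Decision {
	d := rm.evaluate(s, o, op, now)
	rm.auditTrail = append(rm.auditTrail, fmt.Sprintf("%s %s %s %s allowed=%v (%s)",
		now.Format("2006-01-02 15:04"), s.Name, op, o.Name, d.Allowed, d.Reason))
	return d
}

func (rm *ReferenceMonitor) evaluate(s Subject, o Object, op string, now time.Time) Decision {
	// Temporal isolation: no access outside the window, whoever asks.
	if h := now.Hour(); h < rm.openHour || h >= rm.closeHour {
		return Decision{false, "outside access window"}
	}
	// Need-to-know / least privilege: an explicit grant is required (default deny).
	if !rm.grants[s.Name][o.Name] {
		return Decision{false, "no grant for this object"}
	}
	// Content-dependent control: salary content is readable only by HR,
	// even for subjects that hold a grant on the containing object.
	if o.Tags["contains"] == "salary" && s.Role != "HR" {
		return Decision{false, "content restricted to HR"}
	}
	// Least privilege on the operation: grants in this toy policy are read-only.
	if op != "read" {
		return Decision{false, "operation not permitted"}
	}
	return Decision{true, "ok"}
}

// newDemoMonitor builds a monitor with constructed grants and a 08:00-18:00 window.
func newDemoMonitor() *ReferenceMonitor {
	return &ReferenceMonitor{
		grants: map[string]map[string]bool{
			"alice": {"payroll": true, "wiki": true},
			"bob":   {"payroll": true, "wiki": true},
		},
		openHour: 8, closeHour: 18,
	}
}

func main() {
	rm := newDemoMonitor()
	alice := Subject{"alice", "HR"}
	bob := Subject{"bob", "Engineering"}
	payroll := Object{"payroll", map[string]string{"contains": "salary"}}
	wiki := Object{"wiki", map[string]string{"contains": "docs"}}
	day := time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC)
	night := time.Date(2024, 3, 4, 23, 0, 0, 0, time.UTC)
	rm.Check(alice, payroll, "read", day)  // allowed: HR, granted, in hours
	rm.Check(bob, payroll, "read", day)    // denied: salary content, not HR
	rm.Check(bob, wiki, "read", day)       // allowed
	rm.Check(bob, wiki, "read", night)     // denied: outside window
	for _, e := range rm.auditTrail {
		fmt.Println(e)
	}
}
```

The order of the checks matters less than the fact that there is exactly one place where they happen and that the default is to refuse; the audit trail is what later lets the auditing entry above detect misuse.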
Treating risk begins with which of the following
an understanding of risk treatment strategies
Temporary worker
are brought in by organizations to fill positions temporarily or to supplement the existing workforce
Contract employee
are typically hired to perform specific services for the organization
Which of the following is not a step in the FAIR risk management framework? identify scenario components, evaluate loss event frequency, assess control impact, derive and articulate risk
assess control impact
The process of assigning financial value or worth to each information asset is known as ________
asset valuation
Formula for SLE
asset value (AV) x exposure factor (EF)
Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?
benchmarking
Benchmarking
comparison of organizational effectiveness, efficiency, and productivity against an established measure
Since even the implementation of new technologies does not necessarily guarantee an organization can gain or maintain a competitive lead, the concept of _________ has emerged as organizations strive not to fall behind technologically
competitive disadvantage
Best Business Practices
considered those thought to be among the best in the industry, balancing the need to access information with adequate protection
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as _________
cost-benefit analysis (CBA)
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________
cost avoidance
Each of the following is an item that affects the cost of a particular risk treatment strategy EXCEPT: cost of maintenance, cost of development, cost of implementation, cost of IT operations
cost of IT operations
What is the result of subtracting the post-control annualized loss expectancy and the annualized cost of the safeguard from the pre-control annualized loss expectancy
cost-benefit analysis
COBIT
created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
Application of training and education among the other approach elements is a common method of which risk treatment strategy
defense
Constrained user interfaces
designed specifically to restrict what information an individual user can access
The only use of the acceptance strategy that is recognized as valid industry practice occurs when the organization has done all but which of the following?
determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
Strategies to reestablish operations at the primary site after an adverse event threatens continuity of business operations are covered by which of the following plans in the mitigation control approach
disaster recovery plan
The Microsoft Risk Management Approach includes four phases which of the following is NOT one of them? conducting decision support, implementing controls, evaluating alternative strategies, measuring program effectiveness
evaluating alternative strategies
The gold standard
for those ambitious organizations in which the best business practices are not sufficient
Each of the following is a recommendation from the FDIC when creating a successful SLA EXCEPT: determine objectives, forecasting costs, defining requirements, setting measurements
forecasting costs
NIST's Risk Management Framework follows a three-tiered approach, with most organizations working from the top down, focusing first on aspects that affect the entire organization, such as _________
governance
ISO 27000
includes a standard for the performance of risk management
The NIST risk management approach includes all but which of the following elements? inform, assess, frame, respond
inform
Internal Benchmarking
involves comparing measured past performance (the baseline) against actual performance for the assessed category
The Information Technology Infrastructure Library (ITIL)
is a collection of methods and practices for managing the development and operation of IT infrastructures
The Delphi Technique
is a process whereby a group rates or ranks a set of information. The individual responses are compiled and then returned to the group for another iteration. This process continues until the entire group is satisfied with the result.
The OCTAVE Method
is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls
What affects the cost of a control? liability insurance, CBA report, asset resale, or maintenance?
maintenance
Which of the following risk treatment strategies describes an organization's efforts to reduce damage caused by a realized incident or disaster?
mitigation
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
monitored and measured
What determines how well a proposed treatment will address user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders?
operational feasibility
What determines how well the proposed InfoSec treatment alternative will contribute to the efficiency, effectiveness, and overall operation of an organization?
organizational feasibility
External Benchmarking
process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization
what does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks
qualitative assessments of many risk components
When the vulnerabilities have been controlled to the degree possible, there is often remaining risk that has not been completely removed, what is this called?
residual risk
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
risk appetite
The ISO 27005 Standard for Information Security Risk Management includes all but which of the following stages: risk assessment, risk treatment, risk communication, risk determination
risk determination
Which of the following is NOT an alternative to using CBA to justify risk controls
selective risk avoidance
By multiplying the asset value by the exposure factor, you calculate which of the following
single loss expectancy
External consistency
the data in the system is consistent with similar data in the outside world
Exposure Factor
the percentage loss that would occur from a given vulnerability being exploited
Internal consistency
the system does what it is expected to do every time, without exception
Benefit
the value to the organization of using controls to prevent losses associated with a specific vulnerability
SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (2010)
this document continues the NIST RMF program and provides additional guidance on the use of the NIST Risk Management Framework
Which risk treatment strategies describes an organization's attempt to shift risk to other assets, other processes, or other organizations
transference
Which of the following is NOT one of the methods noted for selecting the best risk management model?
use the methodology most similar to what is currently in use
Government recommendations and best practices
useful for organizations that operate in industries regulated by governmental agencies
Each of the following is a commonly used quantitative approach used for asset valuation EXCEPT: value to owners, value to competitors, value retained from past maintenance, value to adversaries
value to competitors
Clark-Wilson Integrity Model
which is built upon principles of change control rather than integrity levels, was designed for the commercial environment
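Added example, in Go, that is not part of the original review sheet: a toy Clark-Wilson system that puts the constrained data item, transformation procedure and integrity verification procedure entries above into code. The ledger is the set of CDIs; the only way to change it is through a certified TP; the IVP confirms the invariant (no negative balance, balances sum to the recorded total) before and after every TP; and the system enforces which users may run which TPs. The accounts, users and TP names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Ledger holds the constrained data items (CDIs): balances plus the total they must sum to.
type Ledger struct {
	balances map[string]int
	total    int
}

// TP is a transformation procedure, the only kind of code permitted to change
// CDIs. A certified TP moves the ledger from one valid state to another.
type TP func(l *Ledger) error

// IVP is the integrity verification procedure: it scans the CDIs and confirms
// they are in a valid state.
func IVP(l *Ledger) bool {
	sum := 0
	for _, b := range l.balances {
		if b < 0 {
			return false
		}
		sum += b
	}
	return sum == l.total
}

// Transfer moves funds between accounts; the total is unchanged.
func Transfer(from, to string, amount int) TP {
	return func(l *Ledger) error {
		if amount <= 0 {
			return errors.New("amount must be positive")
		}
		if l.balances[from] < amount {
			return errors.New("insufficient funds")
		}
		l.balances[from] -= amount
		l.balances[to] += amount
		return nil
	}
}

// Deposit takes an unconstrained data item (cash arriving from outside the
// system), validates it, and only then folds it into the CDIs.
func Deposit(to string, amount int) TP {
	return func(l *Ledger) error {
		if amount <= 0 {
			return errors.New("deposit must be positive")
		}
		l.balances[to] += amount
		l.total += amount
		return nil
	}
}

// System enforces the (user, TP) access triples and brackets every TP with
// IVP checks, restoring the snapshot if the TP fails or breaks the invariant.
type System struct {
	ledger  *Ledger
	allowed map[string]map[string]bool // user -> TP name -> certified to run
	log     []string
}

func (s *System) Run(user, tpName string, tp TP) error {
	if !s.allowed[user][tpName] {
		return fmt.Errorf("%s is not authorized to run %s", user, tpName)
	}
	if !IVP(s.ledger) {
		return errors.New("ledger fails IVP; refusing to run any TP")
	}
	snapshot := make(map[string]int, len(s.ledger.balances))
	for k, v := range s.ledger.balances {
		snapshot[k] = v
	}
	total := s.ledger.total
	if err := tp(s.ledger); err != nil || !IVP(s.ledger) {
		s.ledger.balances, s.ledger.total = snapshot, total
		if err == nil {
			err = errors.New("TP left the ledger in an invalid state")
		}
		return err
	}
	s.log = append(s.log, user+" ran "+tpName)
	return nil
}

// newDemoSystem: constructed accounts; alice may run both TPs, bob only Deposit.
func newDemoSystem() *System {
	return &System{
		ledger:  &Ledger{balances: map[string]int{"acct-1": 100, "acct-2": 50}, total: 150},
		allowed: map[string]map[string]bool{"alice": {"Transfer": true, "Deposit": true}, "bob": {"Deposit": true}},
	}
}

func main() {
	s := newDemoSystem()
	fmt.Println(s.Run("alice", "Transfer", Transfer("acct-1", "acct-2", 30)), s.ledger.balances)
	fmt.Println(s.Run("bob", "Transfer", Transfer("acct-2", "acct-1", 10)))
	s.ledger.balances["acct-1"] = 999 // a write that bypassed every TP
	fmt.Println("IVP after direct tamper:", IVP(s.ledger), s.Run("alice", "Deposit", Deposit("acct-1", 5)))
}
```

The last two lines of main show the point of the model: a change made outside any TP is not blocked by the code itself, but the IVP detects it and the system then refuses to run further TPs until the CDIs are restored. Contrast this with Bell-LaPadula, which reasons about integrity levels rather than about which procedures are allowed to touch the data.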
The goal of InfoSec is not to bring residual risk to __________; rather, it is to bring residual risk in line with an organization's risk appetite
zero
False
A standard of due process is a legal standard that requires an organization and its employees to act as a "reasonable and prudent" individual or organization would under similar circumstances. __________