Exam 3- Chapters 9, 10, 11
What two things does a security policy set for an organization? What are the 5 policy elements included in the infrastructure of IT policy?
-sets the tone and culture of an organization policy elements: -policies -procedures: define actions to implement policy, standards, and procedures -standards: define specific products/mechanisms used to support policy -baselines: define minimum required parameters to achieve consistent security level -guidelines: define recommended actions
What are the two most widely accepted models for software development?
1. agile development method 2. waterfall method
An audit's purpose checks controls for what 3 considerations?
1. appropriate security level- is level of security control suitable for risk it addresses? 2. correctly installed- is security control in right place and working well? 3. effectiveness of purpose- is security control effective in addressing the risk it was designed for?
What are the 5 areas of focus when auditing an identity management system?
1. approval process- Who grants approval for access requests? 2. authentication mechanisms- What mechanisms are used for security requirements? 3. password policy and enforcement- Does the organization have an effective password policy and uniformity enforced? 4. monitoring- Does organization have sufficient monitoring systems to detect unauthorized access? 5. remote access systems- All systems properly secure with strong authentication?
In security auditing analysis, what 3 things should be checked for in computing environments?
1. are security policies sound and appropriate for the business or activity? 2. are there controls supporting the policies? 3. is there effective implementation and upkeep of controls? -if yes to all then in good shape
When backing up data and applications, what 3 things must be included when planning for recovery?
1. backup storage and media 2. location 3. access
What are the 4 different tools/techniques for security monitoring?
1. baselines 2. alarms, alerts, trends 3. closed circuit TV 4. systems that sport irregular behavior
What are the 3 different testing methods for systems?
1. black-box testing 2. grey-box testing 3. white-box testing
What two plans are part of the business continuity management plan?
1. business continuity plan (BCP) 2. disaster recovery plan (DRP)
What 5 tests for a business continuity plan and disaster recovery plan should be done?
1. checklist 2. structured walk-through 3. simulation 4. parallel 5. full-interruption
What 2 things are involved in the change management process?
1. configuration control- management of baseline settings for a system device 2. change control- management of changes to the configuration
Contingency planning involves what 6 components?
1. critical business function (CBF) 2. business impact analysis (BIA) 3. maximum tolerable downtime (MTD) 4. recovery time objective (RTO) 5. recovery point objective (RPO) 6. emergency operations center (EOC)
What 3 things do backups provide extra copies of needed resources?
1. data 2. documentation 3. equipment
What are the 3 different data classification standards?
1. data owner: responsible for classifying data 2. system owner: in control of change or configuration management 3. classifying information criteria on: -value -sensitivity -criticality
What three things are required when defining an audit plan?
1. define objectives- which business process or system to review 2. define areas of assurance to check 3. Identify personnel who will participate in the audit
Before implementing procedures, what are the 2 classification procedures that must be done?
1. determine their scope and process 2. conduct business impact analysis to evaluate organizations data and determine the scope
What are the 4 different areas of a security audit? What is each one's goal?
1. endpoint protection: goal- up to date, universal application 2. system access policy: goal- current with technology 3. intrusion detection & event-monitoring systems: goal-log reviews 4. cryptographic controls: goal-key management, usage
What are the 3 primary steps to disaster recovery?
1. ensure the safety of individuals 2. contain the damage 3. assess damage and begin recovery operations according to the DRP and BCP
In configuration management, what are the 2 things the security professional is responsible for?
1. ensuring adequate review of all system changes before approval/implementation 2. ensuring configuration changes won't cause unintended consequences for security
What 3 things does the DRP do?
1. established emergency operations center as an alternate location from which BCP/DRP will be coordinated and implemented 2. names and EOC manager 3. determines whether that manager should declare an incident a disaster
What are 3 ways that an organization can ensure compliance?
1. event logs 2. compliance liaison 3. remediation
What are the 4 main types of log information needed to capture for security auditing?
1. event logs 2. access logs 3. security logs 4. audit logs
What are the 4 post-audit activities?
1. exit interview 2. data analysis 3. generation of audit report 4. presentation of findings
What are the 3 different types of backups? What does each entail?
1. full: copies everything to a backup media 2. incremental: starts with full backup when network traffic is light, each night backs up the days changes 3. differential: starts with full backup, then backs up changes made since last day on a daily basis
What are the 3 responsibilities of security administration when handling events, disasters, and interruptions?
1. handle events, disruptions, interruptions, and disasters 2. forms an incident response team 3. manages emergency operations group
What are the 4 different aspects of access control?
1. identification 2. authentication 3. authorization 4. accountability
What 3 controls are used to monitor activity and verify security controls?
1. intrusion detection system (IDS) 2. intrusion protection system (IPS) 3. firewall
What are the two areas of a security audit?
1. large in scope and cover the entire department or business function 2. narrow and address only one specific system or control
What are the 7 personnel security prinicples?
1. limiting access 2. job rotations 3. separation of duties 4. mandatory vacations 5. security awareness 6. security training 7. social engineering
What 4 things do security reviews include when looking at security controls and addressing their risk? (4 elements also make up the security review cycle)
1. monitor 2. audit 3. improve 4. secure
What are the 5 professional requirements?
1. org only collects what is needed 2. org shouldn't share its info 3. org should keep the info up to date 4. org should use info only for the purpose it was collected 5. org properly destroys info that's no longer needed
What 4 questions must be determined to put the right security controls in place and determine what actions are acceptable?
1. organization security policy should define all acceptable and unacceptable actions 2. organization might create its own standards based on those developed/endorsed by standards bodies 3. communications and other actions permitted by policy documents are acceptable 4. communications and actions specifically banned in security policy are unacceptable
What are the 2 different analysis methods?
1. patter/signature-based IDS 2. Anomaly-based IDS
What 3 things can be used to ensure that there are no change control issues?
1. peer review: ensures peer/expert double checks all changes before put into production 2. back-out plan: ensure that if change doesn't work properly, a process exists to restore the system to a known good condition 3. documentation: keep documentation current to reflect system's true design
When assessing the impact of downtime, what 4 issues should be considered during a business impact analysis?
1. people- how will you notify them and its impact? 2. systems 3. data- what data is critical to running the business? 4. property- what items are essential to business?
What are the 6 steps incident handling involves?
1. preparation 2. identification 3. notification 4. response 5. recovery and follow-up 6. documentation and reporting
What are the 5 main concerns/considerations when outsourcing security?
1. privacy 2. risk 3. data security 4. ownership 5. adherence to policy
What are the 4 most common permission levels for organizations? What does each entail?
1. promiscuous- everything is allowed (used by homeowners, easy for attackers to succeed) 2. permissive- anything not specifically prohibited is ok (for public internet sites, schools, libraries, and training center) 3. prudent- reasonable list of things is permitted, all others are prohibited (used in businesses) 4 paranoid- few things are permitted, all others are prohibited and carefully monitored (for secure facilities)
What 5 things does the change control committee ensure about the changes made?
1. properly tested 2. authorized 3. scheduled 4. communicated 5. documented
What are the 3 different kinds of security monitoring for computer systems? What methods are used for each?
1. real-time monitoring: -host intrusion detection system (HIDS) -system integrity monitoring -data loss prevention (DLP) 2. non-real-time monitoring: -application logging -system logging 3. log activities: -host based activity -network and network devices
What 2 levels must an organization comply with?
1. regulatory compliance 2. organizational compliance
What are the 6 (order matters) change control procedures for a system?
1. request 2. impact assessment 3. approval 4. build/test 5. implement 6. monitor
What 2 phases does the disaster recovery plan include?
1. restores business operations 2. returns operations to their original state before the disaster
What are the 4 documentation requirements for the security administration team to identify what input are needed?
1. sensitive asset list 2. organizations security process 3. authority of the person responsible for security 4. policies, procedures, and guidelines adopted by organization
What are the 4 most common agreements that help formalize concerns when outsourcing security?
1. service level agreement (SLA) 2. blanket purchase agreement (BPA) 3. memorandum of understanding (MOU) 4. interconnection security agreement (ISA)
What are the 3 ways to show strong professional ethics?
1. set the example 2. encourage adopting ethical guidelines and standards 3. inform users through security awareness training
What are the 3 reasons you should conduct a business impact analysis?
1. set value of each business unit or resource as it relates to how the entire organization operates 2. identify critical needs to develop recovery plan 3. set order or priority for restoring organization's functions after disruption
What are the 3 methods of detecting anomalies?
1. statistical-based methods: develop baselines of normal traffic and network activity then create alerts when deviates 2. traffic-based methods: alert when detects unacceptable deviation from expected behavior 3. protocol patterns: looks for deviations from protocols
What 4 things should be done when operating in a reduced/modified environment?
1. suspend normal practices 2. identify minimum recovery resources as part of recover needs 3. combine services that were on different hardware platforms onto common servers 4. continue to make backups of data and systems
What is the difference between the system life cycle (SLC) and the system development life cycle (SDLC)?
1. system life cycle (SLC): includes operations and disposal 2. system development life cycle (SDLC): ends with the transition to production
What are the advantages and disadvantages to security outsourcing?
Advantages: -external security management firm has high-level expertise that the organization doesn't Disadvantages: -outsourcing firm doesn't have internal knowledge to protect assets the best -organization isn't developing in-house capability or talent and will need to continue to pay for services indefinitely
What term is the process of managing all changes to a computer and device configurations? It evaluates the impact a modification might have on security.
Configuration management
What term is a software process or service designed to run on computer servers? It intercepts and examines system calls or specific processes for patterns or behaviors that should not normally be allowed.
Host intrusion detection system (HIDS)
What is a set of concepts and policies for managing IT infrastructure, development, and operations? The information is published in a series of books, each covering a separate IT management topic.
Information Technology Infrastructure Library (ITIL)
What term is a list of ethical and unethical online practices of activities on the internet?
Internet Architecture Board (IAB)
What is the correct order of change control procedures regarding changes to systems and networks?
Request impact assessment approval build/test implementation monitor
What is the term for the security operations center where the security administration does their work?
SOC --> security operations center
What term gives the SOC team an integrated set of tools with which to determine the security level of a networked environment, identify any anomalies, and respond to any issues in a structured manner?
Security, orchestration, automation, and response system (SOAR)
What term defines the scope and contents of 3 levels of an audit report? Often used to help increase the confidence customers have in an organizations system security.
Service Organizational Control (SOC)
T/F: A host-based intrusion detection system (HIDS) can recognize an anomaly that is specific to a particular machine or user.
True
T/F: After audit activities are completed, auditors perform data analysis.
True
T/F: One way to harden a system is to turn off or disable unnecessary services.
True
T/F: You must continue to make backups of data and systems while running at an alternate site.
True
which access control means tracking or logging what authenticated and unauthenticated users do while accessing the system?
accountability
What term is the formal acceptance by the authorizing official of the risk of implementing the system?
accreditation
which method depends on short sprints of activities. Works well in very dynamic environments where requirements change and often are revisited.
agile development methodology
What term is a profile-based system; compares current activity with stored profiles of normal activity?
anomaly-based activity
What term means before determining if something has worked, you must define how it's supposed to work?
assessing the system
Which access control means proving of that assertation?
authentication
which access control means permissions a legit user or process has on a system?
authorization
What term is a benchmark used to make sure that a system provides a minimum level of security across multiple applications and different products
baseline
What term is a standard collection of configuration settings and performance metrics which a system is compared to determine where its securely configured?
benchmark
What term uses testing method that isn't based on knowledge or programs architecture or design?
black-box testing
which agreement is a streamlined method of meeting recurring needs for supplies or services; it creates pre-approved accounts with qualified suppliers to fulfill reoccurring orders.
blanket purchase agreement (BPA)
What term contains the actions needed to keep critical business processes running after a disruption?
business continuity plan (BCP)
what term refers to analysis of the CBF to determine what kinds of events could interrupt normal operation?
business impact analysis (BIA)
What term is a trusted entity can certify a message and data by adding a cryptographic checksum and digital signature
certification
What term is the process of managing changes to computer/device configuration or application software
change control
What term is a group that oversees all proposed changes to IT systems, applications, and production assets?
change control committees
What term is a planned approach to controlling change by involving all affected departments? What two things can this term be?
change control management can be: -reactive: management responds to changes in business environment -proactive: management initiates the change to achieve desired goal -both occur on a continuous basis, regularly scheduled basis, release, and program-by-program basis
What term is a simple review of the business continuity plan by managers and the business continuity team to make sure that contact numbers are current and that the plan reflects the company's priorities and structure?
checklist test
What term helps ensure professionalism?
code of ethics
What term is a person whose responsibility is to ensure that employees are aware of and comply with an organizations security policies
compliance liaison
Which term makes sure all personnel are aware and comply with the organizations policy?
compliance liaison
what term is the process of managing the baseline settings of a system or device
configuration control
What term refers to an act carried out in secrecy?
covert act
What term refers to business function, that if fails, causes normal operations to cease?
critical business function (CBF)
What does an organizations permission levels depend on?
depends on organizations needs and policies
A ____ is an event that prevents a critical business function (CBF) from operating for a period greater than the maximum tolerable downtime (MTD)
disaster
What term details the steps to recover from a disruption and restores the infrastructure necessary for normal business operations?
disaster recovery plan (DRP)
What term is a sudden unplanned event?
disruption
what term is the place where the recovery team will meet and work during a disruption?
emergency operations center (EOC)
Adopting ethical boundaries in an attempt to demonstrate them to others is considered what?
encouraging the adoption of ethical guidelines and standards
what term is a software or application-generated record that some action has occurred
event log
What term refers to records of actions that the organizations operating system and application software creates, showing which user/system accessed data/resource and when?
event logs
What term refers to incorrectly identifying abnormal activity as normal?
false negative
What term refers to incorrectly identifying normal activity as abnormal?
false positive
What term is the ability to encounter a fault, or error, of some type and still support critical operations?
fault tolerance
What does SOC 1 level in an audit report focus on ?
focuses on internal controls over financing reporting
What does SOC 2 level in an audit report focus on?
focuses on stakeholders (confidentiality, integrity, availability)
What does SOC 3 level in an audit report focus on?
for public consumption (confidentiality, integrity, availability)
Antivirus, firewall, and email use policies belong to what part of a security policy hierarchy?
functional policies
what term is a statement of an organization's management direction of security in such specific functional areas as email, remote access, and internet surging
functional policy
What term lies somewhere between black-box testing and white-box testing?
grey-box testing
What term refers to the state of a computer or device in which you have turned off or disabled unnecessary services and protected the ones that are still running?
hardened configuration
What term refers to a process of changing hardware and software configurations to make computers and devices as secure as possible?
hardening
Which access control means assertations made by the user about who they are?
identification
What term refers to members of the organization who have the training and documentation necessary to respond to incidents as they occur. The team members include an incident team leader, communications team leader, and IT and IT security personnel.
incident response team (IRT)
which agreement is an extension of MOU; documents technical requirements for interconnected assets and is often used to specify technical needs and security responsibilities.
interconnection Secuity agreement (ISA)
What term is a strategy to minimize risk by rotating employees between various systems or duties
job rotation
What term is the principle in which a subject (user, application, or another entity) should be given the minimum level of rights necessary to perform legitimate functions
least privilege
What term is journaled entries that provide information, such as who logged on the system, when they logged on, and what information or resources were accessed?
log file
When should an organization's managers have an opportunity to respond to the findings in an audit?
managers can respond to a draft copy of the audit report
What term is the most time a business can survive without a specific CBF?
maximum tolerable downtime (MTD)
which agreement is between two or more people that expresses common areas of interest that result in shared action (also called letter of intent)
memorandum of understanding (MOU)
Security controls place limits on risky activities. If you are permanently reviewing all your controls to capture change on the go in any component, you are doing what?
monitoring
what term is a property that indicates a specific subject needs access to a specific object? This is necessary to access the object in addition to possessing the proper clearance for the object's classification
need to know
What term refers to using tools to determine the layout and services running on an organization's systems and networks?
network mapping
What term is a reconnaissance technique that enables an attacker to use port mapping to learn which operating system and version is running on a computer?
operating system fingerprinting
What term is an act carried out in the open or easily viewed by others?
overt act
What term is the same as a full-interruption test, except that processing does not stop at the primary site.
parallel test
What term is rule-based detection; relies on pattern matching and statefule matching?
pattern/signature-based IDS
What term is a testing method that tries to exploit a weakness in the system to prove that an attacker could successfully penetrate it?
penetration testing
what term are written instructions for how to use policies and standards. They may include a plan of action for installation, testing, and auditing of security controls.
procedure
What is the least likely goal of an information security awareness program?
punish users who violate policy
What term is the analysis of activity as it is happening?
real-time monitoring
What term means the process of gathering information?
reconnaissance
what term is the point which data must be recovered?
recovery point objective (RPO)
What term is the timeframe for restoring a CBF; must be shorter than or equal to MTD?
recovery time objective (RTO)
What term refers to the feature of network design that ensures the existence of multiple pathways of communication whose purpose is to prevent or avoid single points of failure?
redundancy
what term is the act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure
remediation
which term means fixing something broken/defective; with a computer system it means fixing security vulnerabilities.
remediation
What term means a group of individuals in an organization that are responsible for planning, designing, implementing, and monitoring an operations security plan and physical location?
security administration
What term is a crucial type of evaluation to avoid a data breach?
security audit
What term is an audit that focuses on security policies and controls?
security audit
What term places limits on activities that might pose a risk to an organization?
security controls
What term is a rich integrated set of tools that help collect, assess, and visualize a networked environment's state?
security information and event management system (SIEM)
What term is the process of dividing tasks into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task
separation of duties
which agreement is legally binding; details services the third party will provide and communicates expectations and anticipates the needs of the organization and outside firm?
service level agreement (SLA)
To audit a computer environment, what should be looked for? How can this be done?
should check to see how the operation has met the security goals -can be done either manually or automated
Which intrusion detection system relies on pattern matching?
signature detection
What term is a method of testing a BCP or DRP in which a business interruption is simulated and the response team responds as if the situation were real?
simulation test
what term is one of the small project iterations used in agile method of developing software, in contrast with the usual long project schedules of other methods of development software
sprint
What term is a detailed written definition for hardware and software and how they are to be used? They ensure that consistent security controls are used throughout the IT system.
standard
What term is a technique of matching network traffic with rules of signatures based on the appearance of the traffic and its relationship to other packets?
stateful matching
What term refers to a type of test that involves a group of stakeholders collectively reading through a response plan and discussing how they would implement each step. (also called a tabletop exercise)
structured walk-through test
What must the security administration identify? What is their responsibility?
they must identify and document their information assets and then assign each responsibility to a person or position.
T/F: a blanket purchase agreement (BPA) creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services.
true
What term is a process of finding the weakness in a system and determining which places may be attack points?
vulnerability testing
Which method is based on traditional project management practices in which extensive planning proceeds development (can't go backward)
waterfall method
What term is based on knowledge of application's design and source code?
white-box testing
What term is security testing that is based on knowledge of the application's design and source code?
white-box testing