Management of Information Security Midterm
Risk Appetite
Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept • The amount of risk that remains after all current controls are implemented is residual risk • The organization may very well reach this point in the risk management process, examine the documented residual risk, simply state, "Yes, we can live with that," and then document everything for the next risk management review cycle • What is difficult is the process of formalizing exactly what the organization "can live with"; this process is the heart of risk appetite
Alternatives to Feasibility Analysis
Benchmarking • Due care and due diligence • Best business practices • Gold standard • Government recommendations and best practices • Baseline
a long-term interruption (outrage) in electrical power availability.
Blackout
also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
Boot virus
an abbreviation of robot; an automated software program that executes certain commands when it receives a specific input. See also Zombie.
Bot
A more recently created area of law related to information security specifies a requirement for organizations to notify affected parties when they have experienced a specified type of information loss. This is commonly known as a __________ law.
Breach
a long-term decrease in electrical power availability.
Brownout
an attempt to guess a password by attempting every possible combination of characters and numbers in it.
Brute force password attack
an application error that occurs when more data is sent to a program buffer than it is designed to handle.
Buffer overrun (or buffer overflow)
Which of the following is NOT a step in the problem-solving process?
Build support among management for the candidate solution
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a __________.
CISO
The __________ certification, considered to be one of the most prestigious certifications for security managers and CISOs, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral.
CISSP
a model of infosec that offers a comprehensive view of security for data while being stored, processed, or transmitted is the __________ security model
CNSS
In information security governance who is responsible for policy, procedures, and training?
Chief Information Officer
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
Chief Information Security Officer(CISO)
Describe the key approaches organizations are using to achieve unified ERM.
Combining physical security and InfoSec under one leader as one business function Using separate business functions that report to a common senior executive Using a risk council approach to provide a collaborative approach to risk management
an application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
Command injection
Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
Common good
Data Security
Commonly used as a surrogate for information security, the focus of protecting information in its various states- at rest, in processing, and in transmission
the collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
Competitive intelligence
Policy __________ means the employee must agree to the policy.
Compliance
Classification categories must be mutually exclusive and which of the following?
Comprehensive
which of the following organizations put forth a code of ethics designed primarily for infosec professionals who have earned their cetifications? the code includes the canon: provide diligent and competent service to principals
(ISC)2
Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
(ISC)^2
What are the included tasks in the identification of risks?
- Creating an inventory of information assets - Classifying and organizing those assets meaningfully - Assigning a value to each information asset - Identifying threats to the cataloged assets - Pinpointing vulnerable assets by tying specific threats to specific assets
Information Security Roles and Titles
-Chief Information Security Officer (CISO) or Chief Security Officer (CSO) - Security managers - Security administrators and analysts - Security technicians - Security staffers and watchstanders - Security consultants - Security officers and investigators - Help desk personnel
4 steps FDIC: SLA
-Determining objectives - Defining requirements - Setting measurements - Establishing accountability
There are twelve categories of threats to information security. List five of them and provide an example of each.
Compromises to intellectual property: Software piracy or other copyright infringement Deviations in quality of service: Fluctuations in power, data, and other services Espionage or trespass: Unauthorized access and/or data collection Forces of nature: Fire, flood, earthquake, lightning, etc. Human error or failure: Accidents, employee mistakes Information extortion: Blackmail threat of information disclosure Sabotage or vandalism:Damage to or destruction of systems or information Software attacks: Malware: viruses, worms, macros, etc. Technical hardware failures or errors: Hardware equipment failure Technical software failures or errors: Bugs, code problems, loopholes, back doors Technological obsolescence: Antiquated or outdated technologies Theft: Illegal confiscation of equipment or information
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
Computer Security Act (CSA)
What are configuration rules? Provide examples
Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Rule-based policies are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. Many security systems require specific configuration scripts that dictate which actions to perform on each set of information they process. Examples include firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers.
The process of integrating the governance of the physical security and information security efforts is known in the industry as __________.
Convergence
a hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
Cracker
attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.
Cracking
a web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
Cross site scripting (XSS)
Focuses on enhancing the security of the critical infrastructure in the United States.
Cybersecurity Act
According to Mark Pollitt, ____ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.
Cyberterrorism
a hacker who attacks systems to conduct terrorist activities via networks or internet pathways.
Cyberterrorist
formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
Cyberwarfare
A ____ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
DDoS
Which of the following is the result of a U.S. led international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
DMCA
commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states-at rest (in storage), in processing, and in transmission (over networks).
Data security
a collection of related data stored in a structured form and usually managed by a database management system.
Database
a subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
Database security
Which type of attack involves sending a large number of connection or information requests to a target?
Denial-of-Service (DoS)
In a ____ attack, the attacker sends a large number of connection or information requests to a target.
Denial-of-service
an attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
Denial-of-service (DoS) attack
Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences (also known as duty- or obligation-based ethics)?
Deontological ethics
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past?
Descriptive ethics
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies, and technical controls.
Deterrance
a variation of the brute force attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
Dictionary password attack
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis are known as _________.
Digital forensics
a form of DoS attack in which a coordinated stream of requests is launched against a target from many locations at the same time using bots or zombies.
Distributed denial-of-service (DDoS)
the intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.
Domain Name System (DNS) cache poisoning
the percentage of time a particular service is not available; the opposite of uptime.
Downtime
An organization increases its liability if it refuses to take the measures a prudent organization should; this is known as the standard of _____________.
Due care
In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?
During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. Members of the organization must explicitly acknowledge that they have received and read the policy. Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee.
Which policy is the highest level of policy and is usually created first?
EISP
Identifying Threats
Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy • Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset • In general, this process is referred to as a threat assessment
Human error or failure often can be prevented with training, ongoing awareness activities, and _______________.
Education
With policy, the most common distribution methods are hard copy and __________.
Electronic
A collection of statutes that regulates the interception of wire, electronic, and oral communications.
Electronic Communications Privacy Act (ECPA)
Which of the following is usually conducted via leased lines or secure Internet connections whereby the receiving server archives the data as it is received
Electronic vaulting
According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
Establishing
Assessing Risk
Estimating risk is not an exact science; thus some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation • The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list
Defines socially acceptable behaviors.
Ethics
The impetus to begin an SDLC-based project may be ____________________, that is, a response to some activity in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders.
Event driven
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect is known as _________.
Evidentiary material
Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources for __________ that may be adapted to the organization.
Examples
a hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.
Expert hacker
a technique used to compromise a system
Exploit
In a warm site, all services and communications links are fully configured and the site can be fully functional within minutes.
F
Training should be as specialized as possible; personnel who are responsible for one duty should not be trained on other duties to avoid confusion during a disaster
F
When an incident takes place, the disaster recovery (DR) plan is invoked before the incident response (IR) plan.
F
What is one of the most frequently cited failures in project management?
Failure to meet project deadlines
A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False
A(n) compromise law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information.
False
Because it sets out general business intentions, a mission statement does not need to be concise.
False
Ethics carry the sanction of a governing authority.
False
Having an established risk management program means that an organization's assets are completely protected.
False
ISACA is a professional association with a focus on authorization, control, and security. ___________
False
Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy.
False
InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals
False
It is the responsibility of InfoSec professionals to understand state laws and bills
False
MAC addresses are considered a reliable identifier for devices with network interfaces because they are essentially foolproof.
False
Penetration testing is often conducted by contractors, who are commonly referred to as black-hats.
False
The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False
To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996
False
Risk identification, risk analysis, and risk evaluation are part of a single function known as risk protection. __________
False - assessment
A short-term interruption in electrical power availability is known as a ________.
Fault
Complete loss of power for a moment is known as a ____.
Fault
Which of the following is NOT a requirement for laws and policies to deter illegal or unethical activity?
Fear of humiliation
Which of the following is a requirement for laws and policies to deter illegal or unethical activity?
Fear of penalty, probability of being penalized, and probability of being caught
Laws and policies and their associated penalties only deter if three conditions are present. What are these conditions?
Fear of penalty—Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.Probability of being caught—There must be a strong possibility that perpetrators of illegal or unethical acts will be caught. Probability of penalty being administered—The organization must be willing and able to impose the penalty.
What is necessary for a top-down approach to the implementation of InfoSec to succeed?
For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization.
List the significant guidelines used in the formulation of effective information security policy.
For policies to be effective, they must be properly: 1. Developed using industry-accepted practices 2. Distributed or disseminated using all appropriate methods 3. Reviewed or read by all employees 4. Understood by all employees 5. Formally agreed to by act or assertion 6. Uniformly applied and enforced
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is NOT one of those reasons?
For political advantage
The penalty for violating the National Information Infrastructure Protection Act of 1996 depends on the value of the information obtained and whether the offense is judged to have been committed for one of three reasons. What are those reasons?
For purposes of commercial advantage For private financial gain In furtherance of a criminal act
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for several reasons. Which of the following is one of those reasons?
For purposes of commercial advantage; For private financial gain; In furtherance of a criminal act
The coherent application of methodical investigatory techniques to collect, preserve, and present evidence of crimes in a court or court-like setting is known as _________.
Forensics
ISO 27014:2013 is the ISO 27000 series standard for:
Governance of Information Security
Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
HIPAA
One form of online vandalism is ____ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist
One form of online vandalism is __________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist/Cyberactivist
a hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Hacktivist/Cyberactivist
Which of the following is an example of a Trojan horse program?
Happy99.exe
Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
Health Information Technology for Economic and Clinical Health Act
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____.
Hoaxes
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus _______________.
Hoaxes
The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
Hold regular meetings with the CIO to discuss tactical InfoSect planning
In large organizations, the InfoSec department is often located within a(n) _________ division headed by the _________, who reports directly to the _________.
IT, CISO, CIO
Contrast the vision statement with the mission statement.
If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there.
The three general categories of unethical behavior that organizations and society should seek to eliminate
Ignorance, accident, and intent
Information security governance yields significant benefits. List five.
1. An increase in share value for organizations 2. Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels 3. Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care 4. Optimization of the allocation of limited security resources 5. Assurance of effective information security policy and policy compliance 6. A firm foundation for efficient and effective risk management, process improvement, and rapid incident response 7. A level of assurance that critical decisions are not based on faulty information 8. Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.
Briefly describe five different types of laws.
1. Civil law embodies a wide variety of laws pertaining to relationships between and among individuals and organizations. 2. Criminal law addresses violations harmful to society and is actively enforced and prosecuted by the state. 3. Tort law is a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury. 4. Private law regulates the relationships among individuals and among individuals and organizations, and encompasses family law, commercial law, and labor law. 5. Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
an industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character
10.4 password rule
Medium sized organizations tend to spend approximately __________ percent of the total IT budget on security.
11
Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) which is longer than ____ characters in Internet Explorer 4.0, the browser will crash.
256
Larger organizations tend to spend approximately __________ percent of the total IT budget on security.
5
A content filter
A network filter that allows administrators to restrict access to external content from within a network is known as a _____.
Database security
A subset of information security that focuses on the assessment and protection of information stored in repositories
Which of the following is a responsibility of the crisis management team?
Activating the alert roster
"4-1-9" is one form of a(n) __________ fraud.
Advance-fee fraud
a form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.
Advance-fee fraud (AFF)
malware intended to provided undesired marketing and advertising, including popups and banners on a user's screen.
Adware
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place is known as a(n) _________.
Affidavit
Describe the Freedom of Information Act. How does its application apply to federal vs. state agencies?
All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person. However, agencies may withhold information pursuant to nine exemptions and three exclusions contained in the statute. FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Each state has its own public access laws that should be consulted for access to state and local records.
The management of human resources must address many complicating factors; which of the following is NOT among them?
All workers operate at approximately the same level of efficiency
Why is policy so important?
Among other reasons, policy may be one of the very few controls or safeguards protecting certain information. Also, properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Policy also serves to protect both the employee and the organization from inefficiency and ambiguity.
Which of the following should be included in an InfoSec governance program?
An InfoSec risk management methodology
Help Desk Personnel
An important part of the information security team is the help desk, which enhances the security team's ability to identify potential problems • When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, denial-ofservice attack, or a virus • Because help desk technicians perform a specialized role in information security, they have a need for specialized training
In which phase of the SecSDLC does the risk management task occur?
Analysis
Why is threat identification so important in the process of risk management?
Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.
An approach that applies moral codes to actions drawn from realistic situations.
Applied ethics
Threat Assessment
Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment • Any organization typically faces a wide variety of threats; if you assume that every threat can and will attack every information asset, then the project scope becomes too complex • To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end
Risk Assessment
Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment • Risk assessment assigns a risk rating or score to each specific vulnerability • While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process
an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Attack
an interruption of service, usually from a service provider, which causes an adverse event within an organization.
Availability disruption
If operations at the primary site cannot be quickly restored, the ____________________ occurs concurrently with the DR plan, enabling the business to continue at an alternate site.
BCP BC plan business continuity plan
Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
Back door
a malware payload that provides access to a system by bypassing normal access controls.
Back door
In digital forensics, all investigations follow the same basic methodology once permission to search and seize is received, beginning with _________.
identifying relevant items of evidentiary value
An understanding of the potential consequences of a successful attack on an information asset by a threat is known as __________.
impact
__________ is the risk assessment deliverable that places each information asset into a ranked list according to its value based on criteria developed by the organization.
information asset value weighted table analysis
Which of the following is a common element of the enterprise information security policy?
information on the structure of the InfoSec organization
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
investigation
Information Security
is about identifying, measuring and mitigating the risk associated with operating information assets
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
Once the members of the RM framework team have been identified, the governance group should communicate all of the following for the overall RM program EXCEPT:
its personnel structure
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.
j. risk rating worksheet
Which of the following is not a role of managers within the communities of interest in controlling risk?
legal management must develop corporate-wide standards
The ______________________ phase is the last phase of SecSDLC, but perhaps the most important.
maintenance and change
Risk __________ is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be mitigated.
management
Many organizations create a single document that combines elements of the __________ SysSP and the ___________ SysSP.
management guidance, technical specifications
Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
manufacturer's model or part number
as a subset of information assets, the systems and network that store, process, and transmit information.
media
Access control list user privileges include all but which of these?
operate
measures that deal with the functionality of security in an organization
operational controls
Which of the following variables is the most influential in determining how to structure an information security program?
organizational culture
Which of the following is a key step needed in order for a JAD approach to be successful?
organize workshop activities
In ____________________ testing, security personnel simulate or perform specific and controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities.
penetration
the impetus for a project that is the result of a carefully developed planning strategy
plan-driven
Which of the following is NOT one of the basic rules that must be followed when developing a policy?
policy should be focused on protecting the organization from public embarrassment
Which of the following is NOT a unique function of Information Security Management?
principles
What is the last stage of the business impact analysis?
prioritize resources associated with the business processes
The Risk Management Framework includes all of the following EXCEPT:
process contingency planning
Which of the following attributes does NOT apply to software information assets?
product dimensions
What should you be armed with to adequately assess potential weaknesses in each information asset?
properly classified inventory
Policy is only enforceable and legally defensible if it uses a process that assures repeatable results and conforms to each of the following EXCEPT __________.
properly conceived
Which type of device exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server?
proxy server
What is the final step in the risk identification process?
ranking assets in order of importance
Operational feasibility
refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders - User acceptance and support can be achieved by means of communication, education, and involvement
SP 800-18, Rev.1: Guide for Developing Security Plans for Federal Information Systems
reinforces a business process centered approach to policy management
As each information asset is identified, categorized, and classified, a __________ value must also be assigned to it.
relative
Once an information asset is identified, categorized, and classified, what must also be assigned to it?
relative value
Which of the following is NOT one of the administrative challenges to the operation of firewalls?
replacement
Which of the following is a disadvantage of the one-on-one training method?
resource intensive, to the point of being inefficient
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility is known as __________.
risk appetite
Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
risk appetite
The identification, analysis, and evaluation of risk in an organization describes which of the following?
risk assessment
assigns a comparative risk rating or score to each specific information asset
risk assessment
associated with assessing risks and then implementing or repairing controls to assure the confidentiality, integrity, and availability of information
risk management
What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
risk tolerance
behavioral feasibility
same as operational feasibility
Qualified individuals who are tasked with configuring security technologies and operating other technical control systems are known as a(n) ___________.
security technician
Data classification schemes should categorize information assets based on which of the following?
sensitivity and security needs
is an agency that provides, in the case of DR/BC planning, physical facilities for a fee.
service bureau
Which contingency plan strategy do individuals work on their own tasks and are responsible for identifying the faults in their own procedures?
simulation
Which type of document is a more detailed statement of what must be done to comply with a policy?
standard
the process of moving an organization towards its vision by accomplishing its mission
strategic planning
The first priority of the CISO and the InfoSec management team should be the __________. a. development of a security policy b. implementation of a risk management program c. adoption of an incident response plan d. structure of a strategic plan
structure of a strategic plan
IT
supports the business objectives of the organization by supplying and supporting IT appropriate to the business' needs
Human error or failure often can be prevented with training, ongoing awareness activities, and ______.
technical controls
measures that use or implement a technical solution to reduce risk of loss in an organization
technical controls
Which of the following are the two general groups into which SysSPs can be separated?
technical specifications and managerial guidance
Another key U.S. federal agency is _________, which is responsible for coordinating, directing, and performing highly specialized activities to protect U.S. information systems and produce foreign intelligence information.
the NSA
Single Lose Expectancy(SLE)
the calculation value associated with the most likely loss from an attack
In the area of risk management, process communications is the necessary information flow within and between all of the following EXCEPT:
the corporate change control officer
Factors that affect the external context and impact the RM process, its goals, and its objectives include the following EXCEPT:
the organization's governance structure
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities; selecting the appropriate law enforcement agency depends on __________.
the type of crime committed
a specific instance or component that represents a danger to an organization's assets
threat agent
The risk assessment deliverable titled __________ serves to rank-order each threat to the organization's information assets according to criteria developed by the organization.
threat severity weighted table analysis
What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
threats-vulnerabilities-assets worksheet
A(n) ___________ attack enables an attacker to extract secrets maintained in a security system by observing the time it takes the system to respond to various queries.
timing
Digital forensics can be used for two key purposes: ________ or _________.
to investigate allegations of digital malfeasance; to perform root cause analysis
The assessment of the amount of risk an organization is willing to accept for a particular information asset is known as risk __________.
tolerance
An estimate made by the manager using good judgment and experience can account for which factor of risk assessment?
uncertainty
Which of the following is NOT among the typical columns in the risk rating worksheet?
uncertainty percentage
The final component of the design and implementation of effective policies is __________.
uniform and impartial enforcement
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
user-specific security policies
Which of the following is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
Which of the following is a tool that can be useful in resolving the issue of what business function is the most critical?
weighted analysis tool
_____ is the process of assigning scores for critical factors, each of which is weighted in importance by the organization.
weighted factor analysis
Which of the following is NOT an aspect of access regulated by ACLs?
where the system is located
an attack that makes use of malware that is not yet known by the anti-malware software companies.
zero-day attack
Defense
—Applying safeguards that eliminate or reduce the remaining uncontrolled risk The defense risk control strategy attempts to prevent the exploitation of the vulnerability • This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards • This approach is sometimes referred to as "avoidance". • Three common methods of risk defense are: - Application of policy - Application of training and education - Implementation of technology
NIST Risk Management Framework
• National Institute for Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/ accreditation to one that follows the industry standard of effective risk management • As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View" The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made • The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations • Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions (ii) risk constraints (iii) risk tolerance; and (iv) priorities and tradeoffs
Delivery Methods
• Selection of the training delivery method is not always based on the best outcome for the trainee • Often other factors — budget, scheduling, and needs of the organization — come first - One-on-One - Formal Class - Computer-Based Training (CBT) - Distance Learning/Web Seminars - User Support Group - On-the-Job Training - Self-Study (Noncomputerized)
Automated Tools
• The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and maintenance • Tools like Vigilent Policy Center (VPC) keep policies confidential, behind password-protected intranets, and generate periodic reports indicating which employees have and have not read and acknowledged the policies • Tools such as VPC also make it clear which manager was responsible for the policy, as his or her name is prominently displayed on the policy, along with the date of approval
Discuss the three general categories of unethical behavior that organizations should try to control.
Ignorance:Ignorance of the law is no excuse, but ignorance of policies and procedures is. The first method of deterrence is education. Organizations must design, publish, and disseminate organizational policies and relevant laws, and employees must explicitly agree to abide by them. Reminders, training, and awareness programs support retention, and one hopes, compliance. Accident: Individuals with authorization and privileges to manage information within the organization have the greatest opportunity to cause harm or damage by accident. The careful placement of controls can help prevent accidental modification to systems and data. Intent: Criminal or unethical intent refers to the state of mind of the individual committing the infraction. A legal defense can be built upon whether the accused acted out of ignorance, by accident, or with the intent to cause harm or damage. Deterring those with criminal intent is best done by means of litigation, prosecution, and technical controls. Intent is only one of several factors to consider when determining whether a computer-related crime has occurred.
In which phase of the SDLC must the team create a plan to distribute and verify the distribution of the policies?
Implementation
This collaborative support group began as a cooperative effort between the FBI's Cleveland field office and local technology professionals with a focus of protecting critical national infrastructure.
InfraGard
According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
Initiating
Describe what happens during each phase of the IDEAL General governance framework.
Initiating - Lay the groundwork for a successful improvement effort. Diagnosing - Determine where you are relative to where you want to be. Establishing - Plan the specifics of how you will reach your destination. Acting - Do the work according to the plan. Learning - Learn from the experience and improve your ability to adopt new improvements in the future.
a class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
Integer bug
Which of the following is a C.I.A. characteristic that addresses the threat from corruption, damage, destruction, or other disruption of its authentic state?
Integrity
the creation, ownership, and control of original ideas as well as the representation of those ideas.
Intellectual property(IP)
Which of the following is NOT used to categorize some types of law?
International
A detailed outline of the scope of the policy development project is created during which phase of the SDLC?
Investigation
What is the first phase of the SecSDLC?
Investigation
Which phase of the SDLC should get support from senior management?
Investigation
Which phase of the SDLC should see clear articulation of goals?
Investigation
Which of the following is true about a hot site?
It duplicates computing resources, peripherals, phone systems, applications, and workstations.
According to Wood, which of the following are reasons the InfoSec department should report directly to top management?
It fosters objectivity and the ability to perceive what's truly in the best interest of the organization as a whole
A well-defined risk appetite should have the following characteristics EXCEPT:
It is not limited by stakeholder expectations.
escalating privileges to gain administrator-level control over a smartphone operating system (typically associated with Apple iOS smartphones). See also Rooting.
Jailbreaking
Any court can impose its authority over an individual or organization if it can establish which of the following?
Jurisdiction
Likelihood
Likelihood is the overall rating - a numerical value on a defined scale - of the probability that a specific vulnerability will be exploited • Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1- 100, low-med-high, etc. • Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating—and use it consistently • Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances
the overall rating of the probability that a specific vulnerability will be exploited or attacked.
Liklihood
Which of the following is an attribute of a network device built into the network interface?
MAC address
a type of virus written in a specific macro language to target applications that use the language.
Macro virus
an attack designed to overwhelm the receiver with excessive quantities of email.
Mail bomb
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
Malice
computer software specifically designed to perform malicious or unwanted actions.
Malware
In the ______________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
Man-in-the-Middle
a group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.
Man-in-the-Middle
Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
Managerial controls
the average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
Mean time between failure (MTBF)
the average amount of time a computer technician needs to determine the cause of a failure.
Mean time to diagnose (MTTD)
the average amount of time until the next hardware failure.
Mean time to failure (MTTF)
the average amount of time a computer technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Mean time to repair (MTTR)
All network devices are assigned a unique number by the hardware at the network interface layer called the _____.
Media Access Control (MAC) address
Security in Medium-Sized Organizations
Medium-sized organizations may still be large enough to implement the multi-tiered approach to security described for large organizations, though perhaps with fewer dedicated groups and more functions assigned to each group • In a medium-sized organization, more of the functional areas are assigned to other departments within IT but outside the InfoSec department, especially the central authentication function • The medium-sized organization only have one full-time security person, with perhaps three individuals with part-time InfoSec responsibilities
a virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
Memory-resident virus
A formal approach to solving a problem based on a structured sequence of procedures, the use of which ensures a rigorous process and increases the likelihood of achieving the desired final objective is known as a ____________.
Methodology
Microsoft Risk Management Approach
Microsoft Corp. also promotes a risk management approach • Four phases in the MS InfoSec risk management process: - Assessing risk - Conducting decision support - Implementing controls - Measuring program effectiveness
The EISP must directly support the organization's __________.
Mission statement
Which of the following explicitly declares the business of the organization and its intended areas of operations?
Mission statement
the presence of additional and disruptive signals in network communications or electrical power delivery.
Noise
a virus that terminates after it has been activated, infected its host system, and replicated itself.
Non-memory-resident virus
The study of what makes actions right or wrong, also known as moral theory.
Normative ethics
Describe the foundations and frameworks of ethics.
Normative ethics—The study of what makes actions right or wrong, also known as moral theory—that is, how should people act?Meta-ethics—The study of the meaning of ethical judgments and properties—that is, what is right? Descriptive ethics—The study of the choices that have been made by individuals in the past—that is, what do others think is right? Applied ethics—An approach that applies moral codes to actions drawn from realistic situations; it seeks to define how we might use ethics in practice. Deontological ethics—The study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences; also known as duty-based or obligation-based ethics. This approach seeks to define a person's ethical duty.
There are generally two skill levels among hackers: expert and ____
Novice
a relatively unskilled hacker who uses the work of expert hackers to perform attacks.
Novice hacker
Security Officers and Investigators
Occasionally, the physical security and InfoSec programs are blended into a single, converged functional unit • When that occurs, several roles are added to the pure IT security program, including physical security officers and investigators • Sometimes referred to as the guards, gates, and guns (GGG) aspect of security, these roles are often closely related to law enforcement and may rely on employing persons trained in law enforcement and/or criminal justice
What does it mean to "know the enemy" with respect to risk management?
Once an organization becomes aware of its weaknesses, managers can take up Sun Tzu's second dictum: Know the enemy. This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be fully prepared to identify those threats that pose risks to the organization and the security of its information assets.
Classifying and Categorizing Information Assets
Once the initial inventory is assembled, determine whether its asset categories are meaningful to the risk managementprogram • Inventory should also reflect sensitivity and security priority assigned to each information asset • A data classification scheme categorizes these information assets based on their sensitivity and security needs • Each of these categories designates the level of protection needed for a particular information asset • Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type • Classification categories must be comprehensive and mutually exclusive
What is the values statement and what is its importance to an organization?
One of the first positions that management must articulate is the values statement. The trust and confidence of stakeholders and the public are important factors for any organization. By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
Security Awareness
One of the least frequently implemented, but most effective security methods is the security awareness program • Security awareness programs: - set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure - remind users of the procedures to be followed When developing an awareness program: - Focus on people - Refrain from using technical jargon - Use every available venue - Define learning objectives, state them clearly, and provide sufficient detail and coverage - Keep things light - Don't overload the users - Help users understand their roles in InfoSec - Take advantage of in-house communications media - Make the awareness program formal; plan and document all actions. - Provide good information early, rather than perfect information late.
Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
Operational
Annualized Loss Expectancy(ALE)
Overall loss potential per risk
Which of the following was originally developed in the late 1950s to meet the need of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems?
PERT
____ is an integrated system of software, encryption methodologies, and legal agreements that can be used to support the entire information infrastructure of an organization
PKI
a script kiddie who uses automated exploits to engage in denial-of-service attacks.
Packet monkey
a software program or hardware appliance that can intercept, copy, and interpret network traffic.
Packet sniffer
an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
Penetration tester
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
People
the redirection of legitimate Web to illegitimate Web sites with the intent to collect personal information.
Pharming
a form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
Phishing
a hacker who manipulates the public telephone system to make free calls or disrupt services.
Phreaker
_________ resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states.
Physical
What is the role of planning in InfoSec management? What are the factors that affect planning?
Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholder. Among the factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment.
A key difference between policy and law is that ignorance of policy is a viable defense. What steps must be taken to assure that an organization has a reasonable expectation that policy violations can be appropriately penalized without fear of legal retribution?
Policies must be: Effectively written Distributed to all individuals who are expected to comply with them Read by all employees Understood by all employees, with multilingual translations and translations for visually impaired or low-literacy employees Acknowledged by the employee, usually by means of a signed consent form Uniformly enforced, with no special treatment for any group (e.g., executives)
Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
Policy
Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
Policy Review and Modification
According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
Policy administrator
malware that over time changes the way it appears to antivirus programs, making it undetectable by techniques that look for preconfigured signatures.
Polymorphic threat
_________ devices often pose special challenges to investigators because they can be configured to use advanced encryption and they can be wiped by the user even when the user is not present.
Portable
a form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information.
Pretexting
Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
Private
the unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
Privilege escalation
a hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.
Professional hacker
Information security project managers often follow methodologies based on what methodology promoted by the Project Management Institute?
Project Management Body of Knowledge (PMBoK)
Which of the following is NOT a primary function of Information Security Management?
Projects
Which of the following functions does information security perform for an organization?
Protecting the organization's ability to function; Enabling the safe operation of applications implemented on the organization's IT systems; Protecting the data the organization collects and uses
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
Public law
Which of these denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts?
RM Framework
Which of these denotes the identification, analysis, evaluation, and treatment of risk to information assets?
RM process
What is the system most often used to authenticate the credentials of users who are trying to access an organization's network via a dial-up connection?
Radius
The hash values for a wide variety of passwords can be stored in a database known as a(n) __________ which can be indexed and quickly searched using the hash value allowing the corresponding plaintext password to be determined.
Rainbow table
a table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
Rainbow table
computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.
Ransomware
To be certain that employees understand the policy, the document must be written at a reasonable __________, with minimal technical jargon and management terminology.
Reading level
Mitigation
Reducing the impact to information assets should an attacker successfully exploit a vulnerability The mitigation risk control strategy is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by a realized incident or disaster • This approach includes three types of plans: - Disaster recovery (DR) plan - Incident response (IR) plan - Business continuity (BC) plan • Mitigation depends upon the ability to detect and respond to an attack as quickly as possible
Termination
Removing or discontinuing the information asset from the organization's operating environment Like acceptance, the termination risk management strategy is based on the organization's need or choice not to protect an asset; - Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk • The cost of protecting an asset may outweigh its value, or, it may be too difficult or expensive to protect an asset, compared to the value or advantage that asset offers the company • In either case, termination must be a conscious business decision, not simply the abandonment of an asset, which would technically qualify as acceptance
Which of the following is compensation for a wrong committed by an individual or organization?
Restitution
Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
Risk assessment
For the purposes of relative risk assessment, how is risk calculated?
Risk equals likelihood of vulnerability occurrence multiplied by value (or impact), minus percentage risk already controlled, plus an element of uncertainty.
The __________ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts.
Risk management policy
__________ is the risk assessment deliverable that assigns a value to each TVA triple, incorporating likelihood, impact, and possibly a measure of uncertainty.
Risk ranking worksheet
escalating privileges to gain administrator-level control over a computer system (including smartphones).
Rooting
The ____ data file contains the hashed representation of the user's password.
SAM
Technology services are usually arranged with an agreement defining minimum service levels known as an
SLA
Web hosting services are usually arranged with an agreement providing minimum service levels known as a(n) ____.
SLA
a short-term decrease in electrical power availability.
Sag
a hacker of limited skill who use expertly written software to attack a system.
Script kiddie
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination is known as a(n) _________.
Search warrent
This person would be responsible for some aspect of information security and report to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
Security manager
Security Managers
Security managers are accountable for the day-to-day operations of the InfoSec program • They accomplish objectives identified by the CISO, to whom they and they resolve issues identified by technicians, administrators, analysts, or staffers whom they supervise • Managing security requires an understanding of technology but not necessarily technical mastery
Security Staffers and Watchstanders
Security staffer is a catchall title that applies to those who perform routine watchstanding or administrative activities • The term "watchstander" includes the people who watch intrusion consoles, monitor e-mail accounts, and perform other routine yet critical roles that support the mission of the InfoSec department • Security watchstanders are often entry-level InfoSec professionals responsible for monitoring some aspect of the organization's security posture, whether technical or managerial • In this position, new InfoSec professionals have the opportunity to learn more about the organization's InfoSec program before becoming critical components of its administration
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
Security technician
Security Technician
Security technicians are the technically qualified individuals who configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented • A security technician is usually an entry-level position, but one that requires strong technical skills, which can make this job challenging for those who are new to the field, given that it is difficult to get the job without experience and yet experience comes with the job • Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general organizational issues of InfoSec as well as all technical areas
Security Training
Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely • Management can either develop customized training or outsource all or part of the training program • There are two methods for customizing training for users by functional background or skill level - Functional background: • General user • Managerial user • Technical user - Skill level: • Novice • Intermediate • Advanced
a document or part of a document that specifies the expected level of service from a service provider.
Service Level Agreement (SLA)
Which of the following is an information security governance responsibility of the Chief Security Officer?
Set security policy, procedures, programs, and training
Transference
Shifting risks to other areas or to outside entities The transference risk control strategy attempts to shift risk to another entity • This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers • When an organization does not have adequate security management and administration experience, it should hire individuals or firms that provide expertise in those areas (outsourcing)
the direct, covert observation of individual information or system use.
Shoulder surfing
"4-1-9" fraud is an example of a ____ attack.
Social engineering
the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
Social engineering
the unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
Software piracy
Security Education
Some organizations may have employees within the InfoSec department who are not prepared by their background or experience for the InfoSec roles they are supposed to perform • When tactical circumstances allow and/or strategic imperatives dictate, these employees may be encouraged to use a formal education method • Local and regional resources might also provide information and services in educational areas
undesired e-mail, typically commercial advertising transmitted in bulk.
Spam
a highly targeted phishing attack.
Spear phishing
a short-term increase in electrical power availability, also known as a swell
Spike
a technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
Spoofing
____ is any technology that aids in gathering information about a person or organization without their knowledge.
Spyware
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization in this case, the information assets used in a particular organization is known as a(n)_______________.
Stakeholder
The Computer Security Act charges the National Bureau of Standards, in cooperation with the National Security Agency (NSA), with the development of five standards and guidelines establishing minimum acceptable security practices. What are three of these principles?
Standards, guidelines, and associated methods and techniques for computer systems Uniform standards and guidelines for most federal computer systems Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems Guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice Validation procedures for, and evaluation of the effectiveness of, standards and guidelines through research and liaison with other government and private agencies
7 steps to Implement Training
Step 1: Identify program scope, goals, and objectives Step 2: Identify training staff Step 3: Identify target audiences Step 4: Motivate management and employees Step 5: Administer the program Step 6: Maintain the program Step 7: Evaluate the program
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
Strategic
Which of the following is true about planning?
Strategic plans are used to create tactical plans
a long-term increase in electrical power availability.
Surge
What is a SysSP and what is one likely to include?
SysSPs often function as standards or procedures to be used when configuring or maintaining systems—for example, to configure and operate a network firewall. Such a document could include: a statement of managerial intent; guidance to network engineers on selecting, configuring, and operating firewalls; and an access control list that defines levels of access for each authorized user.
Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
System testing
A project can have more than one critical path.
T
The ____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
TCP
a form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
TCP hijacking
In which level of planning are budgeting, resource allocation, and manpower critical components?
Tactical
How does tactical planning differ from strategic planning?
Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.
Which of the following is a part of an information security program?
Technologies used by an organization to manage the risks to its information assets; activities used by an organization to manage the risks to its information assets; personnel used by an organization to manage the risks to its information assets
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of a federal computer system?
The Computer Security Act
Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
The Electronic Communications Privacy Act of 1986
FAIR Approach
The Factor Analysis of Information Risk (FAIR) framework includes: - A taxonomy for information risk - Standard nomenclature for information risk terms - A framework for establishing data collection criteria - Measurement scales for risk factors - A computational engine for calculating risk - A modeling construct for analyzing complex risk scenarios Basic FAIR analysis is comprised of ten steps in four stages: Stage 1 - Identify scenario components: 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate Loss Event Frequency (LEF): 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate Probable Loss Magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4—Derive and articulate Risk 10. Derive and articulate Risk • Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
ISO 27005 Standard for InfoSec Risk Management
The ISO 27000 series includes a standard for the performance of Risk Management, ISO 27005 (http://www.27000.org/iso-27005.htm) • The 27005 document includes five-stage a risk management methodology: 1. Risk Assessment 2. Risk Treatment 3. Risk Acceptance 4. Risk Communication 5. Risk Monitoring and Review
Security Consultants
The InfoSec consultant is typically an independent expert in some aspect of InfoSec • He or she is usually brought in when the organization makes the decision to outsource one or more aspects of its security program • While it is usually preferable to involve a formal security services company, qualified individual consultants are available for hire
The OCTAVE Methods
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation • By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets • The operational or business units and the IT department work together to address the information security needs of the organization There are three variations of the OCTAVE Method: - The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, and which was designed for larger organizations (300 or more users) - OCTAVE-S, for smaller organizations of about 100 users - OCTAVE-Allegro, a streamlined approach for information security assessment and assurance
Risk Identification
The Risk Management project should be well organized and funded, with a clear champion, a statement of work, and all needed support. • Risk identification begins with the process of self-examination • Managers: - Identify the organization's information assets - Classify and categorize them into useful groups - Prioritize them by overall importance
Implementing Security Education, Training, and Awareness Programs
The SETA program is designed to reduce accidental security breaches by members of the organization • SETA programs offer three major benefits: - They can improve employee behavior - They can inform members of the organization about where to report violations of policy - They enable the organization to hold employees accountable for their actions • The purpose of SETA is to enhance security: - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources Management of Info
List the advantages and disadvantages of using a modular approach for creating and managing the ISSP.
The advantages of the modular ISSP policy are: - Often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches - Well controlled by centrally managed procedures, assuring complete topic coverage - Clear assignment to a responsible department Written by those with superior subject matter expertise for technology-specific systems The disadvantages of the modular ISSP policy are: - May be more expensive than other alternatives - Implementation can be difficult to manage
Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
The chief information security officer (CISO), or in some cases, the CSO, is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information • The senior executive responsible for security may also be called the director of security, senior security manager, or some similar title • The CISO usually reports directly to the CIO, although in larger organizations one or more additional layers of management may separate the two officers
Cost Benefit Analysis (CBA)
The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility • Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised • This decision-making process is called a cost benefit analysis or an economic feasibility study
What is the final component of the design and implementation of effective policies? Describe this component.
The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management.
Prioritizing (Rank Ordering) Information Assets
The final step in the risk identification process is to prioritize, or rank order, the assets • This goal can be achieved by using a weighted table analysis
How should the initial inventory be used when classifying and categorizing assets?
The inventory should reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs.
What is a key difference between law and ethics?
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
In the WBS approach, the project plan is first broken down into tasks placed on the WBS task list. The minimum attributes that should be identified for each task include all but which of the following?
The number of people and other resources needed for each task
Annual Rate of Occurence(ARO)
The probability of the specific attack per year
Identification and Prioritization of Information Assets
The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements • This step should be done without pre-judging the value of each asset; values will be assigned later in the process
Security Administrators and Analysts
The security administrator is a hybrid of a security technician and a security manager, with both technical knowledge and managerial skill • The security analyst is a specialized security administrator that, in addition to performing security administration duties, must analyze and design security solutions within a specific domain • Security analysts must be able to identify users' needs and understand the technological complexities and capabilities of the security systems they design
Factors that affect the internal context and impact the RM process, its goals, and its objectives include the following EXCEPT:
The threat environment—threats, known vulnerabilities, attack vectors
the illegal taking of another's property, which can be physical, electronic, or intellectual.
Theft
Project Management Tools
There are many tools that support the management of the diverse resources in complex projects - Most project managers combine software tools that implement one or more of the dominant modeling approaches • Projectitis occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work prjectlibre libreplan openproject project-open redmine agilefant
Describe the use of an IP address when deciding which attributes to track for each information asset.
This attribute is useful for network devices and servers but rarely applies to software. You can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset-identification process very difficult.
Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) __________
Threat
The basic outcomes of InfoSec governance should include all but which of the following?
Time management by aligning resources with personnel schedules and organizational objectives
PMBoK Knowledge Areas
To apply project management to InfoSec, you must first identify an established project management methodology • While other project management approaches exist, the PMBoK, promoted by the Project Management Institute (PMI) is considered the industry best practice
___________________ is a subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury.
Tort law
Acts of ____ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
Trespass
unauthorized entry into the real or virtual property of another party.
Trespass
___________are malware programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan Horses
____ are software programs that hide their true nature, and reveal their designed behavior only when activated.
Trojan horses
a malware program that hides its true nature and reveals its designed behavior only when activated.
Trojan horses
A clearly directed strategy flows from top to bottom rather than from bottom to top.
True
Deterrence is the best method for preventing an illegal or unethical activity.
True
Due diligence requires that an organization make a valid and ongoing effort to protect others
True
Information security is the protection of the confidentiality, integrity, and availability of information assets, in storage, processing, and transmission via the application of policy, education, training, awareness, and technology.
True
Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True
The Gramm-Leach-Bliley (GLB) Act, also known as the Financial Services Modernization Act of 1999, contains a number of provisions that affect banks, securities firms, and insurance companies
True
The Secret Service is charged with the detection and arrest of any person who commits a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True
The purpose of a weighted factor analysis is to list assets in order of their importance to the organization.
True
Which law extends protection to intellectual property, which includes words published in electronic formats?
U.S. Copyright Law
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes, is known as __________.
Uncertainty
Acceptance
Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control The acceptance risk control strategy is the decision to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation • It may or may not be a conscious business decision. • Unconscious acceptance of risk is not a valid approach to risk control • An organization that decides on acceptance as a strategy for every identified risk of loss may in fact be unable to conduct proactive security activities and may have an apathetic approach to security in general
the percentage of time a particular service is available; the opposite of downtime.
Uptime
Which of the following is an advantage of the user support group form of training?
Usually conducted in an informal social setting
Which of the following sections of the ISSP provides instructions on how to report observed or suspected policy infractions?
Violations of Policy
a type of malware that is attached to other executable programs.
Virus
a message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
Virus hoax
a potential weakness in an asset or its defensive control system(s).
Vulnerability
In which model in the SecSDLC does the work products of each phase fall into the next phase to serve as its starting point?
Waterfall
It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity. Which of the following is NOT one of them?
What other activities require the same resources as this activity?
Which of the following is NOT a valid rule of thumb on risk treatment strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain by using technical or operational controls.
a type of malware that is capable of activation and replication without being attached to an existing program.
Worm
Which statement defines the differences between a computer virus and a computer worm?
Worms can make copies all by themselves but viruses need to attach to an existing program on the host computer to replicate
____ are machines that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
Zombies
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system is known as __________.
a security analyst
Specifies the subjects and objects that users or groups can access.
a. capability table
The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
a. risk management
What are the two general approaches for controlling user authorization for the use of a technology?
access control lists and capability tables
The policy champion and manager is called the policy ____________________.
administrator
When dealing with an incident, the incident response team must conduct a(n) ____________________, which entails a detailed examination of the events that occurred from first detection to final recovery.
after action review
Information ____________ occurs when pieces of non-private data are combined to create information that violates privacy.
aggregation
is a document containing contact information of the individuals to notify in the event of an actual incident.
alert roster
Treating risk begins with which of the following?
an understanding of risk treatment strategies
A gathering of key reference materials is performed during which phase of the SDLC?
analysis
A risk assessment is performed during which phase of the SecSDLC?
analysis
In the __________ phase of the SecSDLC, the team studies the documents from earlier and looks at of relevant legal issues that could affect the design of the security solution.
analysis
Organizational feasibility
analysis examines how well the proposed information security alternatives will contribute to efficiency, effectiveness, and overall operation of an organization
The most complex part of an investigation is usually __________.
analysis for potential EM
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited availability is known as risk __________.
appetite
An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack, is known as threat __________.
assessment
Risk __________ is an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
assessment
Which of the following activities is part of the risk identification process?
assigning a value to each information asset
an act that is an intentional or unintentional attempt to compromise the information and/or the systems that support it
attack
An approach to combining risk identification, risk analysis, and risk evaluation into a single strategy.
b. risk assessment
A clear declaration that outlines the scope and applicability of a policy
b. statement of purpose
_____is the analysis of measures against established standards.
baselining
A ____________ overflow is an application error that occurs when the system can't handle the amount of data that is sent.
buffer
Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
bull's-eye model
In the event of an incident or disaster, which team sets up and starts off-site operations?
business continuity
When a disaster renders the current business location unusable, which plan is put into action?
business continuity
Labels that must be comprehensive and mutually exclusive.
c. classification categories
Which of the following is the first step in the process of implementing training? a. identify training staff b. identify target audiences c. identify program scope, goals, and objectives d. motivate management and employees
c. identify program scope, goals, and objectives
Which of the following activities is part of the risk evaluation process?
calculating the severity of risks to which assets are exposed in their current setting
Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
can suffer from poor policy dissemination, enforcement, and review
Which of the following is NOT one of the three general causes of unethical and illegal behavior?
carelessness
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
centralized authentication
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n).
chief information security officer
In which type of site are no computer hardware or peripherals provided?
cold site
After an incident, but before returning to its normal duties, the CSIRT must do which of the following?
conduct an after-action review
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an event?
contingency planning
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident is known as __________.
cost avoidance
Rather than making the effort to conduct a detailed assessment of the cost of recovery from an attack when estimating the danger from possible threats, organizations often __________.
create a subjective ranking based on anticipated recovery costs
Addresses violations harmful to society and is actively enforced and prosecuted by the state.
criminal law
Using the Program Evaluation and Review Technique, which of the following identifies the sequence of events or activities that requires the longest duration to complete, and that therefore cannot be delayed without delaying the entire project?
critical path
Ethics are based on ___________________, which are the relatively fixed moral attitudes or customs of a societal group.
cultural mores
. Which of the following is NOT a stage in the NIST Cybersecurity Framework (CSF)? a. Identify b. Detect c. Recover d. React
d. React
What is the final step in the risk identification process? a. assessing values for information assets b. classifying and categorizing assets c. identifying and inventorying assets d. ranking assets in order of importance
d. ranking assets in order of importance
Which of the following is a disadvantage of the one-on-one training method? a. inflexible scheduling b. may not be responsive to the needs of all the trainees c. content may not be customized to the needs of the organization d. resource intensive, to the point of being inefficient
d. resource intensive, to the point of being inefficient
The recognition, enumeration, and documentation of risks to an organization's information assets.
d. risk identification
Which of the following is NOT a consideration when selecting recommended best practices? a. threat environment is similar b. resource expenditures are practical c. organization structure is similar d. same certification and accreditation agency or standard
d. same certification and accreditation agency or standard
In order to ensure effort is spent protecting information that needs protecting, organizations implement _____.
data classification schemes
individual who determines the level of classification associated with data
data owner
Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
data users
organization's information assets
data, hardware, software, procedures, people
Honey pots
decoy systems designed to lure potential attackers away from critical systems.
Political feasibility
defines what can and cannot occur based on the consensus and relationships between the communities of interest, especially given that the budget allocation decisions can be politically charged
Technical feasibility
determines whether or not the organization has or can acquire the technology and expertise to implement, support and manage the new safeguards
The act of attempting to prevent an unwanted action by threatening punishment or retaliation on the instigator if the act takes place is known as ___________.
detterence
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
due diligence
A process focused on the identification and location of potential evidence related to a specific legal action after it was collected through digital forensics is known as _________.
e-discovery
Occurs when a manufacturer performs an upgrade to a hardware component at the customer's premises.
e. field change order
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment is known as ___________.
ethics
usually a documented way to circumvent controls or take advantage of weaknesses in control systems
exploit
An evaluation of the dangers to information assets, including a determination of their potential to endanger the organization.
f. threat assessment
a short-term interruption in electrical power availability
fault
To move the InfoSec discipline forward, organizations should take all of the following steps EXCEPT:
form a committee and approve suggestions from the CISO
44. Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. Which of these is NOT one of them?
frequency of review
testing of contingency plans, the individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
full-interruption
The quantity and nature of risk that organizations are willing to accept.
g. risk appetite
An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures.
h. qualitative assessment
a person who accesses systems and information without authorization and often illegally.
hacker
Remains even after the current control has been applied.
i. residual risk
The recognition, enumeration, and documentation of risks to an organization's information assets is known as risk __________.
identification
Security in Small Organizations
In a small organization, InfoSec often becomes the responsibility of a jack-of-all-trades, a single security administrator with perhaps one or two assistants for managing the technical components • It is not uncommon in smaller organizations to have the systems or network administrators play these many roles • Because resources are often limited in smaller organizations, the security administrator frequently turns to freeware or open source software to lower the costs of assessing and implementing security • In small organizations, security training and awareness is most commonly conducted on a one-on-one basis, with the security administrator providing advice to users as needed Some feel that small organizations, to their advantage, avoid some threats precisely because of their small size • Threats from insiders are also less likely in an environment where every employee knows every other employee • In general, the less anonymity an employee has, the less likely he or she feels able to get away with abuse or misuse of company assets • Smaller organizations typically have either one individual who has full-time duties in InfoSec or, more likely, one individual who manages or conducts InfoSec duties in addition to those of other functional areas, most likely IT, possibly with one or two assistants
Which of the following is the process of examining a possible incident and determining whether it constitutes an actual incident
Incident classification
According to the ITGI, what are the four supervisory tasks a board of directors should perform to ensure strategic InfoSec objectives are being met?
Inculcate a culture that recognizes the criticality of information and InfoSec to the organization Verify that management's investment in InfoSec is properly aligned with organizational strategies and the organization's risk environment Assure that a comprehensive InfoSec program is developed and implemented Demand reports from the various layers of management on the InfoSec program's effectiveness and adequacy
the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.
Industrial espionage
What strategic role do the InfoSec and IT communities play in risk management? Explain.
InfoSec - Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk. IT - This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.
data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
Information
the focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
Information asset
Blackmail threat of informational disclosure is an example of which threat category?
Information extortion
the act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
Information extortion