343w midterm


Disk-to-Disk-to-Cloud

An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor, with a ____ backup strategy.

Risk identification, risk assessment, risk control

Components of risk management:

Confidentiality

Confidentiality is roughly equivalent to privacy: only the right (authorized) people get to see the information.

Availability

Data is available to those who need it, when they need it; this is the sense in which the term is used in information security.

Identification of key pieces of hardware to recover

Effective Contingency Planning should contain all of the following except:

threat-agent

a specific and identifiable instance of a general threat that exploits vulnerabilities in the controls set up to protect the asset

Business impact analysis (BIA)

an investigation and assessment of the impact that various attacks can have on the organization.

more vigor

Another way to say "fewer words" is:

Threat assessment

Each threat is assessed regarding its potential to endanger the organization.

Standards

Have the same compliance requirements as policies, but are more detailed statements of what must be done to comply with policy.

Disaster recovery planning (DRP)

deals with the preparation for and recovery from a disaster, whether natural or man-made

control, safeguard, countermeasure

The defender tries to prevent attacks by applying a:

- Scope
- Data gathering process
- Seek objective
- Determine needs of higher management
- Validation

What major objectives should be considered when conducting the BIA?

An organization must establish an entity that will be responsible for contingency policy and plans.

How to begin a CP:

Signature matching

looks for attack patterns

network-based IDPS (NIDPS)

monitors traffic on a segment of an organization's network, looking for indications of ongoing or successful attacks while residing on a computer or appliance connected to that network segment

intrusion detection and prevention system (IDPS)

network burglar alarm. It is designed to be placed in a network to determine whether or not the network is being used in ways that are out of compliance with the policy of the organization.

incremental backup

only archives the files that have been modified since the last backup (of any kind) and thus requires less space and time to create than a differential backup

risk management

process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components of the organization's information system

Remote journaling (RJ)

recording live transactions offsite

bare metal recovery

restores the operating system (and everything on it) from backup onto bare hardware when a system fails

anomaly-based IDPS

detects intrusions by comparing current activity against statistical patterns of normal behavior (a baseline)

differential backup

storage of all files that have changed or been added since the last full backup.

Risk control

the process of applying controls to reduce the risks to an organization's data and information systems.

Risk identification

the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces

information security (InfoSec)

the protection of the confidentiality, integrity, and availability of information, whether in storage, during processing, or in transmission.

possible, probable, and definite.

three broad categories of incident indicators

- presence of unfamiliar files
- presence or execution of unknown programs or processes
- unusual consumption of computing resources
- unusual system crashes

There are four types of possible incident candidates:

Denial of service

A ____ attack seeks to prevent legitimate users access to services by either tying up a server's available resources or causing it to shut down.

Disaster recovery plan

A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made.

Business continuity Plan

A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site.

Hypervisor

A ____ is a synonym for a virtualization application.

Network-Attached Storage

A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment.

Persistent

A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.

Business Impact Analysis

A _______ is an investigation and assessment of the impact that various events or incidents can have on the organization.

Moderate

A backup plan using WAN/VLAN replication and a recovery strategy using a warm site is most suitable for information systems that have ____ priority within an organization.

War Gaming

A favorite pastime of information security professionals is ______, which is a simulation of attack and defense activities using realistic networks and information systems, with the exercise of IR plans being an important element.

Business process

A task performed by an organization or organizational subunit in support of the organization's overall mission.

Red teaming

A typical CSIRT needs experience in all of the following except:
- System administration
- Red teaming
- Network administration
- Cryptography

- Realistic chance of success
- Threatens the confidentiality, integrity, or availability of information resources and assets
- Directed against information assets owned or operated by the organization

A valid attack is classified as an information security incident when it has all of the following:
- Realistic chance of success
- Data exfiltration from the target network
- Threatens the confidentiality, integrity, or availability of information resources and assets
- Directed against information assets owned or operated by the organization

Differential

A(n) ____ backup only archives the files that have been modified since the last full backup.
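The three backup cards above (incremental, differential, and the full backup they both depend on) are easiest to compare by simulating them. The following is an added example, not material from the original study set: it runs both strategies over a constructed four-day change history (the file names, versions and day numbers are made up) and reports how much each strategy archives and how many backups a restore has to replay. Deletions are not tracked, so a restore would resurrect a file removed after the full backup; a real tool has to record them.

```python
"""Full, differential and incremental backups simulated over a constructed change history.

Added example (not from the page): each day's snapshot maps file name -> version number.
Day 0 is always a full backup; later days archive only what the chosen strategy requires.
Deletions are not tracked here, so a restore would resurrect files removed after the full.
"""
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str    # "full", "differential" or "incremental"
    day: int
    files: dict  # file name -> version captured in this backup


def plan_backups(history, strategy):
    """history: list of (day, snapshot) pairs, full backup day first.
    strategy: "differential" (changes since the last full) or
              "incremental" (changes since the last backup of any kind)."""
    if strategy not in ("differential", "incremental"):
        raise ValueError("strategy must be 'differential' or 'incremental'")
    backups = []
    last_full = None   # file set as of the most recent full backup
    last_any = None    # file set as of the most recent backup of any kind
    for day, snapshot in history:
        if last_full is None:
            backups.append(Backup("full", day, dict(snapshot)))
            last_full = last_any = dict(snapshot)
            continue
        baseline = last_full if strategy == "differential" else last_any
        changed = {f: v for f, v in snapshot.items() if baseline.get(f) != v}
        backups.append(Backup(strategy, day, changed))
        last_any = dict(snapshot)
    return backups


def restore_chain(backups):
    """The backups that must be replayed, oldest first, to rebuild the latest state."""
    full_idx = max(i for i, b in enumerate(backups) if b.kind == "full")
    last = backups[-1]
    if last.kind == "full":
        return [last]
    if last.kind == "differential":
        return [backups[full_idx], last]   # full + the most recent differential only
    return backups[full_idx:]              # full + every incremental taken since it


def restore(backups):
    """Rebuild the file set by replaying the restore chain in order."""
    state = {}
    for b in restore_chain(backups):
        state.update(b.files)
    return state


def archived_files(backups):
    """Total number of file copies written; a proxy for space and time consumed."""
    return sum(len(b.files) for b in backups)


# Constructed history: a.txt changes on days 1 and 3, b.txt on day 2, c.txt never.
HISTORY = [
    (0, {"a.txt": 1, "b.txt": 1, "c.txt": 1}),
    (1, {"a.txt": 2, "b.txt": 1, "c.txt": 1}),
    (2, {"a.txt": 2, "b.txt": 2, "c.txt": 1}),
    (3, {"a.txt": 3, "b.txt": 2, "c.txt": 1}),
]

if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        plan = plan_backups(HISTORY, strategy)
        print(strategy, "archives per day:", [len(b.files) for b in plan],
              "| restore replays", len(restore_chain(plan)), "backups")
```

Run stand-alone it shows the trade-off the cards describe: the differential plan writes 8 file copies but restores from just two backups, while the incremental plan writes 6 copies and needs the full plus all three incrementals. Losing any single incremental breaks the chain; losing an older differential does not.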

Policy

A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization.

Indication

A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.

Private cloud

A(n) ____ is an extension of an organization's intranet into cloud computing.

Threat

A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.

Contingency Planning Management Team

A(n) _____ is the collection of individuals responsible for the overall planning and development of the contingency planning process, including the organization of subordinate teams and oversight of subordinate plans.

Incident Response Plan

A(n) ___________ is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.

Vulnerability Assessment

According to NIST, ________ is an additional service that an IR team might offer.

Integrity

Accuracy of data: it has not been altered or corrupted by unauthorized parties.

After action review

At the end of every test, exercise, or assessment function, the group should convene for a(n) ______.

Assessing mission/business processes and recovery criticality, identifying resource requirements, and identifying recovery priorities.

BIA is conducted in three stages:

False

Because CSIRT opportunities are typically ancillary to the CSIRT member's day-to-day job, managers don't need to worry about burnout.

Retention

Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.

Have Physical Access

If an intruder can ____ a device, then no electronic protection can deter the loss of information.

DNS cache Poisoning

In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.

Adverse Event

In an organization, unexpected events occur periodically; these are referred to as ___________.

Adverse event; incident

In contingency planning, a(n) _________ that threatens the security of the organization's information is called an _________.

CSIRT

In some organizations, the ______ may simply be a loose or informal association of IT and InfoSec staffers who are called up if an attack on the organization's information assets is detected.

Protect and Forget

In the ____ approach, the focus is on the defense of the data and the systems that house, use, and transmit it. (Options: protect and forget, or apprehend and prosecute.)

Passive Voice

In traditional grammar, a verb form (or voice) in which the grammatical subject receives the verb's action.

Active Voice

In traditional grammar, the verb form (or voice) in which the subject of the sentence performs or causes the action expressed by the verb. For example:

Integrity

Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.

RAID 2 (disk striping with parity)

Uses Hamming-code error correction to store strips of data across different drives.

False Positive

Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.

RAID 0 (disk striping)

Provides one large volume across multiple hard disks by striping data over them; it adds capacity and speed but no redundancy, so losing any one drive loses the whole volume.

Maximum tolerable downtime

Represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption and includes all impact considerations.

risk assessment

Risk assessment assigns a risk rating or score to each information asset.

Risk = Likelihood × Value − (% of risk already mitigated by current controls) + Uncertainty

Risk assessment equation
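Applied over several assets, the equation above produces the ranked risk worksheet that risk assessment is meant to deliver. The code below is an added example, not part of the study set: it scores a constructed worksheet (the asset names and numbers are illustrative) and sorts it highest risk first. One assumption is needed that the card does not state: both percentages are taken of the Likelihood × Value product, which is how the textbook worked example applies them.

```python
"""Risk rating from the page's equation, applied to a constructed ranked worksheet.

    Risk = Likelihood x Value - (% of risk already mitigated) + Uncertainty

Added example (not from the page). Assumption: both percentages are taken of the
Likelihood x Value product (the convention in the Whitman & Mattord worked example);
the card itself does not say which base they apply to.
"""


def risk_rating(likelihood, value, pct_mitigated, pct_uncertainty):
    """likelihood in [0, 1]; value is the asset's relative worth (e.g. 1-100);
    both percentages are fractions (0.5 means 50 %)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability")
    if not 0.0 <= pct_mitigated <= 1.0 or pct_uncertainty < 0.0:
        raise ValueError("percentages must be non-negative fractions, mitigated <= 1")
    base = likelihood * value
    return base - base * pct_mitigated + base * pct_uncertainty


def ranked_worksheet(rows):
    """rows: (asset, vulnerability, likelihood, value, pct_mitigated, pct_uncertainty).
    Returns (asset, vulnerability, risk) ordered from highest risk to lowest, which is
    the order in which controls should be considered."""
    scored = [(a, v, risk_rating(l, val, m, u)) for a, v, l, val, m, u in rows]
    return sorted(scored, key=lambda r: r[2], reverse=True)


# Constructed worksheet; the assets, vulnerabilities and values are illustrative only.
WORKSHEET = [
    ("Customer DB", "unpatched DBMS",   1.0,  50, 0.0, 0.10),
    ("Web server",  "weak TLS config",  0.5, 100, 0.5, 0.20),
    ("Web server",  "no rate limiting", 0.1, 100, 0.0, 0.10),
]

if __name__ == "__main__":
    for asset, vuln, risk in ranked_worksheet(WORKSHEET):
        print(f"{risk:6.1f}  {asset:12s} {vuln}")
```

Note how the lower-valued asset ends up at the top: a certain-to-be-exploited vulnerability with no controls outranks a higher-value asset whose exposure is already half mitigated.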

CSIRT

The CISO should select members from each community of interest to form the _______ that will execute the IR plan.

clear and formal commitment of senior executive management.

The CP process will fail without what critical element?

CIA Triangle

The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe.

Pen/Trap Statute

The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications.

Trigger

The ____ is/are the circumstances that cause the IR team to be activated and the IR plan to be initiated.

Monitoring Port

The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.

Apprehend and Prosecute

The _____ approach focuses on the identification and apprehension of the intruder, with additional attention given to the collection and preservation of evidentiary materials that might support administrative or criminal prosecution. (Options: protect and forget, or apprehend and prosecute.)

IR Duty Officer

The ______ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.

Incident response planning (IRP)

The actions an organization can, and perhaps should, take while an incident is in progress

Recovery time objective

The period of time within which systems, applications, or functions must be recovered after an outage.

recovery point objective

The point in time to which lost systems and data can be recovered after an outage as determined by the business unit.

Trespass

The term ____ refers to a broad category of electronic and human activities in which an unauthorized individual gains access to the information an organization is trying to protect.

IR plan tests and CSIRT performance measures

The two ways to evaluate CSIRT effectiveness are:

Snort

The use of IDPS sensors and analysis systems can be quite complex. One very common application is an open source software program called ____, which runs on a UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.

- use of dormant accounts
- changes to logs
- presence of hacker tools
- notification by partner or peer
- notification by hacker

There are five types of definite incident candidates:

- activities at unexpected times
- presence of unexpected new accounts
- reported attacks
- notification from IDPS

There are four types of probable incident candidates:

Protect and Forget; Apprehend and Prosecute

There are multiple philosophies for incident response. On either end of the spectrum are:

- Obtaining commitment and support from senior management
- Managing and conducting the overall CP process
- Writing the master CP document
- Conducting the business impact analysis (BIA), which includes

What are the primary responsibilities of the contingency planning management team (CPMT)?

RAID 1 (disk mirroring)

Uses twin drives, with a full copy of the data on each.

- Business manager: familiar with operations
- Information technology manager: familiar with systems
- Information security manager: oversees security planning

What are the three communities of interest, and why are they important to CP?

- Incident response
- Disaster recovery
- Business continuity
- Crisis management

What four teams may be subordinate to the CPMT in a typical organization?

insurance

What is the number one budgetary expense for disaster recovery?

An organization should keep three levels of computer systems available

What is the rule of three?

Clipping level

When the measured activity is outside the previously-known-good parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).

Hypervisor

When using virtualization, it is commonplace to use the term ____ to refer to the system that provides a virtualized environment in or on a host platform.

Penetration testing

Which of the following is not part of IR plan testing?
- Parallel testing
- Walk-throughs
- Penetration testing
- Desk checking

Employee schedule

Which of the following is not part of the BIA?
- Production schedules
- Financial reports
- IT application logs
- Employee schedule

Defense

____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.

Honey Pots

____ are closely monitored network decoys that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation.

Data Archives

____ are used for recovery from disasters that threaten on-site backups.

Mitigation

____ is the risk control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.

RAID

____ uses a number of hard drives to store information across multiple drive units.
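The RAID cards on this page (RAID 0 striping, RAID 1 mirroring, and the general definition above) come down to where each block lands and what survives a drive failure. The block below is an added example, not from the study set: it simulates both levels over in-memory "drives" (dicts of block index to bytes, with a failed drive represented as None) using a constructed payload, and checks which array still returns the data after losing any single drive. RAID 2's Hamming-code striping is not simulated.

```python
"""RAID 0 (striping) and RAID 1 (mirroring) simulated over in-memory "drives".

Added example (not from the page): a drive is a dict mapping block index -> bytes,
and a failed drive is represented as None. It shows why striping presents the
drives as one large volume with no redundancy, and why mirroring survives the
loss of one of its twin drives.
"""
BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def raid0_write(data, n_drives):
    """Stripe blocks round-robin: block k goes to drive k % n at slot k // n."""
    drives = [{} for _ in range(n_drives)]
    for k, block in enumerate(split_blocks(data)):
        drives[k % n_drives][k // n_drives] = block
    return drives


def raid0_read(drives):
    """Reassemble the stripe set; fails if any drive is gone, because no
    other drive holds a copy of its blocks."""
    if any(d is None for d in drives):
        raise RuntimeError("RAID 0 has no redundancy: a lost drive loses the volume")
    n, k, out = len(drives), 0, b""
    while (k // n) in drives[k % n]:
        out += drives[k % n][k // n]
        k += 1
    return out


def raid1_write(data):
    """Mirror: twin drives, each holding a full copy of every block."""
    blocks = dict(enumerate(split_blocks(data)))
    return [dict(blocks), dict(blocks)]


def raid1_read(drives):
    """Read from whichever mirror is still present."""
    for d in drives:
        if d is not None:
            return b"".join(d[k] for k in range(len(d)))
    raise RuntimeError("both mirrors lost")


def fail_drive(drives, i):
    """Return a copy of the array with drive i marked as failed."""
    damaged = list(drives)
    damaged[i] = None
    return damaged


def survives_any_single_loss(drives, reader, data):
    """True only if the array still returns `data` after losing any one drive."""
    for i in range(len(drives)):
        try:
            if reader(fail_drive(drives, i)) != data:
                return False
        except RuntimeError:
            return False
    return True


# Constructed payload; 21 bytes -> 6 blocks, so the last block is short.
DATA = b"payroll export 2024!!"

if __name__ == "__main__":
    striped = raid0_write(DATA, 2)
    mirrored = raid1_write(DATA)
    print("RAID 0 blocks per drive:", [len(d) for d in striped],
          "survives a drive loss:", survives_any_single_loss(striped, raid0_read, DATA))
    print("RAID 1 blocks per drive:", [len(d) for d in mirrored],
          "survives a drive loss:", survives_any_single_loss(mirrored, raid1_read, DATA))
```

The striped array spreads the six blocks three per drive and reads back the full payload, but fails the loss check; the mirror stores all six blocks on both drives and still answers after either one is removed. Neither level is a backup: a bad write or a deleted file is striped or mirrored just as faithfully.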

Incident Response

_______ is a set of procedures that commence when an incident is detected.

CSIRT

_________ is a set of people, policies, procedures, technologies, and information necessary to detect, react to, and recover from an incident that could potentially result in unwanted modification, damage, destruction, or disclosure of the organization's information.

vulnerability

a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system's security policy.

issue-specific security policy (ISSP)

addresses specific areas of technology and contains a statement on the organization's position on a specific issue.

enterprise information security policy (EISP)

based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

intrusion detection systems (IDSs)

a burglar alarm that detects violations

Business continuity planning (BCP)

document that describes how, in the event of a disaster, critical business functions will continue at an alternate location while the organization recovers its ability to function at the primary site—as supported by the DR plan.

signature-based IDPS

examines data traffic in search of patterns that match known signatures
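The signature-based card above, together with the signature matching, anomaly-based IDPS and clipping level cards earlier on the page, describe the two detection methods an IDPS uses. The following is an added example, not code from the study set or from any IDPS product: it runs a few constructed signatures over constructed web request lines, and applies a behaviour-based check with a clipping level to constructed per-minute request counts. The signature patterns, baseline figures and log lines are all made up for illustration, and a real signature set would be far larger and tuned against false positives.

```python
"""Signature matching and anomaly detection (with a clipping level) over constructed logs.

Added example (not from the page). The signatures, request lines and traffic counts
are all constructed for illustration.
"""
import re
import statistics

# Constructed signatures: name -> pattern matched against a web-server request line.
SIGNATURES = {
    "sqli-tautology": re.compile(r"('|%27)\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE),
    "cmd-injection":  re.compile(r"(;|%3b)\s*(cat|ls|id|wget|curl)\b", re.IGNORECASE),
}


def signature_matches(request_line):
    """Signature-based check: names of every known attack pattern found in the line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]


def anomaly_alerts(baseline_counts, observed_counts, clipping_level=3.0):
    """Behaviour-based check: flag any observation more than `clipping_level`
    standard deviations above the mean of the known-good baseline. The clipping
    level is the threshold at which the IDPS raises an alert."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # flat baseline: avoid dividing by zero
    return [(minute, count) for minute, count in observed_counts
            if (count - mean) / stdev > clipping_level]


# Constructed request lines: two benign, three carrying attack patterns.
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /search?q=shoes HTTP/1.1",
    "GET /search?q=' OR 1=1-- HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /ping?host=127.0.0.1;cat%20/etc/shadow HTTP/1.1",
]

# Constructed traffic: eight known-good minutes, then four observed minutes (minute 3 is a flood).
BASELINE_REQ_PER_MIN = [40, 42, 38, 41, 39, 40, 43, 37]
OBSERVED = [(1, 41), (2, 44), (3, 390), (4, 40)]


def run():
    """Return both detectors' findings so they can be compared side by side."""
    by_signature = {line: signature_matches(line) for line in REQUESTS}
    by_anomaly = anomaly_alerts(BASELINE_REQ_PER_MIN, OBSERVED)
    return by_signature, by_anomaly


if __name__ == "__main__":
    sig, anom = run()
    for line, hits in sig.items():
        print(f"{hits or ['-']!s:22} {line}")
    print("anomalous minutes:", anom)
```

The two methods fail in opposite ways: the signature check never fires on the flood, because no request line matches a known pattern, and the anomaly check never fires on the three injection attempts, because three requests are well within the baseline. Lowering the clipping level to 2.0 makes the 44-request minute an alert too, which is the false-positive trade-off the clipping level controls.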

systems-specific security policies (SysSPs)

frequently codified as standards and procedures to be used when configuring or maintaining systems.

Disaster recovery plan; business continuity plan

The two components of business resumption planning (BRP):

Data backup

typically a snapshot of the data from a specific point in time.

