
Examples of Block ciphers

(DES, 3DES, and AES)

Examples of hashing functions

(SHA-1 and SHA-3)

Example: In the room where the safe resides, closed-circuit televisions, motion sensors, and alarm systems quickly detect any unusual activity.

(detection)

The formal study of information security has accelerated primarily for what reason?

(increasingly interconnected global networks)

Defense in depth is needed to ensure that which three mandatory activities are present in a security system?

(prevention, detection, and response)

Example: The sound of an alarm could trigger the doors to automatically lock, the police to be notified, or the room to fill with tear gas.

(response).

The goals of the DRP include these:

* Keeping the computers running. Computer services are an integral part of most businesses, especially those such as Internet service providers, where these services are the business.
* Meeting formal and informal service-level agreements (SLAs) with customers and suppliers.
* Being proactive rather than reactive. A carefully rehearsed DRP must be second nature to critical personnel. The DRP should include a comprehensive checklist of activities to perform through practice runs to make sure the people who are responsible for recovery are not caught by surprise.

According to a 2013 Verizon Breach Investigations Report, what percentage of breaches were driven by financial motives?

75%

How many domains are contained within the CBK?

8

Which of the following events are considered natural disasters?

A Earthquakes B Chemical fires C Rat infestations

Which of the following statements is true of ethical conduct?

A Ethical conduct is expected of all IS specialists. B Ethical conduct helps define a high moral code of professional behavior. C Ethical conduct speaks to the credibility of the individual.

Which of the following is not true about the use of fingerprints for identification and authentication (I&A)?

A Fingerprints are an infallible physical security control.

Which of the following is concerned with configuration management?

A Hardware B Software C Documentation

Which of the following statements are true of smart cards?

A Smart cards are used more extensively in Europe and Asia than in the United States. B Smart cards can store passwords such as personal identification numbers (PINs). C Although they promise great strides in authenticating users, smart cards are not infallible.

Computer laws have become increasingly difficult to enforce for which of the following reasons?

A The inability of legislation in the United States to keep pace with technological advances B The globalization of the economy, resulting in unclear international legal boundaries C Conflicting security standards within the United States and between the United States and other nations

Which statement best describes the location of a DMZ?

A DMZ is located immediately behind your first Internet firewall.

The Access Control domain includes which of the following?

A collection of mechanisms to create secure architectures for asset protection

Which of the following statements best defines a covert channel?

A covert channel is a communication channel that allows transfer of information in a manner that violates the system's security policy.

Which of the following choices is not part of a security policy?

A description of specific technologies used in the field of information security regulations

Which statement best describes a digital signature?

A digital signature allows the recipient of data to prove the source and integrity of data.

____________ assumes the entire burden of providing backup computing services for the customer. This includes hosting the application software and data in a so-called mirror site.

A hot-site facility

A message is said to be digitally signed if it's sent with which of the following?

A message digest encrypted with the sender's private key

Which of the following statements best describes a mobile unit site?

A mobile unit site is a fully equipped recovery site on wheels.

Which of the following is the simplest type of firewall to implement?

A packet-filtering firewall

______________ is a repeat transmission of a valid data transmission that was already conducted, typically a malicious action meant to cover the perpetrator's fraudulent intent, such as replaying a log-in activity that was recorded when the legitimate user first logged in. These attacks can occur when a man in the middle of a conversation stream collects and stores the communication and then goes back through the stream looking for authentication credentials or session initiation messages.

A replay attack

Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?

A risk

Which of the following terms best describes an event that could cause harm to the information systems?

A threat

Within IT security, which of the following combinations best defines risk?

A threat coupled with a vulnerability

Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?

A vulnerability

The growing demand for InfoSec specialists is occurring predominantly in which of the following types of organizations?

Gov, corporations, not for profit foundations

Which of the following statements best describes HVAC?

HVAC is a type of environmental control system.

________________ can also be used with symmetric key cryptography; the result of the operation is called a message authentication code, or MAC. When you hear the term hash, think of digital signatures, and when you hear the term MAC, think of shared secret cryptography operations.

Hashing-type functions

Environmental controls include which of the following elements?

Heating and air conditioning Diesel backup generators

Which of the following is an advantage of using hot sites as a backup alternative?

Hot sites can be made ready for operation within a short period of time.

Following are the areas of physical security:

How to choose a site, how to secure a site, and how to protect the people and property

When backing up an application system's data, which of the following is a key question to be answered first?

How to store backups

Which statement about IPSec is true?

IPSec performs encryption and authentication.

What is meant by the phrase "the umbrella of information security"?

IS incorporates many different pursuits and disciplines

Which of the following statements best describes IT security measures?

IT security measures should be tailored to meet organizational security goals.

Which of the following should be given technical security training?

IT support personnel and system administrators

Which of the following statements is true about identification?

Identification establishes user accountability for the actions on the system.

The Operations Security domain includes which of the following?

Identification of controls over hardware, media, and personnel

Which of the following terms best describes a computer that uses more than one CPU in parallel to execute instructions?

Multiprocessing

Which of the following statements best describes natural justice?

Natural justice is considered self-evident and thus requires no statutes.

_____________ Covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy.

Noninterference model

______________ This service guarantees that the sender of a message cannot deny having sent the message and the receiver cannot deny having received the message.

Nonrepudiation

_______________ also known as ISO 15408, combines the best features of the TCSEC with the ITSEC and the CTCPEC, and synergizes them into a single international standard.

The Common Criteria

Which of the following statements best describes the intentions of the ISC2 Code of Ethics?

The ISC2 Code of Ethics helps certificate holders resolve dilemmas related to their practice. B The ISC2 Code of Ethics provides guidance on encouraging good behavior. C The ISC2 Code of Ethics provides guidance on discouraging poor behavior.

Which of the following terms best defines the sum of protection mechanisms inside the computer, including hardware, firmware, and software?

Trusted computing base

Operations security requires the implementation of physical security to control which of the following?

Unauthorized personnel access

Controls (such as documented processes) and countermeasures (such as firewalls) ...

must be implemented as one or more of these previous types, or the controls are not there for the purposes of security

Secondary storage is a

nonvolatile storage format that can store application and system code plus data when the system is not in use. Examples of this are disk drives or other persistent data storage mechanisms (including Flash [USB] drives, memory sticks, and tapes).

Security controls are the basic toolkit for the security practitioner who mixes and matches them to carry out the objectives of confidentiality, integrity, and/or availability by using

people, processes, and technology to bring them to life.

Security consultants do this:

perform risk analysis of new systems by balancing the needs of business with the threats that stem from opening up access to data or managing new information that could compromise the business if it fell into the wrong hands.

Access controls are equated to

prevention

Random access memory (RAM) is the computer's

primary working and storage area. It is addressable directly by the CPU and stores application or system code in addition to data.

Preventative controls

protect vulnerabilities and either make an attack unsuccessful or reduce its impact.

Using asymmetric key cryptography, you share your __________with everyone you want to communicate with privately, but you keep your private key secret. Your private key essentially is your identity.

public key

Corrective controls

reduce the effect of an attack.

Deterrent controls

reduce the likelihood of a deliberate attack.

Recovery controls

restore lost computer resources or capabilities to recover from security violations.

Issue-specific policies identify and define ____________

specific areas of concern and state an organization's position or posture on the issue. Depending on the issue and its controversy, as well as potential impact, issue-specific policy can come from the head of the organization, the top management official, the chief information officer (CIO), or the computer security program manager (such as CISO).

__________ provides facilities (including power, air conditioning, heat, and other environmental systems) necessary to run a data processing center without any of the computer hardware or software.

the cold site

Primary storage is a volatile storage medium, meaning that

the contents of the physical memory are lost when the power is removed.

Confidentiality is sometimes referred to as

the principle of least privilege, meaning that users should be given only enough privilege to perform their duties, and no more. Some other synonyms for confidentiality you might encounter include privacy, secrecy, and discretion.

Which of the following statements best defines risk management?

the process of identifying, assessing, and controlling risks to an organization's assets.

The Trusted Computing Base (TCB) is

the totality of protection mechanisms within a computer system, including hardware, firmware, and software

Careers in information security are booming because of which of the following factors?

threat of cyber terrorism, gov regs, growth of the internet

An attacker, then, is the link between a ___ and an ____. The attacker has two characteristics: ___ and ___.

vulnerability, exploit; skill, will

Functional requirements describe

what a system should do.

In applying these concepts to risk analysis, the IS practitioner must anticipate...

who might want to attack the system, how capable the attacker might be, how available the exploits to a vulnerability are, and which systems have the vulnerability present.

A group of smaller LANs connected logically or physically is referred to as a ________________. As you might suspect, the WAN covers a larger geographic area than a LAN (technically, a network that covers an area larger than a single building). A WAN can span an entire nation or even the globe using satellites. A WAN is inherently more complex than a LAN because of its size and use of multiple network protocols and configurations. WANs can combine other subnetworks, such as intranets, extranets, and virtual private networks (VPNs), to provide enhanced network capabilities.

wide area network, or WAN

Business losses that result from computer crime are difficult to estimate for which of the following reasons?

A Companies are not always aware that their computer systems have been compromised. B Companies are sometimes reluctant to report computer crime because it is bad advertising. C Losses are often difficult to quantify.

How is the Building Security in Maturity Model (BSIMM) used to measure the maturity of a software assurance program?

By looking for evidence of security activities in the SDLC

____________________ Acts as a state machine model for a discretionary access control environment.

Access matrix model

______________ matches an IP address to an Ethernet address, which is a physical device (network adapter) that has a unique media access control (MAC) address assigned by the manufacturer of the device. Helps with network addressing tasks.

Address Resolution Protocol (ARP)

______________ is also referred to as natural justice. We owe this legal concept to the Romans, who believed certain legal principles were "natural" or self-evident and did not need to be codified by statute

Administrative law

Which of the following is the first step in establishing an information security program?

Adoption of a corporate information security policy statement

What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?

An access control list

_______________ enables the network administrator to implement stricter security policies than packet-filtering routers can manage. Instead of relying on a generic packet-filtering tool to manage the flow of Internet services through the firewall, special-purpose code (a proxy service) is installed on the gateway for each desired application.

An application-level gateway

Which of the following statements best describes an audit trail?

An audit trail is a history of transactions indicating data that has been changed or modified.

Which type of individual is most likely to perform a grudge attack?

An employee who feels that his employer has mistreated him

___________ is an intranet that allows select users outside the firewalls to access the site. For example, a company might give vendors and suppliers limited access to the intranet while excluding the general public.

An extranet

_____________ is a local or wide area network based on TCP/IP, but with fences (firewalls) that limit the network's access to the Internet. Intranets use the standard software and protocols you find on the Internet, but they are for private use and are not accessible to the public via the Internet. Companies can use low-cost Internet software such as browsers to build internal sites, such as human resources and internal job postings. An intranet is more secure than the Internet because it has a restricted user community and local control.

An intranet

What is the best definition of carders?

An underground hacker network for the trafficking of stolen credit and debit cards

_______________ minimize and detect software operational irregularities.

Application-level controls

According to the Gartner Group, which of the following statements is true?

Approximately 40 percent of businesses experiencing a disaster of some sort go out of business.

Operations security seeks to primarily protect against which of the following?

Asset threats

Which of the following terms best describes the verification that the user's claimed identity is valid?

Authentication

_______________are important for encrypting/decrypting data in bulk, such as files or batches of data. They're also useful for encrypting data in storage systems to prevent unauthorized access. These can be used to encrypt data fields (attributes) in records and tables, entire records of data, or entire files or database tables.

Block ciphers

Class ________ systems to all subjects and objects in the system. In addition, covert channels are addressed.

B1

Which Orange Book rating represents the highest security level?

B2

Which statement best defines BSIMM?

BSIMM is designed to help organizations understand, measure, and plan a software security initiative.

Leonard J. LaPadula and David E. Bell developed this early and popular security model in the 1970s. It forms the basis of the TCSEC. This model is a formal one of security policy that describes a set of access control rules. By conforming to a set of rules, the model inductively proves that the system is secure. A subject's access (usually a user) to an object (usually a file) is allowed or disallowed by comparing the object's security classification with the subject's security clearance.

Bell-LaPadula Model

The Orange Book is founded upon which security policy model?

Bell-LaPadula model

_____________ covers integrity levels, which are analogs to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data.

Biba Integrity Model

Which of the following statements is not true about the BCP and DRP?

Both plans describe preventative, not reactive, security procedures.

Which of the following best represents the three objectives of information security?

CIA

People more interested in certifying themselves as security experts in a business context should consider preparing for which of the following certifications?

CISA

___________ are written to compensate individuals who were harmed through wrongful acts known as torts. A tort can be either intentional or unintentional (as in the case of negligence). Common law is generally associated with civil disputes in which compensation is financial but does not involve imprisonment.

Civil laws

_____________: Proposes "well formed transactions." It requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties.

Clark and Wilson model

Which Orange Book security rating introduces security labels?

Class B1

Which of the following is not a media viability control used to protect the feasibility of data storage media?

Clearing

An organization short on funding but long on its ability to assume risk would most likely use which of the following recovery sites? A __________ site

Cold

We inherited which of our legal systems from England?

Common law

Cybersecurity is like an umbrella. Under the umbrella are the following:

Compliance, policies, standards, admin, auditing, software dev security, permission controls, incident response, physical security, intrusion detection and prevention, ops controls, antivirus, security testing, training and awareness, key management, public key infrastructure, disaster recovery, access controls

The Security Architecture and Design domain includes which of the following?

Concepts and principles for secure designs of computing resources

Which of the following terms best describes the primary concern of the Bell-LaPadula security model?

Confidentiality

Which of the following represents the three goals of information security? Spell it out

Confidentiality, Integrity, and availability

Which of the following statements is true about controlling info?

Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and accountability.

Which of the following statements best describes controls?

Controls mitigate risk and reduce the potential for loss.

_____________ punishes those who violate government laws and harm an individual or group. Unlike civil law, criminal law includes imprisonment in addition to financial penalties.

Criminal law

Which of the following is the best way to handle obsolete magnetic tapes before disposing of them?

D Degaussing the tapes

Which of the following best represents the two types of IT security requirements?

Functional and assurance

People more interested in certifying themselves as security technical practitioners should consider preparing for which of the following certifications?

GIAC and CEH

Which ISO/OSI layer defines how to address the physical devices on the network?

Data Link Layer

Which of the following terms is not a method to protect subjects, objects, and the data within the objects?

Data mining

The growth in the security profession is driven by which of the following?

Demands by industry and government for scarce resources

Which of the following computer crimes involves overtaxing a computer's resources until it is no longer functional?

Denial of service (DoS)

Information security professionals usually address three common challenges to availability:

* Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered)
* Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
* Equipment failures during normal use

___________ discover errors after they've occurred.

Detective controls

The peer review activity is found in which phase of the SDLC?

Development phase

Related to information security, confidentiality is the opposite of which of the following?

Disclosure

_________________ dictates that the information owner is the one who decides who gets to access the system(s). This is how most corporate systems operate.

Discretionary Access Control

Which of the following places the Orange Book classifications in order from most secure to least secure?

Division A, Division B, Division C, Division D

The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection?

Divisions A and B

The Information Security Governance and Risk Management domain includes which of the following?

Documented policies, standards, procedures, and guidelines Management of risk to corporate assets

One purpose of a security awareness program is to modify which of the following?

Employees' attitudes and behaviors

Which of the following terms best describes a cookbook on how to take advantage of a vulnerability?

Exploit

, "Access Control Systems and Methodology," covers this domain. Cryptography: This domain contains the stuff of espionage and spy novels. It involves encrypting data so that authorized individuals may view the sensitive data and unauthorized individuals may not. Cryptography is a highly complex topic. The InfoSec specialist needs to understand the function but not necessarily the mechanics of cryptography. Topics in the Cryptography domain include

* Identifying the application and use of cryptography
* Comprehending the cryptographic life cycle
* Understanding encryption concepts
* Identifying key management processes
* Using digital signatures
* Identifying nonrepudiation
* Recognizing the methods of cryptanalytic attacks
* Using cryptography to maintain network security
* Using cryptography to maintain application security
* Understanding the public key infrastructure (PKI)
* Identifying certificate-related issues
* Understanding information-hiding alternatives

___________________ is one who maintains overall responsibility for the information within an information system. In the corporate world, it might be a department head or a division executive. In the academic world, it might be a dean of records or a university president.

Information Owner

___________ Simplifies analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy.

Information flow model

____________: A concern of the U.S. Department of Homeland Security, information warfare includes attacks upon a country's computer network to gain economic or military advantage.

Information warfare

Which phase of a system development life cycle is most concerned with establishing a sound policy as the foundation for design?

Initiation

Which of the following does not pertain to physical security?

Installing firewalls on all computers

Which of the following terms best describes the primary concern of the Biba security model?

Integrity

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

Integrity and availability

______________ is tightly integrated with the IP protocol. Some of its functions include announcing network errors and congestion, troubleshooting, and reporting timeouts.

Internet Control Message Protocol (ICMP)

Which of the following definitions best describes computer forensics?

Investigating crimes committed using computers

Which statement about Secure Hash Algorithms (SHA) is true?

It creates a fixed-length message digest from a variable-length input message.

Which of the following statements is true about a trade secret?

It is a patent in the works.

Which statement best describes Stuxnet?

It is a piece of sophisticated malware that bridges and threatens the cyber and physical world.

Which statement best describes risk reduction in a system development life cycle?

It should be applied equally to all phases.

An effective information security policy should not have which of the following characteristics?

It should be designed with a short- to mid-term focus.

Which statement best describes President Clinton's 1998 Commission on Critical Infrastructure Protection?

It was an interagency effort to recommend a holistic framework for solving problems with critical systems such as finance, energy, and communications.

Which of the following is not one of the provisions of the ISC2 Code of Ethics?

Judge not, lest you be judged

________________ is designed to provide authentication for client/server applications by using symmetric key cryptography (described in Lesson 11).This is available in many commercial products as well. This protocol uses robust cryptography so that a client can prove his or her identity to a server (and vice versa) across an insecure network connection, such as the Internet.

Kerberos

Which of the following events is considered a man-made disaster?

Labor walkout

Which of the following topics are part of an information security practice?

Laws and ethical practices, access controls, security architecture

If a programmer is restricted from updating and modifying production software, what is this an example of?

Least privilege

Which security procedure forces collusion between two operators of different categories to have access to unauthorized data?

Limiting the specific accesses of operations personnel

ISC2 was formed for which of the following purposes?

Maintaining a common body of knowledge for IS, certifying industry professionals and practitioners in an international IS standard, ensuring that creds are maintained

_____________________: the system decides who gains access to information based on the concepts of subjects, objects, and labels, as defined here. Deals with three things: subjects, objects, and labels. Used most often in military settings (also called nondiscretionary access control).

Mandatory Access Control

Which of the following security models is dependent on security labels?

Mandatory access control

The security activity in the Requirements Gathering phase of the SDLC is needed to do which of the following?

Map security and privacy needs

The Law, Regulations, Investigations, and Compliance domain includes which of the following?

Methods to investigate computer crime incidents

Which of the following is considered the main disadvantage of using multiple centers as a recovery site?

Multiple centers are more difficult to administer than other types of recovery sites.

Although the FTC does not mandate privacy practices, the report lists four privacy practices that all companies engaged in electronic commerce should observe

* Notice/awareness: In general, websites should tell the user how they collect and handle user information. The notice should be conspicuous, and the privacy policy should clearly state how the site collects and uses information.
* Choice/consent: Websites must give consumers control over how their personally identifying information is used. Abuse of this practice is gathering information for a stated purpose but using it in another way, one to which the consumer might object.
* Access/participation: Perhaps the most controversial of the fair practices, users would be able to review, correct, and, in some cases, delete personally identifying information on a particular website. Most companies that currently collect personal information have no means of allowing people to review what the company collected, nor do they provide any way for a person to correct incorrect information. Implementing this control would be a burden to companies to retrofit onto an existing system. As you have likely seen with commercial credit reports, inaccurate information or information used out of context can make people's lives problematic.
* Security/integrity: Websites must do more than reassure users that their information is secure with a "feel-good" policy statement. The site must implement policies, procedures, and tools that will prevent unauthorized access and hostile attacks against the site.

Which statement best defines OWASP?

OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.

Which type of password provides maximum security because a new password is required for each new log-on?

One-time or dynamic password

The industry standard that mandates everyone who touches credit card information use secure systems is known as which of the following?

Payment Card Industry Data Security Standard

Information security is primarily a discipline to manage the behavior of

People

The scope definition of the BCP should include all of the following except:

Performing a dry run of emergency fire and medical evacuation procedures

The Physical (Environmental) Security domain includes which of the following?

Perimeter security controls and protection mechanisms Data center controls and specifications for physically secure operations

Which of the following is the number one priority of disaster response?

Personnel safety

Which of the following is the most secure way to dispose of information stored on optical media?

Physical destruction

Which of the following statements is true of the level of physical security?

Physical security is proportional to the value of the property being protected.

The Business Continuity and Disaster Recovery Planning domain includes which of the following?

Plans for recovering business operations in the event of loss of access by personnel

Which of the following is not considered a physical security protection device?

Police helicopter

Which of the following terms can best be defined as high-level statements, beliefs, goals, and objectives

Policies

What is layer 6 of ISO/OSI?

Presentation Layer

_____________ is a distributed key-management approach that does not rely on certificate authorities. Users can sign one another's public keys, adding some degree of confidence to a key's validity. It is also the mail standard that relies on a web of trust.

Pretty Good Privacy (PGP)

Integrity models have three goals:

Prevent unauthorized users from making modifications to data or programs; prevent authorized users from making improper or unauthorized modifications; maintain internal and external consistency of data and programs

Which operations security control prevents unauthorized intruders from internally or externally accessing the system and lowers the amount and impact of unintentional errors that are entering the system? ___________ controls

Preventative

__________reduce the frequency and impact of errors and prevent unauthorized intruders.

Preventative controls

The Three Types of Security Controls Are

Preventative, Detective, and Responsive

The Cryptography domain includes which of the following?

Principles, means, and methods to disguise information to ensure confidentiality, integrity, and authenticity

Which of the following terms best describes step-by-step instructions used to satisfy control requirements?

Procedure

Which of the following embodies all the detailed actions that personnel are required to follow?

Procedures

One way to think of the CIA triad...

Protect the confidentiality of data; preserve the integrity of data; promote the availability of data for authorized use

Physical security pertains to which of the following?

Protecting an organization's assets and ensuring the continuity of business in case of a disaster

Which of the following is not a major concern when reviewing site selection?

Proximity of restaurants, banks, and other conveniences for employees

The components of program level policy are as follows ___________

Purpose, which resource is covered, responsibilities, compliance

Which of the following is not a benefit of cold sites?

Quick Recovery

Which algorithm is used today for encryption in PGP?

RSA (for the public-key operations: encrypting the per-message session key and signing; the message body itself is encrypted with a symmetric cipher under that session key)

_________________are administrative laws that regulate the behavior of administrative agencies of government. Considered part of public law, regulatory law addresses issues that arise between the individual and a public entity. Regulatory laws can also exact financial penalties and imprisonment

Regulatory laws

__________________is a client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. For example, you might need to dial up an external network to gain access so that you can perform work, deposit a file, or pick up a file. The earliest versions of America Online (AOL) used this protocol. This also allows a company to maintain user profiles in a central database that all remote servers can share. Having a central service also means it's easier to track usage for billing and network statistics. This is the de facto industry standard for many network product companies and is in wide use

Remote Authentication Dial-In User Service (RADIUS)
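The following is an added example, not code from the original page or from any RADIUS implementation: it shows the two pieces of RFC 2865 that the shared secret actually protects, the User-Password hiding a client applies before sending an Access-Request and the Response Authenticator a client checks on the server's reply. The shared secret, Request Authenticator and password are constructed sample values. The hiding is an MD5-keystream XOR and is known to be weak, which is why RADIUS traffic is normally wrapped in IPsec or RadSec today; the example still illustrates why a leaked or guessable shared secret exposes every password that crosses the link.

```python
# Added example (not from the original page): RADIUS User-Password hiding and
# Response Authenticator computation per RFC 2865, standard library only.
# The shared secret, Request Authenticator and password used with it are
# constructed sample values, not captured traffic.
import hashlib
import hmac
import struct

BLOCK = 16  # MD5 digest size; RFC 2865 processes the password in 16-byte chunks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each chunk with MD5(secret || previous ciphertext chunk), where the
    'previous chunk' for the first block is the 16-byte Request Authenticator."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = b""
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server does on an Access-Request.
    Trailing NUL padding is stripped, so a password that itself ends in NUL
    bytes cannot be carried in this attribute."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = b""
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        clear += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return clear.rstrip(b"\x00")


def response_authenticator(secret: bytes, code: int, ident: int,
                           attributes: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    It ties the reply to the client's request and to the shared secret."""
    length = 20 + len(attributes)  # 4-byte header + 16-byte authenticator + attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_access_accept(secret: bytes, ident: int, request_auth: bytes,
                        attributes: bytes = b"") -> bytes:
    """Serialise an Access-Accept (Code 2) the way a RADIUS server would."""
    auth = response_authenticator(secret, 2, ident, attributes, request_auth)
    return struct.pack("!BBH", 2, ident, 20 + len(attributes)) + auth + attributes


def verify_response(secret: bytes, packet: bytes, request_auth: bytes) -> bool:
    """Client-side check: recompute the Response Authenticator over the received
    packet and compare in constant time. A wrong secret, a forged reply, or any
    change to the attributes makes this fail."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(secret, code, ident, packet[20:], request_auth)
    return hmac.compare_digest(expected, packet[4:20])
```

Note that nothing here authenticates the Access-Request itself; without a Message-Authenticator attribute (RFC 2869) or transport protection, a request can be replayed or forged, which is one reason the de facto standard is usually deployed with IPsec or TLS around it.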

If ARP translates an IP address to a MAC address, then RARP translates hardware interface (MAC) addresses to IP protocol addresses.

Reverse Address Resolution Protocol (RARP)

Which term best describes the encryption algorithm selected by NIST for the new Advanced Encryption Standard?

Rijndael. Rijndael is the block cipher algorithm selected in 2000 by the National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES), published as FIPS 197 in 2001. It supersedes the Data Encryption Standard (DES).

Which of the following terms best describes the probability that a threat to an information system will materialize?

Risk

___________________ groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by simply assigning users to a group and then assigning rights to the group for access control purposes. This is especially helpful in companies that experience a high rate of employee turnover or frequent changes in employee roles.

Role-based access control (RBAC)

An access control policy for a bank teller is an example of the implementation of which of policy?

Role-based policy, because role-based access control (RBAC) groups users with a common access need: a role is assigned to the group of users who perform the same job function and require similar access to resources.
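An added example, not from the original page, of the RBAC model described above with the bank-teller scenario: permissions hang off roles, users hang off roles, and revoking a user's role removes all of its access in one step. Role inheritance (manager inherits teller) and the teller/auditor conflict are constructed assumptions included to show how separation of duties is enforced in the same model.

```python
# Added example (not from the original page): a small role-based access control
# model using the page's bank-teller scenario. Roles, permissions, users and the
# mutually exclusive (separation-of-duties) role pair are constructed assumptions.
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)    # role -> {(operation, resource)}
        self.role_parents = defaultdict(set)  # role -> roles it inherits from
        self.user_roles = defaultdict(set)    # user -> {role}
        self.exclusive = set()                # frozenset pairs no user may hold together

    def grant(self, role, operation, resource):
        self.role_perms[role].add((operation, resource))

    def inherit(self, child, parent):
        """child receives every permission of parent (e.g. manager inherits teller)."""
        self.role_parents[child].add(parent)

    def exclude(self, role_a, role_b):
        """Static separation of duties: the two roles may never be assigned to one user."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.exclusive:
                raise ValueError(f"{user}: role {role} conflicts with held role {held}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):
        # All access granted through the role disappears; no per-user ACL edits needed.
        self.user_roles[user].discard(role)

    def _effective(self, role, seen=None):
        """Permissions of a role plus everything inherited, guarding against cycles."""
        if seen is None:
            seen = set()
        if role in seen:
            return set()
        seen.add(role)
        perms = set(self.role_perms[role])
        for parent in self.role_parents[role]:
            perms |= self._effective(parent, seen)
        return perms

    def check(self, user, operation, resource) -> bool:
        return any((operation, resource) in self._effective(r)
                   for r in self.user_roles[user])


def bank_policy() -> RBAC:
    """Teller, branch manager and auditor roles as a hypothetical bank policy."""
    p = RBAC()
    for op in ("view_balance", "deposit", "withdraw"):
        p.grant("teller", op, "customer_accounts")
    p.inherit("branch_manager", "teller")
    p.grant("branch_manager", "approve_large_withdrawal", "customer_accounts")
    p.grant("auditor", "view_balance", "customer_accounts")
    p.grant("auditor", "read", "transaction_log")
    p.exclude("teller", "auditor")  # whoever moves money must not be the one auditing it
    return p
```

The point for high-turnover environments is visible in `revoke`: removing a person from the teller role is one operation, whereas a discretionary, per-user ACL scheme would require touching every resource the teller could reach.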

Which system was developed in 1997 as a means of preventing fraud during electronic payments?

Secure Electronic Transaction (SET)

Based on technology from RSA Data Security, ______________offers another standard for electronic mail encryption and digital signatures.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Who is responsible for ensuring that systems are auditable and protected from excessive privileges?

Security admins

Which of the following roles helps development teams meet security requirements?

Security consultants

A program for information security should include which of the following elements?

Security policies and procedures

When should security be implemented when considering an IT system development life cycle?

Security should be treated as an integral part of the overall system design.

Which of the following is considered the most extensive type of disaster recovery testing?

Simulation

Annualized loss expectancy (ALE):

Single loss expectancy (SLE) multiplied by annualized rate of occurrence (ARO)

The following are prominent technical controls

Smart/dumb cards; audit trails/access logs; intrusion detection; biometric access controls

The computer criminal who calls a help desk trying to obtain another user's password is most likely a _____.

Social engineer

The Patent and Trademark Office (PTO) resisted patenting software for years for what primary reason?

Software was the product of scientific truth or mathematical expressions.

_____________ is even more insidious. It's phishing with a personal touch. It's crafted to target specific people so meticulously that even the most overly cautious person is convinced. Spear phishing is carried out on the criminal's favored targets: users who manage company bank accounts, especially small businesses with commercial banking relationships. Often, companies are unaware of any attacks until the checks begin bouncing. By then, the money is long gone.

Spear phishing

____________ is an abstract mathematical model consisting of state variables and transition functions.

State machine model:

_____________is a more complex packet-filtering technology that filters traffic based on more than just source, destination, port number, and protocol type. Stateful inspection keeps track of the state of the current connection to help ensure that only desired traffic passes through. This allows the creation of one-way rules—for example, inside to outside.

Stateful inspection filtering
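An added example, not from the original page or any firewall product, of the state-tracking idea above: a tiny stateful TCP filter that implements a one-way "inside to outside" rule and is compared with the stateless port-based rule it replaces. Addresses are taken from the RFC 5737 documentation ranges and every packet is constructed for the example.

```python
# Added example (not from the original page): a minimal stateful TCP filter
# enforcing a one-way "inside to outside" rule, alongside the stateless
# source-port rule that stateful inspection made unnecessary. Addresses use
# RFC 5737 documentation ranges; all packets are constructed, not captured.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "R"


class StatefulFilter:
    """Tracks flows opened from the inside; an inbound packet is allowed only
    when it is the return half of a tracked flow."""

    def __init__(self, inside_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def process(self, pkt: Packet) -> str:
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:  # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":   # new connection from inside: open state
                self.flows.add(key)
                return "allow new"
            if key in self.flows:
                if "R" in pkt.flags:  # reset tears the flow down
                    self.flows.discard(key)
                return "allow established"
            return "drop no-state"
        if dst_in and not src_in:  # inbound direction
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                if "R" in pkt.flags:
                    self.flows.discard(key)
                return "allow return"
            return "drop unsolicited"
        return "drop policy"  # inside<->inside and outside<->outside not handled here


def stateless_allow_replies(pkt: Packet) -> bool:
    """The pre-stateful workaround: permit anything whose source port looks like
    a server reply. An attacker only has to send from port 443 to get through."""
    return pkt.sport in (80, 443)
```

A real firewall also ages entries out, validates sequence numbers and handles the FIN handshake; the example keeps only enough state to show why a stateless "source port 443" rule is not a substitute for tracking the connection.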

The CISSP categorizes computer attacks by type. Which of the following is not one of the categories identified by the CISSP?

Subterfuge

The DES, 3DES, and AES algorithms are examples of which type of cryptography?

Symmetric key

Computer crime is generally made possible by which of the following?

System design flaws

A violation of the "separation of duties" principle arises when the security systems software is accessed by which of the following individuals?

Systems programmer. As software is deemed ready, it is promoted from environment to environment by systems and security administration personnel, not the programmer.

Which protocol does the Internet use? This

TCP/IP

The Telecommunications and Network Security domain includes which of the following?

Technology, principles, and best practices to secure telephonic, corporate, and Internet-based networks

Dynamic analysis is found in which Secure SDLC phase?

Testing phase

Which of the following statements best explains why the BCP is important?

The BCP is important because it minimizes disruption in business continuity.

Layer 7, Application: Consists of standard communication services and applications that everyone can use.
Layer 6, Presentation: Ensures that information is delivered to the receiving machine in a form that it can understand.
Layer 5, Session: Manages the connections and terminations between cooperating computers.
Layer 4, Transport: Manages the transfer of data and assures that received and transmitted data are identical.
Layer 3, Network: Manages data addressing and delivery between networks.
Layer 2, Data Link: Handles the transfer of data across the network media.
Layer 1, Physical: Defines the characteristics of the network hardware.

The OSI Model

___________________ of 2002, passed by the U.S. Congress after the accounting scandals at firms such as Enron and WorldCom, captured the attention of internal auditors and CEOs nationwide. SOX requires executives to review and modernize companies' financial reporting systems to comply with its regulations

The Sarbanes-Oxley (SOX) Act

______________describes the critical processes, procedures, and personnel that must be protected in the event of an emergency. (preventative)

The business continuity plan (BCP)

Which of the following statements best reflects the European Union Data Protection Directive of 1998?

The directive's goal was to standardize privacy protection among the E.U. members. It resulted in the Safe Harbor Privacy Principles that allowed the United States to meet minimum privacy controls in the European Union.

_________________describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations (reactive).

The disaster recovery plan (DRP)

Which attribute is included in an X.509 (digital) certificate?

The distinguished name of the subject

Which of the following statements best describes the information security Common Body of Knowledge?

The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals.

Which of the following statements best describes the purpose of the BIA?

The purpose of the BIA is to define a strategy that minimizes the effect of disturbances and to allow for the resumption of business processes

When risks are well understood, three outcomes are possible:

The risks are mitigated (countered); insurance is acquired against the losses that would occur if a system were compromised (the risk is transferred); or the risks are accepted and the consequences are managed.

Which of the following offers confidentiality to an email message?

The sender encrypting it with the receiver's public key

_________________ is described as something you have plus something you know plus something you are (SYH/SYK/SYA). For example, a person trying to access a data center door might be required to swipe a card (a badge), enter a PIN on a keypad to prove that she's the owner of the badge, and offer a fingerprint or iris or retinal scan to prove that she is the person assigned the badge and PIN.

The three-factor mechanism

Why is it important to educate personnel on the physical security of their facility?

They become more aware of the safety of coworkers and equipment.

Which of the following statements pertaining to protection rings is false?

They provide users with a direct access to peripherals.

Layered security, as in the previous example, is known as defense in depth.

This security is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. Defense in depth also seeks to offset the weaknesses of one security layer by the strengths of two or more layers.

What is the main objective of separation of duties?

To ensure that no single individual can compromise a system

What was the purpose of Operation Eligible Receiver?

To test the security strength of our national computer systems

______________ provide control over various stages of a transaction

Transaction-level controls

Which protocol of the TCP/IP suite addresses reliable data transport?

Transmission Control Protocol (TCP)

What are the two types of ciphers?

Transposition and substitution

_____________ applies the DES algorithm three times with either two or three independent 56-bit keys (112 or 168 bits of key material; 128 or 192 bits including parity). In the usual EDE mode the block is encrypted with the first key, decrypted with the second, and encrypted again with the first (or a third) key. Banks commonly use 3DES to protect your PIN when you enter it at an ATM or on a point-of-sale keypad (where you swipe your credit or debit card at the cash register).

Triple DES (3DES)

Which of the following computer recovery sites is only partially equipped? A ___________site

Warm

Software Development Security: Application development in a networked environment (see Lesson 13, "Software Development Security") focuses on sound and secure application development techniques. This domain requires a good understanding of the controls needed for the software development life cycle (SDLC), and how they're applied during each phase. Topics covered in this domain include

Understanding and applying security in the SDLC Understanding the environment and security controls Assessing the effectiveness of software security

Business Continuity and Disaster Recovery Planning: Business Continuity Planning (BCP), along with the Business Impact Assessment (BIA) and the Disaster Recovery Plan (DRP), is the core of this domain. The following topics are included in this domain:

Understanding business continuity requirements Conducting business impact analysis Developing a recovery strategy Understanding the disaster recovery process Exercising, assessing, and maintaining the plans

Access Control: Who may access the system, and what can they do after they are signed on? That is the focus of this CBK domain. Specific topics include

Understanding identification, authentication, authorization, and logging and monitoring techniques and technologies Understanding access control attacks Assessing effectiveness of access controls Understanding the identity and access provisioning life cycle

Law, Investigations, and Ethics: This domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security. Other topics included in this domain are

Understanding legal issues that pertain to information security internationally Adopting professional ethics Understanding and supporting investigations Understanding forensic procedures Following compliance requirements and procedures Ensuring security in contractual agreements and procurement processes (such as cloud computing, outsourcing, and vendor governance)

Telecommunications and Network Security: This domain covers another technical segment of the CBK. Topics include not just network topologies, but also their weaknesses and defenses. Many of the operational tools, such as firewalls, fall into this domain, along with the following subject areas:

Understanding secure network architecture and design Securing network components Establishing secure communications channels (VPN, SSL, and so on) Understanding network attacks (denial of service, spoofing, and so on)

Operations Security: This domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges. Specific topics include

Understanding security operations concepts (need-to-know, separation of duties, and so on) Employing resource protection Managing incident response Implementing preventive measures against attacks Implementing and supporting patch and vulnerability management Understanding change and configuration management Understanding system resilience and fault-tolerant requirements

Physical (Environmental) Security: Topics covered in this domain include securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth. Topics include

Understanding site and facility design considerations Supporting the implementation and operation of perimeter security (physical access controls and monitoring, keys, locks, safes, and so on) Supporting the implementation and operation of facilities security (badges, smart cards, PINs, and so on) Supporting the protection and securing of equipment Understanding personnel privacy and safety (duress, travel, and so on)

The Security Architecture and Design domain (see Lesson 5, "Security Architecture and Design"), one of the more technical areas of study within the CBK, discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability. Specific topics cover

Understanding the fundamental concepts of security models (confidentiality models, integrity models, and multilevel models) Identifying the components of information systems security evaluation models (such as Common Criteria) Understanding security capabilities of information systems (memory protection, trusted platform modules, and so on) Pinpointing the vulnerabilities of security architectures Recognizing software and system vulnerabilities and threats Understanding countermeasure principles (such as defense in depth)

What are the three classic ways of authenticating yourself to the computer security software?

Use something you know, something you have, and something you are.

Which of the following roles is responsible for ensuring that third-party suppliers and outsourced functions remain in security compliance?

Vendor managers

Which of the following storage types is best described as a condition in which RAM and secondary storage are used together?

Virtual Memory

Which of the following terms best describes the absence or weakness in a system that may possibly be exploited?

Vulnerability

The Certified Information Systems Security Professional (CISSP) recognizes five methods of testing the DRP:

Walk-throughs: Members of the key business units meet to trace their steps through the plan, looking for omissions and inaccuracies.
Simulations: During a practice session, critical personnel meet to perform a dry run of the emergency, mimicking the response to a true emergency as closely as possible.
Checklists: In a more passive type of testing, members of the key departments check off the tasks for which they are responsible and report on the accuracy of the checklist. This is typically a first step toward a more comprehensive test.
Parallel testing: The backup processing occurs in parallel with production services that never stop. This is a familiar process for those who have installed complex computer systems that run in parallel with the existing production system until the new system proves to be stable. An example of this is when a company installs a new payroll system: Until the new system is deemed ready for full cut-over, the two systems operate in parallel.
Full interruption: Also known as the true/false test, production systems are stopped as if a disaster occurred to see how the backup services perform. They either work (true) or fail (false), in which case the lesson learned can be as painful as a true disaster.

The CBK defines these major categories of physical security threats:

Weather: Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, and so forth
Fire/chemical: Explosions, toxic waste/gases, smoke, and fire
Earth movement: Earthquakes and mudslides
Structural failure: Building collapse because of snow/ice or moving objects (cars, trucks, airplanes, and so forth)
Energy: Loss of power, radiation, magnetic wave interference, and so forth
Biological: Virus, bacteria, and infestations of animals or insects
Human: Strikes, sabotage, terrorism, and war

Which of the following is not one of the FTC's four Fair Information Practices?

Websites must have 100 percent availability, in case users want to change their personal information.

Security functional requirements describe which of the following?

What a security system should do by design

The simplest form of determining the degree of a risk involves looking at two factors:

What is the consequence of a loss? What is the likelihood that this loss will occur?

Which of the following statements is true of security dogs?

When trained, security dogs provide effective perimeter control.

Which standards applies to digital certificates?

X.509

An exploit is

a program or "cookbook" on how to take advantage of a specific vulnerability.

_______________ is a compromise between the services offered by hot- and cold-site vendors. A warm-site facility provides the building and environmental services previously mentioned, with the addition of the hardware and communication links already established. However, the customer's applications are not installed, nor are workstations provided. In this case, the customer restores application software from backups using workstations it provides.

a warm-site facility

Responsibilities of a program level policy________

address the duties of the officials and offices throughout the organization, including the role of line managers, applications owners, users, and the information processing or IT organization.

Quantitative or quasi-subjective risk analysis attempts to establish and maintain ...........

an independent set of risk metrics and statistics. Some of the calculations used for quantitative risk analysis include these:
Annualized loss expectancy (ALE): Single loss expectancy (SLE) multiplied by annualized rate of occurrence (ARO)
Probability: Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value might be realized if the event occurs
Threat: An event whose occurrence could have an undesired impact
Control: Risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats
Vulnerability: The absence or weakness of a risk-reducing safeguard

Program-framework policies provide _________

an organization-wide direction for broad areas of program implementation. These policies might be issued to ensure that everyone complies with acceptable use rules (e-mail, Internet, cellphones and other wireless devices, and so on), or that everyone correctly addresses disaster planning and risk analysis issues.

The scope of a program level policy specifies which resources_______________

are covered. Often the program covers all systems and agency personnel, but this is not always the case. In some instances, a policy might name specific assets, such as major sites and large systems.

Using _____________ you share your public key with everyone you want to communicate with privately, but you keep your private key secret. Your private key essentially is your identity: when something you encrypted with your private key decrypts correctly under your public key, the recipient knows it could have come only from you (this is the basis of digital signatures). That's the basis of asymmetric key or public key infrastructures (PKI).

asymmetric key cryptography,
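An added example, not from the original page, that demonstrates both halves of the asymmetric model described above and the confidentiality answer earlier on the page ("the sender encrypting it with the receiver's public key"): textbook RSA with small constructed primes, encrypting to the recipient's public key for confidentiality and signing with the sender's private key for authenticity. The primes, party names and messages are toy constants; unpadded RSA at this key size is not secure, and real deployments use 2048-bit or larger keys with OAEP and PSS padding.

```python
# Added example (not from the original page): textbook RSA with small primes to
# show the two uses of an asymmetric key pair. Encrypt to the recipient's public
# key for confidentiality; sign with your own private key for authenticity.
# The primes and messages are toy constants; this unpadded form is NOT secure.
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). p and q are assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def to_int(msg: bytes, n: int) -> int:
    """Messages are handled as integers smaller than the modulus."""
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return m


def encrypt(pub, msg: bytes) -> int:
    """Confidentiality: anyone can encrypt, only the private-key holder can read."""
    n, e = pub
    return pow(to_int(msg, n), e, n)


def decrypt(priv, c: int) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    # Leading zero bytes of the original message are not recoverable here.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv, msg: bytes) -> int:
    """Authenticity: only the private-key holder can produce this value."""
    n, d = priv
    return pow(to_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone holding the public key can check the signature against the message."""
    n, e = pub
    return pow(sig, e, n) == to_int(msg, n)


# Two hypothetical parties; each keeps its private key and publishes the public one.
ALICE_PUB, ALICE_PRIV = keygen(104729, 1299709)
BOB_PUB, BOB_PRIV = keygen(1000003, 999983)
```

The asymmetry is the whole point: `encrypt` with Bob's public key produces something only `BOB_PRIV` can reverse, and `sign` with Alice's private key produces something anyone can check with `ALICE_PUB` but nobody else could have made.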

Compliance of a program level policy_________________

authorizes and delineates the use of specified penalties and disciplinary actions for individuals who fail to comply with the organization's computer security policies.

From a security perspective, ______________ should be designed to prevent the loss of confidentiality, integrity, or availability of information, including data or software, when stored outside the system.

media controls

Controls are implemented to

mitigate risk and reduce the potential for loss.

An example of integrity checks is

balancing a batch of transactions to make sure that all the information is present and accurately accounted for.

An application-level gateway is often referred to as a __________because it is a designated system that is specifically armored and protected against attacks.

bastion host

Which college curriculum is more appropriate for a career in information security

business admin and comp info sciences

_____________ evaluates risks to the organization and prioritizes the systems in use for purposes of recovery.

business impact analysis (BIA)

Place the following steps of the BCP in the correct sequence: (a) create the BIA; (b) obtain signoff of the tested BCP; (c) identify the scope of the BCP; (d) write the BCP:

c, a, d, b

Verification testing for seat belt functions might include

conducting stress tests on the fabric, testing the locking mechanisms, and making certain the belt will fit the intended application, thus completing the functional tests.

Verification is the process of

confirming that one or more predetermined requirements or specifications are met.

Validation then determines the

correctness or quality of the mechanisms used to meet the needs. In other words, you can develop software that addresses a need, but it might contain flaws that could compromise data when placed in the hands of a malicious user

Validation, or assurance testing, might then include

crashing the car with crash-test dummies inside to "prove" that the seat belt is indeed safe when used under normal conditions and that it can survive under harsh conditions.

Real memory refers to a

definite storage location for a program in memory and direct access to a peripheral device. This is common with database management systems that control how storage is used outside the operating system's control.

Detective controls

discover attacks and trigger preventative or corrective controls.

Vendor managers are needed to

ensure that outsourced functions are operating within security policies and standards

Process controls are implemented to

ensure that different people can perform the same operations exactly in the same way each time. Processes are documented as procedures on how to carry out an activity related to security.

Confidentiality models are primarily intended to

ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs and passwords

People, process, and technology controls are

essential elements of several areas of practice in information technology (IT) security, including operations security, applications development security, physical security, and cryptography. These three pillars of security are often depicted as a three-legged stool

Virtual memory....

extends the volume of primary storage by using secondary storage to hold the memory contents. In this way, the operating system can run programs larger than the available physical memory. Virtual memory (memory contents stored on disk) is swapped in and out of primary memory when needed for processing.

System-specific policies, on the other hand, are much more _________

focused because they address only one system.

Some activities that preserve confidentiality, integrity, and/or availability are

granting access only to authorized personnel, applying encryption to information that will be sent over the Internet or stored on digital media, periodically testing computer system security to uncover new vulnerabilities, building software defensively, and developing a disaster recovery plan to ensure that the business can continue to exist in the event of a disaster or loss of access by personnel.

Security admins do this

help to establish new user accounts, ensure that auditing mechanisms are present and operating as needed, ensure that communications between systems are securely implemented, and assist in troubleshooting problems and responding to incidents that could compromise confidentiality, integrity, or availability of the systems.

Assurance requirements describe

how functional requirements should be implemented and tested.

The purpose of a program level policy___________

includes defining the goals of the computer security program and its management structure. Security-related needs, such as confidentiality, integrity, and availability, might form the basis of organizational goals established in policy.

Qualitative risk analysis...........

is the most widely used approach to risk analysis. Probability data is not required, and only estimated potential loss is used. Most qualitative risk analysis methodologies make use of three interrelated elements: threats, vulnerabilities, and controls.

Availability models ...

keep data and resources available for authorized use, especially during emergencies or disasters.

Integrity models ...

keep data pure and trustworthy by protecting system data from intentional or accidental changes.

Vulnerability refers to a

known problem within a system or program.

A Trusted Computer Base utilizes......

layering, abstraction, and data hiding to protect subjects, objects, and the data within the objects.

Process controls for IT security include assignment of roles for

least privilege, separation of duties, and include documented procedures

Risk involves ...

looking at what is the consequence of a loss and the likelihood that this loss will occur.
