Combined for test 1 ISEC


Baseline

A benchmark used to make sure that a system provides a minimum level of security across multiple applications and across different products

Terminal Access Controller Access-Control System Plus (TACACS+)

A Cisco proprietary remote access client/server protocol that provides authentication, authorization, and accounting

Birthday Attack

A cryptographic attack on hash collisions (different text with the same key), so named after the surprisingly high probability of any two classroom students sharing a birthday

RTO - Recovery time objective

A defined metric for how long it must take to recover an IT system, application, and data access

Data classification standards

A definition of different data types with respect to security sensitivity

Authorizing official (AO)

A designated senior manager who reviews a certification report and makes the decision to approve the system for implementation

SQL injection

A form of web application attack in which a hacker submits SQL (structured query language) expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell

Risk Register

A list of identified risks that results from the risk identification process

Trojan horse

A malicious software that appears benign to the user but actually performs a task on behalf of a perpetrator with malicious intent

Software as a service (SaaS)

A model of software development or service where customers use applications on demand

Smurf attack

A network attack in which forged Internet control message protocol (ICMP) echo request packets are sent to IP broadcast addresses from remote locations to generate DoS attacks

Session hijack

A network attack in which the attacker attempts to take over an existing connection between two network computers

Netcat

A network utility program that reads from and writes to network connections

Firewall

A program or dedicated hardware device that inspects network traffic passing through it and denies or permits that traffic based on a set of rules you determine at configuration

need-to-know

A property that indicates a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification

Security policy

A set of policies that establish how an organization secures its facilities and IT infrastructure. Can also address how the organization meets regulatory requirements

Outsourcing Concerns

- privacy
- risk
- data security
- ownership
- adherence to policy

Documentation requirements:

- sensitive assets list
- the org's security process
- the authority of the persons responsible for security
- the policies, procedures, and guidelines adopted by the org

Data Classification Standard: Value

- the value to the organization
- the cost of replacement or loss
- the value to the competitors
- the value to the org's reputation

Gramm-Leach-Bliley Act (GLBA)

A U.S. federal law requiring banking and financial institutions to protect customers' private data and have proper security controls in place.

Health Insurance Portability and Accountability Act (HIPAA)

A US federal law requiring health care institutions and insurance providers to protect patients' private data and have proper security controls in place

Family Educational Rights and Privacy Act (FERPA)

A US federal law that protects the private data of students including their transcripts and grades, with which K-12 and higher education institutions must comply

Federal Information Security Management Act (FISMA)

A US federal law that requires US government agencies to protect citizens' private data and have proper security controls in place

Which type of attack involves the creation of some deception in order to trick unsuspecting users?

Fabrication

Warm site

Facility with environmental utilities and basic computer hardware

Evil Twin

Faking an open or public wireless network to use a packet sniffer on any user who connects to it

?True or False: A VPN router is a security appliance that is used to filter IP packets

False

True or False: A rootkit uses a directed broadcast to create a flood of network traffic for the victim computer.

False

True or False: Denial of service (DoS) attacks are larger in scope than Distributed Denial of Service (DDoS) attacks

False

True or False: Store-and-Forward communications should be used when you need to talk to someone immediately.

False

True or False: You should use easy-to-remember personal information to create secure passwords

False

True or False: Cryptography is the process of transforming data from cleartext to ciphertext.

False (Encryption not Cryptography)

True or False: The anti-malware utility is one of the most popular backdoor tools in use today

False: Netcat

True or False: A phishing attack "poisons" a domain name on a domain name server.

False: Pharming

True or False: Vishing is a type of wireless network attack

False: Social Engineering attacks

True or False: User-based permission levels limit a person to executing certain functions and often enforce mutual exclusivity

False: Task-based

True or False: Bricks-and-mortar stores are completely obsolete now.

False: They have global reach

True or False: Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software

False: easy to replicate

What compliance regulation applies specifically to the educational records maintained by schools about students?

Family Educational Rights and Privacy Act (FERPA)

What do organizations expect to occur with the growth of the IoT?

Higher Risks

Which organization pursues standards for the IoT devices and is widely recognized as the authority for creating standards of the Internet?

Internet Society

Which IoT challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion?

Interoperability

Four aspects of control

Identification, Authentication, Authorization, Accountability

biba integrity model

Access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity; this prevents users from corrupting data at a higher level than what the user may have access to and helps ensure data integrity

ISO/IEC 27005, "Information Security Risk Management"

An ISO standard that describes information security risk management in a generic manner. The documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities, and security controls.

RFC 1087 "Ethics and the Internet"

An acceptable-use policy statement as issued by the Internet Advisory Board and the US Government defining ethics and the Internet

role-based access control (RBAC)

An access control method that bases access approvals on the jobs the user is assigned

Memorandum of Understanding (MOU)

An agreement between two or more parties that expresses areas of common interests that result in shared actions

Blanket purchase agreement (BPA)

An agreement that defines a streamlined method of purchasing supplies or services

Masquerade attack

An attack in which one user or computer pretends to be another user or computer

Pharming

An attack that seeks to obtain personal or private financial information through domain spoofing

Distributed denial of service (DDoS)

An attack that uses ping or ICMP echo-request/echo-reply messages to bring down the availability of a server or system. DDoS attacks initiate from more than one host device

Denial of Service (DoS)

An attack that uses ping or ICMP echo-request, echo-reply messages to bring down the availability of a server or system. DoS attacks are usually sourced from a single host device.

asynchronous token

An authentication token used to process challenge-response authentication with a server. The token takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection.

Authority-level policy

An authorization method in which access resources are decided by the user's authority level

Security Assertion Markup language (SAML)

An open XML standard used for exchanging both authentication and authorization data.

Threat

Any action that could damage an asset

Mitigation

Any activities designed to reduce the severity of a vulnerability or remove it altogether

Degaussing

Applying a strong magnetic force to magnetic media; this usually makes the electronics unusable

Authentication, Authorization, and Accounting (AAA)

Core services provided by one or more central servers to help standardize access control for network resources

In Mobile IP, what term describes a device that would like to communicate with a mobile node(MN)?

Correspondent node (CN)

Challenge-Handshake Authentication Protocol (CHAP)

Decentralized authentication protocol that hashes passwords with a one-time challenge number to defeat eavesdropping and replay attacks

Accountability

Defining the roles, responsibilities, and what key IT security employees and incident response team members must do

Which type of denial of service attack exploits the existence of software flaws to disrupt a service?

Logic attack

Infrastructure as a service (IaaS)

Provides users with access to a physical or virtual machine. Users must select and load their own operating systems. They then manage all aspects of the machine, just as though it were a local computer.

Which formula is typically used to describe the components of information security?

Risk = Threat X Vulnerabilities

Earl is preparing a risk register for his organization's risk management program. Which data is LEAST likely to be included in a risk register?

Risk Survey results

Residual Risk

Risk that remains after you have installed countermeasures and controls

Spim

Similar to spam (unsolicited messages), but delivered through an instant messaging service rather than email

Cross-site request forgery (XSRF)

Similar to the XSS attack; an attacker provides script code that causes a trusted user who views the input script to send malicious commands to a web server

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?

Simulation Test

SLE

Single loss expectancy

Malware

Software designed to infiltrate one or more target computers and follow an attacker's instructions

constrained user interface

Software that allows users to enter only specific information and perform only specific actions

Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place?

Spim

Keystroke logger

Surveillance software or hardware that records to a log file every keystroke a user types; also known as a key logger

Remote Wiping

The ability to remotely wipe or delete data on a device or storage media

Compliance

The act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications and data

proactive change management

The act of initiating changes to avoid expected problems

Vishing

The act of performing a phishing attack by telephone in order to elicit personal information

Typosquatting

The act of registering and squatting a slightly wrong URL in hopes a user mistypes the intended URL

security kernel

The central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems

Security gap

The difference between the security controls in place and the controls needed to address all vulnerabilities

Principle of least privilege

The idea that users should be granted only the levels of permission they need in order to perform their duties

Certifier

The individual or team responsible for performing the security test and evaluation for the system. The certifier also prepares the report for the authorizing officer on the risk of operating the system

Care of Address (COA)

The local address for the MN when it connects to another network. The FA assigns the COA to the MN and sends it to the HA when the MN connects. In many cases, the COA is actually the FA address. The HA forwards any packets for the MN to the COA; the FA receives the packets and forwards them to the MN.

Impact

The magnitude of harm that could be caused by a threat exercising a vulnerability

Promiscuous Mode

The mode in which sniffers operate; it is non-intrusive and does not generate network traffic. This means that every data packet is captured and can be seen by the sniffer.

Organizational compliance

The organization must comply with its own policies, audits, culture and standards

What type of malicious software masquerades as legitimate software to entice the user to run it?

Trojan Horse

? True or False: IoT devices cannot share and communicate your IoT device data to other systems and applications without your authorization or knowledge

True

?True or False: Networks, routers, and equipment require continuous monitoring and management to keep WAN service available

True

A security awareness program should address the requirements and expectations of your security policy

True

A senior manager or business-process owner should lead a change control committee

True

Fuzzing is the practice of providing random input to software to see how it handles unexpected data

True

The negotiation process and creation of agreements is one of the first steps in the business partner onboarding process

True

The process of managing all changes to computer and device configurations is called configuration management

True

The red book describes components of trusted network infrastructure

True

True or False: A Chinese wall security policy defines a barrier and develops a set of rules that makes sure no subject gets to objects on the other side of the wall

True

True or False: A birthday attack is a type of cryptographic attack that is used to make brute-force attack of one-way hashes easier.

True

True or False: A phishing email is a fake or bogus email intended to trick the recipient into clicking on an embedded URL link or opening an email attachment.

True

True or False: A trusted operating system (TOS) provides features that satisfy specific government requirements for security.

True

True or False: An IT security policy framework is like an outline that identifies where security controls should be used

True

True or False: Authorization is the process of granting rights to use an organization's IT assets, systems, applications, and data to a specific user.

True

True or False: Bring your own device (BYOD) opens the door to considerable security risks

True

True or False: Cars that have Wi-Fi access and onboard computers require software patches and upgrades from the manufacturer.

True

True or False: Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it

True

True or False: Devices that combine the capabilities of mobile phones and personal digital assistants (PDAs) are commonly called smartphones

True

True or False: E-commerce systems and applications demand strict confidentiality, integrity, and availability (CIA) security controls.

True

True or False: Each 4G device has a unique Internet Protocol (IP) address and appears just like any other wired device on a network.

True

True or False: Encrypting the data within databases and storage devices gives an added layer of security

True

True or False: Failing to prevent an attack all but invites an attack

True

True or False: Hypertext Transfer Protocol (HTTP) is the communications protocol between web browsers and websites with data in cleartext.

True

True or False: IoT technology has a significant impact on developing economies, given that it can transform countries into e-commerce-ready nations

True

True or False: Metadata of IoT devices can be sold to companies seeking demographic marketing data about users and their spending habits

True

True or False: One of the first industries to adopt and widely use mobile applications was the healthcare industry

True

True or False: Organizations should start defining their IT security policy framework by defining an asset classification policy

True

True or False: Rootkits are malicious software programs designed to be hidden from normal methods of detection

True

True or False: The Director of IT security is generally in charge of ensuring that the Workstation Domain conforms to Policy

True

True or False: The Government Information Security Reform Act of 2000 focuses on management and evaluation of the security of unclassified and national security systems.

True

True or False: The most critical aspect of a WAN services contract is how the service provider supplies troubleshooting, network management, and security management services

True

True or False: The recovery point objective (RPO) is the maximum amount of data loss that is acceptable.

True

True or False: The system/application domain holds all the mission critical systems, applications, and data.

True

True or False: The term risk management describes the process of identifying, assessing, prioritizing, and addressing risks.

True

True or False: The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.

True

True or False: Using a secure logon and authentication process is one of the six steps to prevent malware.

True

True or False: When servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without risking malicious attacks

True

With proactive change management, management initiates the change to achieve a desired goal

True

With reactive change management, management responds to changes in the business environment

True

You should specify an off boarding process to follow when you terminate relationships with outsourced resources

True

Parallel Test

The same as a full-interruption test, except that processing does not stop at the primary site.

Controlling access: Accountability

Tracking or logging what authenticated and unauthenticated users do while accessing the system

True or False: A bricks-and-mortar strategy includes marketing and selling goods and services on the Internet

False: e-commerce

Kerberos

a computer network authentication protocol that allows nodes communicating over a nonsecure network to prove their identity to one another in a secure manner

multi-tenancy

a database feature that allows different groups of users to access the database without being able to access each other's data

synchronous token

a device used as a logon authenticator for remote users of a network

emergency operations group

a group that is responsible for protecting sensitive data in the event of a natural disaster or equipment failure, among other potential emergencies

temporal isolation

a method of restricting resource access to specific periods of time. You may see temporal isolation more commonly described as time of day restrictions

Zero-day

a new and previously unknown attack for which there are no current specific defenses.

Whaling

a phishing attack that targets the executive user or most valuable employees, otherwise considered the "whale". Sometimes called spear phishing

CCTA Risk Analysis and Management Method (CRAMM)

a risk analysis method developed by the UK government. Best suited for large organizations

worm

a self-replicating piece of malicious software that can spread from device to device

procedure

a set of step-by-step actions to be performed to accomplish a security requirement, process, or objective

Waterfall model

a software development model that defines how development activities progress from one distinct phase to the next

event log

a software or application-generated record that some action has occurred

Collaboration

a software-based application like WebEx that supports audio conferencing and sharing of documents for real-time discussions with team members or colleagues

ARP poisoning

a spoofing attack in which the attacker spoofs the MAC address of a targeted device by sending false ARP resolution responses with a different MAC address

Interoperability

a term used to describe computers, devices, or applications that can be configured to work together

Vulnerability

a weakness that allows a threat to be realized or to have an effect on an asset

hardware configuration chart

an up-to-date map or layout of the configuration of the hardware components. Includes:
- as-built diagram of the network, to help plan the sequence of change and see the ripple effects it might generate
- copies of all software configurations so that you can examine changes and updates planned for one device in terms of their impact on other devices

SLE - single loss expectancy

asset value * exposure factor = SLE

Bell-LaPadula model

an access control model that provides multilayered security for access to systems, applications, and data based on hierarchy

Cryptographic attack (hash)

an algorithm that converts a large amount of data to a single (long) number

Dictionary password attack

an attack method that takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password

Malicious Attack

an attack on a computer system or network asset that succeeds by exploiting a vulnerability in the system

passphrase

an authentication credential that is generally longer and more complex than a password. Passphrases can also contain multiple words

continuous authentication

an authentication method in which a user is authenticated at multiple times or event intervals

two-factor authentication

an authentication method that uses two types of authentication credentials

white-hat hackers

an information security or network professional who uses various penetration test tools to uncover or fix vulnerabilities

System owner

refers to the person or group that manages the infrastructure

Exposure Factor (EF)

represents the percentage of the asset value that will be lost if an incident were to occur.

spyware

software that gathers user information through the user's Internet connection without the user's knowledge

threshold mechanism

some value that indicates a change from normal to abnormal behavior. In the case of failed logon attempts, a threshold of five means that when a user fails to log on five times the action should be considered abnormal

Cyberattacker

someone that attacks a computer system or function

RPO - recovery point objective

the maximum acceptable level of data loss after a disaster

Data Classification Standard: Sensitivity

the measure of the effect that a breach of the integrity or the disclosure of information would have on the org. Measured by:
- liability or fines
- reputation
- credibility
- loss of market share

Data classification Standard: Criticality

the measure of the importance of information to the mission of the org.

mobile node (MN)

the mobile device that moves from one network to another. The MN has a fixed IP address regardless of the current network

Regulatory compliance

the organization must comply with laws and government regulation

Crossover error rate (CER)

the point where a biometric device's sensitivity returns false rejections and false acceptances equally

likelihood

the probability that a potential vulnerability might be exercised within the construct of an associated threat environment

False Acceptance Rate (FAR)

the rate at which invalid subjects are accepted

The orange book talks about maintaining access control and confidentiality in a classified system

True

Organization for Economic Cooperation and Development (OECD)

- more than 30 countries
- goal is economic cooperation and growth
- eight privacy principles:
  - an org should collect only what it needs
  - an org should not share its information
  - an org should keep its information up to date
  - an org should use its information only for the purpose for which it was collected
  - an org should properly destroy its information when no longer needed

Disclosure

1) Any instance of an unauthorized user accessing protected information
2) A reference, under HIPAA, to how a covered entity shares protected information with other organizations

SLC steps

1) Project initiation and planning
2) Functional requirements and definition
3) System design specification
4) Build (develop) and document
5) Acceptance testing
6) Implementation (transition to production)
7) Operations and maintenance
8) Disposal

Sequence of change control procedures:

1) Request
2) Impact assessment
3) Approval
4) Build/test
5) Implement
6) Monitor

The Children's Online Privacy Protection Act (COPPA) restricts the collection of information online from children. What is the cutoff age for COPPA regulation?

13

? Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service?

443

Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support the service?

80

syn flood

A DoS attack that fills up a computer's connection table by sending a flood of unacknowledged connection requests. Once the connection table fills up, the computer cannot respond to any new legitimate connection requests

Voice Over IP (VoIP)

A collection of communication protocols and technologies to deliver voice communications and sessions over IP networks

Gap Analysis

A comparison of security controls in place and the controls that are needed to address all identified threats

Cracker

A computer attacker who has hostile intent, possesses sophisticated skills, and may be interested in financial gain

Black-hat hacker

A computer attacker who tries to break IT security for the challenge and to prove technical prowess

Hacker

A computer expert who explores computing environments to gain knowledge

Gray-hat hacker

A computer hacker with average abilities who may one day become a black-hat hacker (wanna-be)

Wardialer

A computer program used to identify the phone numbers that can successfully make a connection with a computer modem

Service level agreement (SLA)

A contractual commitment by a service provider or support organization to its customers or users

public key infrastructure (PKI)

A general approach to handling encryption keys using trusted entities and digital certificates; the hardware, software, policies, and procedures to manage all aspects of digital certificates

Standard

A mandated requirement for a hardware or software solution that is used to deal with a security risk throughout the organization

Mandatory Access Control (MAC)

A means of restricting access to an object based on the object's classification and the user's security clearance

discretionary access control (DAC)

A means of restricting access to objects based on the identity of subjects and/or groups to which they belong

logical access control

A mechanism that limits access to computer systems and network resources

physical access control

A mechanism that regulates access to physical resources, such as buildings or rooms

Single sign-on (SSO)

A method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. SSO helps a user avoid having to log on multiple times and remember multiple passwords

agile development

A method of developing software that is based on small project iterations, or sprints, instead of long project schedules

Simulation Test

A method of testing a BCP or DRP in which a business interruption is simulated, and the response team responds as if the situation were real

System lifecycle

A method used in systems engineering to describe the phases of a system's existence, including: design, development, deployment, operation, and disposal.

Brute-force password attack

A method used to attempt to compromise logon and password access controls by attempting every combination. Brute-force password attacks usually follow a specific attack plan, including the use of social engineering to obtain user information

Compliance liaison

A person whose responsibility it is to ensure that employees are aware of and comply with an organization's security policies

script kiddie

A person with little or no skill who simply follows directions to carry out an attack without fully understanding the meaning of the steps performed

Business Continuity Plan - BCP

A plan for how to handle outages to IT systems, applications, and data access in order to maintain business operations

smart card

A plastic card with authentication credentials embedded in either a microchip or magnetic strip on the card

Clean desk policy

A policy stating that users must never leave sensitive information in plain view on an unattended desk or workstation

DIAMETER

A popular centralized access control protocol that succeeded RADIUS and provides access control for stable and static workforces

Business Impact analysis - BIA

A prerequisite analysis for the BCP that prioritizes business operations and functions and their associated IT systems, applications, and data and the impact of an outage or downtime

guideline

A recommendation for how to use or how to purchase a product or system

Foreign Agent (FA)

A router with additional capabilities connected to another network (not the HA); the FA assigns the MN a local address. When the MN connects to another network that supports Mobile IP, it announces itself to the FA

Home Agent (HA)

A router with additional capabilities over standard routers; the HA keeps track of the MNs it manages. When an MN leaves the local network, the HA forwards packets to the MN's current network

Packet Sniffer

A software application that uses a hardware adapter card in promiscuous mode to capture all network packets sent across a network segment

Virus

A software program that attaches itself to or copies itself into another program for the purpose of causing the computer to follow instructions that were not intended by the original program developer

Adware

A software program that collects information about Internet usage and uses it to present targeted advertisements to users

Protocol Analyzer

A software program that enables a computer to monitor and capture network traffic, including passwords and data in cleartext.

Password cracker

A software program that performs one of two functions: brute-force password attack to gain unauthorized access to a system or recovery of passwords stored in a computer system

Payment Card Industry Data Security Standard (PCI DSS)

A standard, not a compliance or law, for merchants and service providers regarding safeguarding the processing, storage, and transmission of cardholder data

Internet Engineering Task Force

A standards organization that develops and promotes Internet Standards

functional policy

A statement of an organization's management direction for security in such specific functional areas as email, remote access, and internet surfing

decentralized access control

A system that puts access control into the hands of people such as department managers who are closest to system users; there is no one centralized entity to process access requests in this system

Business-to-Business (B2B)

A term used to describe a business that builds online systems with links for conducting business-to-business transactions, usually for integrated supply-chain purchases and deliveries

Business-to-consumer (B2C)

A term used to describe an online storefront for consumers to purchase goods and services directly.

Meta Data

A term used to refer to data about data

Internet of Things (IoT)

A term used to refer to the large number of networked devices that can now connect to the internet

Cookie

A text file sent from a website to a web browser to store for later use. Cookies contain details gleaned from visits to a website

Port Scanner

A tool used to scan IP host devices for open ports that have been enabled

spoofing

A type of attack in which one person, program, or computer disguises itself as another person, program, or computer to gain access to some resource

Hijacking

A type of attack in which the attacker takes control of a session between two machines and masquerades as one of them

Social engineering

A type of attack that relies on persuading a person to reveal information

Phishing

A type of fraud in which an attacker attempts to trick the victim into providing private information

Rootkit

A type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised

trusted operating system (TOS)

A type of operating system that includes additional controls to address the additional security needs of systems that handle extremely sensitive information

Quantitative Risk Analysis

A type of risk assessment that assigns a numerical value, generally a cost value, to each risk, making risk impact comparisons more objective

Qualitative Risk Analysis

A type of risk assessment that describes risks and then ranks their relative potential impact on business operations

Vulnerability

A weakness that allows a threat to be realized or to have an effect on an asset

Disaster Recovery plan - DRP

A written plan for how to handle major disasters or outages and recover mission critical systems, applications, and data

Address Resolution Protocol (ARP)

ARP is used to map an Internet Protocol (IP) address to a physical or MAC address

Acceptable Use Policy (AUP)

An organization-wide policy that defines what is allowed and disallowed regarding use of IT assets by employees and authorized contractors

Bring Your own Device (BYOD)

An organizational policy of allowing or even encouraging employees, contractors, and others to connect their personal equipment to the corporate network; this offers cost savings but requires proper security controls, policies, and procedures

Backdoor

An undocumented and often unauthorized access method to a computer resource that bypasses normal access controls

Asset

Any item that has value to an organization or a person

Controlling Access: Identification

Assertions made by users about who they are

Brewer and Nash integrity model

Based on a mathematical theory published in 1989 to ensure fair competition; it uses dynamically changing access permissions.

Which password attack is typically used specifically against password files that contain cryptographic hashes?

Birthday attacks

Data owner

Classifying data is the duty of the person that owns the data.

Jody would like to find a solution that allows real-time document sharing and editing between teams. Which technology would best suit her needs?

Collaboration

Confidentiality, Availability, Integrity (CIA)

Confidentiality: The requirement to keep information private or safe
Integrity: The validity of information or data. Data with high integrity has not been altered
Availability: A mathematical formula that quantifies the amount of uptime for a system compared to the amount of downtime

Which network device is capable of blocking network connections that are identified as potentially malicious?

Demilitarized Zone (DMZ)

Which risk is most effectively mitigated by an upstream Internet Service Provider (ISP)?

Distributed Denial of Service (DDoS)

What is the first step in a disaster recovery effort?

Ensure that everyone is safe

True or False: In the Remote Access Domain, if private data or confidential data is compromised remotely, you should set automatic blocking for attempted logon retries.

False: Apply first level and second level tokens and biometrics

True or False: Cryptography is the process of transforming data from cleartext into ciphertext

False: Encryption

True or False: A security policy is a comparison of the security controls you have in place and the controls you need in order to address all identified threats.

False: Gap analysis

MAC address filtering

Firewall filtering rules that filter wireless network traffic by MAC address

Which element of the security policy framework offers suggestions rather than mandatory actions?

Guideline

Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer?

HIPAA

Which law governs the use of the IoT by healthcare providers, such as physicians and hospitals?

HIPAA

Which act governs the use of Internet of Things (IoT) by healthcare providers, such as physicians and hospitals?

Health Insurance Portability and Accountability Act (HIPAA)

Annual Rate of Occurrence - ARO

How often a loss is likely to occur every year, also called likelihood.

Business Driver

Include people, information, financials, and performance goals that support business objectives

ownership

In authentication, this is something you have, such as a smart card, key, badge, or token

Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate?

Integrity

Account-lockout policy

Many systems are configured to disable a user ID after a certain number of consecutive failed logon attempts.

Sprint

One of the small project iterations used in the "agile" method of developing software, in contrast with the usual long project schedules of other software development methods

Risk Survey

Organizations send lists of prepared questions to participants for input. A variety of people from different areas of the organization take the survey. The Delphi method is a specific type of survey in which responses are anonymized, shuffled, and sent back out to participants for comment.

Risk management guide for Information Technology Systems.

Part of the Special Publication 800 series reports, these products provide detailed guidance on what you should consider in risk management and risk assessment in computer security. The reports include checklists, graphics, formulas, and references to U.S. regulatory issues.

Physical destruction

Physically destroying the media on which data are stored

Risk-response plan

1. Plan risk response, starting with the highest priority risks
2. Implement risk response
3. Monitor and control risk response

Which element of the security policy framework requires approval from upper management and applies to the entire organization?

Policy

Remote Authentication Dial-In User Service (RADIUS)

Popular protocol, first introduced in the early 1990s, that supports remote user authentication for large numbers of users wishing to connect to central servers

PMBOK

Project Management Body of Knowledge - a collection of the knowledge and best practices of the project management profession

Which tool can capture the packets transmitted between systems over a network?

Protocol analyzer

Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario?

Rule-based access control

Which element of the IT security policy framework provides detailed written definitions for hardware and software and how they are to be used?

Standard

Opportunity Cost

The amount of money a company loses due to downtime, either intentional or unintentional

Downtime

The amount of time that an IT system, application, or data is not available to users

Phreaking

The art of exploring bugs and weaknesses that exist in the telephone system

Security administrator

The group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan

Controlling Access: Authorization

The permissions a legitimate user or process has on a system

cloud computing

The practice of using computing services that are hosted in a virtualized data center with remote access to the application and data

Government Information Security Reform Act of 2000

The precursor to FISMA; the Security Reform Act required US government agencies to have an information security program, perform periodic risk assessments, and made security awareness training mandatory for US government employees

Separation of duties

The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task

Risk Management

The process of identifying, assessing, prioritizing, and addressing risks

Key distribution centers (KDCs)

The process of issuing keys to valid users of a cryptosystem so they can communicate

Change Control

The process of managing changes to computer/device configuration or application software

Configuration control

The process of managing the baseline settings of a system or device

Access Control

The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources

Annual Loss Expectancy - ALE

The product of the ARO and the SLE

Controlling Access: Authentication

The proving of that assertion

Unified Messaging

The storage of fax, email, and voice communications in a single location

Certification

The technical evaluation of a system to provide assurance that you have implemented the system correctly. Also, an official statement that attests that a person has satisfied specific requirements. Requirements often include possessing a certain level of experience, completing a course of study, and passing an examination

Store-and-Forward Communications

The technique of relaying communications between two or more users by intermediate storage. Delivery from sender to a central storage is immediate, but final transmission to the recipient depends upon availability and a request for the stored information.

Cross-site scripting (XSS)

This is an attack in which an attacker inputs client-side script code to a web application

Correspondent Node (CN)

This is the node that wants to communicate with the MN.

Full-Interruption test

This is the only complete test. They interrupt the primary data center and transfer processing capability to an alternate site.

Which term describes an action that can damage or compromise an asset?

Threat

Florian recently purchased a set of domain names that are similar to those of legitimate websites and used the newly purchased sites to host malware. Which type of attack is Florian using?

Typosquatting

SPAM

Unwanted email or unsolicited messages

Positive Risk

Uses Risk Management

Negative risk

Uses Risk Management. Risk = Threat * Vulnerabilities

The Internet Society

Vision: The internet is for everyone
Mission: To promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.

Which of the following is an example of a hardware security control?
a) Security Policy
b) NTFS permission
c) MAC filtering
d) ID badge

d

Which of the following is an example of two-factor authentication?
a) personal identification number (PIN) and password
b) token and smart card
c) password and security questions
d) smart card and personal identification number (PIN)

d

Which of the following is NOT an area of critical infrastructure where the Internet of Things (IoT) is likely to spur economic development in less developed countries?
a) Water Supply management
b) Agriculture
c) Wastewater Treatment
d) E-commerce

d) e-commerce

De-identified data

Data about an individual that contains no information that could be linked to a specific individual's identity

Chinese wall security policy

defines a wall, or barrier, and develops a set of rules that makes sure no subject gets to objects on the other side of the wall.

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Defines a risk-based strategic assessment and planning technique for security. It is a self-directed approach.

Classification process

determines how you handle classified data

Classification Scope

determines what data you should classify

Cold site

facility with basic environmental utilities but no infrastructure components. Least expensive, longest switchover time.

view-based access control

limiting users' access to database views, as opposed to allowing users to access data in database tables directly.

Maria's company recently experienced a major system outage due to the failure of a critical component. During that time period, the company did not register any sales through its online site. Which type of loss did the company experience as a result of lost sales?

opportunity cost

wiping

overwriting data on the media to ready data for reuse

Data ownership

personal data such as contacts, pictures, or emails are the intellectual property of the employee. Business emails and all attachments are the intellectual property of the organization.

Awareness

programs can remind staff about security policies. Can also measure how well the staff follows the policy

ticket-granting servers (TGSs)

provides a way to get more tickets for the same or other applications after the user is verified, so that step doesn't need to be repeated several times during the day. Tickets usually expire daily or after a few hours

Change control board

provides the oversight to protect the computing resources and the data contained within those applications and databases

Agile development

Uses sprints, with a deliverable once a month or more frequently

remediation

the act of fixing a known risk, threat, or vulnerability that is identified or found in an IT infrastructure

Espionage

the act of spying to obtain secret information, typically to aid another nation state.

Passive wiretap

the attacker does not make changes to the system

Accreditation

the formal agreement by the authorizing official to accept the risk of implementing the system

URL hijack

typosquatting

Logic Attack

use software flaws to crash or seriously hinder the performance of remote servers.
