Cyber Security - Ch1


True

A breach of possession may not always result in a breach of confidentiality

False

A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements

subject

A computer is the ______ of an attack when it is used to conduct the attack

object

A computer is the _______ of an attack when it is the target entity

True

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information

1978

A famous study entitled "Protection Analysis: Final Report" was published in ________

procedures

A frequently overlooked component of an IS, _________ are written instructions for accomplishing a specific task

True

A frequently overlooked component of an information system, procedures are the written instructions for accomplishing a specific task

direct attack

A server would experience a _______ when a hacker compromises it to acquire information via a remote location using a network connection

waterfall

A type of SDLC in which each phase has results that flow into the next phase is called the ______ model

direct

A(n) ________ attack is a hacker using a personal computer to break into a system.

Enterprise

A(n) ________ information security policy outlines the implementation of a security program within the organization

Methodology

A(n) ________ is a formal approach to solving a problem by means of a structured sequence of procedures

community of interest

A(n) _____________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

True

A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas

True

According to the CNSS, information security is "the protection of information and its critical elements."

False

An e-mail virus involves sending an e-mail message with a modified field

DevOps

An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as ________

hardware, software, data, people, procedures, and networks

An information system is the entire set of _________, __________, ___________, __________, __________, and __________ that make possible the use of information resources in the organization

threat

Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) ________

False

Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction

False

Computer assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information

True

Confidentiality ensures that only those with the rights and privileges to access information are able to do so

Network security - protect the contents of the network
Operations security - protect the activities of an operation
Information security - protect the information assets of an organization, whether in storage, being processed, or in transmission
Personnel security - protect the people who are allowed to access the organization and its assets
Communications security - protect the media and communications technology
Physical security - protect the objects and areas of the organization from misuse

Describe the multiple types of security systems present in many organizations

the Cold War

During _________, many mainframes were brought online to accomplish more complex and sophisticated tasks, so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers

Physical Design

During the _________ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design

physical

During the early years, information security was a straightforward process composed predominantly of _________ security and simple document classification schemes

False

Hardware is often the most valuable asset possessed by an organization and is the main target of intentional attacks

True

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system

confidentiality

In an organization, the value of __________ of information is especially high when it involves personal information about employees, customers, or patients.

hash

In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ______ value

False

In general, protection is "the quality or state of being secure—to be free from danger."

True

In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or usable

top-down

In the ______ approach, the project is initiated by upper-level managers who issue policy, procedures, and processes, dictate the goals and expected outcomes, and determine the accountability for each required action

True

In the physical design phase, specific technologies are selected

integrity

Information has _______ when it is whole, complete, and uncorrupted

False

Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects

False

Information security can be an absolute

True

Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach

False

Key end users should be assigned to a developmental team, known as the united application development team

False

MULTICS stands for Multiple Information and Computing Service

False

Network security focuses on the protection of physical items, objects, or area from unauthorized access and misuse

False

Network security focuses on the protection of the details of a particular operation or series of activities

True

Of the two approaches to information security implementation, the top-down approach has a higher probability of success

security

Organizations are moving toward more ___________ focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.

Data owners: responsible for the security and use of a certain set of information
Data custodians: responsible for the processing, transmissions, and storage of data
Data users: individuals with an information security role

Outline types of data ownership and their respective responsibilities

Incident response

Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. _____________ dictates what steps are taken when an attack occurs

System Administrator

People with the primary responsibility for administering the systems that house the information used by the organization perform the __________ role

False

Policies are written instructions for accomplishing a specific task

True

Recently, many states have implemented legislation making certain computer-related activities illegal

False

Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization

False

SecOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles

project

Software is often created under the constraints of _____ management, placing limits on time, cost, and manpower

False

The Analysis phase of the SDLC begins with a directive from upper management.

False

The Analysis phase of the SDLC examines the event or plan that initiates the process and specifies the objectives, constraints, and scope of the project

CIA

The CNSS model of information security evolved from a concept developed by the computer security industry known as the ____ triad

True

The Internet brought connectivity to virtually all computers that could reach a phone line or an internet connected local area network

False

The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system

CISO (chief information security officer)

The ______ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.

possession

The ______ of information is the quality or state of ownership or control of some object or item

analysis

The _______ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems

waterfall

The _________ model consists of six general phases

software

The ___________ component of the IS comprises applications, operating systems, and assorted command utilities.

False

The bottom-up approach to information security has a higher probability of success than the top-down approach

vulnerabilities

The famous study entitled "Protection Analysis: Final Report" focused on a project undertaken by ARPA to understand and detect _________ in operating systems security

computer

The history of information security begins with the history of ________ security

False

The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC)

True

The information security function in an organization safeguards its technology assets

True

The investigation phase of the SecSDLC begins with a directive from upper management

Systems Development life cycle

The most successful kind of top-down approach involves a formal development strategy referred to as a _______________________

False

The physical design is the blueprint for the desired solution

False

The possession of information is the quality or state of having value for some purpose or end

True

The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage

Information Security

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.

True

The roles of information security professionals are almost always aligned with the goals and mission of the information security community of interest

information

The senior technology officer is typically the chief _______ officer

True

The software component of an information system comprises applications, operating systems, and assorted command utilities

True

The value of information comes from the characteristics it possesses

True

To achieve balance (that is, to operate an information system that satisfies the user and the security professional), the security level must allow reasonable access, yet protect against threats

True

Using a methodology increases the probability of success.

False

Using a methodology will usually have no effect on the probability of success

False

When a computer is the subject of an attack, it is the entity being attacked

True

When unauthorized individuals or systems can view information, confidentiality is breached

Maintenance and change

Which phase is often considered the longest and most expensive phase of the systems development life cycle?

Arpanet

_____ is the predecessor to the Internet

Uptime

______ is the percentage of time a particular service is available

Authenticity

______ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication

Indirect attacks

______ originate from a compromised system or resource that is malfunctioning or working under the control of a threat

Software

________ carries the lifeblood of information through an organization

Availability

________ enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format

Physical

_________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse

NSTISSI No. 4011

____________ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems

MULTICS

____________ was the first operating system to integrate security as its core functions
