CYBR 3100 Test 1
What are the 3 stages that the CPMT (contingency planning management team) conducts the BIA (business impact analysis) in?
1. Identify recovery priorities for system resources 2. Determine mission/business processes & recovery criticality 3. Identify resource requirements
When BS 7799 first came out, several countries, including the United States, Germany, & Japan, refused to adopt it, claiming that it had fundamental problems. What were these problems?
1. The standard lacked the measurement precision associated with a technical standard. 2. It was not as complete as other frameworks. 3. The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls. 4. The global information security community had not defined any jurisdiction for a code of practice identified in ISO/IEC 17799. 5. There was no reason to believe that ISO/IEC 17799 was more useful than any other approach.
What are the goals of information security governance?
1. Strategic alignment of info security with business strategy to support organizational objectives. 2. Risk management by executing appropriate measures to manage & mitigate threats to information resources. 3. Resource management by using info security knowledge & infrastructure efficiently & effectively. 4. Performance measurement by measuring, monitoring, & reporting info security governance metrics to ensure that organizational objectives are achieved. 5. Value delivery by optimizing info security investments in support of organizational objectives.
An industry recommendation for password structure and strength that specifies that a password should be at least 10 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one special character
10.4 password rule
A famous study entitled "Protection Analysis: Final Report" was published in ____.
1978
False
A best practice proposed for a small to medium business will be similar to one used to help design control strategies for a large multinational company. Select one: True False
False
A champion is a project manager, who may be a departmental line manager or staff unit manager, and understands project management, personnel management, and information security technical requirements.
Subject
A computer is the ____ of an attack when it is used to conduct the attack.
Object
A computer is the ____________________ of an attack when it is the target entity.
False
A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict the number of people who can access it. Select one: True False
Procedures
A frequently overlooked component of an IS, ____________________ are written instructions for accomplishing a specific task.
False
A hard drive feature known as "hot swap" is a RAID implementation in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails (T/F)
False
A managerial guidance SysSP is created by IT experts in a company to guide management in the implementation and configuration of technology. (T/F)
Dissemination, Review, Comprehension, Compliance, Enforcement
What does a policy need in order to be effective?
False
A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on it. Select one: True False
c. data classification scheme
A(n) _________ is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it. Select one: a. security clearance scheme b. risk management scheme c. data classification scheme d. data recovery scheme
d. FCO
A(n) _________ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment. Select one: a. IP b. CTO c. HTTP d. FCO
Enterprise
A(n) ____________________ information security policy outlines the implementation of a security program within the organization.
Methodology
A(n) ____________________ is a formal approach to solving a problem by means of a structured sequence of procedures.
False
A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster's scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _________________________ Select one: True False
True
A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas.
True
A(n) qualitative assessment is based on characteristics that do not use numerical measures. _________________________ Select one: True False
False
ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. (T/F)
A subject's ability to use, manipulate, modify, or affect another subject or object
Access
A specification of an organization's information asset, the users who may access and use it, and their rights and privileges for using the asset.
Access Control List (ACL)
support the mission of the organization, require comprehensive and integrated approach, and be cost-effective
According to NIST SP 800-14's security principles, security should ________.
False
According to Sun Tzu, if you know yourself and know your enemy you have an average chance to be successful in an engagement. Select one: True False
An attribute of information that describes how data is free of errors and has the value that the user expects
Accuracy
Malware intended to provide desired marketing and advertising, including pop-ups and banners on a user's screen
Adware
An __________ is a document containing contact information for the people to be notified in the event of an incident.
Alert roster
after-action review
An _________ is a detailed examination of the events that occurred from first detection to final recovery
incident
An _________ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization
framework
An information security __________ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training
Hardware, Software, Data
An information system is the entire set of ____, people, procedures, and networks that make possible the use of information resources in the organization.
In cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
Annualized Loss Expectancy (ALE)
In cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis
Annualized Rate of Occurrence (ARO)
False
Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction.
____ is the predecessor to the Internet.
Arpanet
The organizational resource being protected
Asset
World's first educational and scientific computing society
Association of Computing Machinery (ACM)
Intentional or unintentional act that can damage or otherwise compromise information and systems that support it
Attack
The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.
Avoidance of competitive disadvantage
A __________ plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.
BC (business continuity)
True
Baselining is the comparison of past security activities and events against the organization's current performance. Select one: True False
True
Benchmarking is the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate._________________________ Select one: True False
True
Best business practices are often called recommended practices. Select one: True False
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ________.
Blueprint
also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
Boot Virus
A long-term decrease in electrical power availability.
Brownout
A service __________ is an agency that provides a service for a fee.
Bureau
A plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible
Business Continuity Plan
An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities.
Business Impact Analysis (BIA)
The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability
C.I.A. Triad
An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.
Chief Information Officer (CIO)
Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
Chief Information Security Officer (CISO)
During the ____________________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers.
Cold
A(n) _________________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
Community of Interest
a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
Community of Interest
The history of information security begins with the history of ____________________ security.
Computer
cornerstone of many computer-related federal laws and enforcement efforts
Computer Fraud and Abuse Act of 1986
1. Purpose of commercial advantage 2. Private financial gain 3. Furtherance of a criminal act
Computer fraud is punishable if it falls into what categories?
The UK law that makes it illegal to hack into a person's computer and to disrupt deliberately someone else's computer.
Computer Misuse Act 1990
one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices
Computer Security Act of 1987
In an organization, the value of ____________________ of information is especially high when it involves personal information about employees, customers, or patients.
Confidentiality
An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems
Confidentiality
True
Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
Configuration rules
security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization
Control, safeguard, or countermeasure
Executive management's responsibility to provide strategic direction, ensure accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use
Corporate Governance
False
Cost Benefit Analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended. Select one: True False
False
Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _________________________ Select one: True False
In 2014, NIST published a new Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of __________, based on vendor-neutral technologies.
Critical infrastructure services
A Web application fault that occurs when an application running on a Web server inserts commands into a user's browser session and causes information to be sent to a hostile server.
Cross-Site Scripting (XSS)
A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
Cyberactivist/Hacktivist
Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
Cyberwarfare
Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, & availability of information & information assets during or just following an incident.
Damage assessment
items of fact collected by an organization
Data
Which of the following is a valid type of data ownership?
Data Users, Data Owners and Data Custodians
A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
Database Security
A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.
Database Shadowing
__________ is an improvement to the process of remote journaling, in which databases are backed up almost in real time to multiple servers at local & remote sites.
Database shadowing
Standards that are not formally published or ratified; they are established as a matter of practice
De facto standards
Standards may be published, scrutinized, and ratified by a group, as in formal or ________ standards.
De jure
Formally ratified standards that carry official weight
De jure standards
A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Defense in Depth
__________ is a strategy for the protection of information assets that uses multiple layers & different types of controls (managerial, operational, & technical) to provide optimal protection.
Defense in depth
Created in 2003 from the Homeland Security Act of 2002
Department of Homeland Security
One of the basic tenets of security architectures is the layered implementation of security, which is called defense in __________.
Depth
Integrating the need for the development team to provide iterative and rapid improvements to systems functionality and the need for the operations team to improve security and minimize the disruption from software releases
DevOps
A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
Dictionary password attack
The American contribution to an effort to improve copyright protection internationally
Digital Millennium Copyright Act (DMCA)
A(n) ____ attack is a hacker using a personal computer to break into a system.
Direct
A hacker using a PC to break into a system
Direct Attack
False
Direct attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate internet locations. Also known as DNS spoofing
Domain Name System (DNS) cache poisoning
Within security perimeters the organization can establish security __________, each with differing levels of security, between which traffic must be screened.
Domains
Physical Design
During the ____ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.
The __________ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. Sets out requirements that must be met by the information security blueprint or framework. Shapes the philosophy of security in the environment. AKA general security policy. pg 163-164
EISP (enterprise information security policy)
False
Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization. This is known as threat prioritization. _________________________ Select one: True False
prevents trade secrets from being illegally shared
Economic Espionage Act (1996)
Keep the design as simple and small as possible
Economy of mechanism
A collection of statutes that regulates the interception of wire, electronic, and oral communications
Electronic Communications Privacy Act of 1986
A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.
Electronic Vaulting
The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called __________.
Electronic vaulting
Another name for static electricity, which can damage chips and destroy motherboards, even though it might not be felt or seen with the naked eye. Difference of electric potential (Voltage) between two conductors.
Electrostatic Discharge (ESD)
Those whom the new system will most directly affect.
End users
True
Establishing a competitive business model, method, or technique enabled an organization to provide a product or service that was superior and created a(n) competitive advantage. _________________________ Select one: True False
The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment
Ethics
An __________ is any occurrence within the organization's operational environment.
Event
False
Every member of the organization's InfoSec department must have a formal degree or certification in information security (T/F)
__________ is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator.
Evidence
True
Exposure factor is the expected percentage of loss that would occur from a particular attack. _________________________ Select one: True False
Base access decisions on permission rather than exclusion
Fail-safe defaults
True
Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program (T/F)
A breach of possession always results in a breach of confidentiality.
False
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, & the company is liable for the employee's actions.
False
An e-mail virus involves sending an e-mail message with a modified field.
False
Every member of the organization's InfoSec department must have a formal degree or certification in information security.
False
Hardware is often the most valuable asset possessed by an organization and it is the main target of intentional attacks.
False
Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects.
False
Key end users should be assigned to a developmental team, known as the united application development team.
False
MULTICS stands for Multiple Information and Computing Service.
False
Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization.
False
The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC).
False
ACLs are more specific to the operation of a system than rule-based policies & they may or may not deal with users directly.
False. ACLs regulate who can use the system, what authorized users can access, when authorized users can access the system, and where authorized users can access the system.
A cold site provides many of the same services & options of a hot site, but at a lower cost.
False, cold sites provide only rudimentary services & facilities
Primary branch of US law enforcement. One of its primary missions is to investigate cybercrime
Federal Bureau of Investigation (FBI)
Mandates that all federal agencies protect their information assets
Federal Information Security Management Act (FISMA)
Regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission
Federal Privacy Act of 1974
b. Unclassified
Federal agencies such as the NSA, FBI, and CIA use specialty classification schemes. For materials that are not considered 'National Security Information', __________ data is the lowest level classification. Select one: a. Confidential b. Unclassified c. Sensitive d. Public
Contains many provisions that focus on facilitating affiliation among banks, securities firms, and insurance companies
Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act)
Redundancy can be implemented at a number of points throughout the security architecture, such as in __________.
Firewalls, proxy servers, and access controls
A security __________ is an outline of the overall information security strategy for the organization & a road map for planned changes to the information security environment of the organization.
Framework
allows any person to request access to federal agency records or information not determined to be a matter of national security.
Freedom of Information Act (FOIA)
Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, and ensuring that risks are properly managed.
Governance
protects the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange
Health Insurance Portability and Accountability Act (HIPAA) Kennedy-Kassebaum Act
An alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure.
Hierarchical roster
Professional association that focuses on auditing, control, and security
ISACA
Non-profit society of more than 10,000 information security professionals in over 100 countries
ISSA
__________, commonly referred to as fair & responsible use policies, are used to control constituents' use of a particular resource, asset, or activity. pg 164
ISSPs (issue-specific security policies)
In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework that intends to allow organizations to __________.
Identify & prioritize opportunities for improvement within the context of a continuous & repeatable process
False
Identifying human resources, documentation, and data information assets of an organization is less difficult than identifying hardware and software assets. Select one: True False
True
If the acceptance strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and portray an apathetic approach to security in general. Select one: True False
Components are ordered, received, and tested
Implementation
False
In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack, with the SLE being the product of the asset's value and the annualized loss expectancy. Select one: True False
b. weighted factor analysis
In a(n) __________, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria and then summing and ranking those scores. Select one: a. data classification scheme b. weighted factor analysis c. risk management program d. threat assessment
True
In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization. Select one: True False
Hash
In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ____ value.
False
In general, protection is "the quality or state of being secure—to be free from danger."
False
In information security, benchmarking is the comparison of past security activities and events against the organization's current performance. _________________________ Select one: True False
True
In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or useable.
a plan that shows the organization's intended efforts in the event of an incident
Incident Response Plan
Response
Incident ____________________ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
The rapid determination of how seriously a breach of confidentiality, integrity, and availability affected information and information assets during an incident or just following one.
Incident damage assessment
A hacker compromising a system and using it to attack other systems (e.g., a botnet)
Indirect Attack
The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
Information Extortion
The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
Information System
Integrity
Information has ____________________ when it is whole, complete, and uncorrupted.
False
Information security can be an absolute.
Protecting the organization's ability to function; protecting the data and information the organization collects and uses, whether physical or electronic; enabling the safe operation of applications running on the organization's IT systems; safeguarding the organization's technological assets
Important functions of information security
The creation, ownership, and control of original ideas as well as the representation of those ideas.
Intellectual property (IP)
A hacker attempting to break into an IS system
Intentional Attack
nonprofit organization that focuses on the development and implementation of information security certifications and credentials
International Information Systems Security Certification Consortium
A structured process in which users, managers, and analysts work together for several days in a series of intensive meetings to specify or review system requirements.
Joint Application Design (JAD)
power to make legal decisions
Jurisdiction
False
Know yourself means identifying, examining, and understanding the threats facing the organization. Select one: True False
Providing only the minimum amount of privileges necessary to perform a job or function.
Least Privilege
Minimize mechanisms (or shared variables) common to more than one user and depended on by all users.
Least common mechanism
True
Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _________________________ Select one: True False
The ability of a legal entity to exercise influence beyond its normal range
Long Arm Jurisdiction
A single instance of an information asset suffering damage or destruction
Loss
False
Loss event frequency is the combination of an asset's value and the percentage of it that might be lost in an attack. _________________________ Select one: True False
____ was the first operating system to integrate security into its core functions.
MULTICS
Backdoor used by programmers to debug and test programs.
Maintenance hook
A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner.
Man-in-the-middle
A managerial guidance SysSP document is created by __________ to guide the implementation & configuration of technology.
Management
The stated purpose of ISO/IEC 27002 is to "offer guidelines & voluntary directions for information security __________."
Management
b. All of the above
Management of classified data includes its storage and _________. Select one: a. portability b. All of the above c. distribution d. destruction
__________ controls are info security safeguards that focus on administrative planning, organizing, leading, & controlling. They're designed by strategic planners & implemented by the security administration of the organization. Includes governance & risk management.
Managerial
A systems-specific security policy that expresses management's intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.
Managerial guidance SysSP
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
Maximum Tolerable Downtime (MTD)
A graphical representation of the architectural approach widely used in computer and information security.
McCumber Cube
The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Mean Time to Repair (MTTR)
The average amount of time until the next hardware failure.
Mean time to failure (MTTF)
____ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
NSTISSI No. 4011
The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area ____________________.
Network
False
Network security focuses on the protection of the details of a particular operation or series of activities.
False
One advantage to benchmarking is that best practices change very little over time. Select one: True False
True
One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _________________________ Select one: True False
the design of a security mechanism should be open rather than secret
Open Design
__________ controls address personnel security, physical security, and the protection of production inputs and outputs. They also guide the development of education, training, and awareness programs for users, administrators, and management.
Operational
True
Operational feasibility is also known as behavioral feasibility. _________________________ Select one: True False
hacker tools
Organizations generally have policies against installation of _____________ without written permission from the CISO.
Incident response
Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what steps are taken when an attack occurs.
An attempt to learn or make use of information from the system that does not affect system resources
Passive Attack
Standards of performance to which participating organizations must comply. Applies to organizations that process payment cards, such as credit cards, debit cards, ATM cards, stored-value cards, gift cards, and other items.
Payment Card Industry Data Security Standard (PCI DSS)
The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the organization.
People
A set of information that could uniquely identify an individual
Personally Identifiable Information (PII)
The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information
Pharming
the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Phishing
A hacker who manipulates the public telephone system to make free calls or disrupt services.
Phreaker
During the early years, information security was a straightforward process composed predominantly of ____________________ security and simple document classification schemes.
Physical
Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
Physical Design
The protection of physical items, objects, or areas from unauthorized access and misuse.
Physical Security
False
Policies are written instructions for accomplishing a specific task.
A __________ is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties.
Policy
examples of actions that illustrate compliance with policies
Practices
a form of social engineering in which one individual lies to obtain confidential data about another individual
Pretexting
The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources
Privilege Escalation
The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.
Protection profile or security posture
The key components of the security perimeter include firewalls, DMZs (demilitarized zones), __________ servers, & IDPSs.
Proxy
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
Psychological acceptability
A security policy should begin with a clear statement of __________.
Purpose (policy)
A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password files
Rainbow Tables
Malware that locks users out of their computers or files and demands payment to restore access.
Ransomware
The point in time prior to a disruption or system outage to which mission/business process data can be recovered.
Recovery Point Objective (RPO)
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.
Recovery Time Objective (RTO)
firewalls, proxy servers, access controls
Redundancy can be implemented at a number of points throughout the security architecture, such as:
RAID stands for a __________ array of independent disk drives that stores information across multiple units to spread out data & minimize the impact of a single drive failure.
Redundant
A system of drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure
Redundant Array of Independent Disks (RAID)
The backup of data to an off-site facility in close to real time based on transactions as they occur.
Remote Journaling
the probability of an unwanted outcome, such as an adverse event or loss
Risk
b. appetite
Risk _________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. Select one: a. acceptance b. appetite c. avoidance d. benefit
c. control
Risk _________ is the application of security mechanisms to reduce the risks to an organization's data and information systems. Select one: a. identification b. management c. control d. security
Same as jailbreaking
Rooting
A professional research and education cooperative organization that also awards security certifications.
SANS
A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees.
SETA
__________ is a managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizations. The end goal is to reduce accidental security breaches by employees.
SETA (security education, training, and awareness)
Seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded organizations
Sarbanes-Oxley Act
Organizations are moving toward more ____-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.
Security
Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
Security Professionals
Provides guidance for the use of encryption and provides protection from government intervention.
Security and Freedom through Encryption Act of 1999
The boundary in the network within which an organization attempts to maintain security controls that protect its information from threats originating in untrusted network areas.
Security perimeter
People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
Security policy developers
Provide mechanisms that separate the privileges used for one purpose from those used for another
Separation of privileges
An alert roster in which a single contact person calls each person on the roster
Sequential roster
A level of redundancy provided by mirroring entire servers called redundant servers
Server fault tolerance
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.
Service Bureau
A document or part of a document that specifies the expected level of service from a service provider. Usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
Service Level Agreement (SLA)
The collection, analysis, and distribution of information from foreign communications networks for intelligence and counterintelligence purposes and in support of military operations.
Signals Intelligence
The ____________________ component of the IS comprises applications, operating systems, and assorted command utilities.
Software
A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. Attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence
Software Assurance
Using DevOps methodologies (an integrated development-and-operations approach) applied to the specification, creation, and implementation of security control systems.
SpecOps
A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
Spoofing
Initiation, Development/Acquisition, Implementation/Assessment, Operations/Maintenance, Disposal
Stages in NIST approach to SDLC
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change
Stages of the SDLC
__________ are more detailed statements of what must be done to comply with policy.
Standards
The organization's __________ plan documents the organization's intended long-term direction & efforts for the next several years.
Strategic
The process of defining and specifying the long-term direction to be taken by the organization.
Strategic Planning
Some policies may also need a __________ clause indicating their expiration date.
Sunset
A component of policy or law that defines an expected end date for its applicability.
Sunset Clause
According to NIST SP 800-14's security principles, security should ________.
Support the mission of the organization, require a comprehensive and integrated approach, and be cost-effective.
__________ often function as standards or procedures to be used when configuring or maintaining systems. pg 168
SysSPs (system-specific security policies)
People with primary responsibility for administering systems that house the information used by the organization
Systems Administrators
A methodology for the design and implementation of an information system.
Systems Development Life Cycle (SDLC)
The most successful kind of top-down approach involves a formal development strategy referred to as a ____.
Systems Development Life Cycle (SDLC)
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems.
Systems-Specific Security Policies (SysSPs)
A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
TCP hijacking
Information security safeguards focused on the application of modern technology, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.
Technical Controls
False
The Analysis phase of the SecSDLC begins with a directive from upper management.
CIA
The CNSS model of information security evolved from a concept developed by the computer security industry known as the ____________________ triangle.
True
The ISO/IEC 27000 series is derived from an earlier standard, BS7799 (T/F)
accidental
The SETA program is a control measure designed to reduce the instances of ________ security breaches by employees
False
The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system.
SDLC
The ____ is a methodology for the design and implementation of an information system in an organization.
CISO
The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
a. defense
The _________ control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Select one: a. defense b. transfer c. mitigate d. termination
c. transfer
The __________ control strategy attempts to shift risk to other assets, other processes, or other organizations. Select one: a. defend b. accept c. transfer d. mitigate
c. performance gap
The __________ is the difference between an organization's observed and desired performance. Select one: a. issue delta b. objective c. performance gap d. risk assessment
c. IR
The __________ plan specifies the actions an organization can and should take while an adverse event (that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization) is in progress. Select one: a. BC b. DR c. IR d. BR
b. acceptance
The __________ strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. Select one: a. transfer b. acceptance c. mitigation d. defense
Analysis
The ____________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
False
The bottom-up approach to information security has a higher probability of success than the top-down approach.
a. loss frequency
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range is called the __________. Select one: a. loss frequency b. benefit of loss c. likelihood d. annualized loss expectancy
d. disadvantage
The concept of competitive _________ refers to falling behind the competition. Select one: a. shortcoming b. drawback c. failure d. disadvantage
d. risk identification
The first phase of risk management is _________. Select one: a. risk evaluation b. risk control c. design d. risk identification
d. CBA
The formal decision making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) __________. Select one: a. ARO b. SLE c. ALE d. CBA
True
The investigation phase of the SecSDLC begins with a directive from upper management.
False
The possession of information is the quality or state of having value for some purpose or end.
True
The roles of information security professionals are aligned with the goals and mission of the information security community of interest.
Information
The senior technology officer is typically the chief ____________________ officer.
remote journaling
The transfer of live transactions in real time to an off-site facility is called ______________
True
The value of information comes from the characteristics it possesses.
a. dumpster diving
There are individuals who search trash and recycling - a practice known as _________ - to retrieve information that could embarrass a company or compromise information security. Select one: a. dumpster diving b. shoulder surfing c. corporate espionage d. pretexting
any event or circumstance that has the potential to adversely affect operations and assets
Threat
A category of objects, people, or other entities that represents the origin of danger to an asset - in other words, a category of threat agents
Threat Source
the specific instance or a component of a threat
Threat agent
An occurrence of an event caused by a threat agent
Threat event
True
To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats.
True
To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision date. (T/F)
A capability table specifies which subjects & objects users or groups can access.
True
A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.
True
A disaster recovery plan is a plan that shows the organization's intended efforts to restore operations at the original site in the aftermath of a disaster.
True
Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training & rehearsal.
True
Each policy should contain procedures & a timetable for periodic review.
True
Failure to develop an information security system based on the organization's mission, vision, & culture guarantees the failure of the information security program.
True
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
True
Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach.
True
NIST 800-14's Principles for Securing Information Technology Systems, can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program & to produce a blueprint for an effective security architecture.
True
Of the two approaches to information security implementation, the top-down approach has a higher probability of success.
True
Recently, many states have implemented legislation making certain computer-related activities illegal.
True
Security training provides detailed information & hands-on instruction to employees to prepare them to perform their duties securely.
True
The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area.
True
The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage.
True
The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification.
True
To remain viable, security policies must have (1) a responsible manager, (2) a schedule of reviews, (3) a method for making recommendations for reviews, & (4) a policy issuance & revision date.
True
Located in the DHS and charged with protecting the financial sector infrastructure.
US Secret Service
provides law enforcement agencies with broader latitude to combat terrorism related activities
USA PATRIOT ACT
An attack that occurs without deliberate intent, such as a lightning strike that causes a building fire.
Unintentional Attack
True
Using a methodology increases the probability of success.
A type of malware that is attached to other executable programs. Requires user interaction to replicate
Virus
A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
Waterfall Model
False
When a computer is the subject of an attack, it is the entity being attacked.
c. standards of due care
When organizations adopt security measures for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as __________. Select one: a. best practices b. benchmarking c. standards of due care d. baselining
Maintenance and Change
Which of the following phases is the longest and most expensive phase of the systems development life cycle?
True
You can create a single comprehensive ISSP document covering all information security issues. (T/F)
b. DR
_______ plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the flood waters recede. Select one: a. BR b. DR c. BC d. IR
d. MAC
________ addresses are sometimes called electronic serial numbers or hardware addresses. Select one: a. IP b. DHCP c. HTTP d. MAC
a. security clearance scheme
________ assigns a status level to employees to designate the maximum level of classified data they may access. Select one: a. security clearance scheme b. risk management scheme c. data recovery scheme d. data classification scheme
technical
________ controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets
d. Risk
________ equals the probability of a successful attack times the expected loss from a successful attack plus an element of uncertainty. Select one: a. Loss Frequency b. Loss c. Loss Magnitude d. Risk
Managerial
_________ controls cover security processes that are designed by the strategic planners and implemented by the security administration of the organization
c. Operational
_________ feasibility analysis examines user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders. Select one: a. Political b. Organizational c. Operational d. Technical
a. Qualitative assessment
_________ is an asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures. Select one: a. Qualitative assessment b. Metric-centric model c. Quantitative assessment d. Value-specific constant
a. ARO
_________ is simply how often you expect a specific type of attack to occur. Select one: a. ARO b. CBA c. ALE d. SLE
Software
____________________ carries the lifeblood of information through an organization.
Availability
____________________ enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format.
Authenticity
____________________ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
The risk control strategy that indicates the organization is willing to accept the current level of risk
acceptance risk control strategy
An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user
access control matrix
the perpetrator offers to share the proceeds of some large payoff with the victim if the victim will make a "good faith" deposit or provide some partial funding first.
advance fee fraud
An event with negative consequences that could threaten the organization's information assets or operations
adverse event
A detailed examination and discussion of the events that occurred, from first detection to final recovery
after-action review
Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group.
aggregate information
A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process
alert message
A document that contains contact information for people to be notified in the event of an incident
alert roster
in a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
annualized cost of a safeguard (ACS)
The combination of an asset's value and the percentage of it that might be lost in an attack.
asset exposure
The process of assigning financial value or worth to each information asset.
asset valuation
The number of successful attacks that are expected to occur within a specified time period.
attack success probability
An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
authenticity
____ of information is the quality or state of being genuine or original.
authenticity
An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
availability
An interruption in service, usually from a service provider, which causes an adverse event within an organization.
availability disruption
a malware payload that provides access to a system by bypassing normal access controls.
back door
An assessment of performance of some action or process against which future performance is assessed
baseline
The process of conducting a baseline
baselining
An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution.
behavioral feasibility
An attempt to improve information security practices by comparing an organization's effort against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate.
benchmarking
Security efforts that are considered among the best in the industry.
best business practices
A long-term interruption (outage) in electrical power availability.
blackout
an abbreviation of robot, an automated software program that executes certain commands when it receives a specific input
bot
False
Bottom-up is generally more successful than top-down. (T/F)
A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems
bottom-up approach
an attempt to guess a password by attempting every possible combination of characters and numbers in it
brute force password attack
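The two attacks defined above (the precomputed hash table and the brute-force search) and the reason salting blunts the first one, as an added example that is not from the textbook. The word list, the "stolen" unsalted password file and the salts are constructed for the demonstration; a real rainbow table stores hash/reduce chains rather than every digest, but the trade-off it exploits (work once, reuse against every stolen hash) is the same.

```python
"""Precomputed hash lookup versus brute force, and why per-user salts defeat
the precomputed table. Added example, not textbook code; all inputs are
constructed."""

import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once; reused against every stolen digest."""
    return {sha256_hex(w): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    return table.get(digest)


def brute_force(digest: str, charset: str = string.ascii_lowercase,
                max_len: int = 3) -> Optional[str]:
    """Try every combination up to max_len; cost grows as len(charset)**max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == digest:
                return candidate
    return None


def salted_hash(salt: str, password: str) -> str:
    """Salt makes identical passwords hash differently per user, so one
    precomputed table cannot serve every account. (Production systems should
    also use a deliberately slow KDF such as bcrypt, scrypt or Argon2.)"""
    return sha256_hex(salt + password)


# Constructed "stolen" unsalted password file: user -> sha256(password)
STOLEN_FILE = {
    "alice": sha256_hex("password"),
    "bob": sha256_hex("qwerty"),
    "carol": sha256_hex("zx9!Qm"),   # neither in the word list nor short enough
}


def crack_file(stolen: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Cheap table lookup first, short brute force as the fallback."""
    return {user: lookup(table, d) or brute_force(d) for user, d in stolen.items()}


if __name__ == "__main__":
    wordlist_table = build_lookup_table(["123456", "password", "qwerty", "letmein"])
    print(crack_file(STOLEN_FILE, wordlist_table))
    # With a salt the same password no longer matches the precomputed digest:
    print(lookup(wordlist_table, salted_hash("s4lt", "password")))
```

The brute-force search is deliberately limited to three lowercase characters so it finishes instantly; the same loop over a full printable character set at realistic lengths is what makes slow hashing and length policies matter.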
An application error that occurs when more data is sent to a program buffer than it is designed to handle.
buffer overrun (or buffer overflow)
The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams
business continuity planning
The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams
business resumption plan
In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).
capabilities table
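The access control matrix defined earlier on this page, with ACLs as its columns (one per asset) and capability tables as its rows (one per subject), as an added example that is not from the textbook. The subjects, assets and rights are constructed; absence of an entry is treated as deny.

```python
"""Access control matrix: rows are capability tables (per subject), columns
are ACLs (per asset). Added example, not textbook code; entries constructed."""

from collections import defaultdict
from typing import Dict, Set


class AccessControlMatrix:
    def __init__(self) -> None:
        # subject -> asset -> rights; a missing cell means no access (default deny)
        self._rows: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)

    def grant(self, subject: str, asset: str, *rights: str) -> None:
        self._rows[subject].setdefault(asset, set()).update(rights)

    def revoke(self, subject: str, asset: str, *rights: str) -> None:
        cell = self._rows.get(subject, {}).get(asset)
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:                      # drop empty cells so the ACL stays tidy
            del self._rows[subject][asset]

    def capability_table(self, subject: str) -> Dict[str, Set[str]]:
        """Row view: everything one subject may do, keyed by asset."""
        return {a: set(r) for a, r in self._rows.get(subject, {}).items()}

    def acl(self, asset: str) -> Dict[str, Set[str]]:
        """Column view: every subject holding rights on one asset."""
        return {s: set(row[asset]) for s, row in self._rows.items() if asset in row}

    def is_allowed(self, subject: str, asset: str, right: str) -> bool:
        return right in self._rows.get(subject, {}).get(asset, set())


def build_example() -> AccessControlMatrix:
    """Constructed matrix: two users, two assets."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("alice", "web.log", "read")
    m.grant("bob", "payroll.db", "read")
    return m


if __name__ == "__main__":
    m = build_example()
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("capabilities of alice:", m.capability_table("alice"))
    print("bob may write payroll.db?", m.is_allowed("bob", "payroll.db", "write"))
```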
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization
champion
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day.
clean desk policy
A facility that provides only rudimentary services, with no computer hardware or peripherals
cold site
An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
command injection
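The error defined above, shown as a vulnerable command builder beside a hardened one, as an added example that is not from the textbook. The `ping` command, the `echo` stand-in used so the demonstration is harmless, and the sample inputs are constructed; the vulnerable runner assumes a POSIX shell.

```python
"""Command injection: a shell string built from user input beside a hardened
version that validates the input and passes it as an argument vector.
Added example, not textbook code; commands and inputs are constructed."""

import re
import shlex
import subprocess
from typing import List

# RFC 1123-style hostname: alphanumeric labels with interior hyphens only,
# joined by dots, at most 253 characters overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_shell_command(host: str) -> str:
    """VULNERABLE: plain concatenation lets ';', '|', '$(...)' reach the shell."""
    return "ping -c 1 " + host


def validate_hostname(host: str) -> str:
    """Allowlist check. Rejects shell metacharacters and a leading '-', which
    would otherwise be parsed as an option even when no shell is involved."""
    if not _HOSTNAME.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def build_argv(host: str) -> List[str]:
    """HARDENED: validated input occupies its own argv slot; no shell parses it."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_vulnerable(user_input: str) -> str:
    """Executes through the shell (echo stands in for ping). Injected text runs."""
    proc = subprocess.run("echo " + user_input, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(user_input: str) -> str:
    """Same stand-in command, but validated and passed as an argument list."""
    proc = subprocess.run(["echo", validate_hostname(user_input)],
                          capture_output=True, text=True)
    return proc.stdout


def quote_if_shell_unavoidable(host: str) -> str:
    """If a shell string is truly required, validate first and then quote."""
    return "ping -c 1 " + shlex.quote(validate_hostname(host))


if __name__ == "__main__":
    print(build_shell_command("example.com; id"))   # second command reaches the shell
    print(run_vulnerable("target; echo INJECTED"))  # prints two lines
    print(build_argv("example.com"))
    try:
        build_argv("example.com; id")
    except ValueError as e:
        print("rejected:", e)
```

Validation before quoting matters: `shlex.quote` stops the shell from splitting the argument, but it does not stop a tool from interpreting `-n` or `--flag` as an option, which is why the allowlist also forbids a leading hyphen.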
The protection of all communications media, technology, and content
communications security
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform competition
competitive advantage
The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
competitive intelligence
The process of collecting, analyzing, and preserving computer-related evidence.
computer forensics
In the early days of computers, this term referred to securing the physical location of computer technology from outside threats. It later came to represent the concepts of information security as the scope of protecting information in an organization expanded.
computer security
The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization
cost-benefit analysis
A plan that shows the organization's intended effort in reaction to adverse events.
contingency plan
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster.
contingency planning
The group of senior managers and project members organized to conduct and lead all CP efforts.
contingency planning management team (CPMT)
The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident
cost avoidance
A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
cracker
Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software.
cracking
An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
crisis management
fixed moral attitudes or customs of a particular group
cultural mores
Attacker whose motivation may be defined as ideological, or attacking for the sake of principles or beliefs.
cyberterrorist
Individuals who work directly with data owners and are responsible for the storage, maintenance, and protection of information.
data custodians
Individuals who control (and are therefore responsible for) the security and use of a particular set of information. Data owners may rely on custodians for the practical aspects of protecting their information, specifying which users are authorized to access it, but they are ultimately responsible for it.
data owners
Commonly used as a surrogate for information security, data security is the focus of protecting data or information in its various states—at rest (in storage), in processing, and in transmission (over networks).
data security
Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization's planning and operations.
data users
A collection of data organized in a manner that allows access, retrieval, and use of that data
database
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.
defense risk control strategy
An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems
denial-of-service (DoS) attack
An adverse event that could threaten the viability of the entire organization
disaster
A plan that shows the organization's intended effort in the event of a disaster
disaster recovery plan
The actions taken by senior management to specify the organization's efforts in preparation for and recovery from a disaster.
disaster recovery planning
An approach to disk mirroring in which each drive has its own controller to provide additional redundancy.
disk duplexing
A RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails
disk mirroring
A RAID implementation (typically referred to as RAID Level 0) in which one logical volume is created by storing data across several available hard drives in segments called stripes.
disk striping
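The two RAID layouts defined above, simulated in memory so that the effect of a single drive failure can be compared directly, as an added example that is not from the textbook. It goes one step beyond the page by also building the XOR parity layout (RAID Level 5), which is what lets a striped set survive the failure that RAID 0 cannot; the payload and drive counts are constructed.

```python
"""Striping (RAID 0), mirroring (RAID 1) and rotating XOR parity (RAID 5)
simulated in memory. Added example, not textbook code; data is constructed.
A drive is a list of chunks; None models a failed drive."""

from functools import reduce
from typing import List, Optional

Drive = Optional[List[bytes]]


def _chunks(data: bytes, size: int) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fail_drive(drives: List[Drive], idx: int) -> List[Drive]:
    return [None if i == idx else d for i, d in enumerate(drives)]


# RAID 0: round-robin stripes, no redundancy
def raid0_write(data: bytes, n_drives: int, chunk: int) -> List[Drive]:
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for i, c in enumerate(_chunks(data, chunk)):
        drives[i % n_drives].append(c)
    return drives


def raid0_read(drives: List[Drive]) -> Optional[bytes]:
    if any(d is None for d in drives):
        return None                      # every stripe spans every drive: one loss kills the volume
    n = len(drives)
    total = sum(len(d) for d in drives)
    return b"".join(drives[i % n][i // n] for i in range(total))


# RAID 1: identical copies on twin drives
def raid1_write(data: bytes, chunk: int) -> List[Drive]:
    c = _chunks(data, chunk)
    return [list(c), list(c)]


def raid1_read(drives: List[Drive]) -> Optional[bytes]:
    alive = [d for d in drives if d is not None]
    return b"".join(alive[0]) if alive else None


# RAID 5: each row holds n-1 data chunks plus one parity chunk on a rotating drive
def raid5_write(data: bytes, n_drives: int, chunk: int) -> List[Drive]:
    row_len = chunk * (n_drives - 1)
    padded = data + b"\0" * (-len(data) % row_len)   # equal-size chunks keep XOR aligned
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for r, row in enumerate(_chunks(padded, row_len)):
        pieces = _chunks(row, chunk)
        parity = reduce(xor_bytes, pieces)
        it = iter(pieces)
        for d in range(n_drives):
            drives[d].append(parity if d == r % n_drives else next(it))
    return drives


def raid5_read(drives: List[Drive], length: int) -> Optional[bytes]:
    n = len(drives)
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        return None                      # single parity tolerates exactly one failure
    rows = len(next(d for d in drives if d is not None))
    out = bytearray()
    for r in range(rows):
        row = [None if d is None else d[r] for d in drives]
        if failed:                       # missing chunk = XOR of the other n-1 chunks
            f = failed[0]
            row[f] = reduce(xor_bytes, [row[i] for i in range(n) if i != f])
        out += b"".join(row[i] for i in range(n) if i != r % n)
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed
    print("RAID 0 after one failure:", raid0_read(fail_drive(raid0_write(payload, 4, 4), 1)))
    print("RAID 1 after one failure:", raid1_read(fail_drive(raid1_write(payload, 4), 0)))
    print("RAID 5 after one failure:", raid5_read(fail_drive(raid5_write(payload, 4, 4), 2), len(payload)))
```

Note the caveat for the RAID definition on this page: striping alone (Level 0) spreads data across drives but makes the volume less tolerant of a single failure, not more; it is the mirror copy or the parity chunk that provides the redundancy.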
A DoS attack carried out by multiple computers.
distributed-denial-of-service (DDoS) attack
The percentage of time a particular service is not available; the opposite of uptime.
downtime
Measures that an organization takes to ensure every employee knows what is acceptable and what is not.
due care
reasonable steps taken by a person in order to satisfy a legal requirement, especially in buying or selling something.
due diligence
An information attack that involves searching through a target organization's trash and recycling bins for sensitive information.
dumpster diving
The high-level security policy that is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
enterprise information security policy (EISP)
A physical object or documented information entered into a legal proceeding that proves an action occurred or identifies the intent of a perpetrator
evidence
A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information.
expert hacker
A technique used to compromise a system
exploit
State of being exposed; in infosec, when a vulnerability is known to an attacker
exposure
The expected percentage of loss that would occur from a particular attack
exposure factor
A short-term interruption in electrical power availability
fault
the desired end of a planning cycle
goals
Non-mandatory recommendations the employee may use as a reference in complying with policy
guidelines
a person who uses computers to gain unauthorized access to data.
hacker
A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster
hot site
A hard drive feature that allows individual drives to be replaced without fault and without powering down the entire system
hot swap
An adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization
incident
The process of examining an incident candidate and determining whether it constitutes an actual incident.
incident classification
The actions taken by senior management to develop and implement IR policy, plan, and computer security incident response team
incident response planning
The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage.
industrial espionage
data that has been organized, structured, and presented to provide additional insights into its context, worth, and usefulness
information
Pieces of non-private data that, when combined, may create information that violates privacy.
information aggregation
The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
information asset
Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
information security
a framework or security model customized to an organization, including implementation details
information security blueprint
A specification of a model to be followed during the design, selection and initial and ongoing implementation of all subsequent security controls
information security framework
The application of the principles of corporate governance to the information security function.
information security governance
Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets
information security policy
A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
integer bug
An attribute of data that describes how data is whole, complete, and uncorrupted
integrity
During this phase, the objective, constraints, and scope of the project are specified
investigation
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
issue-specific security policy
Escalating privileges to gain administrator-level or root access control over a smartphone
jailbreaker
rules that mandate or prohibit certain behavior and are enforced by the state
laws
Entity's legal obligation or responsibility
liability
The probability that a specific vulnerability within an organization will be the target of an attack
likelihood
In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. Contains no reference to specific technologies, vendors, or products.
logical design
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.
loss frequency
A type of virus written in a specific macro language to target applications that use the language
macro virus
An attack designed to overwhelm the receiver with excessive quantities of e-mail.
mail bomb
longest and most expensive phase of the systems development life cycle
maintenance and change
Computer software specifically designed to perform malicious or unwanted actions
malware/malicious code/malicious software
information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.
managerial controls
The average amount of time a computer repair technician needs to determine the cause of a failure.
mean time to diagnose (MTTD)
The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures
mean time between failure (MTBF)
As a subset of information assets, the systems and networks that store, process, and transmit information
media
A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated.
memory-resident virus
A formal approach to solving a problem based on a structured sequence of procedures.
methodology
performance measures or metrics based on observed numerical data
metrics-based performance
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation.
mitigation risk control strategy
A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
mutual agreement
A subset of communications security; the protection of voice and data networking components, connections, and content.
network security
The presence of additional and disruptive signals in network communications or electrical power delivery
noise
A virus that terminates after it has been activated, infected its host system, and replicated itself.
non-memory-resident virus
A relatively unskilled hacker who uses the work of expert hackers to perform attacks.
novice hacker
the entity being attacked
object of attack
Specific, short-term statements detailing how to achieve the organization's goals.
objectives
Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
operational controls
a plan for the organization's intended operational efforts on a day-to-day basis for the next several months
operational plan
The actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals
operational planning
An examination of how well a particular solution fits within the organization's strategic planning objectives and goals
organizational feasibility
A script kiddie who uses automated exploits to engage in denial-of-service attacks.
packet monkey
A software program or hardware appliance that can intercept, copy, and interpret network traffic.
packet sniffer
An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems.
penetration tester
The difference between an organization's observed and desired performance
performance gap
____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
physical
Guidelines that dictate certain behavior within an organization
policy
An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.
policy administrator
An examination of how well a particular solution fits within the organization's political environment
political feasibility
Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
polymorphic threat
An attribute of information that describes whether the data's ownership or control is legitimate or authorized
possession
The ____________________ of information is the quality or state of ownership or control of some object or item.
possession
right of individuals to keep their information from being disclosed to others
privacy
step-by-step instructions for completing a task. Designed to assist employees
procedures
Performance measures or metrics based on intangible activities
process-based measures
A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government.
professional hacker
A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.
project team
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures
qualitative assessment
An asset valuation approach that attempts to assign absolute numerical measures
quantitative assessment
The use of multiple types or instances of technology that prevent the failure of one system from compromising the security of information
redundancy
The risk of information assets that remains even after current controls have been applied
residual risk
A legal requirement to make compensation or payment from a loss or injury
restitution
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
risk appetite
A determination of the extent to which an organization's information assets are exposed to risk
risk assessment
People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
risk assessment specialists
The application of controls that reduce the risks to an organization's information assets to an acceptable level
risk control
The recognition, enumeration, and documentation of risks to an organization's information assets.
risk identification
the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level
risk management
A short-term decrease in electrical power availability.
sag
A hacker of limited skill who uses expertly written software to attack a system.
script kiddie
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure
security
A personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is "cleared" to access.
security clearance
An area of trust within which information assets share the same level of protection
security domain
The direct, covert observation of individual information or system use.
shoulder surfing
The calculated value associated with the most likely loss from an attack
single loss expectancy
Attackers posing as IT professionals attempt to gain access to information systems by contacting low-level employees and offering help with computer issues
social engineering password attack
unauthorized copying or distribution of copyrighted software
software piracy
unwanted e-mail (usually of a commercial nature sent out in bulk)
spam
A variation of phishing that targets specific people or systems
spear phishing attack
A short-term increase in electrical power availability, also known as a swell.
spike
Any technology that aids in gathering information about people or organizations without their knowledge
spyware
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
standard
a plan for the organization's strategic effort over the next several years
strategic plan
the entity conducting the attack
subject of attack
A long-term increase in electrical power availability
surge
People with the primary responsibility for administering the systems that house the information used by the organization perform the ____ role.
system administrator
a plan for the organization's intended tactical efforts over the next few years
tactical plan
The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives
tactical planning
a project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
team leader
An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources
technical feasibility
A systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.
technical specifications SysSP
The risk control strategy that eliminates all risk associated with an information asset by removing it from service
termination risk control strategy
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization
threat assessment
a pairing of an asset with a threat and an identification of vulnerabilities that exist between the two.
threats-vulnerabilities-assets (TVA) triples
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings
threats-vulnerabilities-assets (TVA) worksheet
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization
time-share
In the ____________________ approach, the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action.
top-down
A methodology of establishing security policies that is initiated by upper management.
top-down approach
A malware program that hides its true nature and reveals its designed behavior only when activated
trojan horse
The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations.
transference risk control strategy
Unauthorized entry into the real or virtual property of another party.
trespass
the percentage of time a particular service is available; the opposite of downtime.
uptime
An attribute of information that describes how data has value or usefulness for an end purpose
utility
A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message
virus hoax
A potential weakness in an asset or its defensive control system(s).
vulnerability
A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications
warm site
The ____ model consists of six general phases.
waterfall
The amount of effort necessary to make the business function operational after the technology element is recovered
work time recovery
A type of malware that is capable of activation and replication without being attached to an existing program
worm
An attack that makes use of malware that is not yet known by the anti-virus software
zero-day attack