Principles of Security Final

Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.

appetite

A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.

assessment

_____ law comprises a wide variety of laws pertaining to relationships among individuals and organizations.

Civil.

A ____ site provides only rudimentary services and facilities.

Cold.

The bottom-up approach to information security has a higher probability of success than the top-down approach.

False

Incident detail assessment determines the impact from a breach of confidentiality, integrity, and availability on information and information assets.

Incident Damage Assessment (IDA)

The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines is called _____.

Information Technology Management and Professionals

_____ addresses are sometimes called electronic serial numbers or hardware addresses.

MAC.

A _____ filtering firewall can react to an emergent event and update or create rules to deal with the event.

dynamic

Understanding the _____ context means understanding the impact of elements such as the business environment, the legal/regulatory/compliance environment, as well as the threat environment.

external

The average amount of time until the next hardware failure is known as _____.

mean time to failure (MTTF)

A table of hash values and their corresponding plaintext values used to look up password values if an attacker is able to steal a system's encrypted password file is known as a(n) _____.

rainbow table

In most common implementation models, the content filter has two components: _____.

rating and filtering

Most common data backup schemes involve _____.

RAID, disk-to-disk-to-cloud

Using a service bureau is a BC strategy in which an organization contracts with a service agency to provide a facility for a fee.

Service Bureau

______ are malware programs that hide their true nature and reveal their designed behavior only when activated.

Trojan horses.

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.

True

The Secret Service is charged with safeguarding the nation's financial infrastructure and payments systems to preserve the integrity of the economy.

True

The organization should adopt naming standards that do not convey information to potential system attackers.

True.

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage _____.

By accident and/or through unintentional negligence.

The _____ is an intermediate area between a trusted network and an untrusted network.

DMZ

Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?

Electronic Communications Privacy Act

A technique used to compromise a system is known as a(n) ___________.

Exploit.

"Knowing yourself" means identifying, examining, and understanding the threats facing the organization's information assets.

False

A disaster is any adverse event that could result in loss of an information asset or assets but does not currently threaten the viability of the entire organization.

False

Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels.

False

An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms.

False

Discretionary access control is an organizational approach that specifies resource use based on the assignment of data classification schemes to resources and clearance levels to users.

False

In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries.

False

Intrusion detection consists of procedures and systems that detect, identify, and limit intrusions before returning operations to a normal state.

False

Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse.

False

Risk mitigation is the process of assigning a risk rating or score to each information asset.

False

The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.

False

The operational plan documents the organization's intended long-term direction and efforts for the next several years.

False

The primary mission of information security is to ensure that systems and their content retain their confidentiality.

False

The security framework is a more detailed version of the security blueprint.

False

A key difference between a policy and a law is that ignorance of a law is an acceptable defense.

False.

Changes to systems logs are a possible indicator of an actual incident.

False.

Hardware is often the most valuable asset possessed by an organization, and it is the main target of intentional attacks.

False.

Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.

False.

When electronic information is stolen, the crime is readily apparent.

False.

An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement.

False.

What is the subject of the Computer Security Act?

Federal Agency Information Security

As frustrating as viruses and worms are, perhaps more time and money are spent on resolving virus ______.

Hoaxes.

There are three general causes of unethical and illegal behavior: _____, accident, or intent.

Ignorance

The EISP component of _____ provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets.

Need for Information Security

_____ controls address personnel security, physical security, and the protection of production inputs and outputs.

Operational.

Which type of organizations should prepare for the unexpected?

Organizations of every size and purpose should also prepare for the unexpected.

Individuals who control, and are therefore ultimately responsible for, the security and use of a particular set of information are known as data __________.

Owners.

_____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.

Public

Data backup should be based on a(n) ____ policy that specifies how long log data should be maintained.

Retention

The first phase of the risk management process is _____.

Risk Identification.

_____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor.

Service agreement

_____ is any technology that aids in gathering information about a person or organization without their knowledge.

Spyware

A detailed statement of what must be done to comply with management intent is known as a _____.

Standard.

A computer is the __________ of an attack when it is used to conduct an attack against another computer.

Subject.

_____ often function as standards or procedures to be used when configuring or maintaining systems.

SysSPs

Which of the following versions of TACACS is still in use?

TACACS+

The _____ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.

TCP

A breach of possession may not always result in a breach of confidentiality.

True

As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown.

True

Business impact analysis is a preparatory activity common to both CP and risk management.

True

Exposure factor is the expected percentage of loss that would occur from a particular attack.

True

Good firewall rules include denying all data that is not verifiably authentic.

True

Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied.

True

Packet-filtering firewalls scan network data packets looking for compliance or violations of the firewall's database rules.

True

Some policies may also need a sunset clause indicating their expiration date.

True

Technical mechanisms like digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media have been used to deter or prevent the theft of software intellectual property.

True

The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident.

True

With the removal of copyright protection mechanisms, software can be easily and legally distributed and installed.

True

Each policy should contain procedures and a timetable for periodic review.

True.

Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with very little warning and are beyond the control of people.

True.

Forensics can provide a determination of the source or origin of an event, problem, or issue like an incident.

True.

Good security programs begin and end with policy.

True.

Incident response is an organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.

True.

Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.

True.

Reported attacks are a probable indicator of an actual incident.

True.

Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization's information assets to an acceptable level.

True.

The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.

True.

The roles of information security professionals focus on protecting the organization's information systems and stored information from attacks.

True.

Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.

Vulnerabilities.

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security _____.

blueprint

Human error or failure often can be prevented with training, ongoing awareness activities, and _____.

controls

A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes that _____.

controls have been bypassed, controls have proven ineffective, controls have failed

A crime involving digital media, computer technology, or related components is best called an act of _____.

digital malfeasance

A server would experience a(n) _____ attack when a hacker compromises it to acquire information via a remote location using a network connection.

direct

A short-term interruption in electrical power availability is known as a _____.

fault

What is the subject of the Sarbanes-Oxley Act?

financial reporting

Redundancy can be implemented at a number of points throughout the security architecture, such as in _____.

firewalls, proxy servers, access controls

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as _____.

information security

The probability that a specific vulnerability within an organization will be attacked by a threat is known as _____.

likelihood

The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the _____ side of the organization.

people

Information about a person's history, background, and attributes that can be used to commit identity theft is known as _____ information.

personally identifiable

The protection of tangible items, objects, or areas from unauthorized access and misuse is known as _____.

physical security

Which of these is NOT a unique function of information security management?

programs

The dominant architecture used to secure network access today is the _____ firewall.

screened subnet

In _____ mode, the data within an IP packet is encrypted, but the header information is not.

transport

_____ signifies how often you expect a specific type of attack to occur.

ARO

_____ risk treatment is a strategy to do nothing to protect a vulnerability and to accept the outcome of its exploitation.

Acceptance

A(n) _____ is a document containing contact information for the people to be notified in the event of an incident.

Alert Roster.
