Security - Chapter 1 ALL
Adone is attempting to explain to his friend the relationship between security and convenience. Which of the following statements would he use? "Security and convenience are not related." "Convenience always outweighs security." "Security and convenience are inversely proportional." "Whenever security and convenience intersect, security always wins."
"Security and convenience are inversely proportional."
reference architectures
"Supporting structures" for implementing security; also called industry-standard frameworks.
industry-standard frameworks
"Supporting structures" for implementing security; also called reference architectures.
Those who wrongfully disclose individually identifiable health information can be fined up to what amount per calendar year? $50,000 $250,000 $500,000 $1,500,000
$1,500,000
Why are Configuration issues an issue in IS?
- Hardware and software are often not properly configured, thus allowing attacks to be successful. - Almost all devices come with out-of-the-box configuration settings, or default configurations, which are simple configurations that are intended to be changed by the user BUT they are often left in place. - Some devices have weak configuration options that provide limited security choices.
What is important for every employee to know and practice?
- It is the job of every employee—both IT and non-IT—to know and practice basic security defenses.
Why are Widespread vulnerabilities an issue in IS?
- Vulnerabilities are VERY common and because of the sheer number of vulnerabilities it is difficult to identify and correct all of them. - Not all hardware and software can be corrected once a vulnerability is uncovered; this is usually the case with consumer devices.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
- a set of security standards that all companies that process, store, or transmit credit or debit card information must follow. - PCI applies to any enterprise or merchant, regardless of its size or number of card transactions, that processes transactions either online or in person. - The maximum penalty for not complying is $100,000 per month
What are State notification and security laws?
- Almost all states (except for Alabama, New Mexico, and South Dakota) have passed notification laws. - They typically require businesses to inform residents within a specific period (typically 48 hours) if a breach of personal information has or is believed to have occurred. - Several states are strengthening their information security laws.
What is cyberterrorism?
- any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents" - intended to cause panic or provoke violence among citizens.
What does a Security administrator do?
- Requires both technical knowledge and managerial skills. - Manages daily operations of security technology, and may analyze and design security solutions within a specific entity as well as identifying users' needs.
What is HIPAA?
- healthcare enterprises must guard protected healthcare information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. - Those who wrongfully disclose individually identifiable health information can be fined up to $50,000 for each violation up to a maximum of $1.5 million per calendar year and sentenced up to 10 years in prison
What is the CompTIA Security+ certification?
- internationally recognized as validating a foundation level of security skills and knowledge - vendor-neutral credential that requires passing the current certification exam SY0-501.
What is Sarbanes-Oxley Act of 2002 (Sarbox)?
- An attempt to fight corporate corruption. - Covers the corporate officers, auditors, and attorneys of publicly traded companies. - Stringent reporting requirements and internal controls on electronic financial reporting systems are required. - Corporate officers who willfully and knowingly certify a false financial report can be fined up to $5 million and serve 20 years in prison.
What is the Gramm-Leach-Bliley Act (GLBA)?
- protects private data. - requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. - All electronic and paper data containing personally identifiable financial information must be protected. - The penalty for noncompliance for a class of individuals is up to $500,000.
What does a Chief Information Security Officer (CISO) do?
- reports directly to the CIO - responsible for assessing, managing, and implementing security.
What does a Security manager do?
- reports to the CISO and supervises technicians, administrators, and security staff. - works on tasks identified by the CISO and resolves issues identified by technicians. - requires an understanding of configuration and operation but not necessarily technical mastery.
Why are Universally connected devices an issue in IS?
- Virtually every technology device is connected to the Internet, which makes it easy for an attacker halfway around the world to silently launch an attack against a connected device.
According to the U.S. Bureau of Labor Statistics, what percentage of growth for information security analysts is the available job outlook supposed to reach through 2024? 10 15 18 27
18
vulnerability
A flaw or weakness that allows a threat agent to bypass security.
hacktivists
A group of threat actors that is strongly motivated by ideology.
What are activists?
A group that is strongly motivated by ideology (for the sake of their principles or beliefs); generally not considered to be a well-defined and well-organized group of threat agents.
Advanced Persistent Threat (APT)
A new class of attack that uses innovative attack tools to infect a system and then silently extracts data over an extended period.
threat actor
A person or element that has the power to carry out a threat.
accept
A response to risk that acknowledges the risk but takes no steps to address it.
transfer
A response to risk that allows a third party to assume the responsibility of the risk.
avoid
A response to risk that identifies the risk and the decision is made to not engage in the risk-provoking activity.
resource exhaustion
A situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.
vulnerable business processes
A situation in which an attacker manipulates commonplace actions that are routinely performed; also called business process compromise.
risk
A situation that involves exposure to danger.
race condition
A software occurrence when two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
What are insiders?
A threat from an enterprise's own employees, contractors, and business partners. These attacks are harder to recognize because they come from within the enterprise, yet they may be costlier than attacks from the outside.
new threat
A threat that has not been previously identified.
threat
A type of action that has the potential to cause harm.
What group are Advanced Persistent Threats associated with?
APTs are most commonly associated with nation state actors
What are the four different risk response techniques? Suppress Accept Deny Transfer Postpone Avoid Fulfill Mitigate
Accept Transfer Avoid Mitigate
improperly configured accounts
Account set up for a user that might provide more access than is necessary.
mitigate
Addressing risks by making risks less serious.
What class of attacks use innovative attack tools and once a system is infected it silently extracts data over an extended period? Inside Attacks Advanced Persistent Threat Embedded Attacks Modified Threat
Advanced Persistent Threat
Which tool is most commonly associated with nation state threat actors? Closed-Source Resistant and Recurrent Malware (CSRRM) Advanced Persistent Threat (APT) Unlimited Harvest and Secure Attack (UHSA) Network Spider and Worm Threat (NSAWT)
Advanced Persistent Threat (APT)
In information security, what can constitute a loss? theft of information a delay in transmitting information that results in a financial penalty the loss of good will or a reputation all of the above
All of the above
zero day
An attack in which there are no days of warning.
funding and resources
An attribute of threat actors that can vary widely.
misconfiguration
An incorrectly configured device.
asset
An item that has value.
What are end-of-life systems?
Systems so old that vendors have dropped all support for security updates, or else charge an exorbitant fee to provide updates.
What are cyberterrorists in IS?
Attack a nation's network and computer infrastructure to cause disruption and panic among citizens.
Why are Distributed attacks an issue in IS?
Attackers can use millions of computers or devices under their control in an attack against a single server or network. This "many against one" approach makes it virtually impossible to stop an attack by identifying and blocking a single source.
Why is greater sophistication of attacks an issue in IS?
Attacks are becoming more complex, making it more difficult to detect and defend against them. Many attackers use common protocols to distribute their attacks, making it more difficult to distinguish an attack from legitimate traffic. Other attack tools vary their behavior so the same attack appears differently each time, further complicating detection.
What is the category of threat actors that sell their knowledge of vulnerabilities to other attackers or governments? Cyberterrorists Competitors Brokers Resource managers
Brokers
What are the job expectations by the end of the decade?
By the end of the decade demand for security professionals worldwide will rise to 6 million, with a projected shortfall of 1.5 million unfilled positions.
attributes
Characteristic features of different groups of threat actors.
What are the 4 generally recognized security positions?
Chief Information Security Officer (CISO) Security manager Security administrator Security technician
What are Vulnerable business processes?
Commonplace actions that are routinely performed that can be manipulated by an attacker
What is Simplicity in IS?
Complex security systems can be hard to understand, troubleshoot, and even feel secure about. A secure system should be simple for those on the inside to understand and use but look complex from the outside
What does CompTIA stand for?
Computing Technology Industry Association
Which of the following ensures that only authorized parties can view protected information? Authorization Confidentiality Availability Integrity
Confidentiality
What is confidentiality in IS?
Confidentiality ensures that only authorized parties can view the information.
weak configuration
Configuration options that provide limited security choices.
layered security
Creating multiple layers of security defenses through which an attacker must penetrate; also called defense-in-depth.
defense-in-depth
Creating multiple layers of security defenses through which an attacker must penetrate; also called layered security.
What term describes a layered security approach that provides comprehensive protection? comprehensive-security diverse-defense limiting-defense defense-in-depth
Defense in depth
architecture/design weakness
Deficiencies in software due to poor design.
undocumented assets
Devices that are not formally identified or documented in an enterprise.
What is lack of vendor support?
Devices, particularly consumer devices, that have no support from the company that made the device, either because the manufacturer does not want to provide it or cannot.
risk response techniques
Different options available when dealing with risks.
An organization that practices purchasing products from different vendors is demonstrating which security principle? Obscurity Diversity Limiting Layering
Diversity
What are the 5 Fundamental Security Principles?
Diversity Obscurity Simplicity Layering Limiting
insiders
Employees, contractors, and business partners who can be responsible for an attack.
Gunnar is creating a document that explains risk response techniques. Which of the following would he NOT list and explain in his document? Extinguish risk Transfer risk Mitigate risk Avoid risk
Extinguish risk
True or False - Brokers steal new product research or a list of current customers to gain a competitive advantage.
FALSE
True or False - As security is increased, convenience is often increased.
FALSE
True or False - Successful attacks are usually not from software that is poorly designed and has architecture/design weaknesses.
FALSE
True or False - The Sarbanes-Oxley Act restricts electronic and paper data containing personally identifiable financial information.
FALSE
True or false - Smart phones give the owner of the device the ability to download security updates.
FALSE
True or false - The Security Administrator reports directly to the CIO.
False - they report to the CISO
What do people have to do with IS?
Form the security around the data. May be as basic as door locks or as complicated as network security equipment.
industry-specific frameworks
Frameworks/architectures that are specific to a particular industry or market sector.
open-source intelligence
Freely available automated attack software.
What is security?
Goal - the state of being free from danger, which is the goal of security. (NEVER possible!) Process - the measures taken to ensure safety (the real focus of security) Definition: necessary steps to protect from harm.
Which law requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information? Gramm-Leach-Bliley Sarbanes-Oxley California Database Security Breach USA Patriot
Gramm-Leach-Bliley
Which act requires banks and financial institutions to alert their customers of their policies in disclosing customer information? Sarbanes-Oxley Act (Sarbox) Financial and Personal Services Disclosure Act Health Insurance Portability and Accountability Act Gramm-Leach-Bliley Act (GLBA)
Gramm-Leach-Bliley Act (GLBA)
Which of the following is NOT a reason why it is difficult to defend against today's attackers? Delays in security updating Greater sophistication of defense tools Increased speed of attacks Simplicity of attack tools
Greater sophistication of defense tools
Under which laws are health care enterprises required to guard protected health information and implement policies and procedures whether it be in paper or electronic format? HIPAA HLPDA HCPA USHIPA
HIPAA
Why are Enterprise-based issues an issue in IS?
Hackers can manipulate processes that an enterprise performs to crack a system.
Why is Delays in security updating an issue in IS?
Hardware and software vendors are overwhelmed trying to keep pace with updating their products against attacks. This delay in distributing security updates adds to the difficulties in defending against attacks.
control diversity
Having different groups responsible for regulating access to a system.
What does HIPAA stand for?
Health Insurance Portability and Accountability Act
Which of the following is a common security framework? (Choose all that apply.) ISO COBIT RFC ASA
ISO COBIT RFC
What are some common security frameworks?
ISO, NIST, COBIT, ETSI, RFC, and ISA/IEC.
What are the pay increases for those people who have a Comptia security cert?
IT cert = 3.5 percent more; Security cert = 8.7 percent more
Why is User confusion an issue in IS?
Increasingly, users are called upon to make difficult security decisions regarding their computer systems, sometimes with little or no information to guide them. With little or no direction, these untrained users are inclined to provide answers to questions without understanding the security risks.
script kiddies
Individual who lacks advanced knowledge of computers and networks and so uses downloaded automated attack software to attack information systems.
How is financial cybercrime divided?
Individuals; businesses/organizations/government
What are script kiddies? Individuals who develop attack scripts for educational use Individuals who receive software development recognition prior to employment Individuals who perform penetration testing in a well regulated environment Individuals who want to attack computers yet lack the knowledge needed to do so
Individuals who want to attack computers yet lack the knowledge needed to do so
Which of the following is an enterprise critical asset? System software Information Outsourced computing services Servers, routers, and power supplies
Information
national
Information security framework/architectures that are domestic.
international
Information security framework/architectures that are worldwide.
non-regulatory
Information security frameworks/ architectures that are not required.
regulatory
Information security frameworks/architectures that are required by agencies that regulate the industry.
user training
Instructing employees as to the security reasons behind security restrictions.
Who is the CompTIA Security+ certification aimed at?
It is aimed at an IT security professional who has a recommended background of a minimum of two years' experience in IT administration with a focus on security.
What is the job outlook for information security analysts through 2024?
It is expected to grow by 18 percent, much faster than the average growth rate.
Why is IS rarely sent offshore or outsourced?
It is kept in house: because security is such a critical element, security positions generally remain within the enterprise.
What is system sprawl?
It is the widespread proliferation of devices across the enterprise
What are competitors in IS?
Launch attacks against an opponent's system to steal classified information.
What is layering in IS?
Layering security so that if one layer is penetrated, several more layers must still be breached, and each layer is often more difficult or complicated than the previous. A layered approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks. aka - defense-in-depth
What is Diversity in IS?
Making it so breaching one security layer does not compromise the whole system. Each layer of security must be different
Why is the Use of personal devices an issue in IS?
Many enterprises allow employees to use and connect their personal devices to the company's network. This has made it difficult for IT departments to provide adequate security for an almost endless array of devices that they do not own.
Why is Weak security update distribution an issue in IS?
Many software vendors have invested very little money in a costly patch distribution system. Users are generally unaware that a security update even exists for a product because there is no reliable means for the vendor to alert the user. Also, these vendors often do not create small security updates that patch the existing software; instead, they fix the problem in an entirely new version of the software—and then require the user to pay for the updated version that contains the patch.
Alyona has been asked by her supervisor to give a presentation regarding reasons why security attacks continue to be successful. She has decided to focus on the issue of widespread vulnerabilities. Which of the following would Alyona NOT include in her presentation? Large number of vulnerabilities End-of-life systems Lack of vendor support Misconfigurations
Misconfigurations
Why is the Availability and simplicity of attack tools an issue in IS?
Modern software attack tools do not require sophisticated knowledge on the part of the attacker. Many of the tools have a graphical user interface (GUI) that allows the user to easily select options from a menu. These tools are generally freely available, but some tools are sold for cold hard cash.
What is organized crime in IS?
Moving from traditional criminal activities to more rewarding and less risky online attacks.
What are non-regulatory architectures?
NOT required by external agencies that regulate the industry
The Advanced Persistent Threat is usually associated with which threat actor? Script Kiddies Hacktivists Nation State Actors Insiders
Nation State Actors
Signe wants to improve the security of the small business where she serves as a security manager. She determines that the business needs to do a better job of not revealing the type of computer, operating system, software, and network connections they use. What security principle does Signe want to use? Obscurity Layering Diversity Limiting
Obscurity
From 2005 to 2017, how many electronic records have been breached?
Over 907 MILLION!!!
Which regulation has been enacted to protect the processing, storing, or transmission of credit or debit card information? HIPAA Sarbox GLBA PCI DSS
PCI DSS
What do products have to do with IS?
Plans and policies established by an enterprise to ensure that people correctly use the products.
What are the 3 information security layers?
Products People Policies / procedures
Information security is achieved through a combination of what three entities? Confidentiality Products Integrity People Availability Policies and procedures
Products People Policies and procedures
Which of the following is NOT a successive layer in which information security is achieved? Products People Procedures Purposes
Purposes
What are industry-standard frameworks and reference architectures that are required by external agencies known as? Compulsory Mandatory Required Regulatory
Regulatory
availability
Security actions that ensure that data is accessible to authorized users.
confidentiality
Security actions that ensure that only authorized parties can view the information.
integrity
Security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.
administrative controls
Security controls for developing and ensuring that policies and procedures are carried out; regulating the human factors of security.
Which of the following is NOT true regarding security? Security is a goal. Security includes the necessary steps to protect from harm. Security is a process. Security is a war that must be won at all costs.
Security is a war that must be won at all costs.
What information security position reports to the CISO and supervises technicians, administrators, and security staff? security manager security engineer security auditor security administrator
Security manager
What are brokers in IS?
Sell their knowledge of a vulnerability to other attackers or governments.
What about smartphones and updates?
Smartphones, unlike computers and laptops, do not give the owner of the device the ability to download security updates. Instead, these must be sent out from the wireless carriers and many carriers do not provide security updates on a timely basis, if at all.
What is improper input handling in a software?
Software that allows the user to enter data but does not filter or validate user input to prevent a malicious action
improper input handling
Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.
improper error handling
Software that does not properly trap an error condition and provides an attacker with underlying access to the system.
Why is poorly designed software an issue in IS?
Software that is poorly designed and has architecture/design weaknesses.
nation state actors
State-sponsored attackers employed by a government for launching computer attacks against foes.
end-of-life system
System for which vendors have dropped all support for security updates due to the system's age.
True or false - One of the challenges in combating cyberterrorism is that many of the prime targets are not owned and managed by the federal government.
TRUE
True or False - The CompTIA Security+ certification is a vendor-neutral credential.
TRUE
True or false - A vulnerability is a flaw or weakness that allows a threat to bypass security.
TRUE
True or false - To mitigate risk is the attempt to address risk by making the risk less serious.
TRUE
When you pass the CompTIA Security+ certification, what does that guarantee?
That you have the knowledge and skills required to: - identify risks and participate in risk mitigation activities; - provide infrastructure, application, operational and information security; - apply security controls to maintain confidentiality, integrity, and availability; - identify appropriate technologies and products; - troubleshoot security events and incidents; - operate with an awareness of applicable policies, laws, and regulations
external
The location outside an enterprise in which some threat actors perform.
internal
The location within an enterprise in which some threat actors perform.
What is the relationship between security and convenience?
The more security, the less convenient
default configurations
The out-of-the-box security configuration settings.
intent and motivation
The reasoning behind attacks made by threat actors.
Why don't security jobs typically involve "on-the-job training"?
The risk of screwing up is too great.
What are weak configurations?
Settings that are very basic and provide limited security choices.
system sprawl
The widespread proliferation of devices across an enterprise.
Why do cyberterrorists target power plants, air traffic control centers, and water systems? These targets are government-regulated and any successful attack would be considered a major victory. These targets have notoriously weak security and are easy to penetrate. They can cause significant disruption by destroying only a few targets. The targets are privately owned and cannot afford high levels of security.
They can cause significant disruption by destroying only a few targets.
Why is there no such silver bullet for securing computers?
Things are always changing and as such, current solutions would not be viable all the time.
What do policies and procedures have to do with IS?
Those who implement and properly use security products to protect data.
organized crime
Threat actors that are moving from traditional organized criminal activities to more rewarding and less risky online attacks
sophisticated
Threat actors that have developed a high degree of complexity.
competitors
Threat actors that launch attacks against an opponent's system to steal classified information.
What is an objective of state-sponsored attackers? To right a perceived wrong To amass fortune over fame To spy on citizens To sell vulnerabilities to the highest bidder
To spy on citizens
What are some of the difficulties in defending against attacks?
Universally connected devices. Increased speed of attacks. Greater sophistication of attacks. Availability and simplicity of attack tools. Faster detection of vulnerabilities. Delays in security updating. Weak security update distribution. Distributed attacks. Use of personal devices. User confusion.
untrained users
Users with little or no instruction in making security decisions.
vendor diversity
Using security products provided by different manufacturers.
technical controls
Using technology that is carried out or managed by devices as a basis for controlling the access to and usage of sensitive data.
What is occurring when an attacker manipulates commonplace actions that are routinely performed in a business? Race Condition Resource Exhaustion Vulnerable Business Processes Undocumented Assets System Sprawl
Vulnerable Business Processes
Tatyana is discussing with her supervisor potential reasons why a recent attack was successful against one of their systems. Which of the following configuration issues would NOT be covered? Default configurations Weak configurations Vulnerable business processes Misconfigurations
Vulnerable business processes
Why is Faster detection of vulnerabilities an issue in IS?
Weaknesses in hardware and software can be more quickly uncovered and exploited with new software tools and techniques.
What is a zero day attack?
When a vulnerability is found and an attack started even before users or security professionals are aware of the vulnerability.
What is resource exhaustion?
When an attacker tries to exploit hardware that has resource limitations so that the system becomes slow or even unable to respond to other users, thus preventing valid users from accessing the device.
lack of vendor support
When the company that made a device provides no support for the device.
What is a race condition? When a vulnerability is discovered and there is a race to see if it can be patched before it is exploited by attackers. When two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences. When an attack finishes its operation before antivirus can complete its work. When a software update is distributed prior to a vulnerability being discovered.
When two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences.
What are the reasons for a successful attack?
Widespread vulnerabilities Configuration issues. Poorly designed software. Hardware limitations. Enterprise-based issues.
Why are Increased speed of attacks an issue in IS?
With modern tools at their disposal, attackers can quickly scan millions of devices to find weaknesses and launch attacks with unprecedented speed. Most attack tools initiate new attacks without any human participation, thus increasing the speed at which systems are attacked.
What is a vulnerability?
a flaw or weakness that allows a threat actor to bypass security
What is a threat actor?
a person or element that has the power to carry out a threat
What is a risk?
a situation that involves exposure to some type of danger
What are the 4 risk response technique options?
accept transfer avoid mitigate
What do security managerial personnel do?
administer and manage plans, policies, and people
In information security, which of the following is an example of a threat actor? a force of nature such as a tornado that could destroy computer equipment a virus that attacks a computer network a person attempting to break into a secure computer network all of the above
all of the above
What is a silver bullet?
an action that provides an immediate solution to a problem by cutting through the complexity that surrounds it.
What is an asset?
an item that has value: - it provides value to the enterprise; - it cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources; - it can form part of the enterprise's corporate identity.
What is an Advanced Persistent Threat (APT)?
attacks use innovative attack tools (advanced) and once a system is infected it silently extracts data over an extended period (persistent).
What does it mean to mitigate a risk?
attempt to address risk by making the risk less serious
Which of the following ensures that data is accessible to authorized users? availability confidentiality integrity identity
availability
Why do cyberterrorists target the banking industry, military installations, power plants, air traffic control centers, and water systems?
because they can significantly disrupt the normal activities of a large population
Which of the following are considered threat actors? (Choose all that apply.) brokers competitors administrators individuals
brokers competitors
What are attributes?
characteristic features of a hacking group: funding source; intent and motivation; source of work
What do security technical personnel do?
concerned with designing, configuring, installing, and maintaining technical security equipment
Which of the three protections ensures that only authorized parties can view information? security availability integrity confidentiality
confidentiality
List three of the characteristics of information that must be protected by information security. Confidentiality People Availability Products Integrity Policies and Procedures
confidentiality, availability, integrity
What are the 3 protections of data in IS?
confidentiality, integrity, availability
What term best describes any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against noncombatant targets by subnational groups or clandestine agents? cybercriminal cracking cyberterrorism hacking
cyberterrorism
In what kind of attack can attackers make use of millions of computers under their control in an attack against a single server or network? centered local remote distributed
distributed
Which of the following is a valid fundamental security principle? (Choose all that apply.) signature diversity simplicity layering
diversity simplicity layering
What is the goal of IS?
ensure that protective measures are properly implemented to ward off attacks and prevent the total collapse of the system when a successful attack does occur
What is availability in IS?
ensures that data is accessible to authorized users and not "locked up" so tight that they can't get to it
What is integrity in IS?
ensures that the information is correct and no unauthorized person or malicious software has altered the data
What are 2 reasons why people hack?
fame (old way), fortune (now)
What are national architectures?
frameworks/architectures that are domestic
What are international architectures?
frameworks/architectures that are worldwide
What are industry-standard frameworks?
frameworks/architectures that are specific to a particular sector
What are open-source intelligence or scripts?
freely available automated attack software
What does a security technician do?
generally an entry-level position; provides technical support to configure security hardware, implement security software, and diagnose and troubleshoot problems.
What are reference architectures?
some give an overall program structure and security management guidance to implement and maintain an effective security program, while others contain in-depth technical guidelines
What are sophisticated attacks?
hackers who have developed a high degree of complexity
What term is used to describe a group that is strongly motivated by ideology, but is usually not considered to be well-defined and well-organized? hacktivists hacker script kiddies cyberterrorist
hacktivists
What is obscurity in IS?
hiding to the outside world what is on the inside makes attacks that much more difficult.
What does it mean to avoid a risk?
identifying the risk but making the decision to not engage in the activity
What type of theft involves stealing another person's personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain? cyberterrorism identity theft phishing social scam
identity theft
What is a misconfiguration?
incorrectly configured devices
What are script kiddies?
individuals who want to attack computers yet lack the knowledge of computers and networks needed to do so, so they use freely available automated attack software from websites to perform malicious acts
Which term below is frequently used to describe the tasks of securing information that is in a digital format? network security information security physical security logical security
information security
Some groups of threat actors may work ______ or ______ an organization.
inside (internal) outside (external)
Select the information protection item that ensures that information is correct and that no unauthorized person or malicious software has altered that data. availability confidentiality integrity identity
integrity
What is Identity theft?
involves stealing another person's personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain
What level of security access should a computer user have to do their job? password protected least amount limiting amount authorized access
least amount
To date, the single most expensive malicious attack occurred in 2000, which cost an estimated $8.7 billion. What was the name of this attack? Nimda Slammer Love Bug Code Red
Love Bug
What is one of the big challenges of cyberterrorism?
many of the prime targets are not owned and managed by the federal government and because these are not centrally controlled, it is difficult to coordinate and maintain security
What term is used to describe state-sponsored attackers that are used for launching computer attacks against their foes? nation state threats cyber military nation state actors state hackers
nation state actors
What is limiting in IS?
only those personnel who must use the data should have access to it AND the type of access they have should be limited to what those people need to perform their jobs.
Select the term that best describes automated attack software. open-source utility insider software open-source intelligence intrusion application
open-source intelligence
What are default configurations?
out-of-the-box configuration settings that are a very basic setup and are meant to be changed by the user
What is a threat?
potential events or actions that represent a danger to information assets.
What does the term "information security" mean?
protecting information from harm; the tasks of securing information that is in a digital format, whether it is manipulated by a microprocessor, preserved on a storage device, or transmitted over a network
What is information security's focus?
protecting the electronic information of enterprises and users
Which of the following describes various supporting structures for implementing security that provides a resource of how to create a secure IT environment? (Choose all that apply.) regulatory frameworks reference architectures industry-standard frameworks reference frameworks
reference architectures industry-standard frameworks
What are administrative controls?
regulating the human factors of security
What are regulatory architectures?
required by external agencies that regulate the industry
Which term is used to describe individuals who want to attack computers yet lack the knowledge of computers and networks needed to do so? cybercriminal hacker script kiddies cyberterrorist
script kiddies
Ian recently earned his security certification and has been offered a promotion to a position that requires him to analyze and design security solutions as well as identify users' needs. Which of these generally recognized security positions has Ian been offered? Security administrator Security technician Security officer Security manager
security administrator
What are the 2 categories of information security personnel who are responsible for providing protection for an enterprise like a business or nonprofit organization?
security managerial personnel, security technical personnel
Which position below is considered an entry-level position for a person who has the necessary technical skills? security technician security administrator CISO security manager
security technician
What are improperly configured accounts?
accounts set up for a user that provide more access than is necessary, such as providing total access over the entire device when the access should be more limited
What term refers to an action that provides an immediate solution to a problem by cutting through the complexity that surrounds it? unicorn approved action secure solution silver bullet
silver bullet
Security systems that are hard to understand, troubleshoot, and even feel secure about can be a thief's ally. This prompts a case for implementation of which fundamental security principle? Layering Limiting Diversity Obscurity Simplicity
simplicity
What is improper error handling in software?
software that does not properly trap an error condition and thus provides an attacker with underlying access to the system.
What are nation state actors?
state-sponsored attackers who launch computer attacks against their foes.
What process describes using technology as a basis for controlling the access and usage of sensitive data? technical controls administrative controls control diversity vendor diversity
technical controls
What are undocumented assets?
technology devices that are not documented
What is an attack vector?
the means by which an attack can occur
What does it mean to accept a risk?
the risk is acknowledged but no steps are taken to address it
What is an attack surface?
the sum of all the different attack vectors.
Why are Hardware limitations an issue in IS?
they could be exploited by an attacker who intentionally tries to consume more resources than intended.
Complete this definition of information security: That which protects the integrity, confidentiality, and availability of information __________. on electronic digital devices and limited analog devices that can connect via the internet or through a local area network through a long-term process that results in ultimate security using both open-sourced as well as supplier-sourced hardware and software that interacts appropriately with limited resources through products, people, and procedures on the devices that store, manipulate, and transmit the information
through products, people, and procedures on the devices that store, manipulate, and transmit the information
What does it mean to transfer a risk?
transfer the risk to a third party
What are technical controls?
using technology as a basis for controlling the access and usage of sensitive data
What type of diversity is being implemented if a company is using multiple security products from different manufacturers? multiple-product security manufacturer diversity vendor diversity vendor-control security
vendor diversity
How can you get diversity in IS?
vendor diversity: use security products provided by different manufacturers; control diversity: the groups responsible for regulating access to a system and those using it are different
What is a race condition?
when two concurrent threads of execution access a shared resource simultaneously, resulting in unintended consequences