Chapter 2: The Need for Security
Study online at https://quizlet.com/_4vxiou

4. information asset: the focus of information security; information that has value to the organization, and the systems that store, process, and transmit that information.

11. intellectual property (IP): the creation, ownership, and control of original ideas as well as the representation of those ideas.
15. service level agreement (SLA): a document or part of a document that specifies the expected level of service from a service provider. An SLA usually contains provisions for the minimum acceptable availability and penalties or remediation procedures for downtime.

24. competitive intelligence: the collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
25. industrial espionage: the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.
27. expert hacker ("elite hacker"): a hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Expert hackers often create the automated exploits, scripts, and tools used by other hackers.

30. novice hacker: a relatively unskilled hacker who uses the work of expert hackers to perform attacks. Also called newbies or n00bs; the category includes script kiddies and packet monkeys.

31. packet monkey: a script kiddie who uses automated exploits to engage in denial-of-service attacks.

34. professional hacker: a hacker who conducts attacks for personal financial benefit or for a criminal organization or foreign government.

36. script kiddie: a hacker of limited skill who uses expertly written software to attack a system.

37. trespass: unauthorized entry into the real or virtual property of another party.
41. brute force password attack: an attempt to guess a password by trying every possible combination of characters and numbers it could contain.

43. dictionary password attack: a variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords, possibly including attempts based on the target's personal information.

44. rainbow table: a table of hash values and their corresponding plaintext values that can be used to look up passwords if an attacker is able to steal a system's hashed password file. Precomputing the table moves the hashing work ahead of the theft; a random per-user salt defeats it, because the table was not built over salt-plus-password.
45. electrostatic discharge (ESD): static electricity. A discharge can destroy electronic components, causing millions of dollars of damage, and static charge attracts dust that sticks to products.

49. social engineering: the process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.

51. information extortion: the act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
53. vandalism on a website: damages can range from loss of consumer confidence to diminished sales, net worth, and reputation for the organization.

58. boot virus ("boot sector virus"): a virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
62. non-memory-resident virus ("non-resident virus"): a virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in the host's operating system or memory after execution.

63. polymorphic threat: malware (a virus or worm) that over time changes the way it appears to antivirus software, making it undetectable by techniques that look for preconfigured signatures.

65. Trojan horse: a malware program that hides its true nature and reveals its designed behavior only when activated.

69. zero-day attack: an attack that exploits a vulnerability, or uses malware, not yet known to the vendor or to the anti-malware software companies, so no patch or signature exists for it.
70. vector: IP scan and attack: the infected system scans a range of IP addresses and service ports and targets several vulnerabilities known to hackers or left over from other exploits.

71. vector: web browsing: if the infected system has write access to any web pages, it makes all web content files infectious. Users who browse to those pages infect their computers.

72. vector (name missing from the export): each affected machine infects common executable or script files on all computers to which it can write, which spreads the virus code to cause further infection.

73. vector: unprotected shares: using vulnerabilities in file systems and in the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.

75. vector: Simple Network Management Protocol (SNMP): SNMP is used for remote management of network and computer devices. By using the widely known and common passwords that were employed in early versions of the protocol, the attacking program can gain control of the device.
80. mail bomb: an attack designed to overwhelm the receiver with excessive quantities of e-mail.

82. Domain Name System (DNS) cache poisoning ("DNS spoofing"): the intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations.

84. packet sniffer (sniffer): a software program or hardware appliance that can intercept, copy, and interpret network traffic.

89. mean time between failure (MTBF): the average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

90. mean time to diagnose (MTTD): the average amount of time a computer repair technician needs to determine the cause of a failure.

91. mean time to failure (MTTF): the average amount of time until the next hardware failure.
93. buffer overrun ("buffer overflow"): an application error that occurs when more data is sent to a program buffer than it is designed to handle.

94. command injection: an application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.

95. cross-site scripting (XSS): a web application fault that occurs when an application running on a web server inserts attacker-supplied script into a page delivered to a user's browser; when the script runs in the user's session it can send information such as session cookies to a hostile server.

97. Secure Sockets Layer (SSL): a protocol used to encrypt sensitive data in transit, such as credit card numbers. SSL has since been deprecated; its successor is TLS.
Information Security - Chapter 2
Study online at https://quizlet.com/_2fuek2
9. service level agreement (SLA): a document or part of a document that specifies the expected level of service from a service provider; usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.

12. competitive intelligence: the collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.

13. industrial espionage: the collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying, which is distinguished from espionage for national security reasons.

21. information extortion: the act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information; aka cyberextortion.
Chapter 2 Review
Study online at https://quizlet.com/_2gzujy
9. Threat Agent: A person or other entity that may cause a loss in an asset's value.

11. Intellectual Property (IP): The creation, ownership, and control of original ideas as well as the representation of those ideas.

(term missing from the export): The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

24. Competitive Intelligence: The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
25. Industrial Espionage: The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.

27. Expert Hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information. Also known as elite hackers, expert hackers often create automated exploits, scripts, and tools used by other hackers.

30. Novice Hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks. Also known as a neophyte, n00b, or newbie. This category of hackers includes script kiddies and packet monkeys.

31. Packet Monkey: A script kiddie who uses automated exploits to engage in denial-of-service attacks.
34. Professional Hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government. Not to be confused with a penetration tester.

36. Script Kiddie: A hacker of limited skill who uses expertly written software to attack a system. Also known as skids, skiddies, or script bunnies.
43. Dictionary Password Attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.

44. Rainbow Table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's hashed password file.
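The dictionary password attack and rainbow table cards (here and in the first Chapter 2 set) describe the attacks in prose. The Python below is an added example, not from the flashcards or the textbook they summarize: it runs a dictionary attack against an unsalted SHA-256 password file, then replaces per-guess hashing with a precomputed hash-to-plaintext lookup table (the idea a rainbow table compresses into hash chains), and finally shows that a random per-user salt makes the precomputed table useless. The usernames, passwords, and wordlist are constructed for the demo.

```python
"""Dictionary attack, precomputed lookup table, and the salt that defeats it.
Added example; the credentials and wordlist below are constructed, not real."""
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed attacker wordlist and a constructed "stolen password file" of
# unsalted SHA-256 digests, the storage pattern a rainbow table exploits.
WORDLIST = ["password", "123456", "letmein", "qwerty", "summer2020", "dragon"]
STOLEN_UNSALTED: Dict[str, str] = {
    "alice": hashlib.sha256(b"letmein").hexdigest(),
    "bob": hashlib.sha256(b"summer2020").hexdigest(),
    "carol": hashlib.sha256(b"x7!Qf#9pLz").hexdigest(),  # not in the wordlist
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target_hash: str, wordlist) -> Optional[str]:
    """Guessing per target: one hash computation per candidate word."""
    for word in wordlist:
        if sha256_hex(word.encode()) == target_hash:
            return word
    return None


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> plaintext once, before any file is stolen. A real
    rainbow table stores this far more compactly as hash chains; the lookup
    idea is the same."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_with_table(stolen: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Every stolen digest is resolved by a dictionary lookup, no hashing at all."""
    return {user: table.get(digest) for user, digest in stolen.items()}


def hash_with_salt(password: str, salt: bytes) -> str:
    """Salt is random per user and stored next to the digest; it is not secret."""
    return sha256_hex(salt + password.encode())


def make_salted_file(creds: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Defender side: username -> (salt hex, digest of salt||password)."""
    out: Dict[str, Tuple[str, str]] = {}
    for user, password in creds.items():
        salt = os.urandom(16)
        out[user] = (salt.hex(), hash_with_salt(password, salt))
    return out


def crack_salted_with_table(salted: Dict[str, Tuple[str, str]], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """The table was built over bare words, so it never matches salt||password.
    The attacker is back to hashing each guess separately for each user."""
    return {user: table.get(digest) for user, (_, digest) in salted.items()}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("dictionary:", {u: dictionary_attack(h, WORDLIST) for u, h in STOLEN_UNSALTED.items()})
    print("lookup table:", crack_with_table(STOLEN_UNSALTED, table))
    print("salted file vs table:", crack_salted_with_table(make_salted_file({"alice": "letmein"}), table))
```

Salting only removes the precomputation advantage; a weak password is still found by per-user guessing. Real password stores should therefore use a deliberately slow, salted key derivation function (bcrypt, scrypt, Argon2, or PBKDF2) rather than a single fast hash; plain SHA-256 is used here only to keep the demonstration short.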
48. Social Engineering: The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.

50. Information Extortion: The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
52. Cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.

55. Boot Virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.

59. Non-memory-resident Virus: A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing. Also known as a non-resident virus.
60. Polymorphic Threat: Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
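The polymorphic threat card (here and in the first Chapter 2 set) says such malware defeats signature matching by changing its appearance. The Python below is an added example, not from the flashcards, that makes this concrete with a toy: a fixed byte signature, a mutation step that re-encodes the same payload with a fresh XOR key every generation, and a second scanner that undoes the encoding before matching, which is the idea behind unpacking and emulation in real antivirus engines. The payload bytes, the signature, and the `POLY` container layout are all constructed for the demo.

```python
"""Why a fixed byte signature misses a polymorphic sample, and how unpacking
before matching recovers detection. Added example with a constructed payload."""
import os
from typing import Optional, Tuple

# Constructed stand-in for a virus body, and the byte pattern the signature
# scanner was written to look for inside it.
PAYLOAD = b"\x90\x90CALL evil(); EXFIL_TO 203.0.113.5\x00"
SIGNATURE = b"EXFIL_TO 203.0.113.5"

# Constructed container for a mutated sample: MAGIC | 1-byte key | xor(payload, key)
MAGIC = b"POLY"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def mutate(payload: bytes, key: Optional[int] = None) -> bytes:
    """Emit a new generation: identical behaviour once decoded, different bytes
    on disk. A real polymorphic engine also rewrites its decoder stub; here the
    stub is the fixed MAGIC tag so the demo stays readable."""
    if key is None:
        key = os.urandom(1)[0] or 1     # key 0 would leave the bytes unchanged
    return MAGIC + bytes([key]) + xor_bytes(payload, key)


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature match: substring search over the raw bytes."""
    return signature in sample


def unpacking_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Recognise the container, undo the encoding, then match. This targets the
    part of the sample that cannot change (the decoded body) instead of the
    outer layer that changes every generation."""
    if signature in sample:
        return True
    if sample.startswith(MAGIC) and len(sample) > len(MAGIC) + 1:
        key = sample[len(MAGIC)]
        return signature in xor_bytes(sample[len(MAGIC) + 1:], key)
    return False


def detection_rates(generations: int = 50) -> Tuple[int, int]:
    """(static hits, unpacking hits) over N freshly mutated generations."""
    samples = [mutate(PAYLOAD) for _ in range(generations)]
    return sum(static_scan(s) for s in samples), sum(unpacking_scan(s) for s in samples)


if __name__ == "__main__":
    static_hits, unpack_hits = detection_rates()
    print(f"static signature caught {static_hits}/50, unpacking scanner caught {unpack_hits}/50")
```

The lesson generalizes: a detection that keys on bytes the author can vary freely is brittle, while one that keys on what the code must do to run (decode itself, contact its server) survives re-encoding, at the cost of having to recognise or emulate the decoder.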
61. Spyware: Any technology that aids in gathering information about people or organizations without their knowledge.

62. Trojan Horse: A malware program that hides its true nature and reveals its designed behavior only when activated.

70. Mail Bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
72. Domain Name System (DNS) Cache Poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations. Also known as DNS spoofing.

74. Packet Sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.

78. Mean Time Between Failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.

79. Mean Time to Diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure.

80. Mean Time to Failure (MTTF): The average amount of time until the next hardware failure.
81. Mean Time to Repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.

82. Buffer Overrun/Buffer Overflow: An application error that occurs when more data is sent to a program buffer than it is designed to handle.

83. Command Injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
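The command injection card (here and in the first Chapter 2 set) describes the fault in one sentence. The Python below is an added example, not from the flashcards, showing the vulnerable pattern (user input spliced into a shell command string, so the shell interprets the attacker's `;`) next to the fix (allow-list validation of the input and an argument vector passed to `subprocess.run` without a shell). The `ping this host` feature and its inputs are constructed; `shell_would_run` only models how `sh` would split the string and never executes it.

```python
"""Command injection: vulnerable string-built shell command beside the fix.
Added example; the 'ping this host' feature and its inputs are constructed."""
import re
import shlex
import subprocess
from typing import List

BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; cat /etc/passwd"   # constructed attacker input

# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined
# by dots, no leading hyphen (so it also rejects option injection like "-f").
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_vulnerable_command(host: str) -> str:
    """The flaw: user text becomes part of a string a shell will parse, so shell
    metacharacters in it are syntax, not data. Passing this to
    subprocess.run(cmd, shell=True) or os.system(cmd) is the vulnerable call."""
    return f"ping -c 1 {host}"


def shell_would_run(command: str) -> List[List[str]]:
    """Model of how sh splits the string: one argv per ';'-separated command.
    Used here to show the smuggled command without executing anything."""
    return [shlex.split(part) for part in command.split(";") if part.strip()]


def validate_host(host: str) -> str:
    """Allow-list validation. Reject, do not 'sanitise': stripping characters
    leaves the attacker free to find the one you forgot."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def is_rejected(host: str) -> bool:
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def build_safe_argv(host: str) -> List[str]:
    """The fix: validated input travels as a single argv element and the
    command runs with shell=False, so nothing re-parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Real invocation path (needs a network; not exercised by the checks)."""
    return subprocess.run(build_safe_argv(host), capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    for host in (BENIGN_HOST, HOSTILE_HOST):
        print(repr(host), "-> shell would run:", shell_would_run(build_vulnerable_command(host)))
        print(repr(host), "-> rejected by allow-list:", is_rejected(host))
```

The same shape applies to any interpreter the card mentions: SQL, LDAP filters, template engines. The durable fix is never "escape the dangerous characters" but "keep user data out of the parsed string", with validation as a second layer.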
Chapter 3 - Legal Ethical and Professional Issues in Information Security
Study online at https://quizlet.com/_a8omp5
10. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
Answer: Financial Services Modernization Act

15. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not. True/False
Answer: False

16. What is the subject of the Computer Security Act?
Answer: Federal Agency Information Security
19. Since it was established in January 2001, every FBI field office has established an InfraGard program to collaborate with public and private organizations and the academic community. T/F
Answer: True

22. Laws and policies and their associated penalties only deter if which of the following conditions is present?
Answer: All of the above: probability of the penalty being administered; probability of being caught; fear of the penalty

24. Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?
Answer: Computer Fraud and Abuse Act of 1986

25. The ______________ defines stiffer penalties for prosecution of terrorist crimes.
Answer: USA PATRIOT Act

27. Key studies reveal that legal penalties are the overriding factor in leveling ethical perceptions within a small population. T/F
Answer: False

31. Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective. T/F
Answer: True
... have been committed for each of the following except _________________.

39. Which of the following countries reported the least tolerant attitudes toward personal use of organizational computing resources?
Answer: Singapore

47. The ____________ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
Answer: Security and Freedom through Encryption Act
Chapter 3 - Legal, Ethical, and Professional Issues in Information Security
Study online at https://quizlet.com/_fzjyz

13. Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry (territorial).
14. Long arm jurisdiction: the right of any court to impose its authority over an individual or organization if it can establish jurisdiction (by minimum contacts).

19. Computer Security Act of 1987: one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

21. USA PATRIOT Act of 2001: a US federal law designed to strengthen the federal government's ability to investigate, prosecute, and seize the assets of terrorists.

22. USA PATRIOT Improvement and Reauthorization Act: made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity.
23. This is one of the hottest topics in info security: Privacy

25. Federal Privacy Act of 1974: regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission.

27. What does HIPAA stand for? Health Insurance Portability and Accountability Act of 1996
33. Fixed-medium: copyright is a form of protection grounded in the U.S. Constitution and granted by law for original works of authorship fixed in a tangible medium of expression.
36. World Trade Organization: administers the rules governing trade between its 144 members. Helps producers, importers, and exporters conduct their business and ensures that trade flows smoothly.

37. What is the WTO's mechanism? It outlines requirements for governmental oversight and legislation of WTO member countries to provide minimum levels of protection for intellectual property.

39. Ethics and Info Security: IT and IT security do not have binding codes of ethics. Professional associations and certification agencies work to establish the profession's ethical codes of conduct.

41. Deterrence - best method: there are three general causes of unethical and illegal behavior:
- ignorance
- accident
- intent
46. How does the National InfraGard serve its members?
1. Maintains an intrusion alert network using encrypted e-mail
2. Maintains a secure Web site for communication about suspicious activity or intrusions

48. Rand Report 609: a single paper sponsored by the DOD, which attempted to define multiple controls and mechanisms necessary for the protection of a multilevel computer system.
Information Security and Risk Management
Study online at https://quizlet.com/_861xaz
d. Countermeasures
... and the additional safeguards that mitigate this impact. Assets, threats, and vulnerabilities are part of a risk analysis exercise.

6. Unacceptable risk is which of the following?
1. Attacker's cost < gain
2. Loss anticipated > threshold
3. Attacker's cost > gain
4. Loss anticipated < threshold
a. 1 and 2
b. 2 and 3
c. 1 and 4
d. 3 and 4
Answer: a. 1 and 2. Unacceptable risk is a situation where an attacker's cost is less than the gain and where the loss anticipated by an organization is greater than its threshold level. Choice (d) results in accepting the risk. The organization's goals should be to increase the attacker's cost and to reduce the organization's loss.
c. Risk assessment
d. Risk management
a. ... vulnerability
b. Threat plus attack
c. Threat plus vulnerability
d. Threat plus breach
... cause harm. It is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. An attack is an attempt to violate data security. A risk is the probability that a particular threat will exploit a particular vulnerability of a system. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat. A breach is the successful circumvention or disablement of a security control, with or without detection, which, if carried to completion, could result in a penetration of the system.
d. Risk containment

b. Impact minus frequency of occurrence
c. Impact plus frequency of occurrence
d. Impact divided by frequency of occurrence
... cannot be specified accurately, it is only possible to approximate the loss with an annual loss exposure, which is the product of the estimated impact in dollars and the estimated frequency of occurrence per year. The product of the impact and the frequency of occurrence is the statement of loss.
21. Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?
a. Risk assessment audits
b. The Delphi method
c. Expert systems
d. Scenario-based threats
Answer: b. The Delphi method. The Delphi method is a group decision-making technique. The rationale for using it is that it is sometimes difficult to get consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained. Risk assessment audits (choice a) are incorrect because these audits do not provide the same consensus as reached by a group of experts in the Delphi method; usually, audits are performed by one or two individuals, not by groups. Expert systems (choice c) are incorrect because an expert system is a computer-based system developed with the knowledge of human experts; it does not reach a consensus the way a group of people does. Scenario-based threats (choice d) are incorrect because, although possible threats are identified from scenarios by a group of people, this does not produce the same consensus as the Delphi method. The iterative process of submitting results and comments makes the Delphi method more useful than the other methods.
a. Measuring risk
b. Selecting appropriate safeguards
c. Implementing and testing safeguards
d. Accepting residual risk
... risk to an acceptable level (risk mitigation). Therefore, measuring risk is part of risk assessment. Choices (b) through (d) are incorrect because they are elements of risk mitigation. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards and evaluating the controls; and determining whether the residual risk is acceptable.
... a risk management process?
a. Risk identification
b. Risk assessment
c. Risk mitigation
d. Risk maintenance
Answer: b. Risk assessment. Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities: (1) determining the assessment's scope and methodology, (2) collecting and synthesizing data, and (3) interpreting the risk. A risk assessment can focus on many different areas, such as the technical and operational controls to be designed into a new application, the use of telecommunications, a data center, or an entire organization. Because of the nature of its scope and extent, risk assessment is the most difficult to accomplish. Risk identification and maintenance (choices a and d) are not the most difficult to accomplish since they are by-products of the risk assessment process. Risk mitigation (choice c) involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Again, risk mitigation comes after the completion of the risk assessment process.
29. Which of the following is an optional requirement for organizations?
a. Policies
b. Procedures
c. Standards
d. Guidelines
Answer: d. Guidelines. Guidelines assist users, systems personnel, and others in effectively securing their systems. Guidelines are suggestive and are not compulsory within an organization.
... specifications
d. Employee names
... secret category since they are somewhat public information, requiring protection from recruiters.

35. What should be done when an employee leaves an organization?
a. Review of recent performance evaluation
b. Review of human resource policies
c. Review of non-disclosure agreements
d. Review of organizational policies
Answer: c. Review of non-disclosure agreements. When an employee leaves an organization, he should be reminded of the nondisclosure agreements that he signed upon hiring. This agreement includes measures to protect confidential and proprietary information such as trade secrets and inventions.
38. Which of the following security goals is meant for "intended uses only"?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
Answer: c. Availability. Availability is for intended uses only and not for any other uses.

... use only
d. Secret
47. A common technique for making an organization's IS security policies more useful is to distinguish between:
a. Policies and procedures
b. Policies and guidelines
c. Principles and practices
d. Policies and standards
Answer: b. Policies and guidelines. Policies generally outline fundamental requirements that top management considers to be imperative, while guidelines provide more detailed rules for implementing the broader policies. Guidelines, while encouraged, are not considered to be mandatory.
... received appropriate attention by senior management of an organization?
a. Establish a technical-level committee
b. Establish a policy-level committee
c. Establish a control-level committee
d. Establish a senior-level committee
... information technology issues, including information security, receive appropriate attention.
51. To ensure that IS security policies serve as the foundation of information systems security programs, organizations should link:
a. policies to standards
b. policies to business risks
c. policies to procedures
d. policies to controls
Answer: b. policies to business risks. Developing a comprehensive set of policies is the first step in establishing an organization-wide security program. The policy should be linked to business risks and adjusted on a continuing basis to respond to newly identified risks or areas of misunderstanding.

52. A useful technique for impressing on users the importance of organization-wide IS security policies is:
a. Making policies available through the Internet
b. Ensuring policies are available through physical bulletin boards
c. Requiring a signed statement from all users that they have read the policies
d. Ensuring policies are available through electronic bulletin boards
Answer: c. Requiring a signed statement from all users that they have read the policies. A statement is required from new users at the time access to information system resources is first provided, and from all users periodically, usually once a year. Requiring a signed statement can serve as a useful technique for impressing on users the importance of understanding organizational policies. In addition, if a user is later involved in a security violation, the statement can serve as evidence that he had been informed of organizational policies.
... are not defined in terms of which of the following?
a. The value of having an application system
b. The cost of developing and maintaining an application system
c. The value of having the needed information
d. The cost of not having an application system
Answer: b. The cost of developing and maintaining an application system. They are largely defined in terms of the value of having, or the cost of not having, an application system or needed information.
... program should be the responsibility of:
a. Functional users
b. Internal auditors
c. Data processors
d. External auditors
Answer: a. Functional users. Functional users own the data in computer systems. Therefore, they have an undivided interest and responsibility in establishing a data ownership program. Choices (b) and (d) are incorrect because internal and external auditors have no responsibility for establishing a data ownership program, even though they may recommend one. Choice (c) is incorrect because data processors are custodians of the users' data.
... planning for such training?
a. Job categories
b. Job functions
c. Specific systems
d. Specific vendors
... systems planning
... to accomplish these plans. Tactical planning (choice b) identifies, schedules, manages, and controls the tasks necessary to accomplish individual computing resource activities, using a shorter planning horizon than strategic planning. It involves planning projects, acquisitions, and staffing. Operational planning (choice c) integrates tactical plans and support activities and defines the short-term tasks that must be accomplished to achieve the desired results.
... industry (i.e., external environment). Choices (a), (b), and (c) are examples of IT approaches to augment the development of strategic plans and include enterprise IT models, work process redesign, and business systems planning. Enterprise models (choice a) provide a means for examining the current environment. They do not foster the development of an organizational direction (i.e., mission, vision). Hence, they do not meet the criteria for strategic planning. Choice (b) is incorrect. Work process redesign is synonymous with the following concepts: business reengineering, business process improvement, and business process design. This approach helps managers to define relationships and activities within the organization. Choice (c) is incorrect. Business systems planning is used to identify information requirements, but does not consider strategic methodologies. Information planning approaches do not study organizational cultural issues or provide a strategic work focus.
... framework for daily activity. The focus of operational plans is on achieving service objectives. Tactical plans span approximately one year's time. Tactical plans address a detailed view of IT activities and focus on how to achieve IT objectives. Tactical plans include budgetary information detailing the allocation of resources or funds assigned to IT components. Often, the budget is the basis for developing tactical plans. The scope of an IT tactical plan includes budget plans (choice a), application system development and maintenance plans (choice b), and technical support plans (choice c).
... of the following is the correct sequence of steps involved in the staffing process?
1. Determining the sensitivity of the position
2. Defining the job duties
3. Filling the position
4. Determining the access levels
a. 1, 2, 3, 4
b. 2, 4, 3, 1
c. 2, 4, 1, 3
d. 1, 4, 2, 3
Answer: ... position (Step 4). Knowledge of the job duties and access levels that a particular position will require is necessary for determining the sensitivity of the position. The responsible supervisor should correctly identify position sensitivity levels so that appropriate, cost-effective screening can be completed (Step 1). Once a position's sensitivity has been determined, the position is ready to be staffed. Background screening helps determine whether a particular individual is suitable for a given position (Step 3).
73. If manual controls over program changes were weak, which of the following controls would be effective?
a. Automated software management
b. Written policies
c. Written procedures
d. Written standards
Answer: Automated software management
Choice (a) is the correct answer. In general, automated controls compensate for the weaknesses in or lack of manual controls. An automated software management system helps in strengthening controls by moving programs from production to test libraries and back. It minimizes human errors in moving wrong programs or forgetting to move the right ones. Written policies, procedures, and standards are equally necessary in manual and automated environments.
75. Software configuration management should primarily address which of the following questions?
a. How software evolves during system development?
b. How software evolves during system maintenance?
c. What constitutes a software product at any point in time?
d. How a software product is planned?
Answer: What constitutes a software product at any point in time?
Choice (c) is the correct answer. Software configuration management (SCM) is a discipline for managing the evolution of computer products, both during the initial stages of development and through to maintenance and final product termination. Visibility into the status of the evolving software product is provided through the adoption of SCM on a software project. Software developers, testers, project managers, quality assurance staff, and the customer benefit from SCM information. SCM answers the following questions: (1) What constitutes the software product at any point in time? (2) What changes have been made to the software product? How a software product is planned, developed, or maintained does not matter because it describes the history of a software product's evolution (choices a, b, and d).
77. Which of the following areas of software configuration management is executed last?
a. Identification
b. Change control
c. Status accounting
d. Audit
Answer: Audit
Choice (d) is the correct answer. There are four elements of configuration management. The first element is configuration identification (choice a), consisting of selecting the configuration items for a system and recording their functional and physical characteristics in technical documentation. The second element is configuration change control (choice b), consisting of evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. The third element is configuration status accounting (choice c), consisting of recording and reporting of information that is needed to manage a configuration effectively. The fourth element is software configuration audit (choice d), consisting of periodically performing a review to ensure that the SCM practices and procedures are rigorously followed. Auditing is performed last after all the elements are in place to determine whether they are properly working.
Information Security - Chapter 3
Study online at https://quizlet.com/_c49m1d
4. Impact: The damage that the event caused to the asset and/or organization
13. Quantitative Risk Assessment: A risk assessment that uses specific monetary amounts to identify cost and asset value. It then uses the SLE and ARO to calculate the ALE.
14. Qualitative Risk Assessment: A risk assessment that uses judgment to categorize risks. It is based on impact and likelihood of occurrence.
15. AV: Asset Value
21. Preventive Controls: Controls that stop threats from compromises and successful attacks
22. Corrective Controls: Controls that reduce/remove a threat from a system. Think incident response and forensics
23. Deterrent Controls: Controls that warn about risky behaviors, but still allow the behavior to occur
26. Zero-Day Vulnerability: Software vulnerability that has been previously unreported and for which no patch yet exists
32. Attack Vector: The path or means by which an attacker gains access to a computer.
Chapter 4 Information security
Study online at https://quizlet.com/_c02zz0
Information Security - Chapter 4
Study online at https://quizlet.com/_c4a4kt
2. Consensus/Social Proof: Using the position that "everyone else has been doing it"
13. Urgency: Creating a sense of urgency where you don't have time to think
16. Arbitrary/remote code execution: An attack that allows an attacker to run programs and execute commands on a different computer.
17. Buffer Overflow: A technique for crashing by sending too much data to the buffer in a computer's memory
19. Cookies and Attachments: Using cookies or other attachments (or the information they contain) to compromise security.
20. Cross-Site Scripting (XSS): An attack that injects scripts into a Web application server to direct attacks at clients.
21. Cross-Site Request Forgery (XSRF): An attack that uses the user's Web browser settings to impersonate the user.
23. Header Manipulation: Uses other methods (hijacking, cross-site forgery, and so forth) to change values in HTTP headers and falsify access.
28. Business Impact Analysis (BIA): A process that helps an organization identify critical systems and components that are essential to the organization's success.
29. Recovery Point Objective (RPO): The amount of data the organization is willing to reenter or potentially lose
30. Recovery Time Objective (RTO): The length of time it will take to recover the data that has been backed up.
Chapter 5: Planning for Security
Study online at https://quizlet.com/_a4imsw
...THE INCIDENT
Sequential or hierarchical
After-Action Review
28. Contingency Planning Process:
-Identify mission or business critical functions
-Identify resources to support critical functions
-Anticipate potential contingencies or disasters
-Select contingency planning strategies
-Implement contingency strategies
-Test and revise the strategy
Principles of Information Security - Chapter 9 Physical Security
Study online at https://quizlet.com/_7f12d4
1. SOPs (standard operating procedures): Most guards have clear ____ that help them to act decisively in unfamiliar situations.
3. PROGRAMMABLE: ____ locks can be changed after they are put in service, allowing for combination or key changes without a locksmith and even allowing the owner to change to another access method (key or combination) to upgrade security.
6. CONTACT AND WEIGHT: ____ sensors work when two contacts are connected as, for example, when a foot steps on a pressure-sensitive pad under a rug, or a window being opened triggers a pin-and-spring sensor.
7. PLENUM: Interior walls reach only part way to the next floor, which leaves a space above the ceiling of the offices but below the top of the storey. This space is called a(n) ____.
10. PHOTOELECTRIC: ____ sensors project and detect an infrared beam across an area.
14. WATER MIST: ____ sprinklers are the newest form of sprinkler systems and rely on ultra-fine mists instead of traditional shower-type systems.
17. UPS: A device that assures the delivery of electric power without interruption is a(n) ____.
19. LINE-INTERACTIVE: In the ____ UPS, the internal components of the standby models are replaced with a pair of inverters and converters.
20. REMOTE SITE COMPUTING: ____ involves a wide variety of computing sites that are distant from the base organizational facility and includes all forms of telecommuting.
29. FIREWALLS: Building codes require that each floor have a number of ____, or walls that limit the spread of damage should a fire break out in an office.
32. FLAME: The ____ detector is a sensor that detects the infrared or ultraviolet light produced by an open flame.
38. NOISE: Interference with the normal pattern of the electrical current is also referred to as ____.
Information Security chapter 9
Study online at https://quizlet.com/_7h2285
10. fail-secure lock: an electromechanical device that stays locked and maintains the security of the control point if a power outage occurs
11. identification (ID) card: a document used to verify the identity of a member of an organization, group, or domain
12. mantrap: a small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt
13. mechanical lock: a physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock
20. air-aspirating detector: a fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken.
a fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment
22. deluge system: a fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated.
23. dry-pipe system: a fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area
24. fire suppression system: devices that are installed and maintained to detect and respond to a fire, potential fire, or combustion danger
25. fixed-temperature sensor: a fire detection sensor that works by detecting the point at which the ambient temperature in an area reaches a predetermined level
26. flame detector: a fire detection system that works by detecting the infrared or ultraviolet light produced by an open flame
27. gaseous (or chemical gas) emission systems: fire suppression systems that operate through the delivery of gasses rather than water
28. ionization sensor: a fire detection sensor that works by exposing the ambient air to a small amount of a harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber
31. rate-of-rise sensor: a fire detection sensor that works by detecting an unusually rapid increase in the area temperature within a relatively short period of time
32. smoke detection system: a category of fire detection system that focuses on detecting the smoke from a fire
33. sprinkler system: a fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected
34. thermal detection system: a category of fire detection systems that focuses on detecting the heat from a fire
35. water mist sprinkler: a fire suppression sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a flame
36. wet-pipe system: a fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area
37. electrostatic discharge (ESD): The release of ambient static electricity into a ground
42. double conversion online UPS: a UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.
43. ground fault circuit interruption: a special circuit device designed to immediately disconnect a power supply when a sudden discharge (ground fault) is detected
46. Standby ferroresonant UPS: a UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered
47. standby (or offline) UPS: an offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down
51. virtual organization: a group of people brought together for a specific task, usually from different organizations, divisions, or departments
Information security chapter 9
Study online at https://quizlet.com/_6f1zvi
6. mechanical lock: A physical lock that may rely on either a key or numerical combination to rotate tumblers and release the hasp. Also known as a manual lock.
10. biometric lock: A lock that reads a unique biological attribute such as a fingerprint, iris, retina, or palm and then uses that input as a key.
11. closed circuit television (CCTV): A video capture and recording system used to monitor a facility.
12. mantrap: A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.
13. Fail-secure lock: An electromechanical device that stays locked and maintains the security of the control point if a power outage occurs.
19. thermal detection system: a category of fire detection systems that focuses on detecting the heat from a fire
20. Fire suppression system: Devices that are installed and maintained to detect and respond to a fire, potential fire, or combustion danger.
21. Fixed-temperature sensors: A fire detection sensor that works by detecting the point at which the ambient temperature in an area reaches a predetermined level.
22. Photoelectric sensors: A fire detection sensor that works by projecting an infrared beam across an area. If the beam is interrupted, presumably by smoke, the alarm or suppression system is activated.
23. rate-of-rise sensor: A fire detection sensor that works by detecting an unusually rapid increase in the area temperature within a relatively short period of time.
24. Smoke detection systems: a category of fire detection systems that focuses on detecting the smoke from a fire
25. Ionization sensors: A fire detection sensor that works by exposing the ambient air to a small amount of harmless radioactive material within a detection chamber; an alarm is triggered when the level of electrical conductivity changes within the chamber.
26. Air-aspirating detectors: A fire detection sensor used in high-sensitivity areas that works by taking in air, filtering it, and passing it through a chamber that contains a laser beam. The alarm triggers if the beam is broken.
27. flame detector: a fire detection system that works by detecting the infrared or ultraviolet light produced by an open flame
28. Deluge systems: a fire suppression sprinkler system that keeps all individual sprinkler heads open and applies water to all areas when activated.
29. Wet Pipe System: a fire suppression sprinkler system that contains pressurized water in all pipes and has some form of valve in each protected area.
30. dry-pipe system: A fire suppression sprinkler system that has pressurized air in all pipes. The air is released in the event of a fire, allowing water to flow from a central area.
31. sprinkler systems: A fire suppression system designed to apply a liquid, usually water, to all areas in which a fire has been detected.
32. pre-action system: A fire suppression sprinkler system that employs a two-phase response to a fire. When a fire is detected anywhere in the facility, the system will first flood all pipes, then activate only the sprinkler heads in the area of the fire.
33. Water mist sprinklers: A fire suppression water sprinkler system that relies on ultra-fine mists to reduce the ambient temperature below that needed to sustain a fire.
34. clean agent: A fire suppression agent that does not leave any residue after use or interfere with the operation of electrical or electronic equipment.
35. gaseous (or chemical gas) emission systems: Fire suppression systems that operate through the delivery of gases rather than water
39. standby or offline UPS: An offline battery backup that detects the interruption of power to equipment and activates a transfer switch that provides power from batteries through a DC to AC converter until normal power is restored or the computer is shut down.
40. Ground Fault Circuit Interruption: a special circuit device designed to immediately disconnect a power supply when a sudden discharge (ground fault) is detected
41. electrostatic discharge (ESD): The release of ambient static electricity into a ground.
42. Standby ferroresonant UPS: A UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferroresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that may be present in the power as it is delivered.
45. Double conversion online UPS: A UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.
50. virtual organization: A group of people brought together for a specific task, usually from different organizations, divisions, or departments
Cyber Security Essentials Module 1
Study online at https://quizlet.com/_9t8tcj
5. data security: The process of keeping data, both in transit and at rest, safe from unauthorized access, alteration, or destruction
7. CIA triad (Confidentiality, Integrity, Availability): The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
8. CNSS model of information security
12. Passive Attack: Attack where the attacker does not interact with processing or communication activities, but only carries out observation and data collection, as in network sniffing.
15. Direct Attack: a hacker using a PC to break into a system. Direct attacks originate from the threat itself.
21. Protection profile or security posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.
22. security program: those procedures and activities designed to protect the property or assets of guests, employees, and the business
24. Subjects and objects of attack: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
25. Threat: Any event or circumstance that has the potential to adversely affect operations and assets
26. Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent.
31. Availability of information: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
32. Accuracy of information: An attribute of information that describes how data is free of errors and has the value that the user expects.
37. Utility of information: An attribute of information that describes how data has value or usefulness for an end purpose.
38. Possession of information: An attribute of information that describes how the data's ownership or control is legitimate or authorized.
41. Information System: The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization
42. Physical Security: The protection of physical items, objects, or areas from unauthorized access and misuse.
48. Waterfall Model: an SDLC approach that assumes the phases can be completed sequentially with no overlap
50. Economy of mechanism: The design of security measures embodied in both hardware and software should be as simple and small as possible
51. Fail-safe defaults: Base access decisions on permission rather than exclusion
52. Complete mediation: Every access must be checked against the access control mechanism
53. Open design: The design should not be secret, but rather depend on the possession of keys or passwords.
55. Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job
58. NIST Approach to Securing the SDLC: Each phase of the SDLC should include consideration for the security of the system being assembled as well as the information it uses.
59. Initiation Phase of NIST: security considerations are key to diligent and early integration, thereby ensuring that threats, requirements, and potential constraints in functionality and integration are considered.
62. Chief Information Security Officer (CISO): Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
63. information security project team: should consist of a number of individuals who are experienced in one or multiple facets of the required technical and nontechnical areas.
65. Data owners: Members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.
66. Data custodians: Working directly with data owners, data custodians are responsible for the information and the systems that process, transmit, and store it. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
67. Data users: Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
69. Information assets: The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
70. primary mission of an information security program: ensure that information assets—information and the systems that house them—remain safe and useful
75. Database Security: A subset of information security that focuses on the assessment and protection of information stored in data repositories like database management systems and storage media.
83. industrial espionage: The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage. Also known as corporate spying, which is distinguished from espionage for national security reasons.
86. hacker: A person who accesses systems and information without authorization and often illegally.
90. Dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
91. Rainbow Tables: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
93. Social Engineering: The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.
95. Phishing: A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
97. Information extortion: The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
106. non-memory-resident viruses: A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing.
107. binary executables: these are programs that were originally created as a text file using a programming language.
109. IP Scan and Attack: The infected system scans a range of IP addresses and service ports and targets several vulnerabilities known to hackers or left over from previous exploits, such as Code Red, Back Orifice, or PoizonBox.
110. web browsing: If the infected system has write access to any Web pages, it makes all Web content files infectious, so that users who browse to those pages become infected
... users, whose mail-reading programs automatically run the virus program and infect even more systems.
114. Simple Network Management Protocol (SNMP) Attack: SNMP is used for remote management of network and computer devices. By using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.
117. Trojan horses: malware program that hides its true nature and reveals its designed behavior only when activated.
118. polymorphic threat: Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
122. denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target's ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
124. mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
125. packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.
128. Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations. Also known as DNS spoofing.
131. mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
15 / 16
Cyber Security Essentials Module 1
Study online at https://quizlet.com/_9t8tcj
132. mean time to fail- The average amount of time expected until the first failure
ure (MTTF) of a piece of equipment.
133. buffer overruns (buffer overflows): an application error that occurs when more data is sent to a program buffer than it is designed to handle; in memory-unsafe languages the excess overwrites adjacent memory, which an attacker can use to corrupt data or redirect execution.
134. catching exceptions: a program throws (raises) an exception when it detects a condition it cannot handle in its normal flow; when other code deals with that exception, it is said to catch or handle it.
135. command injection: an application error that occurs when user input is passed directly to a compiler or interpreter (such as a shell) without screening for content that may disrupt or compromise the intended function.
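The command-injection card, as an added Python example that is not part of the flashcards. The interpreter that receives the unscreened input is /bin/sh; `echo` stands in for a real tool such as ping or nslookup so the demonstration is harmless. The vulnerable function splices the input into a command line, the argv-only version keeps the input out of any shell, and the hardened version adds allow-list validation in front of that. INJECTED_INPUT, HOSTNAME_RE and the function names are constructed for the demo.

```python
# Command injection: vulnerable, argv-only and hardened forms side by side.
# Added example, not from the flashcards. Runs on a POSIX system with /bin/sh.
import re
import subprocess

# RFC-1123-style hostname allow-list: labels of letters, digits, interior hyphens.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host):
    """Allow-list check: anything outside the hostname grammar is refused."""
    return bool(HOSTNAME_RE.match(host))


def lookup_vulnerable(host):
    """Vulnerable: user input is spliced into a command line that /bin/sh parses,
    so metacharacters such as ';', '|' and '$(...)' are executed."""
    # 'echo' stands in for ping/nslookup so the demonstration is harmless.
    out = subprocess.run(f"echo lookup {host}", shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def lookup_argv_only(host):
    """Better: the input is a single argv element, so no shell interprets it;
    injected text reaches the program as a literal string."""
    out = subprocess.run(["echo", "lookup", host], capture_output=True, text=True)
    return out.stdout.strip()


def lookup_hardened(host):
    """Hardened: allow-list validation first, then argv passing. Validation also
    blocks inputs that are not shell metacharacters but would be misread by the
    target program itself, e.g. values starting with '-' that look like options."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv_only(host)


INJECTED_INPUT = "example.com; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print(repr(lookup_vulnerable(INJECTED_INPUT)))   # second command ran
    print(repr(lookup_argv_only(INJECTED_INPUT)))    # literal text, nothing ran
    print(repr(lookup_hardened("example.com")))
```

The order of defences matters: passing an argv list removes the shell from the picture, but only the allow-list stops argument injection against the program being called, so the hardened form does both.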
Planning for Security
Study online at https://quizlet.com/_6q8b65
7. To remain viable, security policies must have what?
-An individual responsible for the policy (policy administrator)
-A schedule of reviews and revisions
-A method for making recommendations for revisions
15. What is BCP? Business continuity planning (BCP) occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources.
BCP: continuity reaction -> alternate site operations
17. How are attacks classified as incidents? Attacks are classified as incidents if they:
-Could threaten the confidentiality, integrity, or availability (CIA) of information resources
-Differential: each day the backup takes longer; two tape sets are needed to restore
-Incremental: quickest daily backups; longest to restore (multiple tapes)
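The backup-strategy comparison above, as an added Python simulation that is not part of the flashcards. It takes one full backup followed by six days of constructed change volumes (in GB) and computes, for differential and incremental schedules, how much each daily job writes and how many backup sets a restore on a given day needs. FULL_GB, DAILY_CHANGED_GB and the function names are assumptions for the demo.

```python
# Simulation of differential versus incremental backup schedules after one full
# backup. Added example, not from the flashcards; the daily change volumes and
# sizes (in GB) are constructed.

FULL_GB = 100                            # size of the full backup taken on day 0
DAILY_CHANGED_GB = [5, 8, 3, 10, 6, 4]   # data changed on days 1..6 (constructed)


def differential_schedule(full_gb, daily_changed):
    """Differential: each run copies everything changed since the last full
    backup, so the daily job grows; a restore needs full + latest differential."""
    rows, since_full = [], 0
    for day, changed in enumerate(daily_changed, start=1):
        since_full += changed
        rows.append({"day": day, "backup_gb": since_full,
                     "restore_sets": 2, "restore_gb": full_gb + since_full})
    return rows


def incremental_schedule(full_gb, daily_changed):
    """Incremental: each run copies only what changed since the previous backup
    of any kind, so daily jobs stay small; a restore needs full + every
    incremental taken since it, applied in order."""
    rows, since_full = [], 0
    for day, changed in enumerate(daily_changed, start=1):
        since_full += changed
        rows.append({"day": day, "backup_gb": changed,
                     "restore_sets": 1 + day, "restore_gb": full_gb + since_full})
    return rows


def summarize(rows):
    """Total gigabytes written over the period and what the last restore needs."""
    return {"written_gb": sum(r["backup_gb"] for r in rows),
            "last_restore_sets": rows[-1]["restore_sets"],
            "last_restore_gb": rows[-1]["restore_gb"]}


if __name__ == "__main__":
    for name, schedule in (("differential", differential_schedule),
                           ("incremental", incremental_schedule)):
        rows = schedule(FULL_GB, DAILY_CHANGED_GB)
        print(name, [r["backup_gb"] for r in rows], summarize(rows))
```

The restore volume is identical for both strategies; what differs is the daily write cost (differential grows every day) against the number of sets that must all be intact and applied in sequence (incremental), which is the trade-off the card summarizes.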
28. What's the benefit of involving law enforcement?
-Agencies may be better equipped at processing evidence
-Companies and organizations may be less effective in convicting suspects
-Law enforcement agencies are prepared to handle any necessary warrants and subpoenas
-Law enforcement is skilled at obtaining witness statements and other information collection
30. Can you summarize SETA and contingency planning?
-Information security education, training, and awareness (SETA) is a control measure that reduces accidental security breaches and increases organizational resistance to many other forms of attack
-Contingency planning (CP) is made up of three components: incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP)
Legal, Ethical, and Professional Issues in Information Security
Study online at https://quizlet.com/_2oevjh
3. Key difference between laws and ethics: laws carry the authority of a governing body and ethics do not.
9. Long-arm jurisdiction: the long arm of the law extending across the country or around the world to draw an accused individual into its court system.
12. Criminal law: addresses activities and conduct harmful to society; enforced by the state.
13. Private law: encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
16. National Information Infrastructure Protection Act of 1996: modified several sections of the previous act (the Computer Fraud and Abuse Act) and increased the penalties for selected crimes.
17. Computer Security Act of 1987: one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
18. Privacy of Customer Information Section: the common carrier regulation stating that any proprietary information shall be used explicitly for providing services.
19. Aggregate information: created by combining pieces of non-private data, often collected during software updates or via cookies; when combined, it may violate privacy.
20. Federal Privacy Act of 1974: regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission.
23. Health Insurance Portability and Accountability Act of 1996 (HIPAA): protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
24. Economic Espionage Act: attempts to prevent trade secrets from being illegally shared.
25. Freedom of Information Act: allows any person to request access to federal agency records or information not determined to be a matter of national security.
26. Sarbanes-Oxley Act of 2002: a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms.
28. Ethical differences across cultures: can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers.
31. Department of Homeland Security (DHS): created by the Homeland Security Act of 2002, which was passed after the September 11 attacks.
33. National Security Agency (NSA): responsible for signals intelligence and information systems security.
34. U.S. Secret Service: an agency that was within the Department of the Treasury (part of the Department of Homeland Security since 2003); provides protective services to members of the U.S. government and helps with related computer fraud and false identification crimes.
principles of information security final
Study online at https://quizlet.com/_7j2wsf
4. Know yourself: identify, examine, and understand the information and systems currently in place.
5. Know the enemy: identify, examine, and understand the threats facing the organization.
8. Components of risk identification:
-People
-Procedures
-Data
-Software
-Hardware
9. A threat assessment process: identifies and quantifies the risks facing each asset.
10. Iterative process: begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking).
12. Asset attributes to be considered: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity.
19. information asset classification worksheet: assembles information about information assets and their impact.
20. weighted criteria analysis worksheet: assigns a ranked value or impact weight to each information asset.
21. ranked vulnerability risk worksheet: assigns a ranked value or risk rating for each uncontrolled asset-vulnerability pair.
23. The four risk strategies guide an organization to:
1. Apply safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability (avoidance)
2. Transfer the risk to other areas or to outside entities (transference)
3. Reduce the impact should the vulnerability be exploited (mitigation)
4. Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)
25. Transfer: the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
26. Approach includes three types of plans:
-Incident response plan (IRP): defines the actions to take while an incident is in progress
-Disaster recovery plan (DRP): the most common mitigation procedure
-Business continuity plan (BCP): encompasses continuation of business activities if a catastrophic event occurs
28. The terminate control strategy: directs the organization to avoid those business activities that introduce uncontrollable risks.
30. Items that affect the cost of a control or safeguard include: cost of development or acquisition; training fees; implementation cost; service costs; cost of maintenance.
32. Asset valuation: the process of assigning financial value or worth to each information asset.
33. Expected loss per risk is stated in the following equation: annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)
36. ALE(post): the estimated ALE based on the control being in place for a period of time.
40. Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances.
42. When considering best practices for adoption in an organization, consider:
-Does the organization resemble the identified target with the best practice?
-Are the resources at hand similar?
-Is the organization in a similar threat environment?
43. Best business practices: security efforts that provide a superior level of information protection.
44. Problems with the application of benchmarking and best practices:
-Organizations don't talk to each other (biggest problem)
-No two organizations are identical
-Best practices are a moving target
-Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare for what's next