
REVIEW QUESTIONS

I. Chapter 1 - Introduction to Information Security (8 questions: 1-8)

1. Factors of information security systems (slide 33-37)
- Integrity
- Authentication
- Non-repudiation
2. Key Information Security Concepts (slide 39-60)
- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Exposure
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects of attack
- Threat
- Threat agent
- Threat event
- Threat source
- Vulnerability
3. Information characteristics (slide 61-69)
- Accuracy
- Authenticity
- Availability
- Confidentiality
- Integrity
- Personally identifiable information (PII)
- Possession
- Utility
4. Components of an Information System (slide 73-77)
– Software
– Hardware
– Data
– People
– Procedures
– Networks
5. Approaches to Information Security Implementation
• Bottom-up approach
• Top-down approach
6. Systems Development Life Cycle (slide 84-119): a top-down approach
- What is it?
• SDLC waterfall methodology, consisting of the phases: Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change
• Software Assurance: includes Secure Software Assurance (SwA) and the Common Body of Knowledge (CBK)
- Types of secure SDLC
• NIST approach: which phases does it consist of?
• Microsoft’s SDLC
7. Security Professionals
– Senior Management: Chief information officer (CIO); Chief information security officer (CISO)
– Information Security Project Team
– Data Responsibilities: Data owners; Data custodians; Data users
II. Chapter 2 - The Need for Security (10 questions: 9-18)
1. Key mission of an information security program?
2. Crucial tasks carried out by information security for an organization
• Protecting functionality: who is in charge of enabling the security program in an organization?
• Protecting data: in what situations is data protected?
• Enabling safe operation of applications
• Safeguarding technology assets
3. Threats and attacks (note the examples for each category listed in Table 2.5, and the words highlighted in red in each threat category)
• Compromises to Intellectual Property
• Deviations in Quality of Service
• Espionage or Trespass
• Forces of Nature
• Human Error or Failure
• Information Extortion
• Sabotage or Vandalism
• Software Attacks
• Technical Hardware Failures or Errors
• Technological Obsolescence
• Theft
III. Chapter 3 - Legal, Ethical, and Professional Issues in Information Security (10 questions: 19-28)
1. Laws
- Related concepts:
+ Liability
+ Restitution
+ Due care
+ Due diligence
+ Jurisdiction
- Types of law:
+ Civil law
+ Criminal law
+ Private law
+ Public law
- U.S. laws/standards:
+ U.S. copyright law
+ Payment Card Industry Data Security Standards (PCI DSS)
- International law (WTO)
+ Agreement on Trade-Related Aspects of Intellectual Property Rights
2. Ethics
- What is it? How does it differ from law?
- Three general causes of unethical and illegal behavior: ignorance, accident, intent
- Deterrence: best method for preventing an illegal or unethical activity;
3. Policy
- Laws and policies only deter if three conditions are present:
+ Fear of penalty
+ Probability of being apprehended
+ Probability of penalty being applied
4. Professional associations and certification agencies
- ISSA (Information Systems Security Association)
- SANS (System Administration, Networking, and Security Institute)
- ISACA (Information Systems Audit and Control Association)
- Association of Computing Machinery (ACM)
- International Information Systems Security Certification Consortium, Inc. (ISC)2
IV. Chapter 4 - Planning for Security (15 questions: 29-44)
1. Planning Levels
• Overall strategic planning
• Strategic planning
• Tactical planning
• Operational planning
2. The approach for information security planning?
Hierarchy/Multi-layered approach
3. Information Security Governance
- Five goals of information security governance
4. Information Security Policy
- types of security policy according to SP 800-14 NIST:
+ Enterprise information security policies
+ Issue-specific security policies
+ Systems-specific security policies
5. Information security blueprint
- also called an information security framework or information security model
- Types of security frameworks:
+ The ISO 27000 Series
+ NIST Security Models
+ Other Sources of Security Frameworks
• Professional societies
• Many organizations hold seminars and classes on best practices for implementing security
- NIST Cybersecurity Framework:
• The intent of the Framework
• The fundamental components of the NIST Cybersecurity Framework
- Key components in the security architecture:
• Spheres of Security
• Levels of Controls
• Defense in Depth
• Security Perimeter
6. Security Education, Training, and Awareness Program
- Security education, training, and awareness (SETA)
7. Continuity Strategies
- types of contingency plans:
+ incident response plans
+ disaster recovery plans
+ business continuity plans
V. Chapter 5 - Risk Management (5 questions: 45-49)
1. Risk management includes
• Risk identification
• Risk assessment
• Risk control
2. Risk appetite
3. Residual risk
4. The Open FAIR Approach to Risk Assessment
• Identify scenario components
• Evaluate loss event frequency
• Evaluate probable loss magnitude
• Derive and articulate risk
5. The NIST Risk Management Framework
VI. Chapter 6: Security Technology: Access Controls, Firewalls and VPNs (16 questions: 50-65)
1. Access control
- Access control approaches
- 4 fundamental functions of an access control system
• Identification
• Authentication
• Authorization
• Accountability
- Access Control Architecture Models
2. Firewall
- What is it?
- Firewalls can be categorized by
• Processing mode
  o Packet-Filtering Firewall
    · Static filtering
    · Dynamic filtering
    · Stateful packet filtering
  o Application layer proxy
  o Media Access Control Layer Firewalls
  o Hybrid Firewall
• Development era
• Structure
  o Single bastion hosts
  o Screened Host Architecture
  o Screened Subnet Architecture (with DMZ)
    · DMZ in a network?
3. VPN
- What is it?
- VPNs use authentication and encryption mechanisms
+ authentication technology: Kerberos; RADIUS systems; Diameter; TACACS; CHAP password systems
- A VPN must accomplish:
• Encapsulation of incoming and outgoing data
• Encryption of incoming and outgoing data
• Authentication of the remote computer and perhaps the remote user as well
- A VPN can be implemented in
• Transport mode
• Tunnel mode
VII. Chapter 7: Security Technology: Access Controls, Firewalls and VPNs (16 questions: 66-81)
1. Basic concepts
- Intrusion prevention
- Intrusion detection
- Intrusion reaction
- Intrusion correction
2. Intrusion Detection and Prevention Systems (IDPS)
- IDPS Terminology
- Why Use an IDPS?
- Types of IDPSs
- IDPS detection methods
- IDPS Response Behavior
- Strengths and Limitations of IDPSs
- Deployment and Implementation of an IDPS
- Measuring the Effectiveness of IDPSs
3. Honeypots, Honeynets, and Padded Cell Systems
4. Scanning and Analysis Tools
- Scanning tools
- Footprinting
- Fingerprinting
VIII. Chapter 8: Security Technology: Cryptography (19 questions: 82-100)
1. Basic concepts:
- Cryptology
- Cryptography
- Cryptanalysis
2. Terminology
- Algorithm
- Bit stream cipher
- Block cipher
- Cipher
- Ciphertext/cryptogram
- Code
- Decipher/Decryption
- Encipher/Encryption
- Key/cryptovariable
- Keyspace
- Link encryption
- Plaintext/cleartext
- Steganography
- Work factor
3. The 5 key components of cryptosystems
4. Cryptosystems are categorized by
- The key used for cipher
- The cipher method
- The way to process plaintext
5. Distinguish between substitution techniques and transposition techniques
6. Distinguish between monoalphabetic substitution ciphers and polyalphabetic substitution ciphers
7. Caesar cipher
- The 5 basic components
- Encryption algorithm, decryption algorithm
8. Vigenère cipher
- The 5 basic components
- Encryption algorithm, decryption algorithm
9. Characteristics of the one-time pad cipher
10. Distinguish between block ciphers and stream ciphers
- Block cipher
- Stream cipher
11. DES cipher
- Key
- Encryption
- Decryption
12. AES cipher
- Key
- Encryption
- Decryption
13. Model of Asymmetric Cryptosystem
14. RSA cipher
- Key
- Encipher
- Decipher
15. Diffie-Hellman cipher
- Key
- Calculate the shared key
16. Hash functions
- Purpose
17. Digital Signature
- What is it used for?
18. PKI
- What is it used for?
- What components does a PKI consist of?
- What is a digital certificate used for? What information does it contain?
19. Protocols for Secure Communications
- Purpose? Which cipher systems do they use?