ch12 TB

Chapter 12: Information Security Maintenance

TRUE/FALSE

1. If an organization deals successfully with change and has created procedures and systems that can be
adjusted to the environment, the existing security improvement program will probably continue to
work well.

ANS: T PTS: 1 REF: 511

2. Digital forensics helps the organization understand what happened and how.

ANS: T PTS: 1 REF: 511

3. Over time, policies and procedures may become inadequate because of changes in agency mission and
operational requirements, threats, or the environment.

ANS: T PTS: 1 REF: 512

4. An effective security program demands comprehensive and continuous understanding of program and
system configuration.

ANS: F PTS: 1 REF: 513

5. Court decisions generally do not impact agency policy.

ANS: F PTS: 1 REF: 516

6. When the amount of data stored on a particular hard drive averages 30-40% of available capacity for a
prolonged period, consider an upgrade for the hard drive.

ANS: F PTS: 1 REF: 522

7. Documentation procedures are not required for configuration and change management processes.

ANS: F PTS: 1 REF: 536

8. A maintenance model such as the ISO model deals with methods to manage and operate systems.

ANS: F PTS: 1 REF: 536

9. External monitoring entails collecting intelligence from various data sources and then giving that
intelligence context and meaning for use by decision makers within the organization.

ANS: T PTS: 1 REF: 537

10. Often, US-CERT is viewed as the definitive authority for computer emergency response teams.

ANS: T PTS: 1 REF: 538

11. Many publicly accessible information sources, both mailing lists and Web sites, are available to those
organizations and individuals who have the time, expertise, and finances to make use of them.

ANS: F PTS: 1 REF: 538

12. Over time, external monitoring processes should capture information about the external environment
in a format that can be referenced both across the organization as threats emerge and for historical use.

ANS: T PTS: 1 REF: 541

13. The value of internal monitoring is low when the resulting knowledge of the network and systems
configuration is fed into the vulnerability assessment and remediation maintenance domain.

ANS: F PTS: 1 REF: 541

14. The characteristics concerned with manufacturer and software versions are about technical
functionality, and they should be kept highly accurate and up-to-date.

ANS: T PTS: 1 REF: 542

15. The target selection step involves using the external monitoring intelligence to configure a test engine
(such as Nessus) for the tests to be performed.

ANS: F PTS: 1 REF: 555

16. An intranet scan starts with an Internet search engine.

ANS: F PTS: 1 REF: 557

17. All systems that are mission critical should be enrolled in PSV measurement.

ANS: T PTS: 1 REF: 558

18. All telephone numbers controlled by an organization should be tested for modem vulnerability, unless
the configuration of the phone equipment on premises can assure that no number can be dialed from
the worldwide telephone system.

ANS: F PTS: 1 REF: 560

19. The vulnerability database, like the risk, threat, and attack database, both stores and tracks information.

ANS: T PTS: 1 REF: 560

20. Remediation of vulnerabilities can be accomplished by accepting or transferring the risk, removing the
threat, or repairing the vulnerability.

ANS: T PTS: 1 REF: 561

21. In some instances, risk is acknowledged as being part of an organization’s business process.

ANS: T PTS: 1 REF: 561

22. Threats cannot be removed without requiring a repair of the vulnerability.

ANS: F PTS: 1 REF: 561

23. Policy needs to be reviewed and refreshed from time to time to ensure that it’s sound.

ANS: T PTS: 1 REF: 562

24. Major planning components should be reviewed on a periodic basis to ensure that they are current,
accurate, and appropriate.

ANS: T PTS: 1 REF: 562

25. Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security
personnel the opportunity to improve the security plan before it is needed.

ANS: T PTS: 1 REF: 563

MODIFIED TRUE/FALSE

1. An effective information security governance program requires constant change.
_________________________

ANS: F, review

PTS: 1 REF: 512

2. ISO 27001 Information Security Handbook: A Guide for Managers provides managerial guidance for
the establishment and implementation of an information security program.
_________________________

ANS: F, NIST SP 800-100

PTS: 1 REF: 511

3. Each phase of the SDLC includes a(n) maximum set of information security–related activities required
to effectively incorporate security into a system. _________________________

ANS: F, minimum

PTS: 1 REF: 512

4. For configuration management (CM) and control, it is important to document the proposed or actual
changes in the security plan of the system. _________________________

ANS: T PTS: 1 REF: 513

5. Tracking awareness involves assessing the status of the program as indicated by the database
information and mapping it to standards established by the agency. _________________________

ANS: F, compliance

PTS: 1 REF: 516

6. A trouble ticket is closed when a user calls about an issue. _________________________

ANS: F, opened

PTS: 1 REF: 532

7. In some organizations, facilities management is the identification, inventory, and documentation of the
current information systems status—hardware, software, and networking configurations.
_________________________

ANS: F, configuration

PTS: 1 REF: 532

8. CM assists in streamlining change management processes and prevents changes that could
detrimentally affect the security posture of a system before they happen.
_________________________

ANS: T PTS: 1 REF: 533

9. CERTs stands for computer emergency recovery teams. _________________________

ANS: F, response

PTS: 1 REF: 538

10. UN-CERT is a set of moderated mailing lists full of detailed, full-disclosure discussions and
announcements about computer security vulnerabilities. _________________________

ANS: F, Bugtraq

PTS: 1 REF: 539

11. Specific routine bulletins are issued when developing threats and specific attacks pose a measurable
risk to the organization. _________________________

ANS: F, warning

PTS: 1 REF: 540

12. The basic function of the external monitoring process is to monitor activity, report results, and escalate
warnings. _________________________

ANS: T PTS: 1 REF: 540

13. The primary goal of the external monitoring domain is to maintain an informed awareness of the state
of all of the organization’s networks, information systems, and information security defenses.
_________________________

ANS: F, internal

PTS: 1 REF: 541

14. Organizations should have a carefully planned and fully populated inventory of all their network
devices, communication channels, and computing devices. _________________________

ANS: T PTS: 1 REF: 542

15. To be put to the most effective use, the information that comes from the IDPS must be integrated into
the inventory process. _________________________

ANS: F, maintenance

PTS: 1 REF: 542

16. An example of the type of vulnerability exposed via traffic analysis occurs when an organization is
trying to determine if all its device signatures have been adequately masked.
_________________________

ANS: T PTS: 1 REF: 543

17. The process of identifying and documenting specific and provable flaws in the organization’s
information asset environment is called VA. _________________________

ANS: T PTS: 1 REF: 550

18. The internal vulnerability assessment is usually performed against all public-facing addresses, using
every possible penetration testing approach. _________________________

ANS: F, Internet

PTS: 1 REF: 555

19. You can document the results of the verification by saving a(n) profile. _________________________

ANS: F, trophy

PTS: 1 REF: 556

20. WLAN stands for wide local area network. _________________________

ANS: F, wireless

PTS: 1 REF: 559

21. The final process in the vulnerability assessment and remediation domain is the exit phase.
_________________________

ANS: F, remediation

PTS: 1 REF: 561

22. The optimum solution in most cases is to repair a(n) vulnerability. _________________________

ANS: T PTS: 1 REF: 561

23. The CISO uses the results of maintenance activities and the review of the information security
program to determine if the status quo can adequately meet the threats at hand.
_________________________

ANS: T PTS: 1 REF: 562

24. When possible, major plan elements should be rehearsed. _________________________

ANS: T PTS: 1 REF: 562

25. A(n) war game puts a subset of plans in place to create a realistic test environment.
_________________________

ANS: T PTS: 1 REF: 563

MULTIPLE CHOICE

1. ____ are a component of the security triple.
a. Threats
b. Assets
c. Vulnerabilities
d. All of the above
ANS: D PTS: 1 REF: 511

2. When the memory usage associated with a particular CPU-based system averages ____% or more over
prolonged periods, consider adding more memory.
a. 30
b. 60
c. 90
d. 100
ANS: B PTS: 1 REF: 521

3. To evaluate the performance of a security system, administrators must establish system performance
____.
a. baselines
b. profiles
c. maxima
d. means
ANS: A PTS: 1 REF: 522

4. ____ baselines are established for network traffic and also for firewall performance and IDPS
performance.
a. System
b. Application
c. Performance
d. Environment
ANS: C PTS: 1 REF: 522

5. A(n) ____ item is a hardware or software item that is to be modified and revised throughout its life
cycle.
a. revision
b. update
c. change
d. configuration
ANS: D PTS: 1 REF: 532

6. A ____ is the recorded state of a particular revision of a software or hardware configuration item.
a. state
b. version
c. configuration
d. baseline
ANS: B PTS: 1 REF: 532

7. The primary mailing list, called simply ____, provides time-sensitive coverage of emerging
vulnerabilities, documenting how they are exploited, and reporting on how to remediate them.
Individuals can register for the flagship mailing list or any one of the entire family of its mailing lists.
a. Bug
b. Bugfix
c. Buglist
d. Bugtraq
ANS: D PTS: 1 REF: 539

8. The ____ is a center of Internet security expertise and is located at the Software Engineering Institute,
a federally funded research and development center operated by Carnegie Mellon University.
a. Bug/CERT
b. Bugtraq/CERT
c. CC/CERT
d. CERT/CC
ANS: D PTS: 1 REF: 539

9. The ____ list is intended to facilitate the development of a free network exploration tool.
a. Nmap-hackers
b. Packet Storm
c. Security Focus
d. Snort-sigs
ANS: A PTS: 1 REF: 540

10. The ____ commercial site focuses on current security tool resources.
a. Nmap-hackers
b. Packet Storm
c. Security Laser
d. Snort-sigs
ANS: B PTS: 1 REF: 540

11. The ____ mailing list includes announcements and discussion of an open-source IDPS.
a. Nmap-hackers
b. Packet Storm
c. Security Focus
d. Snort-sigs
ANS: D PTS: 1 REF: 540

12. The optimum approach for escalation is based on a thorough integration of the monitoring process into
the ____.
a. IDE
b. CERT
c. ERP
d. IRP
ANS: D PTS: 1 REF: 540

13. Detailed ____ on the highest risk warnings can include identifying which vendor updates apply to
which vulnerabilities as well as which types of defenses have been found to work against the specific
vulnerabilities reported.
a. escalation
b. intelligence
c. monitoring
d. elimination
ANS: B PTS: 1 REF: 541

14. As an alternative view of the way data flows into the monitoring process, a(n) ____ approach may
prove useful.
a. DTD
b. DFD
c. Schema
d. ERP
ANS: B PTS: 1 REF: 541

15. One approach that can improve the situational awareness of the information security function uses a
process known as ____ to quickly identify changes to the internal environment.
a. baseline
b. difference analysis
c. differential
d. revision
ANS: B PTS: 1 REF: 543

16. ____ is used to respond to network change requests and network architectural design proposals.
a. Network connectivity RA
b. Dialed modem RA
c. Application RA
d. Vulnerability RA
ANS: A PTS: 1 REF: 546

17. A(n) ____ is a statement of the boundaries of the RA.
a. scope
b. disclaimer
c. footer
d. head
ANS: A PTS: 1 REF: 547

18. ____ pen testing is usually used when a specific system or network segment is suspect and the
organization wants the pen tester to focus on a particular aspect of the target.
a. White box
b. Black box
c. Gray box
d. Green box
ANS: A PTS: 1 REF: 551

19. ____, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks
by a malicious external source (hacker).
a. Penetration testing
b. Penetration simulation
c. Attack simulation
d. Attack testing
ANS: A PTS: 1 REF: 551

20. There are ____ common vulnerability assessment processes.
a. two
b. three
c. four
d. five
ANS: D PTS: 1 REF: 550

21. The steps of the Internet vulnerability assessment include ____, which is when the penetration test
engine is unleashed at the scheduled time using the planned target list and test selection.
a. scanning
b. target selection
c. test selection
d. analysis
ANS: A PTS: 1 REF: 556

22. The ____ vulnerability assessment process is designed to find and document selected vulnerabilities
that are likely to be present on the internal network of the organization.
a. intranet
b. Internet
c. LAN
d. WAN
ANS: A PTS: 1 REF: 556

23. The ____ process is designed to find and document the vulnerabilities that may be present because
there are misconfigured systems in use within the organization.
a. ASP
b. ISP
c. SVP
d. PSV
ANS: D PTS: 1 REF: 558

24. The ____ vulnerability assessment process is designed to find and document any vulnerability that is
present on dial-up modems connected to the organization’s networks.
a. modem
b. phone
c. dial-up
d. network
ANS: A PTS: 1 REF: 559

25. ____ allows for the major planning components to be reviewed on a periodic basis to ensure that they
are current, accurate, and appropriate.
a. System review
b. Project review
c. Program review
d. Application review
ANS: C PTS: 1 REF: 562

COMPLETION

1. Virtually all aspects of a company’s environment are ____________________.

ANS: dynamic

PTS: 1 REF: 510

2. Organizations should perform a(n) ____________________ assessment of their information security
programs.

ANS: annual

PTS: 1 REF: 512

3. A performance ____________________ is an expected level of performance against which all
subsequent levels of performance are compared.

ANS: baseline

PTS: 1 REF: 522

4. ____________________ is the process of reviewing the use of a system, not to check performance, but
rather to determine if misuse or malfeasance has occurred.

ANS: Auditing

PTS: 1 REF: 526

5. As the help desk personnel screen problems, they must also track the activities involved in resolving
each complaint in a help desk ____________________ system.

ANS: information

PTS: 1 REF: 531

6. The objective of the external ____________________ domain within the maintenance model is to
provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that
the organization needs in order to mount an effective and timely defense.

ANS: monitoring

PTS: 1 REF: 537

7. When an organization uses specific software products as part of its information security program, the
____________________ often provides either direct support or indirect tools that allow user
communities to support each other.

ANS: vendor

PTS: 1 REF: 537-538

8. The primary goal of the ____________________ monitoring domain is to maintain an informed
awareness of the state of all of the organization’s networks, information systems, and information
security defenses.

ANS: internal

PTS: 1 REF: 541

9. The process of collecting detailed information about devices in a network is often referred to as
____________________.

ANS: characterization

PTS: 1 REF: 542

10. The ____________________ interconnections are network devices, communications channels, and
applications that may not be owned by the organization but are essential to the continued operation of
the organization’s partnership with another company.

ANS: partner

PTS: 1 REF: 542

11. A(n) ____________________ analysis is a procedure that compares the current state of a network
segment (the systems and services it offers) against a known previous state of that same network
segment (the baseline of systems and services).

ANS: difference

PTS: 1 REF: 543

12. The primary objective of the planning and risk ____________________ domain is to keep a lookout
over the entire information security program.

ANS: assessment

PTS: 1 REF: 544

13. A key component in the engine that drives change in the information security program is a relatively
straightforward process called an information security ____________________ risk assessment.

ANS: operational

PTS: 1 REF: 546

14. The primary goal of the vulnerability assessment and ____________________ domain is to identify
specific, documented vulnerabilities and remediate them in a timely fashion.

ANS: remediation

PTS: 1 REF: 550

15. The ____________________ tester’s ultimate responsibility is to identify weaknesses in the security
of the organization’s systems and networks and then present findings to the system owners in a
detailed report.

ANS:
pen
penetration

PTS: 1 REF: 551

16. The ____________________ vulnerability assessment process is designed to find and document the
vulnerabilities that may be present in the public-facing network of the organization.

ANS: Internet

PTS: 1 REF: 555

17. The Analysis step of Internet vulnerability assessment is when a knowledgeable and experienced
vulnerability analyst screens the test results for the ____________________ vulnerabilities logged
during scanning.

ANS: candidate

PTS: 1 REF: 556

18. A(n) ____________________ risk is one that is higher than the risk appetite of the organization.

ANS: significant

PTS: 1 REF: 556

19. The proven cases of real vulnerabilities can be considered vulnerability ____________________.

ANS: instances

PTS: 1 REF: 556

20. The ____________________ process step is identical to the one followed in Internet vulnerability
analysis.

ANS: record keeping

PTS: 1 REF: 557

21. The ____________________ vulnerability assessment process is designed to find and document the
vulnerabilities that may be present in the wireless local area networks of the organization.

ANS: wireless

PTS: 1 REF: 559

22. In ____________________ selection, all areas of the organization’s premises should be scanned with a
portable wireless network scanner.

ANS: target

PTS: 1 REF: 559

23. Using scripted dialing attacks against a pool of phone numbers is often called war
____________________.

ANS: dialing

PTS: 1 REF: 560

24. The primary goal of the readiness and ____________________ domain is to keep the information
security program functioning as designed and to keep it continuously improving over time.

ANS: review

PTS: 1 REF: 562

25. Rehearsals that closely match reality are called ____________________ games.

ANS: war

PTS: 1 REF: 563

ESSAY

1. Why should agencies monitor the status of their programs?

ANS:
Agencies should monitor the status of their programs to ensure that:
- Ongoing information security activities are providing appropriate support to the agency mission
- Policies and procedures are current and aligned with evolving technologies, if appropriate
- Controls are accomplishing their intended purpose

PTS: 1 REF: 512

2. List the four steps to developing a CM plan.

ANS:
The four steps in developing the CM plan are:
- Establish baselines
- Identify configuration
- Describe configuration control process
- Identify schedule for configuration audits

PTS: 1 REF: 515

3. List the five domains of the recommended maintenance model.

ANS:
The recommended maintenance model is based on five subject areas or domains:
- External monitoring
- Internal monitoring
- Planning and risk assessment
- Vulnerability assessment and remediation
- Readiness and review

PTS: 1 REF: 536