135 Cards in this Set
What does ARPA stand for?
|
Advanced Research Projects Agency
|
|
Which US Government body created ARPA?
|
Department of Defense
|
|
Which DoD report attempted to define the multiple control mechanisms necessary for the protection of a multilevel computer system?
|
The Rand Report R-609
|
|
What was the name of the now obsolete operating system designed for security objectives?
|
MULTICS
|
|
What is the security that addresses the issues needed to protect items, objects or areas?
|
Physical Security
|
|
What is the security that addresses the protection of the individuals or groups who are authorized to access an organization and its operations?
|
Personnel Security
|
|
What is the security that encompasses the protection of an organization's communications media, technology and content?
|
Communications Security
|
|
If information has a state of being genuine or original and is not a fabrication, it has the characteristic of _________.
|
Authenticity
|
|
The characteristic of information that deals with preventing disclosure is _________.
|
Confidentiality
|
|
Information security programs that begin at the grassroots level, with system administrators working to improve security, are often called a ___________ approach.
|
bottom-up
|
|
When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow a _________ approach.
|
top-down
|
|
Who is the person responsible for the security and use of a particular set of information?
|
The data owner
|
|
Who is the person responsible for the storage, maintenance and protection of the information?
|
The data custodian
|
|
What are the three most commonly encountered communities of interest that have roles and responsibilities in information security?
|
Information security management and professionals
Information technology management and professionals
Organizational (general) management and professionals
|
|
What is the principal goal of an information security program?
|
to ensure that systems and their contents remain the same
|
|
Information security has more to do with ______ than with ______
|
management, technology
|
|
Many organizations find that their most valuable asset is their ________
|
data
|
|
What is the name given to applying computing and network resources to try every possible combination of options for a password?
|
brute force
|
|
What is the name given to trying a list of commonly used passwords?
|
dictionary attack
|
|
What is the name given to attempting to reverse-calculate passwords?
|
Password cracking
|
|
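The three password-attack cards above (brute force, dictionary attack, password cracking) differ only in where the guesses come from. The following is an added example, not part of the original card set: it runs a dictionary attack and an exhaustive brute-force search against a stored salted SHA-256 digest, and shows why the size of the keyspace (alphabet length raised to the password length) is what makes exhaustive search expensive. The salt, word list and target password are constructed for the example; the single fast SHA-256 round is only so that it runs instantly, and a real system should use a deliberately slow password hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import itertools
import string

# Constructed salt for the example credential store.
SALT = b"c0ffee"


def digest(candidate: str, salt: bytes = SALT) -> str:
    """Salted SHA-256 of a candidate password (fast hash, for demonstration only)."""
    return hashlib.sha256(salt + candidate.encode()).hexdigest()


# Constructed target: the stored digest of the password "sunshine".
STORED_DIGEST = digest("sunshine")

# Constructed stand-in for a list of commonly used passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "dragon"]


def dictionary_attack(stored: str, wordlist):
    """Dictionary attack: hash each commonly used password once and compare.
    Returns (password, guesses) on success, (None, guesses) otherwise."""
    for guesses, word in enumerate(wordlist, start=1):
        if digest(word) == stored:
            return word, guesses
    return None, len(wordlist)


def keyspace_size(alphabet: str, max_len: int) -> int:
    """How many candidates an exhaustive search must cover for lengths 1..max_len."""
    return sum(len(alphabet) ** k for k in range(1, max_len + 1))


def brute_force(stored: str, alphabet: str, max_len: int):
    """Brute force: try every combination of the alphabet up to max_len, shortest first.
    Returns (password, guesses) on success, (None, guesses) once the keyspace is exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if digest(candidate) == stored:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    print(dictionary_attack(STORED_DIGEST, WORDLIST))       # ('sunshine', 5)
    print(brute_force(digest("ab"), "abc", 3))               # ('ab', 5): tiny keyspace
    print(brute_force(STORED_DIGEST, "abc", 3))              # (None, 39): not in this keyspace
    print(keyspace_size(string.ascii_lowercase, 8))          # 217180147158
```

The dictionary attack finds "sunshine" on its fifth guess, while an exhaustive search over lowercase passwords of up to eight characters has more than 2 x 10^11 candidates to cover; the defender's levers are the slowness of the hash and rejecting passwords that appear in common word lists.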
What is the name given to attacking a system by flooding it with a large volume of traffic to prevent it from accomplishing its design goal?
|
Denial of Service
|
|
What is it called when an attacker conceals their true identity and adopts some other identity?
|
Spoofing
|
|
__________ is another name for TCP hijacking
|
man in the middle
|
|
_________ is unsolicited commercial email.
|
Spam
|
|
What is it called when a denial of service attack is done by sending large quantities of email?
|
Mail bombing
|
|
What is a type of law that represents all of the laws that apply to a citizen or subject of a jurisdiction?
|
Civil law
|
|
What is the type of law that addresses violations harmful to society and that is enforced by prosecutions by the state?
|
Criminal law
|
|
What is the type of law that regulates the relationship between an individual and an organization?
|
Private law
|
|
What is the type of law that regulates the structure and administration of government agencies?
|
Public law
|
|
What defines socially acceptable behaviors?
|
Ethics
|
|
What define rules that mandate or prohibit certain behavior?
|
Laws
|
|
What is the law that regulates the overall role of the government in protecting the privacy of individuals?
|
Federal Privacy Act of 1974
|
|
What is the law that regulates the role of the health-care industry in protecting the privacy of individuals?
|
Health Insurance Portability and Accountability Act of 1996
|
|
What is the generally recognized term for the government protection afforded to intellectual property?
|
Copyright law
|
|
What is the law that provides any person with the right to request access to federal agency records?
|
Freedom of Information Act of 1966
|
|
What is the name of the respected professional society founded in 1947 as the world's first educational and scientific computing society?
|
Association for Computing Machinery (ACM)
|
|
Is the FBI responsible for signals intelligence and the information system security of classified systems?
|
No
|
|
Is the NSA responsible for the security of all infrastructure that is not nationally critical?
|
No
|
|
Is the NSA responsible for signals intelligence and the information system security of classified systems?
|
Yes
|
|
For information security purposes, what are the systems that use, store and transmit information?
|
Assets
|
|
Which community of interest should have the best understanding of threats and attacks, and often takes a leadership role in addressing risks?
|
Information security
|
|
Which community of interest must assist in risk management by configuring and operating information systems in a secure fashion?
|
Information technology
|
|
Which community of interest must ensure sufficient resources are allocated to the risk management process?
|
General management
|
|
The purpose of a weighted factor analysis is to?
|
list assets in order of their importance to the organization
|
|
What do organizations implement in order to ensure that effort is spent protecting the information that needs protecting?
|
data classification schemes
|
|
What do individuals acquire when they are assigned security labels for access to categories of information?
|
Security clearance
|
|
What is the name of the process of examining how each threat will affect an organization?
|
Threat assessment
|
|
What is the process an organization uses to assign a risk rating or score to each information asset?
|
Risk assessment
|
|
What is the overall rating of the probability that a specific vulnerability will be successfully exploited?
|
likelihood
|
|
What is the name of the amount of risk that remains after all controls are put in place as designed?
|
residual risk
|
|
What is it called when users are assigned a matrix of authorizations for particular areas?
|
Lattice-based access control
|
|
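The three cards above (data classification schemes, security clearances, lattice-based access control) describe one mechanism from three sides: objects carry a classification, subjects carry a clearance, and the access decision compares the two. The following is an added example and not part of the original card set. It models the labels as the classic lattice of a sensitivity level plus a set of compartments, where one label dominates another when its level is at least as high and its compartments are a superset; the "no write-down" rule for writes is the Bell-LaPadula *-property and is an assumption here, as are the level names, users and documents, which are all constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed classification scheme: ordered sensitivity levels, lowest first.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a sensitivity level plus a set of compartments (areas)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's level AND A carries every
        # compartment B is marked with. This partial order is the lattice.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs
    (the label a document combining both sources would need)."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def can_read(clearance: Label, classification: Label) -> bool:
    """Read is allowed only if the subject's clearance dominates the object's label."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """Write is allowed only to objects at or above the subject's label (no write-down),
    so a highly cleared user cannot leak data into a lower-classified document."""
    return classification.dominates(clearance)


# Constructed clearances (subjects) and classifications (objects).
CLEARANCES = {
    "analyst": Label("confidential", frozenset({"finance"})),
    "auditor": Label("secret", frozenset({"finance", "hr"})),
    "intern": Label("internal"),
}
DOCUMENTS = {
    "q3-forecast": Label("confidential", frozenset({"finance"})),
    "salary-review": Label("confidential", frozenset({"hr"})),
    "newsletter": Label("public"),
}


def access_matrix():
    """The 'matrix of authorizations' the card describes, derived from the lattice:
    {user: {document: 'r', 'w', 'rw' or ''}}."""
    return {
        user: {doc: ("r" if can_read(c, d) else "") + ("w" if can_write(c, d) else "")
               for doc, d in DOCUMENTS.items()}
        for user, c in CLEARANCES.items()
    }


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, row)
```

The analyst cannot read the salary review despite holding the same level as the document, because the lattice compares compartments as well as levels; the auditor can read it but cannot write to it from a "secret" clearance. That is the difference between a flat hierarchy of clearances and a lattice.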
What is the risk control strategy that attempts to prevent the exploitation of a vulnerability?
|
Avoidance
|
|
What is the control approach that attempts to shift risk to other assets, other processes or other organizations?
|
Transference
|
|
Which plan should contain the actions an organization can and perhaps should take while the incident is in progress?
|
Incident response plan
|
|
What is the most common mitigation procedure?
|
Disaster recovery plan
|
|
What is the process of avoiding the financial impact of an incident by implementing a control?
|
Cost avoidance
|
|
What is the value associated with the most likely loss from an attack?
|
Single Loss Expectancy
|
|
What is the value calculated to show how often a specific type of attack is likely to occur in a given year?
|
The annualized rate of occurrence
|
|
What is the value calculated to show the estimated overall loss potential per risk per year?
|
The annualized loss expectancy
|
|
What is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your own organization?
|
Benchmarking
|
|
What is the name given to the analysis of measures against established standards?
|
Baselining
|
|
What addresses user acceptance and support, management acceptance and support, and the overall requirements of organizational stakeholders?
|
Operational feasibility
|
|
What determines whether or not the organization has the technology necessary to implement and support the control alternatives?
|
Technical feasibility
|
|
What directs how issues should be addressed and technologies used?
|
Policies
|
|
What are detailed statements of what must be done to comply with policy?
|
Standards
|
|
Which policy is also known as a general security policy, IT security policy and an information security policy?
|
Enterprise information security policy
|
|
Which policy addresses specific areas of technology, requires frequent updates, and contains a statement of the organization's position on a specific issue?
|
Issue-specific security policy
|
|
What is implementing security in a layered approach referred to as?
|
Defence in depth
|
|
What defines the edge between the outer limit of an organization's security and the beginning of the outside world?
|
The security perimeter
|
|
What is a device that uses a rule set to selectively discriminate against information flowing into or out of the organization?
|
Firewall
|
|
What should an organization implement in an effort to detect unauthorized activity within the inner network or on individual machines?
|
Intrusion detection systems
|
|
What is the name given to planning for the identification, classification and recovery from an incident?
|
Incident response planning
|
|
What is the name given to a clearly identified attack on the organization's information assets that would threaten their confidentiality, integrity or availability?
|
incident
|
|
What deals with the preparation for and recovery from a disaster, either natural or man-made?
|
Disaster recovery planning
|
|
What consists of the actions taken to plan for, detect and correct the impact of an incident on information assets?
|
An Incident Response
|
|
What provides many of the same services and options as a hot site, but does not typically include the applications the company needs?
|
Warm site
|
|
What is the name given to a fully configured computer facility with all services, communication links and physical plant operations including heating and air conditioning?
|
Hot site
|
|
What is the next step down from a warm site and provides only rudimentary services and facilities with no computer hardware or peripherals?
|
Cold site
|
|
What type of firewall examines every incoming header and can selectively filter packets based on destination address, source address, packet type and other key information?
|
Packet filtering
|
|
What type of firewall filtering allows the firewall to react to an emergent event and update or create rules to deal with the event?
|
Dynamic
|
|
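The two firewall cards above draw the distinction between a static packet filter, which can only consult the rule set it was given, and dynamic filtering, which updates its rules in response to traffic it has just seen. The following is an added example, not code from the original card set: a first-match packet filter over header fields (source, destination, protocol, destination port), and a dynamic subclass that, on allowing an outbound connection, learns a temporary rule admitting the reply flow that a static rule set would otherwise have to leave open permanently. The rule syntax, the 10.0.0.0/8 internal range and the documentation addresses in the packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-filtering firewall looks at."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR of permitted source addresses
    dst: str = "0.0.0.0/0"        # CIDR of permitted destination addresses
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class StaticPacketFilter:
    """Packet filtering: first matching rule wins; unmatched packets get the default verdict."""

    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


class DynamicPacketFilter(StaticPacketFilter):
    """Dynamic filtering: reacts to an allowed outbound connection by creating a
    rule for its reply traffic, instead of needing a standing inbound rule."""

    def __init__(self, rules, internal: str = "10.0.0.0/8", default: str = "deny"):
        super().__init__(rules, default)
        self.internal = ip_network(internal)
        self.learned = set()   # (our_src, their_dst, proto, our_sport, their_dport)

    def decide(self, p: Packet) -> str:
        # A reply to a flow we already allowed outbound: permit it via the learned rule.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.learned:
            return "allow"
        verdict = super().decide(p)
        if verdict == "allow" and ip_address(p.src) in self.internal:
            self.learned.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return verdict


# Constructed rule set: expose one public web server, let internal hosts out, deny the rest.
RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("allow", src="10.0.0.0/8"),
]

# Constructed packets.
WEB_REQUEST = Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 80)
SSH_ATTEMPT = Packet("203.0.113.7", "192.0.2.10", "tcp", 40001, 22)
OUTBOUND = Packet("10.0.0.5", "198.51.100.5", "tcp", 51000, 443)
REPLY = Packet("198.51.100.5", "10.0.0.5", "tcp", 443, 51000)
UNSOLICITED = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000)

if __name__ == "__main__":
    static, dynamic = StaticPacketFilter(RULES), DynamicPacketFilter(RULES)
    for name, pkt in [("web", WEB_REQUEST), ("ssh", SSH_ATTEMPT), ("out", OUTBOUND), ("reply", REPLY)]:
        print(name, "static:", static.decide(pkt), "dynamic:", dynamic.decide(pkt))
```

The static filter drops the reply to the internal host's own HTTPS connection because no rule admits inbound traffic to 10.0.0.0/8; the dynamic filter admits exactly that reply and nothing else, so the unsolicited packet aimed at the same host and port is still denied. Note that the learned entry never expires in this example; a real implementation ages entries out, or an attacker could reuse a stale flow.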
What is the commonly used name for an intermediate area between a trusted network and an untrusted network?
|
Demilitarized zone
|
|
What is the primary objective of the physical design phase of the SecSDLC?
|
To select specific technologies to support the information security blueprint
|
|
Which system is most often used to authenticate the credentials of users who are trying to access an organization's network via a dial-up connection?
|
RADIUS
|
|
In which mode of IPsec is the data within an IP packet encrypted, while the header information is not?
|
Transport mode
|
|
What is the name given to a system that can detect an intrusion and attempt to stop it?
|
Intrusion Detection and prevention system (IDPS)
|
|
What is the term given to the failure of an IDS to react to an actual attack event?
|
False Negative
|
|
What is the term given to an alarm that indicates an attack is in progress or has successfully occurred when, in fact, there has been no such attack?
|
False Positive
|
|
What is the name of a widely used IDP detection method that uses search patterns?
|
Signature Based IDP
|
|
What is the name given to an IDP detection method that samples network activity and compares it to 'normal' traffic?
|
Statistical Anomaly-Based IDP
|
|
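The four IDS cards above (false negative, false positive, signature-based, statistical anomaly-based) are easiest to see side by side on real input. The following is an added example, not part of the original card set: a signature detector that searches each log line for known attack patterns, a statistical anomaly detector that flags a source whose request count in the current window exceeds the mean plus three standard deviations of a 'normal' baseline, and a scorer that reports the signature detector's false positives and false negatives against labelled ground truth. The log lines, the baseline counts and the deliberately crude SQL-injection pattern are all constructed for the example; the crude pattern is there to show where a false positive comes from.

```python
import re
import statistics
from collections import Counter

# Constructed web-server log lines as (line, is_attack). The label is ground truth
# used only to score the detector; a real IDS never has it.
SAMPLE_LOG = [
    ("10.0.0.5 GET /index.html 200", False),
    ("10.0.0.5 GET /about.html 200", False),
    ("198.51.100.9 GET /login.php?user=admin' OR 1=1-- 200", True),
    ("203.0.113.4 GET /../../etc/passwd 404", True),
    ("10.0.0.8 GET /admin/backup.sql 404", True),            # no signature covers this
    ("10.0.0.7 GET /math/proof-that-1=1.html 200", False),   # benign, but trips the crude SQLi pattern
]

# Signature-based detection: search patterns matched against each line.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"1=1")),   # deliberately crude, see lead-in
    ("path-traversal", re.compile(r"\.\./")),
]


def signature_detect(line: str):
    """Return the names of every signature that matches the line."""
    return [name for name, pattern in SIGNATURES if pattern.search(line)]


def score_signatures(labelled):
    """False positives: benign lines that alarmed. False negatives: attacks that did not."""
    false_positives = [line for line, attack in labelled if not attack and signature_detect(line)]
    false_negatives = [line for line, attack in labelled if attack and not signature_detect(line)]
    return false_positives, false_negatives


# Statistical anomaly-based detection: compare the current window's per-source request
# counts with a baseline. Constructed baseline: requests per source per window
# observed during a quiet training period.
BASELINE_COUNTS = [3, 4, 3, 5, 4, 3, 4, 4]


def anomaly_threshold(baseline, k: float = 3.0) -> float:
    """Alarm above mean + k standard deviations of the baseline."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_detect(lines, baseline, k: float = 3.0):
    """Return {source: count} for sources whose request count exceeds the threshold."""
    counts = Counter(line.split()[0] for line in lines)
    threshold = anomaly_threshold(baseline, k)
    return {src: n for src, n in counts.items() if n > threshold}


# Constructed burst: one external host fetching 30 pages in one window, as a scanner would.
SCAN_BURST = [f"203.0.113.4 GET /page{i}.html 404" for i in range(30)]
CURRENT_WINDOW = [line for line, _ in SAMPLE_LOG] + SCAN_BURST

if __name__ == "__main__":
    print("false positives / negatives:", score_signatures(SAMPLE_LOG))
    print("anomalous sources:", anomaly_detect(CURRENT_WINDOW, BASELINE_COUNTS))
```

The signature detector misses the backup-file probe (a false negative, because no pattern describes it) and alarms on the harmless maths page (a false positive, because the pattern is too loose); the anomaly detector catches the scanner by volume without knowing anything about what it requested, but would equally flag a legitimate crawler, which is the trade-off the two cards describe.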
What is the name given to decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves?
|
Honeypots
|
|
What is the name given to the organized research of internet addresses owned or controlled by a target organization?
|
Footprinting
|
|
What is the name given to the systematic survey of all of the target organization's addresses collected during the footprinting phase?
|
Fingerprinting
|
|
What is the name of the tool used to identify computers active on a network?
|
Port scanner
|
|
What is the name of the tool used to scan networks for highly detailed vulnerability information?
|
Vulnerability scanner
|
|
Is encryption a process of hiding information that has been in use for a long time?
|
No. Encryption converts information into a form that is unreadable to unauthorized individuals; hiding the existence of a message is steganography.
|
|
Was Julius Caesar associated with an early version of the substitution cipher?
|
Yes
|
|
What is the process of converting an original message into a form that is unreadable to unauthorized individuals?
|
Encryption
|
|
What is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext?
|
Key
|
|
What is the name of the science of encryption?
|
Cryptology
|
|
What is the name of the process of making and using codes to secure the transmission of information?
|
Cryptography
|
|
Do hashing functions require the use of keys?
|
No
|
|
What is the name of the fingerprint of the author's message that is compared with the receiver's locally calculated hash of the same message?
|
Message Digest
|
|
What is the entire range of values that can possibly be used to construct an individual key?
|
Keyspace
|
|
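The Caesar cipher card above and the keyspace card just before this point fit together: the Caesar shift is a substitution cipher whose key is the shift amount, so its keyspace is only 26 values and an attacker can simply try them all. The following is an added example, not part of the original card set, implementing the cipher and a ciphertext-only attack that decrypts under every key in the keyspace and keeps the candidate containing the most recognisable words. The mini-dictionary used to recognise plaintext and the sample message are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase
KEYSPACE = range(len(ALPHABET))   # every possible shift: 26 keys (key 0 leaves text unchanged)


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter forward by key positions; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -key)


# Constructed mini-dictionary used to recognise a correct decryption.
KNOWN_WORDS = {"ATTACK", "AT", "DAWN", "THE", "AND", "OF", "TO", "MEET", "SEND"}


def english_score(text: str) -> int:
    """Number of tokens that are recognisable words; higher means more plausible plaintext."""
    return sum(1 for token in text.split() if token in KNOWN_WORDS)


def brute_force_keyspace(ciphertext: str):
    """Ciphertext-only attack: decrypt under every key in the keyspace and keep the
    most English-looking result. Returns (key, plaintext, keys_tried)."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in KEYSPACE]
    key, plaintext = max(candidates, key=lambda kp: english_score(kp[1]))
    return key, plaintext, len(candidates)


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 3)
    print(ct)                          # DWWDFN DW GDZQ
    print(brute_force_keyspace(ct))    # (3, 'ATTACK AT DAWN', 26)
```

Twenty-six trial decryptions recover the key and the message; a modern cipher's keyspace (2^128 keys or more) is what puts the same exhaustive search out of reach, which is why keyspace size, not secrecy of the algorithm, carries the security.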
Which piece of information is used in conjunction with an algorithm to create the ciphertext from the plaintext, or vice versa?
|
Key
|
|
Which algorithm was the first public key encryption algorithm published for commercial use?
|
RSA
|
|
Do popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms?
|
Yes
|
|
Are PKI systems based on public key cryptosystems with digital certificates and CAs?
|
Yes
|
|
Does Nonrepudiation mean that customers or partners can be held accountable for transactions, such as online purchases which they cannot later deny?
|
Yes
|
|
What is the process of hiding messages called?
|
Steganography
|
|
What kind of security addresses the design, implementation and maintenance of countermeasures that protect the physical resources of an organization?
|
Physical security
|
|
Which layer of management is responsible for the security of the facility in which the organization is housed, and for the policies and standards for secure operation?
|
General Management
|
|
Which group is responsible for environmental and access security in the technology equipment locations, and for the policies and standards for secure equipment operation?
|
Information Technology Management and Professionals
|
|
Which physical security control has the ability to apply human reasoning?
|
Guards
|
|
Which animals are useful because their keen senses of smell and hearing can detect intrusions that human guards cannot?
|
Dogs
|
|
Which authentication system is not foolproof and can be easily duplicated, stolen and modified?
|
ID Cards and badges
|
|
Which control is divided into four categories: manual, programmable, electronic and biometric?
|
Locks and keys
|
|
What kind of control do the following fall into: finger and hand readers; iris and retina scanners; and voice and signature readers?
|
biometric
|
|
Fires that involve combustible fuels, such as wood, paper, textiles, rubber, cloth and trash, belong to which class?
|
Class A
|
|
Fires fueled by combustible liquids or gases, such as solvents, gasoline, paint, lacquer and oil, belong to which class?
|
Class B
|
|
Fires involving energized electrical equipment or appliances belong to which class?
|
Class C
|
|
Fires fueled by combustible metals, such as magnesium, lithium and sodium, belong to which class?
|
Class D
|
|
What is a completed document or program module that can serve either as the beginning point for a later task or as an element in the finished project?
|
Deliverable
|
|
What is a specific point in the project plan when a task and its action steps are complete and have a noticeable impact on the progress of the project plan as a whole?
|
Milestone
|
|
What kind of feedback loop ensures progress is measured periodically once a project is underway?
|
negative feedback loop
|
|
What is deploying a system by running the new methods alongside the old methods for a period of time called?
|
Parallel implementation
|
|
What is the most common approach to deploying systems, which involves rolling out one piece of the system at a time?
|
phased implementation
|
|
What is the name of a development method that involves implementing all functions in a single part of the organization and resolving issues within that group before expanding to the rest of the organization?
|
Pilot implementation
|
|
Who is typically the top information security employee in the organization?
|
CISO
|
|
Who are accountable for the day-to-day operation of the information security program?
|
Security Managers
|
|
Who are qualified individuals who are tasked to implement security software, diagnose and troubleshoot problems, and coordinate with systems administrators to ensure that security technology is operating to protect the organization?
|
Security technicians
|
|
Who is typically an expert in information security, and may have been a CISO and/or hold CISSP credentials?
|
Security consultant
|
|
Which certifications require the applicant to complete a written practical assignment?
|
GIAC
|
|
What can determine the level of trust the business places in an individual?
|
background check
|
|
What becomes an important security instrument after the candidate has accepted the job offer?
|
Employment contract
|
|
In order to heighten information security awareness and change workplace behavior, what should organizations incorporate information security components into?
|
Employee job descriptions, training sessions and performance evaluations
|