1000 Flashcards
A network that does not have servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network.
Peer-To-Peer (P2P) Network
A policy that outlines how the organization uses personal information it collects.
Privacy Policy
A written document that states how an organization plans to protect the company’s information technology assets.
Security Policy
Grouping individuals and organizations into clusters or groups based on a like affiliation.
Social Networking
Web sites that facilitate linking individuals with common interests like hobbies, religion, politics, or school or work contacts.
Social Networking Sites
A type of action that has the potential to cause harm.
Threat
A person or element that has the power to carry out a threat.
Threat Agent
A flaw or weakness that allows a threat agent to bypass security.
Vulnerability
The likelihood that the threat agent will exploit the vulnerability.
Risk
An event that, in the beginning, is considered to be a risk yet turns out not to be.
False Positive
List and describe the 3 strategies for controlling risks.
1- privilege management: the process of assigning and revoking privileges to objects; it covers the procedures of managing object authorizations
2- change management: a methodology for making modifications and keeping track of those changes
3- incident management: the “framework” and functions required to enable incident response and incident handling within an organization.
A subject’s access level over an object, such as a user’s ability to open a payroll file.
Privilege
Periodic reviewing of a subject’s privileges over an object, in which the objective is to determine if the subject has the correct privileges.
Privilege Auditing
What is a CMT and what are its duties?
Change Management Team
1- review proposed changes
2- ensure risk and impact of the planned changes are understood
3- recommend approval, disapproval, deferral, or withdrawal of a requested change
4- communicate proposed and approved changes to coworkers
The planning, coordination, and communications functions that are needed in order to resolve an incident in an efficient manner.
Incident Handling
The components required to identify, analyze, and contain an incident.
Incident Response
What are the functions of an organization’s information security policy?
1- it can be an overall intention and direction. A security policy is a vehicle for communicating an organization’s information security culture and acceptable information security behavior.
2- it details specific risks and how to address them, and provides controls that executives can use to direct employee behavior.
3- it can help to create a security-aware organization culture
4- it can help to ensure that employee behavior is directed and monitored to ensure compliance with security requirements.
What must an effective security policy balance?
Trust and Control
What are the 3 approaches to trust?
1- Trust everyone all of the time: the easiest model to enforce because there are no restrictions; impractical because it leaves the system vulnerable to attacks
2- Trust no one at any time: the most restrictive model; impractical because few employees would work for an organization that did not trust them
3- Trust some people some of the time: this approach exercises caution in the amount of trust given; access is provided as needed with technical controls to ensure the trust is not violated.
A collection of requirements specific to the system or procedure that must be met by everyone.
Standard
A collection of suggestions that should be implemented.
Guideline
A document that outlines specific requirements or rules that must be met.
Policy
What is the three-phase cycle in the development and maintenance of a security policy?
1- vulnerability assessment
2- create the security policy using information from the risk management study
3- compliance monitoring and evaluation
What does a vulnerability assessment attempt to identify?
1- asset identification (what needs to be protected)
2- threat identification (what the pressures are against it)
3- vulnerability appraisal (how susceptible the current protection is)
4- risk assessment (what damages could result from the threats)
5- risk mitigation (what to do about it)
What MUST a security policy do?
1- be implementable and enforceable
2- be concise and easy to understand
3- balance protection with productivity
What SHOULD a security policy do?
1- state reasons the policy is necessary
2- describe what is covered by the policy
3- outline how violations will be handled
Ideally, who should comprise the team that designs a security policy?
1- Senior level administrator
2- member of management who can enforce the policy
3- member of the legal staff
4- representative from the user community
What is due care?
The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. It is the care that a reasonable person would exercise under the circumstances.
Defines requirements for using cryptography.
Acceptable encryption policy
Establishes guidelines for effectively reducing the threat of computer viruses on the organization’s network and computers.
Anti-virus policy
Outlines the requirements and provides the authority for an information security team to conduct audits and risk assessments, investigate incidents, ensure conformance to security policies, or monitor user activity.
Audit vulnerability scanning policy
Prescribes that no e-mail will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.
Automatically forwarded e-mail policy
Defines requirements for storing and retrieving database usernames and passwords.
Database credentials coding policy
Defines standards for all networks and equipment located in the DMZ.
Demilitarized zone security policy
Creates standards for using corporate e-mail.
E-mail policy
Helps employees determine what information sent or received by e-mail should be retained and for how long.
E-mail retention policy
Defines the requirements for third-party organizations to access the organization’s networks.
Extranet policy
Establishes criteria for classifying and securing the organization’s information in a manner appropriate to its level of security.
Information sensitivity policy
Outlines standards for minimal security configuration for routers and switches.
Router security policy
Creates standards for minimal security configuration for servers.
Server security policy
Establishes requirements for Remote Access IPSec Virtual Private Network (VPN) connections to the organization’s network.
VPN security policy
Defines standards for wireless systems used to connect to the organization’s networks.
Wireless communication policy
What policy is considered to be the most important information security policy?
Acceptable Use Policy (AUP)
Which policy is also called a PII (personally identifiable information) policy?
Privacy Policy
A policy that addresses security as it relates to human resources.
Security-Related Human Resource Policy
A statement used in a security policy that states any investigation into suspicious employee conduct will examine all material facts.
Due diligence
A policy that addresses how passwords are created and managed.
Password Management and Complexity Policy
A policy that addresses the disposal of resources that are considered confidential.
Disposal and Destruction Policy
A person’s fundamental beliefs and principles used to define what is good, right, and just.
Values
List the 3 classifications of values.
1- moral (fairness, truth, justice, love)
2- pragmatic (efficiency, thrift, health, patience)
3- aesthetic (attractive, soft, cold)
Values that are attributed to a system of beliefs that help the individual distinguish right from wrong.
Morals
The study of what a group of people understand to be good and right behavior and how people make those judgements.
Ethics
A written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making.
Ethics Policy
Name 3 awareness and training topics.
1- compliance
2- secure user practices
3- awareness of threats
Active Internet connections that download a specific file that is available through a tracker.
BitTorrent
The collective pieces of a file downloaded from a BitTorrent.
Swarm
Which learning style do information technology professionals tend to fall into?
Kinesthetic
A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES.
Advanced Encryption Standard (AES)
Procedures based on a mathematical formula; used to encrypt data.
Algorithm
Encryption that uses two mathematically related keys.
Asymmetric Cryptographic Algorithm
A cipher that manipulates an entire block of plaintext at one time.
Block Cipher
A block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits.
Blowfish
Data that has been encrypted.
Ciphertext
Unencrypted data.
Cleartext
The science of transforming information into a secure form while it is being transmitted or stored so that unauthorized persons cannot access it.
Cryptography
A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.
Data Encryption Standard (DES)
The process of changing ciphertext into plaintext.
Decryption
An electronic verification of the sender.
Digital Signature
An algorithm that uses elliptic curves instead of prime numbers to compute keys.
Elliptic Curve Cryptography (ECC)
The process of changing plaintext to ciphertext.
Encryption
Free and open-source software that is commonly used to encrypt and decrypt e-mail messages.
GNU Privacy Guard (GPG)
A secure cryptographic processor.
Hardware Security Module (HSM)
The unique digital fingerprint created by a hashing algorithm.
Hash
A variation of a hash that encrypts the hash with a shared secret key before transmitting it.
Hashed Message Authentication Code (HMAC)
The process for creating a unique digital fingerprint signature for a set of data.
Hashing
A mathematical value entered into the algorithm to produce ciphertext.
Key
A common hash algorithm of several different versions.
Message Digest (MD)
A revision of MD4 that is designed to address its weaknesses.
Message Digest 5 (MD5)
The process of proving that a user performed an action.
Nonrepudiation
A password hash for Microsoft Windows systems that is no longer recommended for use.
NTLM (New Technology LAN Manager) Hash
An updated version of NTLM that uses HMAC with MD5.
NTLMv2 (New Technology LAN Manager Version 2) Hash
Using a unique truly random key to create ciphertext.
One-Time Pad (OTP)
Data input into an encryption algorithm.
Plaintext
A commercial product that is commonly used to encrypt e-mail messages.
Pretty Good Privacy (PGP)
An asymmetric encryption key that does have to be protected.
Private Key
Cryptographic algorithms that use a single key to encrypt and decrypt a message.
Private Key Cryptography
An asymmetric encryption key that does not have to be protected.
Public Key
Encryption that uses two mathematically related keys.
Public Key Cryptography
A form of asymmetric cryptography that attempts to use the unusual and unique behavior of microscopic objects to enable users to securely develop and share keys.
Quantum Cryptography
A hash algorithm that uses two different and independent parallel chains of computation and then combines the result at the end of the process.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
An RC stream cipher that will accept keys up to 128 bits in length.
RC4
A family of cipher algorithms designed by Ron Rivest.
Rivest Cipher (RC)
An asymmetric algorithm published in 1977 and patented by MIT in 1983.
RSA
A secure hash algorithm that creates hash values of longer lengths than Message Digest (MD) algorithms.
Secure Hash Algorithm (SHA)
Hiding the existence of data within a text, audio, image, or video file.
Steganography
An algorithm that takes one character and replaces it with one character.
Stream Cipher
Encryption that uses a single key to encrypt and decrypt a message.
Symmetric Cryptographic Algorithm