401_2 Flashcards
Why are most worms successful?
A prevalence of undefended perimeters
OSs are left in their default configuration and unpatched
One application automatically installing another.
What is the CIA triad?
Confidentiality, Integrity, and Availability
What is Risk?
The probability of a threat crossing or touching a vulnerability
What is the impact of vulnerabilities in the risk calculation?
Vulnerabilities increase the risk; removing or mitigating vulnerabilities reduces it
How does threat affect risk?
Threats drive the risk calculation
What is the key focus of risk?
Confidentiality / Disclosure
Integrity / Alteration
Availability / Destruction
What are the primary threats?
Malware
Insider
Natural Disasters
Terrorism
What is a threat?
Any activity that represents a possible danger to information or operations.
Anything that would negatively impact CIA.
Threats are the agents of risk.
What is the relationship between vulnerabilities and threats?
Vulnerabilities are the gateway by which threats are manifested.
What is a vulnerability?
A weakness in a system or process that could be exploited by a threat
What are the primary vulnerability types?
Software
Electronic
Human
Physical
What are the 4 approaches to Defense-in-Depth?
Uniform protection
Protected enclaves
Information centric
Threat vector analysis
When discussing Defense-in-Depth, how does uniform protection treat all systems?
As equally important
Gives no special consideration or protection to the critical intellectual property of an organization.
To what type of threat is the uniform protection approach to Defense-in-Depth most vulnerable?
Insider
What two things are needed to manage configurations?
A baseline
A way to detect when a change occurs to the baseline
What are the dangers associated with malware?
Destroying Data
Leaking Information
Providing Backdoor Access
What should an effective malware defense strategy incorporate?
- Antivirus software at multiple locations
- up-to-date virus signature files
- A practice of reviewing and installing security patches
- Lock-down of system configuration and dangerous application features
- Blocking file attachments (the #1 way to stop email viruses)
What are the 3 primary defensive techniques incorporated into an antivirus product?
Scanners
Activity monitors
Integrity checkers
What is another word for Activity monitors?
Behavior blockers
List 2 examples of integrity verification software
Tripwire
AIDE
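Both cards above come down to the same mechanism: record a baseline of each file's content hash and attributes, store it somewhere the system cannot silently rewrite, and rescan to find what changed. The script below is an added example written for these notes, not code from Tripwire or AIDE; it builds a baseline, saves it as JSON, then runs a constructed tamper scenario (a weakened sshd_config, a deleted passwd, a dropped script) and reports added, removed and modified paths. Function names, the sample files and their contents are all assumptions made for the demo.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Snapshot every regular file under root: content hash, size and permission bits.
    Symlinks are skipped so an attacker cannot point the checker at a decoy file."""
    baseline: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline: Dict[str, dict], out: Path) -> None:
    """Persist the baseline. In practice keep it read-only, signed, or off-host:
    an attacker with root who can rewrite the baseline defeats the check."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, dict]:
    return json.loads(src.read_text())


def compare_baseline(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, list]:
    """Report which paths were added, removed or changed since the baseline.
    Any difference in hash, size or mode counts as a change."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a fake /etc tree, tamper with it, rescan."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")

        # Baseline lives outside the monitored tree so it is not itself flagged
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated compromise: config weakened, a file deleted, a script dropped
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n# dropped by attacker\n")

        return compare_baseline(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison keys on content hash rather than modification time, because an attacker who can write a file can also reset its mtime; the hash is what makes this an integrity checker rather than a file-listing diff. Running the demo reports etc/backdoor.sh as added, etc/passwd as removed and etc/sshd_config as modified.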
What are some classic locations for antivirus products?
Workstations
File and print servers
Mail servers
Internet gateways
What is a security policy?
It establishes what you must do to protect information stored on computers, and contains enough definition of the “what” that you can identify, measure, or evaluate the “how.”
How does a security policy protect people?
Allows people to take necessary actions without fear of reprisal
Compels the safeguarding of information
Eliminates, or at least reduces, personal liability
How do you sell the need for a security policy to executives and users?
To sell to executives talk about the money
To sell to users talk about how it makes their job easier
Why does an organization need a security policy?
Protects the org, the people, and the info
Establishes what must be done to protect information stored on computers
Protects people who are trying to do the right thing
What does a mission statement have to do with information security?
It allows security workers to be sensitive to the needs of the business
What is the foundation for evaluating policy?
A baseline of the existing documentation
What do policies address?
The who, what, and why
What do procedures address?
The how, where, and when
What is a policy?
A directive that indicates a conscious decision to follow a path towards a specified objective.
What is a standard?
Specifies a certain way something should be done, or a certain brand or type of equipment that must be used.
What is a baseline in relationship to a standard?
A baseline is a more specific implementation of a standard and gets into the technical details of how a system should be configured, e.g., hardening guides.
What are guidelines?
Suggestions to assist users, systems personnel, and others in effectively implementing policies and procedures, i.e., recommendations.
What needs to be included in a policy?
Purpose
Related documents or references
Cancellation or expiration
Background
Scope
Policy statement
Responsibility
Action
How must a policy statement be written?
Clear, concise, and meet SMART objectives
Contain the guiding principles and 5 Ws (who, what, when, where, and why)
With what other policies should the security policy be consistent?
Mission Statement
Program Policy
Issue-Specific
System-Specific
What should be followed when creating a security policy?
State the issue
Identify the players (maintainer, HR, legal, management)
Find all relevant documentation that may exist
Define the policy - including all necessary sections
Identify penalties for non-compliance
Make sure it is enforceable
Submit for review and approval
What is an NDA?
Non-Disclosure Agreement
What three elements must be sent in order to register a copyright with the Library of Congress?
Properly completed application form
Application fee (currently $30)
“Deposit” (sample copy) of the work
What is a Business Continuity Plan (BCP)?
A plan for emergency response, backup operations, and post-disaster recovery maintained as a part of a security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
What is a Disaster Recovery Plan (DRP)?
a plan that covers the tactical recovery of IT systems in the event of a disruption or disaster
Business continuity activities form a _______ over a crisis situation, while disaster recovery activities are a ________ of business continuity activities.
umbrella
subset
Name the six key components of a Business Continuity Plan.
Assess
Evaluate
Prepare
Mitigate
Respond
Recover
What is the primary goal of the Business Impact Analysis?
To determine the maximum allowable (or tolerable) downtime for any given system.
List mistakes that are commonly made in contingency planning.
Lack of BCP testing
Limited scope
Lack of prioritization
Lack of plan updates
Lack of plan ownership
Lack of communication
Lack of security controls
Inadequate evaluation of vendor suppliers
Inadequate insurance (loss of life)
What are the two primary categories of data classification?
Public / Non Classified / Non Confidential
Private / Classified / Confidential
What are the five DoD and federal classification levels?
Top Secret
Secret
Confidential
Sensitive But Unclassified (SBU)
Unclassified
With respect to access control what does acronym IAAA represent?
Identification
Authentication
Authorization
Accountability
Authentication is proving that you are who you say you are and is done in what four ways?
Something you know
Something you have
Something you are
Someplace you are
What are the four principles associated with access control that you should utilize to make sure your security is as robust as it can possibly be?
Least Privilege
Need to Know
Separation of Duties
Rotation of Duties
What are six common types of access control?
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-based Access Control (RBAC)
Ruleset-based Access Control (RSBAC)
List-based Access Control (LBAC)
Token-based Access Control (TBAC)
The process by which user accounts, data, and their relationships are actively maintained is called ________ and consists of what four tasks?
Access Management
Account Administration, Maintenance, Monitoring, and Revocation
What are some common ways of implementing SSO?
Scripts
LDAP or AD
Secure Tokens
Kerberos
By what different names is irreversible encryption known?
One-way encryption
One-way hashing
Hashing
The strength of a hash used for password storage primarily depends on what five factors?
Quality of the algorithm
Key length (hash length)
CPU cycles (cost of computing the hash)
Character set support
Password length
What is password cracking?
The process of trying to guess or determine plaintext passwords, given only the stored hashes (the hash cannot be reversed, so each guess is hashed and compared)
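The two cards above (the factors that make a password hash strong, and what cracking actually is) are easier to see side by side in code. The example below is added for these notes and is not from the original deck: it stores a password two ways, as an unsalted single-round MD5 and as a salted, iterated PBKDF2-HMAC-SHA256 (PBKDF2 is a stand-in the notes do not name; any salted, slow hash makes the same point), then runs the same dictionary attack against both and measures how many guesses per second each scheme allows. The wordlist, the victim password "letmein", the round count and all function names are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional


# Weak scheme: unsalted, single-round MD5 (how many legacy systems stored passwords).
# Same password always gives the same hash, and one guess costs one MD5.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Stronger scheme: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
# The round count is the "CPU cycles" factor: every guess the cracker makes pays it.
DEFAULT_ROUNDS = 200_000  # assumed value for the demo; tune to your hardware


def pbkdf2_store(password: str, rounds: int = DEFAULT_ROUNDS, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


# Password cracking: hash each candidate and compare. Nothing is "decrypted";
# the attacker simply repeats the storage computation until a hash matches.
def crack_md5(target: str, wordlist: Iterable[str]) -> Optional[str]:
    for guess in wordlist:
        if hmac.compare_digest(md5_store(guess), target):
            return guess
    return None


def crack_pbkdf2(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    for guess in wordlist:
        if pbkdf2_verify(guess, stored):
            return guess
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force attacker must cover: character set size ^ length.
    This is where the character-set and password-length factors enter."""
    return charset_size ** length


def guesses_per_second(hash_fn: Callable[[str], str], seconds: float = 0.2) -> float:
    """Rough cracking throughput of one scheme on this machine (single core)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


def demo() -> dict:
    # Constructed wordlist; "letmein" is the victim's password in this scenario
    wordlist = ["123456", "password", "qwerty", "letmein", "Summer2024"]
    md5_hash = md5_store("letmein")
    pbkdf2_hash = pbkdf2_store("letmein")
    return {
        "md5_cracked": crack_md5(md5_hash, wordlist),
        "pbkdf2_cracked": crack_pbkdf2(pbkdf2_hash, wordlist),
        "md5_guesses_per_s": round(guesses_per_second(md5_store)),
        "pbkdf2_guesses_per_s": round(guesses_per_second(pbkdf2_store)),
        "keyspace_lower8": keyspace(26, 8),
        "keyspace_printable8": keyspace(95, 8),
        "keyspace_printable12": keyspace(95, 12),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both hashes of "letmein" fall to the same five-word dictionary, which is the point: a slow, salted hash does not save a weak password, it only multiplies the attacker's cost per guess (compare the two guesses-per-second figures) and, through the salt, stops one precomputed table from cracking every user at once. Hash length matters because a short digest invites collisions; the character set and length matter because they set the keyspace the attacker must search. PBKDF2 is CPU-hard only; for new systems a memory-hard function (scrypt or Argon2) raises the cost of GPU cracking further.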