Cards from Book Flashcards
What are some examples of detective access controls?
Security guards, supervising users, incident investigations, and intrusion detection systems
What are some examples of physical access controls?
Guards, fences, motion detectors, locked doors, sealed windows, lights, backups, cable protection, laptop locks, swipe cards, dogs, CCTV, mantraps, and alarms
What are the three commonly recognized authentication factors?
Something you know, something you have, and something you are
What is a cognitive password?
A series of questions about facts or predefined responses that only the subject should know (for example, what is your birth date? What is your mother’s maiden name?)
Name at least eight biometric factors.
Fingerprints, face scans, iris scans, retina scans, palm topography, palm geography, heart/pulse pattern, voice pattern, signature dynamics, keystroke patterns
What are the issues related to user acceptance of biometric enrollment and throughput rate?
Enrollment times longer than 2 minutes are unacceptable; subjects will typically accept a throughput rate of about 6 seconds or faster.
What access control technique employs security labels?
Mandatory access controls. Subjects are labeled as to their level of clearance. Objects are labeled as to their level of classification or sensitivity.
The Bell–LaPadula, Biba, and Clark–Wilson access control models were all designed to protect a single aspect of security. Name the corresponding aspect for each model.
Bell–LaPadula protects confidentiality; Biba and Clark–Wilson protect integrity.
Name the three types of subjects and their roles in a security environment.
The user accesses objects on a system to perform a work task, the owner is liable for protection of data, the data custodian is assigned to classify and protect data.
Explain why the separation of duties and responsibilities is a common security practice.
It prevents any single subject from being able to circumvent or disable security mechanisms.
What is the principle of least privilege?
Subjects should be granted only the amount of access to objects that is required to accomplish their assigned work tasks.
Name the four key principles upon which access control relies.
Identification, authentication, authorization, accountability
How are domains related to decentralized access control?
A domain is a realm of trust that shares a common security policy. This is a form of decentralized access control.
Why is monitoring an important part of a security policy?
Monitoring is used to watch for security policy violations and to detect unauthorized or abnormal activities.
What are the functions of an intrusion detection system (IDS)?
An IDS automates the inspection of audit logs and real-time system events, detects intrusion attempts, and watches for violations of confidentiality, integrity, and availability.
What are the pros and cons of a host-based IDS?
It can pinpoint resources compromised by a malicious user. It can’t detect network-only attacks or attacks on other systems, has difficulty detecting DoS attacks, and can be detected by intruders.
What are the pros and cons of a network-based IDS?
It can monitor a large network and can be hardened against attack. It may be unable to handle large data flows, doesn’t work well on switched networks, and can’t pinpoint compromised resources.
What are the differences between knowledge-based and behavior-based detection methods used by IDS?
Knowledge-based uses a signature database and tries to match monitored events to that database. Behavior-based learns about the normal activities on your system through watching and learning.
What is a honeynet, and what is it used for?
Honeynets are fake networks used to lure intruders in order to create sufficient audit trails for tracking them down and prosecuting. Honeynets contain no real or sensitive data.
How does penetration testing improve your system’s security?
Penetration testing is a good way to accurately judge the security mechanisms deployed by an organization.
What is a denial-of-service attack?
An attack that prevents the system from receiving, processing, or responding to legitimate traffic or requests for resources and objects
What is a spoofing attack?
The attacker pretends to be someone or something other than whom or what they are. They can spoof identities, IP addresses, email addresses, and phone numbers. They often replace the valid source and/or destination IP address and node numbers with false ones.
What are countermeasures to spoofing attacks?
Countermeasures to spoofing attacks include patching the OS and software, enabling source/destination verification on routers, and employing an IDS to detect and block attacks.
What is a man-in-the-middle attack?
An attack in which a malicious user is positioned between the two endpoints of a communication’s link
What is a replay or playback attack?
A malicious user records the traffic between a client and a server and then retransmits them to the server with slight variations of the timestamp and source IP address. It is similar to hijacking.
What is a sniffer attack?
Any activity that results in a malicious user obtaining information about a network or the traffic over that network. Data is captured using a sniffer or protocol analyzer.
What is a spamming attack?
Directing floods of messages to a victim’s email inbox or other messaging system. Such attacks cause DoS issues by filling up storage space and preventing legitimate messages from being delivered.
What are some countermeasures to common attack methods?
Patching software, reconfiguring security, employing firewalls, updating filters, using IDSs/IPSs, improving security policy, using traffic filters, improving physical access control, using system monitoring/auditing
Name the seven layers of the OSI model by their layer name and layer number.
Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), and Physical (1)
List the security features offered by the Network layer of the OSI model.
The Network layer (Layer 3) offers confidentiality, authentication, and integrity.
What is the maximum throughput rate and maximum usable distance for 10Base2 cable?
10Base2 cable has a throughput of 10 Mbps and can be run up to distances of 185 meters.
Name the common network topologies.
Ring, bus, star, and mesh
What are the four layers of the TCP/IP protocols, and how do they relate to the OSI model layers?
The four layers of TCP/IP are Application (layers 5–7 of OSI), Transport (layer 4 of OSI), Internet (layer 3 of OSI), and Link (layers 1 and 2 of OSI).
What are the five generation types of firewalls?
Static packet filtering, application-level gateway, stateful inspection, dynamic packet filtering, and kernel proxy
Name at least five networking device types other than firewalls.
Routers, switches, hubs, repeaters, bridges, gateways, proxies
What is a proxy, and what is it used for?
Any system that performs a function or requests a service on behalf of another system. Proxies are most often used to provide clients with Internet access while protecting their identity.
Name at least 10 network and protocol security mechanisms.
IPSec, SKIP, SWIPE, SSL, S/MIME, SET, PEM, PGP, PPP, SLIP, PPTP, L2TP, CHAP, PAP, RADIUS, TACACS, S-RPC
Name at least six protocol services used to connect to LAN and WAN communication technologies.
Frame Relay, SMDS, X.25, ATM, HSSI, SDLC, HDLC, ISDN
How are PVC, SVC, DTE, and DCE used in a Frame Relay network?
Frame Relay requires the use of a DTE and a DCE at each connection point. PVC is always available; SVC is established using the best paths currently available.
What are three remote access authentication mechanisms?
RADIUS, DIAMETER, and TACACS
What is tunneling, and why is it used?
A process that protects the contents of packets by encapsulating them in another protocol. This creates the logical illusion of a communications tunnel through an untrusted intermediary network.
What is a VPN?
A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an intermediary network.
What are the four primary VPN protocols?
PPTP, L2F, L2TP, and IPSec (Note: SSL is a valid VPN protocol as well, but it’s not necessarily recognized on the exam as such.)
What are the two modes available through IPSec, and what do they do?
In transport mode, the IP packet data is encrypted, but the header is not. In tunnel mode, the entire IP packet is encrypted, and a new header is added to govern transmission through the tunnel.
What is NAT?
Network Address Translation (NAT) allows the private IP addresses defined in RFC 1918 to be used in a private network while still being able to communicate with the Internet.
What is transparency?
A characteristic of a service, security control, or access mechanism that ensures it is unseen by users
What are some important aspects to consider when designing email security?
Nonrepudiation, access control, message integrity, source authentication, verified delivery, acceptable use policies, privacy, management, and backup and retention policies
What is the most serious threat of email?
Email is the most common delivery mechanism for viruses, worms, Trojan horses, documents with destructive macros, and other malicious code.
What are possible mechanisms for adding security to email?
S/MIME, MOSS, PEM, and PGP
What are elements of effective user training against social-engineering attacks?
Always err on the side of caution whenever communications are odd or unexpected. Always request proof of identity. Classify information for voice communications. Never change passwords over the phone.
What are the most common threats against communication systems?
Denial of service, eavesdropping, impersonation, replay, and modification
What are some countermeasures to eavesdropping?
Maintaining physical access security, using encryption, employing one-time authentication methods
What is an ARP attack?
The modification of ARP mappings. When ARP mappings are falsified, packets are not sent to their proper destination. ARP mappings can be attacked through spoofing. Spoofing provides false MAC addresses for requested IP addressed systems to redirect traffic to alternate destinations.
What is privacy?
Prevention of unauthorized intrusion, knowledge that information deemed personal or confidential won’t be shared with unauthorized entities, freedom from being observed without consent
What are the requirements for accountability?
Identification, authentication, authorization, and auditing
What is nonrepudiation?
Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
What is layering?
Layering is the use of multiple controls in a series. The use of a multilayered solution allows for numerous controls to be brought to bear against whatever threats come to pass.
How is abstraction used?
Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions.
What is data hiding?
Data hiding is preventing data from being known by a subject. Keeping a database from being accessed by unauthorized visitors is a form of data hiding.
What is change control or change management?
A mechanism used to systematically manage change. Typically, it involves extensive logging, auditing, and monitoring of activities related to security controls and security solutions.
What are the goals of change management?
Implementation of changes in an orderly manner, formalized testing, ability to reverse changes, ability to inform users of changes, systematical analysis of changes, minimization of negative impact of changes
What is data classification?
Data classification is the primary means by which data is protected based on categories of secrecy, sensitivity, or confidentiality.
What criteria are used to classify data?
Usefulness, timeliness, value or cost, maturity or age, lifetime or expiration period, disclosure damage assessment, modification damage assessment, national security implications, storage
What is the government/military data classification scheme?
Top secret, secret, confidential, sensitive but unclassified, unclassified
What is the commercial business/private sector classification scheme?
Confidential, private, sensitive, public
Name at least seven security management concepts and principles.
CIA Triad, confidentiality, integrity, availability, privacy, identification, authentication, authorization, auditing, accountability, and nonrepudiation
What are the elements of a termination procedure policy?
Have at least one witness; escort terminated employee off the premises immediately; collect identification, access, or security devices; perform exit interview; disable network account
What is the function of the data owner security role?
The data owner is responsible for classifying information for protection within the security solution.
What is the data custodian security role?
The data custodian is assigned the tasks of implementing the prescribed protection defined by the security policy and upper management.
What is the function of the auditor security role?
The auditor is responsible for testing and verifying that the security policy is properly implemented and the derived security solutions are adequate.
What should the documents that make up a formalized security structure include?
Policies, standards, baselines, guidelines, and procedures
What is generally involved in the processes of risk management?
Analyzing an environment for risks, evaluating each risk as to its likelihood and damage, assessing the cost of countermeasures, and creating a cost/benefit report to present to upper management
What should be considered when establishing the value of an asset?
Cost of purchase, development, maintenance, acquisition, and protection; value to owners/users/competitors; equity value; market valuation; liability of asset loss; and usefulness
Name at least five possible threats that should be evaluated when performing a risk analysis.
Viruses; buffer overflows; coding errors; user errors; intruders (physical and logical); natural disasters; equipment failure; misuse of data, resources, or services; loss of data; physical theft, denial of service
What is single loss expectancy, and how is it calculated?
The cost associated with a single realized risk against a specific asset. SLE = asset value (AV) * exposure factor (EF). The SLE is expressed in a dollar value.
What is annualized loss expectancy, and how is it calculated?
The possible yearly cost of all instances of a specific realized threat against a specific asset. ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
What are the basics distinctions between qualitative and quantitative risk analysis?
Quantitative risk analysis assigns real dollar figures to the loss of an asset. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset.
What are the four possible responses by upper/senior management to risk?
Reduce/mitigate, assign/transfer, accept, or reject/deny
What is residual risk?
Once countermeasures are implemented, the risk that remains is known as residual risk. Residual risk is the risk that management has chosen to accept rather than mitigate.
What is total risk?
The amount of risk an organization would face if no safeguards were implemented. A formula for total risk is threats * vulnerabilities * asset value = total risk.
What is the controls gap?
The difference between total risk and residual risk. The controls gap is the amount of risk that is reduced by implementing safeguards.
What are the three learning levels of security?
Awareness, training, and education
What are the three types of plans employed in security management planning?
A strategic plan is a long-term plan that is fairly stable. The tactical plan is a midterm plan that provides more details. Operational plans are short term and highly detailed.
How many primary keys may each database table have?
One
What type of malicious code spreads through the sharing of infected media?
Viruses
What term is used to describe intelligent code objects that perform actions on behalf of a user?
Agent
What term is used to describe code sent by a server to a client for execution on the client machine?
Applet
What language by Sun Microsystems is often used for applet programming and development?
Java
What type of database key enforces relationships between tables?
Foreign key
What security principle ensures that multiple records are created in a database table for viewing at different security levels?
Polyinstantiation
What process evaluates the technical and nontechnical security features of an IT system?
Certification and accreditation
What type of accreditation evaluates the systems and applications at a specific, self-contained location?
Site accreditation
In which phase of the Software Capability Maturity Model do you often find hardworking people charging ahead in a disorganized fashion?
Initial
In which layer of the ring protection scheme do user applications reside?
Layer 3
What system mode requires that the system process only one classification level at a time and all system users have clearance and need to know that information?
Dedicated security mode
What is another term for the master boot record?
Boot sector
What type of virus embeds itself in application documents?
Macro virus
What can antivirus programs do when they encounter a virus infection?
Delete the file, disinfect the file, or quarantine the file.
What type of virus modifies itself each time it infects a new system in an attempt to avoid detection?
Polymorphic virus
What type of malicious code launches itself when certain conditions (such as a specific date) are met?
Logic bomb
What were the mechanisms of action used by Robert T. Morris’s Internet Worm of 1988?
The worm exploited vulnerabilities in the Sendmail debug mode and finger daemon, launched password attacks, and exploited trust relationships between systems.
Where are passwords stored in a UNIX system?
In the /etc/passwd or /etc/shadow file
What term is used to describe hackers rooting through trash looking for useful information?
Dumpster diving
What is the cornerstone of computer security?
Education
What are the three phases of the three-way handshake used by TCP/IP?
SYN, SYN/ACK, ACK
How does the teardrop attack operate?
It sends overlapping packet fragments to the victim machine.
What is the term used to describe a secret method used by a programmer to gain access to the system?
Trap door (or back door)
When is the XOR function true?
When only one of the input bits is true
What term describes a mathematical function that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values?
One-way function
True or false? All ciphers are meant to obscure the meaning of a message.
True
True or false? All codes are meant to obscure the meaning of a message.
False
What occurs when a change in the plain text results in multiple changes spread throughout the cipher text?
Diffusion
What is the code name of the project in which the National Security Agency successfully broke a Soviet one-time pad system in the 1940s?
VENONA
What type of cipher is the Caesar cipher?
Simple substitution
True or false? Modern cryptosystems rely on the secrecy of the encryption algorithm.
False
What is the length of the key used by the standard DES algorithm?
56 bits
How many rounds of encryption does DES utilize?
16
True or false? The IDEA algorithm is available free for noncommercial use.
True
What encryption algorithm was selected for the Advanced Encryption Standard (AES)?
Rijndael
What is the Diffie-Hellman algorithm is most commonly used for?
Key exchange
True or false? The Hashed Message Authentication Code provides nonrepudiation.
False
What are the three encryption algorithms supported by the Digital Signature Standard?
DSA, RSA, and ECDSA
What ITU standard describes the contents of a digital certificate?
X.509
What is the process by which you are issued a digital certificate?
Enrollment
Who issues digital certificates?
Certificate authorities (CAs)
True or false? PEM provides protection against replay attacks.
False
What protocol uses the RSA encryption algorithm to provide encrypted mail support for a number of common commercial email packages?
S/MIME
True or false? S-HTTP secures individual messages between a client and a server.
True
What cryptographic methods are used by the Secure Electronic Transaction (SET) protocol?
RSA public key cryptography and DES private key cryptography in connection with digital certificates
What are the four components of IPSec?
Authentication Header (AH), Encapsulating Security Payload (ESP), IP Payload Compression protocol (IPComp), and Internet Key Exchange (IKE)
What type of cryptographic attack is used against algorithms that don’t incorporate temporal protections?
Replay attack
What are some common reasons a certificate might need to be revoked?
The certificate was compromised, the certificate was erroneously issued, the certificate details changed, and there was a change of security association.
What type of cryptography relies on the use of public and private keys?
Asymmetric
What technology allows multiple users to make use of the same process without interfering with each other?
Multithreading
What are some of the terms used to describe the CPU mode that gives access to the full range of supported instructions?
System mode, privileged mode, supervisory mode, and kernel mode
What is the greatest security risk to RAM modules?
Theft
What addressing scheme supplies the CPU with the actual address of the memory location to be accessed?
Direct addressing
Magnetic/optical media devices are classified as what type of memory?
Secondary
Memory devices designed to retain their data when power is removed are known as .
nonvolatile
What two ways can storage devices be accessed?
Randomly and sequentially
What is the greatest security risk to computer monitors?
TEMPEST technology
What is another term often used for firmware?
Microcode
Where are the operating system–independent primitive instructions that a computer needs to start and load the operating system stored?
BIOS
What concept ensures that data existing at one level of security is not visible to processes running at different security levels?
Data hiding
What are the important factors in personnel management?
Hiring practices, ongoing job performance reviews, and termination procedures
What security mechanisms are countermeasures to collusion?
Job rotation, separation of duties, mandatory vacations, workstation change
Why is antivirus protection important?
Viruses are the most common form of security breach in the IT world. Any communications pathway can and is being exploited as a delivery mechanism for a virus or other malicious code.
What is need to know?
Need to know is the requirement to have access to, knowledge of, or possession of data or a resource in order to perform specific work tasks.
What principle states that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks?
Principle of least privilege
What are due care and due diligence?
Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort.
How are security and illegal activities related?
A secure environment should provide mechanisms to prevent the committal of illegal activities, which are actions that violate a legal restriction, regulation, or requirement.
With what level of security precautions should backup media be treated?
Backup media should be handled with the same security precautions as any other asset with the same data classification.
What are the goals of managing backup media?
Preventing disclosure, destruction, or alteration of data.
What are the processes that can be applied to used media in order to prepare the media for reuse in various environments?
Erasing, clearing, and overwriting media that will be used in the same classification environments; purging, sanitizing, and degaussing if media is used in different classification environments
What are the classifications of security control types?
Preventive, deterrent, detective, corrective, recovery, compensation, directive
What is the purpose of auditing?
To ensure compliance with security policy and to detect abnormalities, unauthorized occurrences, or outright crimes
What types of activities are labeled as auditing?
Recording of event/occurrence data, examination of data, data reduction, use of event/occurrence alarm triggers, log analysis, logging, monitoring, using alerts, intrusion detection
What is the purpose of compliance testing?
To ensure that all of the necessary and required elements of a security solution are properly deployed and functioning as expected
How are audit trails used?
To reconstruct an event, to extract information about an incident, to prove or disprove culpability
What types of activities can be used as penetration tests?
War dialing, sniffing, eavesdropping, radiation monitoring, dumpster diving, social engineering, port scanning, ping scanning
What are some ways to keep inappropriate content to a minimum?
Address the issue in the security policy, perform awareness training, use content filtering tools to filter source or word content.
Why is it important to protect against resource waste?
If the storage space, computing power, or networking bandwidth capacity is consumed by inappropriate or non-work-related (non-profit-producing) data, the organization loses money.
Why is it important to protect against privilege abuse?
It can cause the disclosure of sensitive information, violating the principle of confidentiality.
What countermeasures are moderately effective against errors and omissions?
Input validators and user training
How can you protect data against fraud and theft?
The use of access controls (auditing and monitoring, for example) reduce fraud and theft.
What are some safeguards against sabotage?
Intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and compensating and recognizing employees for excellence
Why isn’t there an effective direct countermeasure against the threat of malicious hackers or crackers?
Most safeguards and countermeasures protect against one specific threat or another, but it is not possible to protect against all possible threats that a cracker represents.
What is malicious code?
Malicious code is any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.
True or false? Senior management should be included in the BCP process from the beginning.
True
What resource is in greatest demand during the BCP testing, training, and maintenance process?
Manpower
What type of decision making is mainly concerned with metrics such as dollar values and downtime?
Quantitative
What Business Impact Analysis/Assessment variable is used to describe the longest period of time a resource can be unavailable without causing irreparable harm to the business?
Maximum tolerable downtime (MTD)
What is the formula for computing single loss expectancy?
SLE = AV * EF [Single Loss Expectancy = Asset Value * Exposure Factor]
What is the formula for computing annualized loss expectancy?
ALE = SLE * ARO [Annualized Loss Expectancy = Single Loss Expectancy * Annual Rate of Occurrence]
What are some of the qualitative factors that must be taken into account when assessing the cost of a disaster?
Loss of goodwill among client base, loss of employees after prolonged downtime, social/ethical responsibilities to the community, and negative publicity
What is the first thing you should do when a disaster strikes?
Ensure that people are safe
What are the two possible responses to a risk?
Acceptance and mitigation
Provide two examples of devices that might be used to harden a system.
Computer-safe fire suppression systems and uninterruptible power supplies
What is the goal of business continuity planning (BCP)?
To ensure the continuous operation of a business in the face of an emergency situation
What are some of the elements that should be included in emergency response guidelines?
Immediate response procedures, notification procedures, and secondary response procedures
What are the five steps of the business impact assessment process?
Identification of priorities, risk identification, likelihood assessment, impact assessment, and resource prioritization
What process brings order to the chaotic events surrounding the interruption of an organization’s normal activities by an emergency?
Disaster recovery planning (DRP)
Name some common natural disasters.
Earthquakes, floods, storms, tornadoes, and fires
What organization sponsors the National Flood Insurance Program and is a good source of historical flood information?
Federal Emergency Management Agency (FEMA)
What disaster recovery system is often highly dependent on the public water supply?
Fire suppression system
What type of disaster recovery separates recovery sites by business teams?
Workgroup recovery
What are the three major options for alternative processing sites?
Hot sites, warm sites, and cold sites
What type of recovery site is particularly suited to workgroup recovery options?
Mobile site
True or false? Organizations participating in a mutual assistance agreement are typically located in the same geographic region.
True
True or false? There is an accepted standards document defining the requirements for an electronic vaulting solution.
False
What is the most common document type used for emergency response plans?
Checklists
What are the three major types of filesystem backups?
Full backups, incremental backups, and differential backups
What can be used to protect a company against the failure of a developer to provide adequate support?
Software escrow agreements
It is sometimes useful to separate disaster tasks from disaster tasks.
recovery, restoration (in either order)
True or false? In most circumstances, it is illegal for an employer to monitor an employee’s email.
False
If a witness is not able to uniquely identify an object, how else may it be authenticated in court?
By establishing a chain of evidence
What type of evidence is an authenticated computer log?
Documentary evidence
What are the three major evidence admissibility requirements?
Evidence must be relevant, material, and competent.
What law created the category of mission-critical computer systems?
Government Information Security Reform Act
What are the two requirements for acceptance of a trademark application?
The trademark must not be confusingly similar to another trademark, and it must not be descriptive.
What are the three requirements for acceptance of a patent application?
The invention must be new, useful, and nonobvious.
How long does trade secret protection last?
Indefinitely
What type of license agreements are written on the outside of software packaging and require no action from the user other than opening the package?
Shrink-wrap
What amendment to the U.S. Constitution forms the basis for privacy rights?
Fourth Amendment
What law requires that websites provide parents with the opportunity to review any information collected from their children?
Children’s Online Privacy Protection Act
What law grants privacy rights to students enrolled in educational institutions that accept government funding?
Family Educational Rights and Privacy Act
Which type of computer crime attacks an organization’s computer system to extract confidential information?
Business attack
Which type of computer crime would likely be timed to occur simultaneously with a physical attack to reduce the ability to effectively respond to the physical attack?
Terrorist attack
What term refers to any hardware, software, or data that can be used to prove the identity and actions of an attacker?
Evidence
What term describes any violation or threatened violation of a security policy?
Incident
Which type of incident generally does not cause direct damage to the victim?
Scanning. The purpose of a scanning attack is to collect information. The real damage to the system occurs in later attacks.
How do you protect your system from a malicious code incident?
Make sure your security policy restricts the introduction of untested files to your computer system. Have a good scanner with an up-to-date signature database. Frequently scan all files.
Which two types of incidents are the easiest to stop by dynamically altering filtering rules?
Scanning and denial of service. They can both potentially be stopped by filtering out the offending packets.
What must you do to make sure evidence is kept viable for use in a trial?
You must ensure that the evidence has not changed, and you must be able to validate its integrity.
Where should you begin looking to find information about an incident that occurred in the recent past?
The first place to look is in the system and network log files.
If an incident has occurred that has violated no laws or regulations, how do you determine whether to report it?
The incident reporting guidelines should be in your security policy.
Is adherence to the (ISC)2 Code of Ethics recommended, mandatory, or optional for CISSPs?
Adherence to the (ISC)2 Code of Ethics is mandatory, and acceptance of the Code of Ethics is a condition of certification.
What is the leading reason many incidents are not reported?
Because they are not recognized as incidents
What are the three main types of physical security controls?
Administrative physical security controls, technical physical security controls, physical controls for physical security
What is the primary purpose of lighting as a physical security device?
To discourage casual intruders, trespassers, prowlers, and would-be thieves
What are the benefits of security guards?
They are able to adapt and react to any condition or situation, are able to learn and recognize attack patterns, can adjust to a changing environment, and are able to make decisions and judgment calls.
What are the disadvantages of security guards?
Not all environments support them; prescreening, bonding, and training is not always effective; they are expensive, subject to illness, take vacations, and are vulnerable to social engineering.
What are the benefits and disadvantages of guard dogs?
They can be deployed as a perimeter security control and as detection and deterrent agents, they are costly and require high maintenance, and their use involves insurance and liability issues.
What are the 11 electrical terms and definitions you should be aware of?
Fault, blackout, sag, brownout, spike, surge, inrush, noise, transient, clean, ground
What are the types of noise or interference and their sources?
Common mode noise is generated by the difference in power between the hot and ground wires. Traverse mode noise is generated by the difference in power between the hot and neutral wires.
What are the typical HVAC requirements for a computer room?
A computer room should be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius). Humidity in a computer room should be maintained at between 40 and 60 percent.
What type of damage occurs when static electricity discharges exceed 40 volts?
Destruction of sensitive circuits
What is a Type C fire extinguisher used for, and what is it made of?
A Type C fire extinguisher is for use on electrical devices and uses CO2 or Halon.
What are the four types of water-based fire suppression systems?
Wet pipe system, dry pipe system, deluge system, preaction system
What are the alternatives for Halon?
FM-200 (HFC-227ea), CEA-410 or CEA 308, NAF-S-III (HCFC Blend A), FE-13 (HCFC-23), Aragon (IG55) or Argonite (IG01), Inergen (IG541), and low-pressure water mists
Which security vulnerability conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner?
Covert timing channel
What is a separate object that is associated with a resource and describes its security attributes?
Security token
In the Clark–Wilson security model, what is a procedure that scans data items and confirms their integrity?
Integrity verification procedure (IVP)
In the Biba integrity model, what is the Simple Integrity Axiom, which states that a subject cannot read an object of a lower integrity, also called?
No read down
Which organization developed the Bell–LaPadula security model?
The U.S. Department of Defense
What is the collection of TCB components that work together to implement the reference monitor functions?
Security kernel
What does ITSEC call the system that is being evaluated?
The target of evaluation (TOE)
What TCSEC category is reserved for systems that have been evaluated but do not meet the requirements of any other category?
Category D (minimal protection)
Which IPSec protocol provides integrity, authentication, and nonrepudiation to the secure message exchange?
Authentication Header (AH)
Which type of controls considers static attributes of the subject and the object to determine the permissibility of an access?
Mandatory access controls
What term is used to refer to the user or process that makes a request to access a resource?
Subject
What is the imaginary boundary that separates the TCB from the rest of the system?
Security perimeter
What term describes the technical evaluation of each part of a computer system to assess its concordance with security standards?
Certification
What is the difference between analog and digital signals?
Analog communications occur with a continuous signal that varies in frequency, amplitude, and so on. Digital communications occur through the use of a state change of on-off pulses.
What is the difference between synchronous and asynchronous communications?
Synchronous communications rely upon a timing or clocking mechanism. Asynchronous communications rely on a stop and start delimiter bit to manage transmission of data.
What is the difference between baseband and broadband communications?
Baseband technology uses a direct current to support a single communication channel. Broadband technology uses frequency modulation to support multiple simultaneous signals.
Describe broadcast, multicast, and unicast communications.
A broadcast supports communications to all possible recipients. A multicast supports communications to multiple specific recipients. A unicast supports only a single communication to one recipient.
What is the difference between packet switching and circuit switching?
In circuit switching, a dedicated physical pathway is created between the two parties. Packet switching occurs when the message is broken up into segments and sent across the intermediary network.
What are the characteristics of PPP?
The Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links. PPP supports CHAP and PAP for authentication.
What are the characteristics of SLIP?
Serial Line Internet Protocol (SLIP) offers no authentication, supports only half-duplex communications, has no error detection capabilities, and requires manual link establishment and teardown.
What is CORBA?
Common Object Request Broker Architecture (CORBA) is an international standard (sanctioned by the International Organization for Standardization) for distributed computing.
What’s the most desirable default setting for access control?
Denial. When access is not specifically granted, it should be denied by default. This is also known as implicit deny.
What type of approach to security is considered better than a fortress mentality approach?
Defense in depth, multiple layers of security, concentric circles of security
What form of password attack consists first of a dictionary attack and then a brute-force attack based on the dictionary list?
A hybrid attack. Sometimes called a one-upped password attack.
What is the most acceptable form of biometrics to end users?
Iris scans
What is the most unacceptable form of biometric control to end users?
Retina scans
What is the stored sample of a biometric factor called?
A reference profile or a reference template
With what other forms of single sign-on can Kerberos be combined?
Any or all of them, including SESAME, KryptoKnight, NetSP, thin clients, directory services, and scripted access
How is the ticket-granting ticket used by Kerberos generated?
The user’s password is hashed, and a timestamp is added.
What is a centralized database of resources available to the network?
A directory service
What are examples of rule-based access control?
MAC, RBAC, TBAC
What form of access control can combine levels of security domains with compartments of additional control and isolation?
MAC (specifically, a hybrid MAC environment)
What form of access control is best suited to those organizations with a high rate of employee turnover?
RBAC
When an intrusion is detected, what should be the first response?
Contain or constrain the intrusion.
Once an intrusion has occurred, what is the most secure process for restoring the environment?
Format and reinstall from scratch.
What form of IDS is easier for an intruder to discover and disable?
Host-based IDS
What feature of network infrastructure is also usable as a countermeasure against rogue IDS and sniffers?
Switches
What network device works primarily at the Application layer?
Gateway
What are the most common causes of network failure?
Cable failures and misconfigurations
What type of cabling must be used to comply with building code safety requirements?
Plenum-rated cable
How many sockets does TCP have?
65, 536 (2^16) sockets (aka ports), numbered from 0 to 65,535
What is the IP header protocol field value for TCP? UDP? ICMP? IGMP?
6, 17, 1, 2
What protocol is used by ping, pathping, and traceroute?
ICMP
What is the APIPA range?
169.254.0.1 to 169.254.255.254 along with the default Class B subnet mask of 255.255.0.0
What port is used by IMAP?
143
What port is used by DHCP?
Port 68 for client request broadcast and port 67 for server point-to-point response
Network devices at what layer and above separate collision domains?
Layer 2
Network devices at what layer and above separate broadcast domains?
Layer 3
Which VPN protocol supports multiple simultaneous connections?
IPSec
What is the primary weakness of satellite communications?
Large terrestrial footprint
What makes the usable throughput of ISDN less than the stated bandwidth?
The D channel is used only for call management, not data.
What type of system is a common target of attackers who want to disseminate email spam?
Open relay SMTP servers
What is the primary method to improve fax security?
Disable automatic printing of received faxes.
What is the form of new system deployment testing called when the new system and the old system are run simultaneously?
Parallel run
When an asset no longer needs or warrants a high security sensitivity label, what should occur?
Declassification
What is the name of the security management approach in which senior management calls the shots?
Top-down approach
What is the cost/benefit analysis equation for countermeasures?
(ALE before safeguard – ALE after implementing the safeguard) – annual cost of safeguard = value of the safeguard to the company
What type of relationships can be established with relational databases? With hierarchical databases? With distributed databases?
One-to-one, one-to-many, and many-to-many
What are the six basic SQL commands?
Select, Update, Delete, Insert, Grant, and Revoke
What is a placeholder for SQL literal values such as numbers or character strings?
Bind variable
What database security feature uses locking to prevent simultaneous write access to cells?
Concurrency
What database security feature can be used to subvert aggregation, inferencing, and contamination vulnerabilities?
Database partitioning
What feature of databases allows two or more rows in the same table to appear to have identical primary key elements but contain different data for use at differing classification levels?
Polyinstantiation
What acts as an interface between back-end database systems and user applications?
ODBC
What attack collects numerous low-level security items or low-value items and combines them together to create something of a higher security level or value?
Aggregation
What is more secure than a data warehouse and designed to store metadata?
Data mart
What type of application analyzes business data and presents it in such a way to make business decisions easier for users?
Decision support system
What security problem cannot be prevented or compensated for by environmental controls or hardware devices?
Bad coding
What is a valid security response when an application violates OS-imposed security, such as interfering with other processes or accessing hardware directly?
Stopping the environment, a STOP error, a BSOD
What is it called when programmers decompile vendor code in order to understand the intricate details of its functionality?
Reverse engineering
What is the communications to or input of an object?
Message
What is the internal code that defines the actions an object performs in response to a message?
Method
What are the results or output exhibited by an object based upon processing a message through a method?
Behavior
What is the collection of the common methods from a set of objects that is used to define the behavior of those objects?
Class
What is it called when an object is an example of a class because the object contains a method from that class?
Instance
What characteristic describes an object that exhibits different behaviors based upon the same message and methods because of variances in external conditions?
Polymorphism
Highly objects are not as dependent on other objects.
cohesive
Lower provides better software design because objects are more independent.
coupling
What is a type of bar chart that shows the interrelationships over time between projects and schedules?
Gantt chart
What is a project-scheduling tool that is used to judge the size of a software product in development and calculate the standard deviation for risk assessment?
Program Evaluation Review Technique (PERT)
What form of testing examines the internal logical structures of a program?
White-box testing
What form of testing examines the input and output of a program without focusing on the internal logical structures?
Black-box testing
What form of testing examines the extent of the system testing in order to locate untested program logic?
Test data method
Which form of antivirus response not only removes the virus from the system but also repairs any related damage?
Cleaning
What is the name of the assumption that all algorithms should be public but all keys should remain private?
Kerchoff principle
What is the range of valid values of keys for an algorithm called?
Key space
What defines the hardware and software requirements of cryptographic modules in use by the federal government?
Federal Information Processing Standards (FIPS-140)
What acts as a placeholder variable in mathematical functions and is used in random number generation?
Nonce
What is a random bit string (a nonce) that is the same length as the block size that is XORed with the message and adds strength to cryptography systems?
Initialization vector (IV)
What is the most significant bit in a string?
The leftmost bit
What is it called when a plain-text message generates identical cipher-text messages using the same algorithm but different keys?
Clustering or key clustering
What is a concept of communication whereby a specific type of information is exchanged but no real data is exchanged?
Zero-knowledge proof
What is the basic idea that the information or privilege required to perform an operation is divided among multiple users (it is an application of separation of duties)?
Split knowledge
What is an example of split knowledge employed to protect key escrow?
M of N Control
What is a way of measuring the strength of a cryptography system by measuring the effort in terms of cost and/or time?
Work function or work factor
What is an example of a polyalphabetic substitution cipher?
Vigenère cipher
What attack is often successful against substitution ciphers?
Frequency analysis
What attack is often successful against polyalphabetic substitution ciphers?
Period analysis
What form of encryption is used to protect communications that occur in real time?
Stream ciphers
What form of encryption can provide secure communications between two parties when they have no prior method of communicating securely?
Asymmetric cryptography
What modes of DES employ an IV?
CBC, CFB, OFB
What are the valid key sizes for RC5?
0 to 2,048 bits
If a message is signed and encrypted, what security services are you providing?
Confidentiality, integrity, authenticity/access control, and nonrepudiation
Who has the responsibility to ensure that communications are secured?
The sender
What protocol is used to provide cryptographically secure wireless network access?
Wireless Application Protocol (WAP)
What is the standard that wireless networking technology is based on?
802.11
What cryptographic attack attempts to find a weakness in the algorithm?
Analytic attack
What cryptographic attack attempts to find a weakness in the software code?
Implementation attack
What cryptographic attack attempts to exploit weaknesses in the computer hardware or operating system?
Statistical attack
A system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.
trusted
is simply defined as the degree of confidence in satisfaction of security needs.
Assurance
What are the security requests of a client called under Common Criteria?
Protection profile
What are the security features of a designed system called under Common Criteria?
Security target
What method of verifying or establishing a trusted label of system security requires a DAA?
Accreditation
What is the name of the accreditation process of the Department of Defense?
Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
What are the three forms of accreditation offered by National Information Assurance Certification and Accreditation Process (NIACAP)?
Site, type, system
What is often added to passwords under Linux to make their resultant hash even more secure?
Salts
When a disaster strikes but your ability to perform work tasks is only threatened, not actually interrupted, what response should be used?
BCP
What is always your top priority when dealing with a disaster of any type or significance?
Safety of personnel
What feature of insurance can improve your ability to replace lost or damaged assets?
Actual Cost Value (ACV)
What is the most common cause of unplanned downtime?
Hardware failures
What are some examples of alternate processing facilities that should be considered when designing a DRP?
Hot, warm, and cold sites; mobile sites; service bureaus; multiple sites; and reciprocal agreements
What forms of backup always set the archive bit to 0?
Full and incremental
What backup media is appropriate for personal backups but not for network backups?
Writable CDs and DVDs
What form of backup, when used to restore data, will always result in some amount of data loss?
Periodic backups
What law requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order regardless of the technology in use?
Communications Assistance for Law Enforcement Act (CALEA) of 1994
What law extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage?
Economic and Protection of Proprietary Information Act of 1996
controls are your first line of defense, while are your last line of defense.
Physical, people
What is the functional order of controls when deployed for physical security?
Deterrence, then denial, then detection, then delay
What type of lock consists of three elements: an electromagnet, a credential reader, and a door-closed sensor?
Electronic access control (EAC)
Reviewing the recorded images from CCTV is what type of security control?
Detective
What is the primary difference between memory cards and smart cards?
Processing capability
At what stage of a fire is a flame visible?
Stage 3: Flame
What is the most common cause of fires in a data center?
Overloaded electrical distribution outlets
Where should fire detectors be placed?
In dropped ceilings, raised floors, server rooms, private offices and public areas, HVAC vents, elevator shafts, the basement, and so on
What is the most common cause of failure of a water-based suppression system?
Human error
Name one or more examples of vector routing protocol.
RIP, IGRP, BGP
Name an example of a link state routing protocol.
OSPF
At what layer does SSL and TLS function?
Transport layer (OSI layer 4)
Name at least four technologies commonly called wireless.
802.11 networking, Bluetooth (802.15), mobile phones, and cordless phones
What are the three unlicensed frequencies (at least in the United States as designated by the FCC)?
900 MHz, 2.4 GHz, and 5 GHz
Name three wireless frequency access technologies.
FHSS, DSSS, and OFDM
What protocol can be used to enable mobile phone access to Internet resources?
Wireless Application Protocol (WAP)
What is the IEEE standard for Bluetooth?
802.15
What is the IEEE standard for WiMax?
802.16
What is another name for the area of Bluetooth connectivity?
Personal area network (PAN)
What is the primary security feature of Bluetooth pairing?
A four-digit PIN
What two items are required for infrastructure mode wireless networking?
Wireless access points and wireless clients
What mode is used when a wireless network link is established without the use of an access point?
Ad hoc or peer-to-peer
What is the minimum amount of information needed by a wireless client to connect to a network hosted by a wireless access point?
SSID
Name four examples of infrastructure mode wireless networking.
Stand-alone, wired extension, enterprise extended, and bridge
How many wireless networking channels exist on devices in the United States? In Europe? In Japan?
United States: 11, Europe: 13, Japan: 17
What is the native authentication and encryption scheme of 802.11?
Wired Equivalent Privacy (WEP)
Name two alternatives to WEP for 802.11.
WPA and WPA-2 (802.11i)
What two forms of authentication are supported by 802.11?
Open System Authentication (OSA) and Shared Key Authentication (SKA)
What is the minimum length of a TCP header?
20 bytes
How long is a UDP header?
8 bytes
What are the four TCP header flags that are used in virtual circuit setup and teardown?
SYN, ACK, FIN, and RES (or RST)
What two ICMP type field values are employed in a successful ping activity?
8: echo request, 0: echo reply
What is Control Objectives for Information and Related Technology (COBIT)?
A security concept infrastructure used to organize the complex security solution of companies.
What form of testing examines the internal logical structures of a program from a developer’s perspective?
White-box testing
What form of testing examines the input and output of a program without access to the internal logical structures?
Black-box testing
What form of testing examines the input and output of a program with access to the internal logical structures?
Grey-box testing
What kinds of items qualify as access controls?
Any hardware, software, or organizational administrative policy or procedure that maintains confidentiality, integrity, and/or accountability also counts as an access control.
What is the proper term for ensuring that information is accessible only to authorized parties?
Confidentiality
What is the proper term for the assurance that information and security controls used to protect information are accessible and usable when needed?
Availability
What is it called when an authorized party indicates its intention to fulfill some contractual obligation and forgoes its right to dispute that fulfillment after the fact?
Nonrepudiation
Items of information used to establish or prove authorized identities are known as what kind of factors?
Authentication
What kind of access control enforces access policy determined by the owner of the object to which the control applies?
Discretionary access control (DAC)
What kind of access control is determined by the system in which the object resides rather than its owner?
Mandatory access control (MAC)
Which access control scheme requires organizational roles to be defined along with various task requirements and applicable object permissions?
Role-based access control (RBAC)
Which access control scheme requires administrative rules to be defined along with the various conditions under which they apply as well as applicable object permissions?
Rule-based access control
What is the practice of defense in depth called when it involves a multilayered security infrastructure that includes multiple combined individual applications and processes?
Concentric circle strategy
What is the term for exercising reasonable care in protecting organizational assets and interests, including development of a formalized security structure consisting of policies, procedures, and protocols?
Due care
When users are granted only the minimum access necessary to complete some task or process, what principle is involved?
The principle of least privilege
What kinds of processes must be applied when confidential storage media is prepared for reuse in questionably secure environments?
Declassification
What is the name for the demagnetization process used to erase disk drives or tapes to wipe out all previously stored data?
Degaussing
What kind of control does any security tool provide when it’s used to guide the security implementation within an organization?
Directive control
What kind of control does any mechanism, tool, or practice provide if it deters or mitigates undesirable actions or events?
Preventive control
What kind of control should be used to verify the effectiveness of other security controls?
Detective control
What kind of check should be applied to ensure that all necessary elements of a security solution are properly deployed and functioning as expected?
Compliance checking
What do you call a person who is trained in responsible network security methods, who employs a philosophy of nondestructive and nonintrusive penetration testing, but who may also use underground or “black-hat” tools?
Ethical hacker
What is the proper name for a criminal act committed against an organization by a current or former employee who exploits knowledge gained on the job in its perpetration?
Sabotage
What is the proper name for the illegal intent behind obtaining and profiting from sensitive information that belongs to some third party (government, corporation, individual, and so on)?
Espionage
When a person attempts to deceive an insider within an organization to divulge sensitive information or to perform sensitive actions on their behalf, what might this be called?
Social engineering
When a penetration test team is privy to detailed information about organizational assets, including hardware and software inventory, but not to other information (accounts, users, naming conventions, and so on), how might this team be described?
Partial-knowledge team
When a penetration test team is privy only to what it itself can learn about the target organizations for the test, how might this team be described?
Zero-knowledge team (performs black-box testing)
What term identifies the data extraction technique whereby elements of data are extracted from a much larger body of data to construct a meaningful representation of its overall contents?
Sampling
What governs how long records are kept to substantiate system security assessments and support system analysis?
Record retention
What does BCP stand for, and what does it mean?
Business continuity planning (BCP) is the preventive practice of establishing and planning for threats to business flow, including natural and unnatural risk and threats to daily operations.
What does DRP stand for, and what does it mean?
Disaster recovery planning (DRP) is the practice of establishing and executing recovery actions as part of an emergency response following a disaster.
What term describes damage from disruptive and irresistible forces of nature (such as earthquakes, floods, storms, and so on)?
Natural disaster
What term describes damage resulting from arson, human error, acts of terrorism, or power outages and other utility failures?
Man-made disaster
What kind of strategy drives defining practices, policies, and procedures to restore a business to normal operation in the wake of some kind of outage or disaster?
Recovery strategy
What label applies to a partial standby facility for which power and other infrastructure elements are available, but for which no operational computing facilities are supplied in advance of a disaster?
Cold site
What label applies to a standby facility that is ready to take over for a primary facility as soon as notice is received that the primary facility has gone down?
Hot site
What label applies to a site that is already provisioned with hardware and software to take over for a primary facility but that needs to obtain and install a backup or image of client-specific data before going online?
Warm site
How might you describe a site housed in self-contained transportable units with all the control, hardware, and software elements necessary to establish an operational, safe computing environment?
Mobile site
What roles can a service bureau play in disaster recovery?
Service bureaus lease computer time via contractual agreements and can meet an organization’s entire IT needs in the event of disaster or catastrophic failure.
What is critical path analysis?
A systematic effort to identify relationships between mission-critical applications, processes, and operations and all of the necessary supporting elements
Name three examples of administrative physical security controls.
Facility construction and selection, site management, personnel controls, security awareness training, emergency response, and procedures
Name three examples of technical physical security controls.
Access controls; intrusion detection; alarm systems; closed-circuit television (CCTV); monitoring systems; heating, ventilation, and air conditioning (HVAC) systems; power supplies; fire detection and suppression systems
Name at least three physical controls for physical security.
Fencing, lighting, locks, construction materials, mantraps, watchdogs, guards
What term describes the act of gathering information about a system by observing the display or watching an operator at the keyboard?
Shoulder surfing
What term describes the act of using another person’s security ID to gain unauthorized entry into a facility?
Masquerading
When one person follows another though a secured gate or doorway without presenting identification or otherwise being authenticated, what is this entry technique called?
Piggybacking
What kinds of system is designed to detect intrusions, breaches, or attack attempts as they are underway or after the fact?
Intrusion detection system (IDS)
What does UPS stand for, and what does it mean?
An uninterruptible power supply (UPS) is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment.
What does EMI stand for, and what does it mean?
Electromagnetic interference refers to any noise generated by electric current and can affect any means of data transmission or storage that relies on electromagnetic transport mechanisms.
Describe the models of systems development.
The waterfall model is a sequential development process that results in the development of a finished product. Developers may step back only one phase in the process if errors are discovered. The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes. Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.
Describe the purpose of software development maturity models.
Maturity models help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes.
What are the important elements of change and configuration management?
The three basic components of change control are request control, change control, and release control.
What is TEMPEST?
TEMPEST is a standard for the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EMI and RFI radiation from leaving a strictly defined area to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.
What is static software testing?
Static testing evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
What type of software testing is most appropriate when the tester does not have access to the underlying source code?
Dynamic testing
What does malicious code often create on an infected system to allow the developers of the malicious code to remotely access the system at a later time?
Back door
What name is given to the cryptographic concept of making the relationship between the plain text and the key so complex that an attacker can’t use known plain text attacks to determine the key?
Confusion
What type of organizations need to comply with PCI DSS?
Those that store, process, or transmit credit card account information.
What trend makes it especially important to incorporate an assessment of security controls in contracting and procurement reviews?
The increased use of third-party and cloud services
What are the branches of forensic analysis?
Media analysis, network analysis, software analysis, and hardware/embedded device analysis
What is it when a user has more access, privilege, or permission than their assigned work tasks dictate?
Excessive privileges (also known as the violation of least privilege)
What is it called when a user accumulates privileges over time as their job roles and assigned tasks changes but unneeded privileges are not revoked?
Creeping privileges
Which access control scheme requires administrative rules to be defined along with the various conditions under which they apply as well as applicable object permissions?
Rule-based access control
Name at least three physical controls for physical security.
Fencing, lighting, locks, construction materials, mantraps, watchdogs, guards
What term is used to refer to the user or process that makes a request to access a resource?
Subject
What kind of control does any mechanism, tool, or practice provide if it deters or mitigates undesirable actions or events?
Preventive control
What process identifies the actual value of assets so that assets can be prioritized?
Asset valuation
What process identifies and categorizes potential threats?
Threat modeling
What process is used to identify weaknesses?
Vulnerability analysis
When evaluating access control attacks, what are three primary elements that must be identified?
Assets, threats, and vulnerabilities
A group of attackers is sponsored by a government. They are highly motivated, skilled, and patient and focused on a single target. What is this group called?
Advanced Persistent Threat (APT)
What is often added to passwords to make their resultant hash secure and resistant to rainbow attacks?
Salts
What is a nonstatistical sampling method that only records or alerts on events that exceed a threshold?
Clipping levels
What is a group of records from one or more databases or logs that can be used to reconstruct events after an incident?
Audit trail
What is the purpose of an access review and audit?
Checks to ensure that users do not have excessive privileges and that accounts are managed appropriately
What can a user entitlement review detect?
Violation of the principle of least privilege policy, as incidents of excessive privileges or creeping privileges
What types of accounts are focused on during a user entitlement review?
Privileged accounts such as administrator or root user accounts
Who should have access to audit reports?
Only people who have a need to know
What determines how often an audit should be performed?
Risk
What policy requires users to spend at least a week away from their jobs on an annual basis to help prevent fraud?
Mandatory vacations
What method will remove all data with assurances that it cannot be removed using any known methods?
Purging, sanitization, or destruction
What methods can be used to protect mobile devices such as a smart phone?
Encryption, GPS, password-protected screen locks, and remote wipe
What can be used to remove data on a lost smart phone?
Remote wipe
What should be done before disposing of a desktop computer at the end of its lifecycle?
Sanitization
What is the term that identifies data on a disk after the data has supposedly been erased?
Data remanence
What are the steps of a patch management program?
Evaluate, test, apply, and audit patches
What can be used to verify patches have been applied?
Vulnerability scanner
What should be done to verify patches have been applied?
Audit patches, or use a vulnerability scanner to verify patches have been applied
What tool can check for weaknesses in systems?
Vulnerability scanner
What would be completed to check an entire organization for weaknesses?
Vulnerability assessment
What does imaging provide in relation to configuration management?
Baseline
What helps prevent outages that can occur from unauthorized modifications?
Change management
What helps prevent inadvertent weakening of security from unauthorized outages?
Change management
What are the five steps in incident response quoted in the CISSP CIB?
Detection, Response, Reporting, Recovery, and Remediation and Review
In which stage of incident response should a root cause analysis be conducted?
Remediation and Review
While containing an incident, what is the next important consideration?
Protection of evidence
An attack has a negative effect on the confidentiality, integrity, or availability of an organization’s assets. What is this called?
Computer security incident
What is it called when malware is installed on a user’s system after visiting a website?
Drive-by download
What three generic elements can help prevent malware infections?
Education, policies, and tools
An attacker has launched an attack using a vulnerability known only to him. What is this called?
Zero-day exploit
What type of attack disrupts the TCP three-way handshake?
SYN flood attack
What are computers in a botnet commonly called?
Zombies
What is the best protection against a computer joining a botnet?
Up-to-date antivirus software
What type of IDS detects attacks based on known methods?
Knowledge-based (also called signature-based or pattern-matching)
What type of IDS detects attacks based by comparing it to a baseline?
Behavior-based (also called statistical-intrusion detection or anomaly detection)
After a network is upgraded, what must be done with a behavior-based IDS?
Upgrade the baseline
What is required before starting a penetration test?
Knowledge and consent of management
What is often the first step of a penetration test?
Vulnerability test or vulnerability scan
When a penetration test team is privy to detailed information about organizational assets, including hardware and software inventory, but not to other information (accounts, users, naming conventions, and so on), how might this team be described?
Partial-knowledge team (performs gray-box testing)
A penetration testing team has full knowledge about a target. What is this team called?
Full-knowledge team (performs white-box testing)
