ch 15

Question 1

A situation that involves exposure to some type of danger

Answer 1

Risk

Question 2

To create a level of protection that mitigates the vulnerabilities to the threats and reduces the potential consequences

Answer 2

Managing risk

Question 3

A formal process of examining the seriousness of a potential threat as well as the likelihood that it will be carried out

Answer 3

Threat assessment

Question 4

what classification of threat is the action that affects the long term goal of the organization

Answer 4

strategic

Question 5

what classification of threat is the following (or not following) a regulation or standard

Answer 5

compliance

Question 6

what classification of threat is the action of impact of financial decisions or market factors

Answer 6

financial

Question 7

what classification of threat is the following events that impact the daily business of the organisation

Answer 7

operational

Question 8

what classification of threat is the events that affect information technology systems

Answer 8

technical

Question 9

what classification of threat is the following actions related to the management of the organisation

Answer 9

managerial

Question 10

a network that moves a product from the supplier to the customer
Should be viewed as assets to the enterprise and their threats should be cataloged

Answer 10

Supply chain

Question 11

Involves an automated software vulnerability scan through a system

Answer 11

• Testing

Question 12

Attempts to actually penetrate the system to perform a simulated attack

Answer 12

Intrusive vulnerability scan

Question 13

Uses only available information to hypothesize the status of the vulnerability

Answer 13

Non-intrusive vulnerability scan

Question 14

Designed to exploit any weaknesses in systems that are vulnerable
Penetration testing authorization should be obtained

Answer 14

Penetration test (pentest)

Question 15

Methodology for making modifications and keeping track of changes
Ensures proper documentation of changes so future changes have less chance of creating a vulnerability

Answer 15

Change management

Question 16

Two major types of changes that need proper documentation

Answer 16

Changes to system architecture

Changes to file or document classification

Question 17

(C M T)

Answer 17

Change management team

Question 18

Subject’s access level over an object, such as a file

Answer 18

Privilege

Question 19

Body responsible for overseeing the changes

Answer 19

Change management team (C M T)

Question 20

Process of assigning and revoking privileges to objects

Answer 20

Privilege management

Question 21

Periodically reviewing a subject’s privileges over an object

Objective: determine if subject has the correct privileges

Answer 21

Privilege auditing

Question 22

Components required to identify, analyze, and contain an incident

Answer 22

Incident response

Question 23

Planning, coordination, communications, and planning functions needed to resolve incident

Answer 23

Incident handling

Question 24

The “framework” and functions required to enable incident response and incident handling within an organization

Answer 24

Incident management

Question 25

uses an “educated guess” based on observation

Typically assigns a numeric value (1-10) or label (High, Medium, or Low) that represents the risk

Answer 25

Qualitative risk calculation

Question 26

attempts to create “hard” numbers associated with the risk of an element in a system by using historical data
Can be divided into the likelihood of a risk and the impact of a risk being successful

Answer 26

Quantitative risk calculation

Question 27

(M T B F)

Answer 27

Mean Time Between Failure

Question 28

(M T T R)

Answer 28

Mean Time To Recovery

Question 29

(M T T F)

Answer 29

Mean Time To Failure

Question 30

(F I T)

Answer 30

Failure In Time

Question 31

(A R O)

Answer 31

Annualized Rate of Occurrence

Question 32

Historical data can be used to determine the likelihood of a risk occurring within a year

Answer 32

Annualized Rate of Occurrence (A R O)

Question 33

Comparing the monetary loss associated with an asset in order to determine the amount of money that would be list if the risk occurred

Answer 33

Risk Impact

Question 34

expected monetary loss every time a risk occurs

Answer 34

Single Loss Expectancy (S L E)

Question 35

expected monetary loss that can be expected for an asset due to risk over a one-year period

Answer 35

Annualized Loss Expectancy (A L E)

Question 36

(S L E)

Answer 36

Single Loss Expectancy

Question 37

(A L E)

Answer 37

Annualized Loss Expectancy

Question 38

SLE=AV x EF

Answer 38

Single Loss Expectancy (S L E)

Question 39

ALE=SLE x ARO

Answer 39

Annualized Loss Expectancy (A L E)

Question 40

Any device or process that is used to reduce risk

Answer 40

Security control

Question 41

– processes for developing and ensuring that policies and procedures are carried out

Answer 41

Administrative controls

Question 42

– security controls carried out or managed by devices

Answer 42

Technical controls

Question 43

makes a third party responsible for the risk

Answer 43

Transference

Question 44

• involves identifying the risk and making the decision to not engage in the activity

Answer 44

Risk avoidance

Question 45

the attempt to address the risk by making it less serious

Answer 45

Mitigation

Question 46

Can be defined as that which replaces human physical activity

Answer 46

Automation

Question 47

the ability to continue to function as the size or volume of the enterprise data center expands to meet the growing demands

Answer 47

Scalability

Question 48

– the ability to revert to its former size after expanding

Answer 48

Elasticity

Question 49

– sustained and continual surveillance

Answer 49

Continuous monitoring

Question 50

available to help I T security personnel configure hardware devices and software to repel attacks

Answer 50

Secure configuration guides

Question 51

useful for configuring web servers, O S s, application servers, and network infrastructure devices

Answer 51

Vendor-specific guides

Question 52

Reviewing the configuration of systems to determine if security settings are correct

Answer 52

Configuration validation

Question 53

A copy of a properly configured and secured computer software system that can be replicated to other computers
Eliminates the need for configuring individualized security settings

Answer 53

Master image

Question 54

A type of document in which the standardized content has already been created
The user needs only to enter specialized and variable components
Reduces the amount of data to be entered and helps minimize errors that could introduce a risk

Answer 54

Template

Question 55

used to ensure that unwanted data is not carried forward (clean image is used)

Answer 55

Non-persistence tools

Question 56

what is a “lighweight” bootable image on a USB flash drive or optical media

Answer 56

live boot media

Question 57

what is restoring a device to previous secure condition

Answer 57

revert to unknown state

Question 58

what is undoing recent changes that cause errors or weaken security

Answer 58

rollback to unknown configuration

Question 59

what is an instance (image) of a virtual machine

Answer 59

snapshot

Question 60

Practices for reducing risk:

Answer 60

Security policies
Awareness and training
Agreements
Personnel management

Question 61

Communicates a consensus of judgment
Defines appropriate behavior for users
Identifies what tools and procedures are needed

Answer 61

Definition of a Policy

Question 62

A written document that states how an organization plans to protect the company‘s information technology assets

Answer 62

• Security Policy

Question 63

An overall intention and direction, formally expressed by the organization’s management
Details specific risks and how to address them
Provides controls to direct employee behavior
Helps create a security-aware organizational culture

Answer 63

Security policy functions

Question 64

Three approaches to trust

Answer 64

Trust everyone all of the time
Trust no one at any time
Trust some people some of the time

Question 65

(A U P)

Answer 65

Acceptable Use Policy

Question 66

Policy that defines actions users may perform while accessing systems
Users include employees, vendors, contractors, and visitors
Typically covers all computer use, including mobile devices

Answer 66

Acceptable Use Policy (A U P)

Question 67

grouping individuals and organizations into clusters or groups based on some sort of affiliation

Answer 67

Social media network

Question 68

outlines acceptable employee use of social media be enforced

Answer 68

Social media policy

Question 69

training styles

Answer 69

Visual
Auditory
Kinesthetic

Question 70

Formal contractual relationships as they related to security policy and procedures
Part of the standard operating procedures, or those actions and conduct that are considered normal

Answer 70

Interoperability agreements

Question 71

(S L A)

Answer 71

Service Level Agreement

Question 72

specifies what services will be provided and the responsibilities of each party

Answer 72

Service Level Agreement (S L A)

Question 73

(B P A)

Answer 73

Blanket Purchase Agreement

Question 74

a prearranged purchase or sale agreement between a government agency and a business

Answer 74

Blanket Purchase Agreement (B P A

Question 75

(M O U)

Answer 75

Memorandum of Understanding

Question 76

describes an agreement between two or more parties

Answer 76

Memorandum of Understanding (M O U)

Question 77

(I S A)

Answer 77

Interconnection Security Agreement

Question 78

an agreement that is intended to minimize security risks for data transmitted across a network

Answer 78

Interconnection Security Agreement (I S A)

Question 79

(N D A)

Answer 79

Non-disclosure agreement

Question 80

– a legal contract that specifies how confidential material will be shared between parties but restricted to others

Answer 80

Non-disclosure agreement (N D A)

Question 81

The process of authenticating the information supplied to a potential employer by a job applicant in the applicant’s resume, application, and interviews

Answer 81

background check

Question 82

A “wrap-up” meeting between management representatives and the person leaving an organization either voluntarily or through termination

Answer 82

exit interview