Chapter 1

Question 1

A response to risk that acknowledges the risk but takes no steps to address it.

Answer 1

accept

Question 2

Security controls for developing and ensuring that policies and procedures are carried out; regulating the human factors of security.

Answer 2

administrative controls

Question 3

A new class of attack that uses innovative attack tools to infect a system and then silently extracts data over a an extended period.

Answer 3

advanced persistent threat (APT)

Question 4

Deficiencies in software due to poor. design

Answer 4

architecture/design weaknesses

Question 5

an item that has value.

Answer 5

asset

Question 6

Characteristic features of different groups of threat actors.

Answer 6

attributes

Question 7

security actions that ensure that data is accessible to authorized users.

Answer 7

availability

Question 8

A response to risk that identifies the risk and the decision is made to not engage in the risk-provoking activity.

Answer 8

avoid

Question 9

Threat actors that launch attack against an opponents’ system to steal classified information.

Answer 9

competitors

Question 10

the highest data label level of sensitivity.

Answer 10

confidentiality

Question 11

having different groups responsible for regulating access to a system.

Answer 11

control diversity

Question 12

the out-of-the-box security config settings

Answer 12

default config

Question 13

Creating multiple layers of security defenses through which an attacker must penetrate; also called layered security.

Answer 13

defense-in-depth

Question 14

system for which vendors have dropped all support for security updates due to the system’s age.

Answer 14

end-of-life system

Question 15

the location outside an enterprise in which some threat actors perform.

Answer 15

external

Question 16

an attribute of threat actors that can vary widely.

Answer 16

funding and resources

Question 17

a group of threat actors that is strongly motivated by ideology

Answer 17

hactivists

Question 18

software that does not properly trap an error condition and provides an attacker with underlying access to the system.

Answer 18

improper error handling

Question 19

software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.

Answer 19

improper input handling

Question 20

account set up for a user that might provide more access than is necessary.

Answer 20

improperly config accounts

Question 21

Frameworks/architectures that are specific to a particular industry or market sector.

Answer 21

industry-specific frameworks

Question 22

“support structures” for implementing security; also called reference architectures

Answer 22

industry-standard frameworks

Question 23

employees, contractors, and business partners who can be responsible for an attack.

Answer 23

insiders

Question 24

security actions that ensure that the information is correct and no unauthorized person or malicious software has altered the data.

Answer 24

integrity

Question 25

the reasoning behind attacks made by threat actors.

Answer 25

intent and motivation

Question 26

the location within an enterprise in which some threat actors perform.

Answer 26

internal

Question 27

information security framework/architectures that are worldwide.

Answer 27

international

Question 28

when a company that made a device provides no support for the device.

Answer 28

lack of vendor support

Question 29

creating multiple layers of security defenses through which an attacker must penetrate; also called defense-in-depth.

Answer 29

layered security

Question 30

an incorrectly configured device.

Answer 30

misconfig

Question 31

addressing risks by making risks less serious.

Answer 31

mitigate

Question 32

state-sponsored attackers employed by a government for launching computer attacks against foes.

Answer 32

nation state actors

Question 33

information security framework/architectures that are domestic.

Answer 33

national

Question 34

a threat that has not been previously identified.

Answer 34

new threat

Question 35

information security frameworks/architectures that are not required.

Answer 35

non-regulatory

Question 36

freely available automated attack software.

Answer 36

open-source intel

Question 37

threat actors that are moving from traditional organized criminal activities to more rewarding and less risky online attacks.

Answer 37

organized crime

Question 38

A software occurrence when two concurrent threads of execution access a shared resources simultaneously, resulting in unintended consequences.

Answer 38

race condition

Question 39

“supporting structures” for implementing security; also called industry-standard frameworks.

Answer 39

reference architectures

Question 40

information security frameworks/architectures that are required by agencies that regulate the industry.

Answer 40

regulatory

Question 41

a situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.

Answer 41

resource exhaustion

Question 42

a situation that involves exposure to danger.

Answer 42

risk

Question 43

different options available when dealing with risks.

Answer 43

risk response techniques

Question 44

individual who lacks advanced knowledge of computers and networks and so uses downloaded automated attack software to attack information systems.

Answer 44

script kiddies

Question 45

threat actors that have developed a high degree of complexity.

Answer 45

sophisticated

Question 46

the widespread proliferation of devices across an enterprise.

Answer 46

system sprawl

Question 47

using technology that is carried out or managed by devices as a basis for controlling the access to and usage of sensitive data.

Answer 47

technical controls

Question 48

a type of action that has the potential to cause harm.

Answer 48

threat

Question 49

a person or element that has the power to carry out a threat.

Answer 49

threat actor

Question 50

a response to risk that allows a third party to assume the responsibility of the risk.

Answer 50

transfer

Question 51

devices that are not formally identified or documented in an enterprise.

Answer 51

undocumented assets

Question 52

users with little or no instruction in making security decisions.

Answer 52

untrained users

Question 53

instructing employees as to the security reasons behind security restrictions.

Answer 53

user training

Question 54

using security products provided by different manufactures.

Answer 54

vendor diversity

Question 55

a flaw or weakness that allows a threat agent to bypass security.

Answer 55

vulnerability

Question 56

a situation in which an attacker manipulates commonplace actions that are routinely performed; also called business process compromise.

Answer 56

vulnerable business processes

Question 57

configuration options that provide limited security choices.

Answer 57

weak config

Question 58

an attack in which there are no days of warning.

Answer 58

zero day