Chapter 5 Flashcards

1
Q
Discuss and describe the CIA Triad.
A

The CIA Triad is the combination of confidentiality, integrity, and availability. This term is used to indicate the three key components of a security solution.

2
Q
What are the requirements to hold a person accountable for the actions of their user account?
A

The requirements of accountability are identification, authentication, authorization, and auditing.

Each of these components needs to be legally supportable to truly hold someone accountable for their actions.

3
Q
Describe the benefits of change control management.
A

The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.

4
Q
What are the seven major steps or phases in the implementation of a classification scheme?
A

(1) Identify the custodian, and define their responsibilities.
(2) Specify the evaluation criteria of how the information will be classified and labeled.
(3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it.
(4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
(5) Select the security controls that will be applied to each classification level to provide the necessary level of protection.
(6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
(7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.

5
Q
Name the six primary security roles as defined by ISC2 for CISSP.
A

The six security roles are senior management, IT/security staff, owner, custodian, operator/user, and auditor.

6
Q
What are the four components of a complete organizational security policy and their basic purpose?
A

The four components of a security policy are policies, standards, guidelines, and procedures.

  • Policies are broad security statements.
  • Standards are definitions of hardware and software security compliance.
  • Guidelines are used when there is not an appropriate procedure.
  • Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.
7
Q
Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter

B. The CIA Triad

C. A stand-alone system

D. The Internet

A

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

8
Q
Vulnerabilities and risks are evaluated based on their threats against which of the following?

A. One or more of the CIA Triad principles

B. Data usefulness

C. Due care

D. Extent of liability

A

A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.

9
Q
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?

A. Identification

B. Availability

C. Encryption

D. Layering

A

B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.

10
Q
Which of the following is not considered a violation of confidentiality?

A. Stealing passwords

B. Eavesdropping

C. Hardware destruction

D. Social engineering

A

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

11
Q
Which of the following is not true?

A. Violations of confidentiality include human error.

B. Violations of confidentiality include management oversight.

C. Violations of confidentiality are limited to direct intentional attacks.

D. Violations of confidentiality can occur when a transmission is not properly encrypted.

A

C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.

12
Q
Confidentiality is dependent upon which of the following?

A. Accountability

B. Availability

C. Nonrepudiation

D. Integrity

A

D. Without integrity, confidentiality cannot be maintained.

13
Q
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can ____________ the data, objects, and resources.

A. Control

B. Audit

C. Access

D. Repudiate

A

C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.

14
Q
Which of the following describes the freedom from being observed, monitored, or examined without consent or knowledge?

A. Integrity

B. Privacy

C. Authentication

D. Accountability

A

B. One definition of privacy is freedom from being observed, monitored, or examined without consent or knowledge.

15
Q
All but which of the following items require awareness for all individuals affected?

A. Restricting personal email

B. Recording phone conversations

C. Gathering information about surfing habits

D. The backup mechanism used to retain email messages

A

D. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

16
Q
What element of data categorization management can override all other forms of access control?

A. Classification

B. Physical access

C. Custodian responsibilities

D. Taking ownership

A

D. Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.

17
Q
What ensures that the subject of an activity or event cannot deny that the event occurred?

A. CIA Triad

B. Abstraction

C. Nonrepudiation

D. Hash totals

A

C. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.

18
Q
Which of the following is the most important and distinctive concept in relation to layered security?

A. Multiple

B. Series

C. Parallel

D. Filter

A

B. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.

19
Q
Which of the following is not considered an example of data hiding?

A. Preventing an authorized reader of an object from deleting that object

B. Keeping a database from being accessed by unauthorized visitors

C. Restricting a subject at a lower classification level from accessing data at a higher classification level

D. Preventing an application from accessing hardware directly

A

A. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.

20
Q
What is the primary goal of change management?

A. Maintaining documentation

B. Keeping users informed of changes

C. Allowing rollback of failed changes

D. Preventing security compromises

A

D. The prevention of security compromises is the primary goal of change management.

21
Q
What is the primary objective of data classification schemes?

A. To control access to objects for authorized subjects

B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

C. To establish a transaction trail for auditing accountability

D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

A

B. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

22
Q
Which of the following is typically not a characteristic considered when classifying data?

A. Value

B. Size of object

C. Useful lifetime

D. National security implications

A

B. Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.

23
Q
What are the two common data classification schemes?

A. Military and private sector

B. Personal and government

C. Private sector and unrestricted sector

D. Classified and unclassified

A

A. Military (or government) and private sector (or commercial business) are the two common data classification schemes.

24
Q
Which of the following is the lowest military data classification for classified data?

A. Sensitive

B. Secret

C. Sensitive but unclassified

D. Private

A

B. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.

25
Q
Which commercial business/private sector data classification is used to control information about individuals within an organization?

A. Confidential

B. Private

C. Sensitive

D. Proprietary

A

B. The commercial business/private sector data classification of private is used to protect information about individuals.

26
Q
Data classifications are used to focus security controls over all but which of the following?

A. Storage

B. Processing

C. Layering

D. Transfer

A

C. Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.

27
Q

What is the top-down management approach?

A

Top-down approach:

  • Senior management is responsible for initiating and defining policies.
  • Policies provide direction for the lower levels of the organization’s hierarchy.
  • Middle management is responsible for fleshing out the security policy into standards, baselines, guidelines, and procedures.
  • Operational managers or security professionals must then implement the configurations prescribed in the security management documentation.
  • Finally, the end users must comply with all the security policies.

28
Q

What are due care and due diligence?

A

Due care: using reasonable care to protect the interests of an organization.

Due diligence: practicing the activities that maintain the due care effort.

29
Q

What is nonrepudiation?

A

Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. Nonrepudiation prevents a subject from claiming:

  • not to have sent a message
  • not to have performed an action
  • not to have been the cause of an event

It is made possible through identity, authentication, authorization, accountability, and auditing.

30
Q

A security policy is…

A

A security policy is a document that:

  • defines the scope of security needed by the organization
  • discusses the assets that need protection and the extent to which security solutions should go in order to provide necessary protection
  • outlines the security goals and practices that should be employed to protect the organization’s vital interests
  • defines roles, responsibilities, and compliance requirements
  • defines acceptable risk levels

31
Q

Standards define…

A

Standards define mandatory requirements for the homogeneous use of hardware, software, technology, and security controls.

32
Q

Baselines define…

A

A baseline defines a minimum level of security that every system throughout the organization must meet.

33
Q

Guidelines offer…

A

Guidelines offer recommendations on how standards and baselines can be implemented.

34
Q

A Procedure is…

A

A procedure is a detailed, step-by-step document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.

35
Q

Data classification is…

A

Data classification is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.