Exam 1 (Material from Chapters 1 - 4)

Question 1

Internet vs World Wide Web

Answer 1

The World Wide Web is a specific subset of the Internet.

Question 2

A _____ is the level of exposure to some event that has an effect on an asset

Answer 2

risk

Question 3

Definition of a vulnerability

Answer 3

A weakness that allows a threat to be realized or to have an effect on an asset

Question 4

Definition of a threat

Answer 4

Any action, either natural or human induced, that could damage an asset

Question 5

_____ are hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations.

Answer 5

Information systems

Question 6

What is the collection of activities that protect the information system and the data stored in it?

Answer 6

Information systems security

Question 7

What are some of the things we are securing?

Answer 7

Privacy of individuals
Corporate intellectual property
Online B2C and B2B transactions
Government intellectual property

(More examples on slide 11 from CH01 slides)

Question 8

What is confidentiality?

Answer 8

Only authorized users can view information

Question 9

What is integrity?

Answer 9

Only authorized users can change information

Question 10

What is availability?

Answer 10

Information is accessible by authorized users whenever they request the information

Question 11

Confidential information includes?

Answer 11

• Private data of individuals
• Intellectual property of businesses
• National security for countries and governments

Question 12

What is cryptography?

Answer 12

Practice of hiding data and keeping it away from unauthorized users

Question 13

What is encryption?

Answer 13

The process of transforming data from cleartext into ciphertext

Question 14

What is ciphertext?

Answer 14

The scrambled data that results from encrypting cleartext

Question 15

Availability Time Measurements

Answer 15

Uptime
Downtime
Availability [A = (Total Uptime)/(Total Uptime + Total Downtime)]
Mean time to failure (MTTF)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
Recovery point objective (RPO)
Recovery time objective (RTO)

Question 16

What are the seven domains of a typical IT infrastructure?

Answer 16

• User Domain
• Workstation Domain
• LAN Domain
• LAN-to-WAN Domain
• WAN Domain
• Remote Access Domain
• System/Application Domain

Question 17

Common Threats in the User Domain

Answer 17

• Unauthorized access
• Lack of user awareness
• User apathy toward policies
• Security policy violations
• User inserting CD/DVD/USB with personal files
• User downloading photos, music, or videos
• User destroying systems, applications, and data
• Disgruntled employee attacking organization or committing sabotage
• Employee romance gone bad
• Employee blackmail or extortion

Question 18

Common Threats in the Workstation Domain

Answer 18

• Unauthorized workstation access
• Unauthorized access to systems, applications, and data
• Desktop or laptop operating system and software vulnerabilities
• Desktop or laptop application software vulnerabilities and patches
• Viruses, malicious code, and other malware
• User inserting CD/DVD/USB with personal files
• User downloading photos, music, or videos
• Security risk due to user violation of acceptable use policy (AUP)
• Bring Your Own Device (BYOD)

Question 19

Common Threats in the LAN Domain

Answer 19

• Unauthorized access to LAN
• Unauthorized access to systems, applications, and data
• LAN server operating system software vulnerabilities
• LAN server application software vulnerabilities and software patch updates
• Unauthorized access by rogue users on wireless LANs (WLANs)
• Compromised confidentiality of data on WLANs
• LAN servers with different hardware, operating systems, and software make them difficult to manage and troubleshoot

Question 20

Common Threats in the LAN-to-WAN Domain

Answer 20

• Unauthorized network probing and port scanning
• Unauthorized access through the LAN-to-WAN Domain
• Denial of service (DoS)/distributed denial of service (DDoS) attacks
• IP router, firewall, and network appliance operating system vulnerability
• IP router, firewall, and network appliance configuration file errors or weaknesses
• Remote user download of sensitive data
• Download of unknown file type attachments from unknown sources
• Unknown email attachments and embedded URL links received by local users
• Lost productivity due to local users surfing the web

Question 21

Common Threats in the WAN Domain (Internet)

Answer 21

• Open, public, and accessible data
• Most Internet traffic sent as cleartext
• Vulnerable to eavesdropping
• Vulnerable to malicious attacks
• Vulnerable to DoS and DDoS attacks, TCP synchronize (SYN) flooding, and IP spoofing attacks
• Vulnerable to corruption of information/data
• Insecure Transmission Control Protocol/Internet Protocol (TCP/IP) applications
• Hackers, attackers, and perpetrators email Trojans, worms, and malicious software

Question 22

Common Threats in the WAN Domain (Connectivity)

Answer 22

• Commingling of WAN IP traffic on the same service provider router and infrastructure
• Maintaining high WAN service availability
• Maximizing WAN performance and throughput
• Using Simple Network Management Protocol (SNMP) applications and protocols maliciously (ICMP, Telnet, SNMP, DNS, etc.)
• SNMP alarms and security monitoring 24/7/365

Question 23

Common Threats in the Remote Access Domain

Answer 23

• Brute-force user ID and password attacks
• Multiple logon retries and access control attacks
• Unauthorized remote access to IT systems, applications, and data
• Private or confidential data compromised remotely
• Data leakage in violation of data classification standards
• A mobile worker’s laptop is stolen
• Mobile worker token or other authentication stolen

Question 24

Common Threats in the System/Application Domain

Answer 24

• Unauthorized access to data centers, computer rooms, and wiring closets
• Downtime of servers to perform maintenance
• Server operating systems software vulnerability
• Insecure cloud computing virtual environments by default
• Susceptibility of client-server and web applications
• Unauthorized access to systems
• Data breach where private data is compromised
• Corrupt or lost data
• Loss of backed-up data as backup media are reused
• Recovery of critical business functions potentially too time consuming to be useful
• Downtime of IT systems for an extended period after a disaster

Question 25

What is the weakest link in security?

Answer 25

Humans

Question 26

What are some strategies for reducing risk?

Answer 26

• Check background of job candidates carefully
• Evaluate staff regularly
• Rotate access to sensitive systems, applications, and data among staff positions
• Test applications and software and review for quality
• Regularly review security plans
• Perform annual security control audits

Question 27

Who defined a policy regarding acceptable use of Internet geared toward U.S. citizens

Answer 27

U.S. government and Internet Architecture Board (IAB)

Question 28

A _____ is a short written statement that defines a course of action that applies to entire organization

Answer 28

policy

Question 29

A ____ is a detailed written definition of how software and hardware are to be used

Answer 29

standard

Question 30

___ are written instructions for how to use policies and standards.

Answer 30

Procedures

Question 31

A ______ is a suggested course of action for using policy, standard, or procedure

Answer 31

guideline

Question 32

Data Classification Standards

Answer 32

• Private data
  — Data about people that must be kept private
• Confidential
  — Information or data owned by the organization
• Internal use only
  — Information or data shared internally by an organization
• Public domain data
  — Information or data shared with the public

Question 33

U.S. federal government data classification standards:

Answer 33

• Top secret
  — Applies to information that the classifying authority finds would cause grave damage to national security if it were disclosed
• Secret
  — Applies to information that the classifying authority finds would cause serious damage to national security if it were disclosed
• Confidential
  — Applies to information that the classifying authority finds would cause damage to national security

Question 34

____ activities should align with the organization’s strategic goals

Answer 34

Risk Management

Question 35

T/F: Risks can be positive or negative

Answer 35

True

Question 36

What is a common pitfall when building a risk management plan?

Answer 36

Limiting the scope of the risk identification process to just inside the organization. Organizations sometimes forget to consider vendors or supply chain.

Question 37

Risk = ______ x _________

Answer 37

Risk = Threat x Vulnerability

Question 38

A ___ is an opportunity to exploit a vulnerability.

Answer 38

Threat

Question 39

An exploited vulnerability results in an ___.

Answer 39

Impact

Question 40

A ____ is a description of how you will manage risk.

Answer 40

Risk methodology

Question 41

What is a risk register?

Answer 41

A list of identified risk

Question 42

The process of identifying, assessing, prioritizing, and addressing risks is apart of what?

Answer 42

Risk Management

Question 43

This is an analysis of an organization’s functions and activities that classifies them as critical or noncritical

Answer 43

Business impact analysis

Question 44

This identifies the impact to the business if one or more IT functions fails and identifies the priority of different critical systems

Answer 44

Business impact analysis

Question 45

What are the BIA Recovery Goals and Requirements?

Answer 45

Recovery point objective (RPO)
Recovery time objective (RTO)
Business recovery requirements
Technical recovery requirements

Question 46

This is the target state of recovered data that allows an organization to continue normal processing; the maximum amount of data loss that is acceptable

Answer 46

Recovery Point Objective (RPO)

Question 47

What is the maximum allowable time in which to recover the function

Answer 47

Recovery Time Objective (RTO)

Question 48

This identifies any other business functions that must already be in place for the specified recovery function to occur and help in determining the recovery sequence

Answer 48

Business recovery requirements

Question 49

This defines technical prerequisites that are needed to support each critical business function

Answer 49

Technical recovery requirements

Question 50

This is a written plan for a structured response to any events that result in an interruption to critical business activities or functions

Answer 50

Business continuity plan (BCP)

Question 51

What are the order of priorities for a business continuity plan?

Answer 51

Order of priorities:
Safety and well-being of people
Continuity of critical business functions and operations
Continuity of components within the seven domains of an IT infrastructure

Question 52

What are the elements of a complete BCP?

Answer 52

• Statement defining the policy, standards, procedures, and guidelines for deployment
• Project team members with defined roles, responsibilities, and accountabilities
• Emergency response procedures and protection of life, safety, and infrastructure
• Situation and damage assessment
• Resource salvage and recovery
• Alternate facilities or triage for short- or long-term emergency mode of operations and business recovery

Question 53

This directs the actions necessary to recover resources after a disaster

Answer 53

Disaster Recovery Plan (DRP)

Question 54

This extends and supports the BCP by identifying events that could cause damage to resources that are necessary to support critical business functions

Answer 54

Disaster Recovery Plan (DRP)

Question 55

Explain a hot site, warm site, cold site, and mobile site.

Answer 55

Hot site
– Has environmental utilities, hardware, software, and data like original data center

Warm site
– Has environmental utilities and basic computer hardware

Cold site
– Has basic environmental utilities but no infrastructure components

Mobile site
– Trailer with necessary environmental utilities that can operate as warm or cold site

Question 56

What are the 5 DRP tests?

Answer 56

Checklist test
Structured walk-through
Simulation test
Parallel test
Full-interruption test

Question 57

The difference between the security controls in place and controls you need to address vulnerabilities

Answer 57

Security gap

Question 58

The comparison of the security controls in place and the controls you need to address all identified threats

Answer 58

Gap analysis

Question 59

What are the steps for conducting gap analysis?

Answer 59

• Identify the applicable elements of the security policy and other standards
• Assemble policy, standard, procedure, and guideline documents
• Review and assess the implementation of the policies, standards, procedures, and guidelines
• Collect inventory information for all hardware and software components
• Interview users to assess knowledge of and compliance with policies
• Compare the current security environment to policies in place
• Prioritize identified gaps for resolution
• Document and implement the remedies to conform to policies

Question 60

Name the compliance laws

Answer 60

• Family Education Rights and Privacy Act (FERPA)
• Federal Financial Institutions Examination Council (FFIEC)
• Children’s Online Privacy Protection Act of 1998 (COPPA)
• Gramm-Leach-Bliley Act (GLBA)
• Government Information Security Reform Act (Security Reform Act) of 2000
• The USA PATRIOT Act of 2001
• Federal Information Security Management Act (FISMA)
• Sarbanes-Oxley Act (SOX)
• California Security Breach Information Act (SB 1386) of 2003
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Information Security Modernization Act (FISMA)
• European Union General Data Protection Regulation (GDPR) of 2016
• Payment Card Industry Data Security Standard (PCI DSS)
• California Consumer Privacy Act (CCPA) of 2018

Question 61

T/F: Cannot undo a confidentiality violation

Answer 61

True

Question 62

Give examples of how to keep data confidential.

Answer 62

Authentication controls:
– Passwords and PINs
– Smart cards and tokens
– Biometric devices
– Digital certificates
– Challenge-response handshakes
– Kerberos authentication
– One-time passwords

Authorization controls:
– Authentication server rules and permissions
– Access control lists
– Intrusion detection and prevention
– Physical access control
– Connection and access policy filters
– Network traffic filters

Question 63

What are some BYOD Concerns?

Answer 63

Data ownership
Support ownership
Patch management
Antivirus management
Forensics
Privacy
Acceptable use policy
Onboard camera/video
Onboarding/ offboarding
Adherence to corporate policies
User acceptance
Architecture/ infrastructure considerations
Legal concerns

Question 64

What are the risk management key principles?

Answer 64

• Do not spend more to protect an asset than it is worth.
• Every countermeasure requires resources to implement and therefore should be aligned with a specific risk.

Question 65

Definition: The likelihood that something bad will happen to an asset

Answer 65

risk

Question 66

Something bad that might happen to an organization is a what?

Answer 66

Threat

Question 67

Any exposure that could allow a threat to be realized is a what?

Answer 67

Vulnerability

Question 68

The amount of risk or harm caused by a threat or vulnerability that is exploited by a perpetrator is the definition of what?

Answer 68

Impact

Question 69

A measurable occurrence that has an impact on the business is a ____?

Answer 69

Event

Question 70

Any event that violates or threatens to violate your security policy is a ____.

Answer 70

Incident

Question 71

___ includes both safeguards and countermeasures.

Answer 71

Control

Question 72

____ address gaps or weaknesses in controls that could lead to a realized threat.

Answer 72

Safeguards

Question 73

Counters or addresses a specific threat is the definition of what?

Answer 73

Countermeasure

Question 74

Component parts of risk:

Answer 74

• Assets
• Vulnerabilities
• Threats

Question 75

Perform ___ to identify new or changed risks over time

Answer 75

risk assessments

Question 76

More than a quarter of all reported attacks are by _______

Answer 76

insiders

Question 77

The impact of insider attacks is proportionately _____ than attacks by outsiders

Answer 77

worse

Question 78

T/F: Risk can be reduced to zero

Answer 78

False. Risk can never be reduced to zero.

Question 79

_____ focuses on planning to anticipate and respond to risk without interrupting the most critical business functionality

Answer 79

Contingency planning

Question 80

Explain the risk management process.

Answer 80

• Identify risks
• Assess and prioritize risks
• Plan risk response
• Implement Risk Responses
• Monitor and Control Risk Responses

Question 81

How do you identify risks?

Answer 81

• Brainstorming
• Surveys
• Interviews
• Working groups
• Checklists
• Historical information

Question 82

What are the risk register components?

Answer 82

• A description of the risk
• The expected impact if the associated event occurs
• The probability of the event’s occurring
• Steps to mitigate the risk
• Steps to take should the event occur
• Rank of the risk

Question 83

______ assessments are where the cost or value of the identified risk and its financial impact are examined

Answer 83

Quantitative risk

Question 84

This attempts to describe risk in financial terms and put a dollar value on each risk

Answer 84

Quantitative risk assessment

Question 85

______ risk assessments are examined by assigning a rating for each identified risk

Answer 85

Qualitative

Question 86

_____ assessments ranks risks based on their probability of occurrence and impact on business operations

Answer 86

Qualitative risk

Question 87

Quantitative assessments are hard or soft data?

Answer 87

hard

Question 88

Qualitative assessments are hard or soft data?

Answer 88

soft

Question 89

What is the formula for single loss expectancy(SLE)?

Answer 89

SLE = Asset Value * Exposure Factor

Question 90

What is the formula for annualized rate of occurrence (ARO)?

Answer 90

ARO = Number of incidents per year

Question 91

What is the formula for annualized loss expectancy (ALE)?

Answer 91

ALE = Single loss expectancy(SLE) * annualized rate of occurrence (ARO)

Question 92

In Qualitative Risk Analysis you judge risk on two scales. What are these two scales?

Answer 92

• Probability or likelihood
• Impact

Question 93

What are some examples of negative risks?

Answer 93

Reduce (reduction/mitigation)
Transfer (transference/assignment)
Accept (acceptance)
Avoid (avoidance)

Question 94

What are some examples of positive risks?

Answer 94

Exploit (exploitation)
Share (sharing)
Enhance (enhancement)
Accept (acceptance)

Question 95

______ = Total Risk - Mitigating controls

Answer 95

Residual Risk

Question 96

_____ manage the activity phase of security—the things people do

Answer 96

Administrative controls

Question 97

___ controls correspond to the life cycle of a security program

Answer 97

Activity phase

Question 98

T/F: Countermeasures might pose new risk to the organization

Answer 98

True

Question 99

Protecting ______ is a top-of-mind consideration for any organization

Answer 99

intellectual property

Question 100

The central asset of many organizations are:

Answer 100

Patents
Drug formulas
Engineering plans
Sales and marketing plans
Scientific formulas
Recipes

Question 101

____ assets are among highest-profile assets in any organization

Answer 101

Financial

Question 102

Loss of ___ assets due to malicious attacks is a worst-case scenario for all organizations

Answer 102

financial

Question 103

_____ can have long-term effects on a company’s reputation and brand image

Answer 103

Finances and Financial Data breaches

Question 104

_____ must be available for use when organizations need them

Answer 104

critical services

Question 105

____ is the time during which a service is not available due to failure or maintenance

Answer 105

downtime

Question 106

____ is the result of technical failure, human error, or attack

Answer 106

Unintentional downtime

Question 107

___ is the amount of money a company loses due to either intentional or unintentional downtime

Answer 107

Opportunity cost

Question 108

T/F: Companies that suffer from security breaches and malicious attacks that expose assets are likely to face serious negative consequences in the public eye even if the company’s response were swift and solved the problem effectively

Answer 108

True

Question 109

____ hackers try to break IT security and gain access to systems with no authorization to prove technical prowess or potentially steal sensitive data

Answer 109

Black-hat

Question 110

____ hackers are information systems security professionals who have authorization to identify vulnerabilities and perform penetration testing

Answer 110

White-hat

Question 111

White-hat hackers are also known as what?

Answer 111

ethical hackers

Question 112

____ hackers are with average abilities who may one day become black-hat hackers but could also choose to become white-hat hackers

Answer 112

Gray-hat

Question 113

____ transfers software companies’ risk to its end users from having vulnerable software and being held liable for a software vulnerability

Answer 113

End-User Licensing Agreement (EULA)

Question 114

Hackers continuously look for known software ____ as a means to find an exploitable weakness

Answer 114

vulnerabilities

Question 115

____ is the gap in time between the announcement of a vulnerability and the application of a patch

Answer 115

Vulnerability window

Question 116

____ is a vulnerability window of zero days because there is no patch yet for a known software vulnerability

Answer 116

Zero day

Question 117

What are the three threat types listed in the slides?

Answer 117

Disclosure threats
Alteration threats
Denial or destruction threats

Question 118

What are the four categories of attacks?

Answer 118

Fabrications
Interceptions
Interruptions
Modifications

Question 119

What Are Common Attack Vectors?

Answer 119

Attacks on availability
Attacks on people
Attacks on IT assets

Question 120

Focus on _____ and implement security controls that can help mitigate the risk caused by threats and vulnerabilities

Answer 120

countermeasures

Question 121

Best strategy for countermeasures is to identify _____ and reduce them to avoid attacks

Answer 121

vulnerabilities

Question 122

What are two ways that people like to communicate?

Answer 122

Real-time communications
– Occurs instantaneously

Store-and-forward communications
– Acceptable delay in transmitting communication

Question 123

IoT Applications That Impact Humans

Answer 123

Health monitoring and updating
Home security and smart home control systems
Online calendars
Near real-time tracking and monitoring via global positioning systems (GPS)
Online banking, bill paying, and financial transactions
Online e-commerce purchases
Automobiles with smart computers and always-on Wi-Fi Internet access

Question 124

IoT’s Impact on Business

Answer 124

Retail stores
Virtual workplace
Remote sensors
Traffic-monitoring applications
Business-to-consumer (B2C) service delivery model
Anything as a Service (AaaS) IoT applications

Question 125

What is B2C?

Answer 125

Business-to-consumer

Question 126

Customers purchase goods and services directly from their website describes what?

Answer 126

Business-to-consumer (B2C)

Question 127

What is B2B?

Answer 127

Business-to-business

Question 128

Businesses conduct sales with other businesses describes what?

Answer 128

Business-to-business(B2B)

Question 129

Payment Card Industry Data Security Standard (PCI DSS) protects what?

Answer 129

private customer data

Question 130

What are some internet business challenges?

Answer 130

Growing the business through the Internet
Changing an existing conventional business into an e-business
Building secure and highly available websites and e-commerce portals
Building a web-enabled customer-service strategy
Finding new customers with Internet marketing

Question 131

What are some issues with mobile computing?

Answer 131

Network speed
Usability
Security

Question 132

T/F: Mobile IP enables user to move between local area network (LAN) segments and stay connected without interruption

Answer 132

True

Question 133

What is a MN?

Answer 133

Mobile Node

Question 134

What is a HA?

Answer 134

Home agent

Question 135

What is a FA?

Answer 135

Foreign Agent

Question 136

What is a COA?

Answer 136

Care of address

Question 137

What is a CN?

Answer 137

Correspondent node

Question 138

A mobile node connect to what?

Answer 138

A Foreign Agent

Question 139

A home agent assigns a ____ to a mobile node?

Answer 139

Care of address (COA)

Question 140

A care of address is a ____ for the mobile node?

Answer 140

Local address

Question 141

A correspondent node sends a message to the ____?

Answer 141

Mobile node

Question 142

Privacy challenges must be addressed by manufacturers and defined in the right-of-use and software ______?

Answer 142

End-User Licensing Agreement (EULA)

Question 143

The End-User Licensing Agreement (EULA) must contain:

Answer 143

• Privacy policy statement
• Definition of data, metadata, or analytical data use and rights
• Ability for a user to provide consent to a manufacturer’s or application service provider’s privacy policy statement
• Determine the domain of privacy

Question 144

_____ ensures interoperability and standards can be pursued for IoT solutions

Answer 144

Internet Engineering Task Force (IETF)

Question 145

______ has significant financial impacts if not properly addressed

Answer 145

Interoperability

Question 146

T/F: Goal is to bring down the cost of IoT devices and supporting applications so they are affordable

Answer 146

True

Question 147

Privacy data is subject to the ____ of state you live in as well as state that the IoT hosting company resides in

Answer 147

privacy laws

Question 148

T/F: IoT vendor or solutions provider are required to adhere to security control requirements and data protection laws

Answer 148

True

Question 149

A void in _____ and ______ for IoT devices can create an environment of bad IoT devices

Answer 149

interoperability
standards