IAS

Question 1

“The quality or state of being secure—to be free
from danger”

Answer 1

Security

Question 2

Types of security

Answer 2

Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security

Question 3

Critical Characteristics of Information

Answer 3

Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession

Question 4

Components of an Information System

Answer 4

Software
– Hardware
– Data
– People
– Procedures
– Network

Question 5

SDLC

Answer 5

Systems Development Life Cycle

Question 6

methodology for design and implementation of
information system within an organization

Answer 6

Systems Development Life Cycle (SDLC):

Question 7

: formal approach to problem solving
based on structured sequence of procedures

Answer 7

Methodology

Question 8

SLDC 6 general phrases

Answer 8

investigation
analysis
logical design
physical design
implementation
maintenance and change

Question 9

Preliminary cost-benefit analysis is developed

Answer 9

Investigation

Question 10

determine what new system is expected
to do and how it will interact with existing systems

Answer 10

Analysis

Question 11

Data support and structures capable of providing
the needed inputs are identified

Creates and develops blueprints for information
security

Answer 11

Logical Design

Question 12

• Technologies to support the alternatives identified
  and evaluated in the logical design are selected
• Components evaluated on make-or-buy decision

Answer 12

Physical Design

Question 13

• Needed software created
• Components ordered, received, and tested
• Users trained and documentation create

Answer 13

Implementation

Question 14

• Longest and most expensive phase
• Consists of tasks necessary to support and modify
  system for remainder of its useful life

Answer 14

Maintenance and Change

Question 15

Information Security Project Team

Answer 15

• A number of individuals who are experienced in
  one or more facets of required technical and
  nontechnical areas:
  – Champion
  – Team leader
  – Security policy developers
  – Risk assessment specialists
  – Security professionals
  – Systems administrators
  – End user

Question 16

: responsible for the security and use of
a particular set of information

Answer 16

Data owner

Question 17

: responsible for storage,
maintenance, and protection of information

Answer 17

Data custodian

Question 18

: end users who work with information to
perform their daily jobs supporting the mission of
the organization

Answer 18

Data users

Question 19

: an object, person, or other entity that
represents a constant danger to an asset

Answer 19

Threat

Question 20

“ownership of ideas and
control over the tangible or virtual representation of
those ideas

Answer 20

Intellectual property (IP):

Question 21

Malware attacks

Answer 21

Viruses
– Worms
– Trojan horses
– Logic bombs
– Back door or trap door
– Polymorphic threats
– Virus and worm hoaxes

Question 22

– Develops software scripts and program exploits
– Usually a master of many skills
– Will often create attack software and share with
others

Answer 22

Expert hacker

Question 23

– Many more unskilled hackers than expert hackers
– Use expertly written software to exploit a system
– Do not usually fully understand the systems they
hack

Answer 23

Unskilled hacker

Question 24

: “cracks” or removes software protection
designed to prevent unauthorized duplication

Answer 24

Cracker

Question 25

: hacks the public telephone network

Answer 25

Phreaker

Question 26

: much more sinister form of hacking

Answer 26

Cyberterrorism

Question 27

• Illegal taking of another’s physical, electronic, or
  intellectual property

Answer 27

Theft

Question 28

– Acts or actions that exploits vulnerability (i.e., an
identified weakness) in controlled system

Answer 28

Attacks

Question 29

: includes execution of viruses,
worms, Trojan horses, and active Web scripts with
intent to destroy or steal information

Answer 29

– Malicious code

Question 30

– : transmission of a virus hoax with a real
virus attached; more devious form of attack

Answer 30

Hoaxes

Question 31

• Types of attacks

Answer 31

Back door
Password crack
Brute force:
Dictionary:
Denial-of-service (DoS):
Distributed denial-of-service (DDoS)
Spoofing:
Man-in-the-middle:
Spam
Mail bombing:
Sniffers
Phishing:
Pharming:
Social engineering:

Question 32

– : gaining access to system or network
using known or previously unknown/newly
discovered access mechanis

Answer 32

Back door

Question 33

–: attempting to reverse calculate a
password

Answer 33

Password crack

Question 34

: trying every possible combination of
options of a password

Answer 34

Brute force

Question 35

: selects specific accounts to attack and
uses commonly used passwords (i.e., the dictionary)
to guide guesses

Answer 35

Dictionary

Question 36

attacker sends large
number of connection or information requests to a
target
* Target system cannot handle successfully along with
other, legitimate service requests
* May result in system crash or inability to perform
ordinary functions

Answer 36

– Denial-of-service (DoS):

Question 37

: coordinated
stream of requests is launched against target from
many locations simultaneously

Answer 37

Distributed denial-of-service (DDoS)

Question 38

: technique used to gain unauthorized
access; intruder assumes a trusted IP address

Answer 38

Spoofing

Question 39

: attacker monitors network
packets, modifies them, and inserts them back into
network

Answer 39

Man-in-the-middle

Question 40

: unsolicited commercial e-mail; more a
nuisance than an attack, though is emerging as a
vector for some attacks

Answer 40

– Spam

Question 41

: also a DoS; attacker routes large
quantities of e-mail to target

Answer 41

Mail bombing

Question 42

: program or device that monitors data
traveling over network; can be used both for
legitimate purposes and for stealing information from
a network

Answer 42

Sniffers

Question 43

– : an attempt to gain personal/financial
information from individual, usually by posing as
legitimate entity

Answer 43

Phishing

Question 44

: redirection of legitimate Web traffic (e.g.,
browser requests) to illegitimate site for the purpose
of obtaining private information

Answer 44

Pharming

Question 45

using social skills to convince
people to reveal access credentials or other valuable
information to attacker

Answer 45

– Social engineering:

Question 46

: rules that mandate or prohibit certain
societal behavior

Answer 46

Laws

Question 47

: define socially acceptable behavior

Answer 47

Ethics

Question 48

: fixed moral attitudes or customs of
a particular group; ethics based on these

Answer 48

Cultural mores

Question 49

: legal obligation of an entity extending
beyond criminal or contract law; includes legal
obligation to make restitution

Answer 49

Liability

Question 50

: to compensate for wrongs committed
by an organization or its employees

Answer 50

Restitution

Question 51

: insuring that employees know what
constitutes acceptable behavior and know the
consequences of illegal or unethical actions

Answer 51

Due care

Question 52

: making a valid effort to protect
others; continually maintaining level of effort

Answer 52

Due diligence

Question 53

: court’s right to hear a case if the wrong
was committed in its territory or involved its
citizenry

Answer 53

Jurisdiction

Question 54

: right of any court to impose
its authority over an individual or organization if it
can establish jurisdiction

Answer 54

Long arm jurisdiction

Question 55

: body of expectations that describe
acceptable and unacceptable employee behaviors
in the workplace

Answer 55

Policies

Question 56

Criteria for policy enforcement:

Answer 56

– Dissemination (distribution)
– Review (reading)
– Comprehension (understanding)
– Compliance (agreement)
– Uniform enforcement

Question 57

Types of Law

Answer 57

Civil:
* Criminal
* Private:
* Public:

Question 58

governs nation or state; manages
relationships/conflicts between organizational
entities and people

Answer 58

Civil:

Question 59

: addresses violations harmful to society;
actively enforced by the state

Answer 59

Criminal

Question 60

: regulates relationships between individuals
and organizations

Answer 60

Private

Question 61

: regulates structure/administration of
government agencies and relationships with
citizens, employees, and other governments

Answer 61

Public

Question 62

• One of the hottest topics in information security
• Is a “state of being free from unsanctioned
  intrusion”
• Ability to aggregate data from multiple sources
  allows creation of information databases previously
  impossible

Answer 62

Privacy

Question 63

– Federal Trade Commission: “occurring when
someone uses your personally identifying
information, like your name, Social Security number,
or credit card number, without your permission, to
commit fraud or other crimes”

Answer 63

Identity Theft