Information Assurance

Question 1

is data endowed with relevance and purpose

Answer 1

Information

Question 2

Useful characteristics that the information should possess

Answer 2

Timely
Accurate
Complete
Verifiable
Consistent
Available

Question 3

the following are all aspects of
system quality:

Answer 3

functionality
adequacy
interoperability
correctness
security
reliability
usability
efficiency
maintainability
portability

Question 4

what characteristics should information possess to be useful?

Answer 4

accurate,
timely,
complete,
verifiable,
consistent,
available

Question 5

all distinct
conceptual resources:

Answer 5

Noise
Data
Information
Knowledge

Question 6

raw facts with an unknown coding system

Answer 6

Noise

Question 7

raw facts with a known coding system

Answer 7

Data

Question 8

processed data

Answer 8

Information

Question 9

: accepted facts, principles, or rules of thumb that are
useful for specific domains. Knowledge can be the
result of inferences and implications produced from
simple information facts.

Answer 9

Knowledge

Question 10

Actions taken that protect and defend information and
information systems by ensuring their availability,
integrity, authentication, confidentiality and
non-repudiation. This includes providing for restoration
of information systems by incorporating protection,
detection and reaction capabilities.

Answer 10

IA

Question 11

is the study of how to protect your
information assets from destruction, degradation, manipulation and
exploitation. But also, how to recover should any of those happen.
Notice that it is both proactive and reactive.

Answer 11

Information Assurance

Question 12

According to the DoD definition, these are some aspects of
information needing protection:

Answer 12

Availability
Integrity
Confidentiality
Authentication
Non-repudation

Question 13

assurance that the sender is provided with proof
of a data delivery and recipient is provided with proof
of the sender’s identity, so that neither can later deny
having processed the data.

Answer 13

Non-repudiation:

Question 14

security measures to establish the validity of a
transmission, message, or originator.

Answer 14

Authentication:

Question 15

assurance that information is not disclosed to
unauthorized persons;

Answer 15

Confidentiality:

Question 16

protection against unauthorized modification or
destruction of information;

Answer 16

Integrity:

Question 17

timely, reliable access to data and information
services for authorized users;

Answer 17

Availability:

Question 18

According to Debra Herrmann (Complete Guide to Security and
Privacy Metrics), IA should be viewed as spanning four security
engineering domains:

Answer 18

physical security
personnel security
IT security
operational security

Question 19

The simple truth is that IT security cannot be
accomplished in a vacuum, because there are a multitude
of dependencies and interactions among all four security
engineering domains

Answer 19

(Herrmann, p. 10

Question 20

refers to the protection of hardware, software,
and data against physical threats to reduce or prevent disruptions
to operations and services and loss of assets.

Answer 20

“Physical security

Question 21

is a variety of ongoing measures taken to
reduce the likelihood and severity of accidental and intentional
alteration, destruction, misappropriation, misuse, misconfiguration,
unauthorized distribution, and unavailability of an organization’s
logical and physical assets, as the result of action or inaction by
insiders and known outsiders, such as business partners.”

Answer 21

“Personnel security

Question 22

is the inherent technical features and functions that
collectively contribute to an IT infrastructure achieving and
sustaining confidentiality, integrity, availability, accountability,
authenticity, and reliability.

Answer 22

“IT security

Question 23

involves the implementation of standard
operational security procedures that define the nature and
frequency of the interaction between users, systems, and system
resources, the purpose of which is to
1 achieve and sustain a known secure system state at all times,
and
2 prevent accidental or intentional theft, release, destruction,
alteration, misuse, or sabotage of system resources.”

Answer 23

Operational security

Question 24

According to Raggad’s taxonomy of information security, a
computing environment is made up of five continuously interacting
components:

Answer 24

activities,
people,
data,
technology,
networks.

Question 25

According to Blyth and Kovacich, IA can be thought of as
protecting information at three distinct levels:

Answer 25

Physical
Information Infrastructure
perceptual

Question 26

knowledge and understanding in human decision
space.

Answer 26

perceptual

Question 27

data and data processing activities in physical space;

Answer 27

Physical

Question 28

information and data manipulation
abilities in cyberspace;

Answer 28

information infrastructure:

Question 29

The lowest level focus of IA , computers,
physical networks, telecommunications and supporting systems
such as power, facilities and environmental controls. Also at this
level are the people who manage the systems.

Answer 29

Physical Level

Question 30

The second level focus of IA,
This covers information and data manipulation ability maintained
in cyberspace, including: data structures, processes and programs,
protocols, data content and databases

Answer 30

information structure level

Question 31

The third level focus of IA, also called social
engineering. This is abstract and concerned with the management
of perceptions of the target, particularly those persons making
security decisions.

Answer 31

perceptual level,

Question 32

COMPSEC

Answer 32

computer security

Question 33

COMSEC

Answer 33

communications and network security;

Question 34

ITSEC: (which includes both COMPSEC and COMSEC);

Answer 34

Information Technology Security Evaluation Criteria

Question 35

OPSEC

Answer 35

operations security

Question 36

An
attacker on any information system will use
the simplest means of subverting system
security.

Answer 36

Principle of Easiest Penetration

Question 37

The flip side of Information Assurance

Answer 37

Information Warfare (IW)

Question 38

involves managing an opponent’s perception through
deception and psychological operations. In military circles,
this is called Truth Projection

Answer 38

Type 1

Question 39

involves denying, destroying, degrading, or distorting
the opponent’s information flows to disrupt their ability to
carry out or co-ordinate operations.

Answer 39

Type II

Question 40

gathers intelligence by exploiting the opponent’s use
of information systems.

Answer 40

Type III

Question 41

the offensive players in the world of IW come in six
types:

Answer 41

Insider
Hacker
Criminals
Corporations
Governments and agencies
Terrorists

Question 42

usually politically motivated and may seek to cause
maximal damage to information infrastructure as well
as endanger lives and property.

Answer 42

Terrorists

Question 43

seek the military, diplomatic, and
economic secrets of foreign governments, foreign
corporations, and adversaries. May also target
domestic adversaries.

Answer 43

Governments and agencies

Question 44

target information that may be of value to them:
bank accounts, credit card information, intellectual
property, etc.

Answer 44

Criminals:

Question 45

actively seek intelligence about competitors or steal
trade secrets.

Answer 45

Corporations

Question 46

consists of employees, former employees and
contractors.

Answer 46

Insiders

Question 47

one who gains unauthorized access to or breaks into
information systems for thrills, challenge, power, or
profit

Answer 47

Hackers

Question 48

While experts may disagree on the definition of cyber
war, there is significant evidence that nations around the
world are developing, testing and in some cases using or
encouraging cyber means as a method of obtaining
political advantage.

Answer 48

–McAfee Virtual Criminology Report
2009

Question 49

A plausible worst-case worm could cause $50 billion or
more in direct economic damage by attacking widely used
services in Microsoft Windows and carrying a highly
destructive payload.”

Answer 49

–Nicholas Weaver and Vern
Paxson, 6/14/04

Question 50

America’s failure to protect cyberspace is one of the most
urgent national security problems facing the new
administration that will take office in January 2009. … It
is a battle we are losing. Losing this struggle will wreak
serious damage on the economic health and national
security of the United States.

Answer 50

–CSIS report on Securing
Cyberspace for the 44th Presidency, Dec. 2008

Question 51

Note that IA is both proactive and reactive involving:

Answer 51

: protection,
detection, capability restoration, and response

Question 52

“ensure the availability,
integrity, authenticity, confidentiality, and non-repudiation of
information”

Answer 52

IA environment protection pillars:

Question 53

“timely attack detection and reporting is
key to initiating the restoration and response processes.”

Answer 53

Attack detection:

Question 54

“relies on established procedures and mechanisms for
prioritizing restoration of essential functions. Capability
restoration may rely on backup or redundant links, information
system components, or alternative means of information
transfer.”

“A post-attack analysis should be conducted to determine the
command vulnerabilities and recommended security
improvements.

Answer 54

Capability restoration:

Question 55

“involves determining actors and their
motives, establishing cause and complicity, and may involve
appropriate action against perpetrators… contributes … by
removing threats and enhancing deterrence.”

Answer 55

Attack response

Question 56

If adversaries intended to attack nations in cyber space,
they would select targets which would cause the largest
impacts and losses to their opponents with the least
effort. It is therefore a very reasonable assumption that
adversaries would attack critical infrastructure systems
via the Internet. –

Answer 56

–McAfee Virtual Criminology Report
2009, p. 16

Question 57

“worldwide interconnection
of communication networks, computers, databases, and
consumer electronics that make vast amounts of information
available to users.”

Answer 57

Global Information Infrastructure:

Question 58

those within or serving
the U.S., for government, commerce and research

Answer 58

National Information Infrastructure:

Question 59

those within or serving
the DoD (e.g. nodes on SIPRNET and NIPRNET)

Answer 59

Defense Information Infrastructure:

Question 60

Civilian systems are “essential to the minimum operations o
f
the economy and government”
Examples: telecommunications, energy, banking,
transportation and emergency services

Answer 60

Presidential Decision Directive (PDD-63) of 1998

Question 61

is the resource being protected,

Answer 61

Physical assets
Logical assets
system assets

Question 62

devices, computers,
people

Answer 62

Physical Assets

Question 63

: information, data (in
transmission, storage, or processing), and
intellectual property;

Answer 63

Logical Assets

Question 64

any software, hardware,
data, administrative, physical,
communications, or personnel resource
within an information system

Answer 64

System assets

Question 65

Often a security solution/policy is phrased in terms of the following
three categories:

Answer 65

Objects
Subjects
Actions

Question 66

: the items being protected by the system (documents,
files, directories, databases, transactions, etc.)

Answer 66

Objects

Question 67

entities (users, processes, etc.) that execute activities
and request access to objects.

Answer 67

Subjects

Question 68

operations, primitive or complex, that can operate on
objects and must be controlled

Answer 68

Actions

Question 69

is the possibility that a particular threat
will adversely impact an information system by
exploiting a particular vulnerability. The
assessment of risk must take into account the
consequences of an exploit.

Answer 69

Risk

Question 70

is a process for an
organization to identify and address the risks
in their environment.

Answer 70

Risk management

Question 71

is the implementation (policy,
procedures, technology) of the security effort within an
organization.

Answer 71

security posture or security profile

Question 72

is a type of consequence, involving
accidental exposure of information to an agent not authorized
access.

Answer 72

Inadvertant disclosure

Question 73

is the outcome of an attack. In a purposeful threat,
the threat actor has typically chosen a desired consequence for the
attack, and selects the IA objective to target to achieve this.

Answer 73

consequence

Question 74

targets availability

Answer 74

Disruption

Question 75

targets integrity

Answer 75

Corruption

Question 76

targets confidentiality

Answer 76

Exploitation

Question 77

is an instance when the system is vulnerable to attack.

Answer 77

Exposure

Question 78

is a situation in which the attacker has succeeded.

Answer 78

compromise

Question 79

is a recognized action—specific, generalized or
theoretical—that an adversary (threat actor) might be expected to
take in preparation for an attack.

Answer 79

indicator

Question 80

is an attempt to gain access, cause damage to or
otherwise compromise information and/or systems that support it.

Answer 80

Attack

Question 81

an attack in which the attacker observes
interaction with the system.

Answer 81

Passive attack

Question 82

at attack in which the attacker directly interacts
with the system.

Answer 82

Active attack

Question 83

an attack where there is not a deliberate
goal of misuse

Answer 83

Unintentional attack

Question 84

the active entity, usually a threat actor, that
interacts with the system.

Answer 84

Attack subject

Question 85

the targeted information system asset.

Answer 85

Attack object:

Question 86

is the set of ways in
which an adversary can enter the system and potentially caus
e
damage

Answer 86

attack surface

Question 87

is an instance when the system is vulnerable to attack

Answer 87

Exposure

Question 88

is a situation in which the attacker has succeeded.

Answer 88

compromise

Question 89

is a recognized action—specific, generalized or
theoretical—that an adversary (threat actor) might be expected to
take in preparation for an attack.

Answer 89

indicator

Question 90

is one for which there is no known threat
(vulnerability is there but not exploitable).

Answer 90

dangling vulnerability

Question 91

is one that does not pose a danger as there is no
vulnerability to exploit (threat is there, but can’t do damage).

Answer 91

dangling threat

Question 92

is a weakness or fault in a system that exposes
information to attack.

Answer 92

vulnerability

Question 93

is a method for taking advantage of a known
vulnerability

Answer 93

exploit

Question 94

is a collection of computing environments connected by
one or more internal networks under the control of a single
authority and security policy, including personnel and physical
security.

Answer 94

enclave

Question 95

is a nonhostile environment that may be
protected from external hostile elements by physical, personnel,
and procedural countermeasures.

Answer 95

benign environment

Question 96

for assets is one that has known threats.
Example: locating an asset in a war zone or a flood zone, or
placing an unprotected machine on the Internet.

Answer 96

hostile environment

Question 97

is a specific instance of a threat, e.g. a specific
hacker, a particular storm, etc.

Answer 97

threat actor

Question 98

is a category of entities, or a circumstance, that poses a
potential danger to an asset (through unauthorized access,
destruction, disclosure, modification or denial of service).

Answer 98

threat

Question 99

is the process by which an asset is managed from its
arrival or creation to its termination or destruction.

Answer 99

lifecycle

Question 100

is a generic term that implies a mechanism in place to
provide a basis for confidence in the reliability/security of the
system.

Answer 100

Trust

Question 101

are the security features of a system that
provide enforcement of a security policy

Answer 101

Trust mechanisms

Question 102

is a collection of all the trust
mechanisms of a computer system which collectively enforce the
policy.

Answer 102

trusted computing base (TCB)

Question 103

is a measure of confidence that the security features,
practices, procedures, and architecture of a system accurately
mediates and enforces the security policy

Answer 103

Assurance

Question 104

risks not avoided or transferred are retained by
the organization. E.g. sometimes the cost of
insurance is greater than the potential loss.
Sometimes the loss is improbable, though
catastrophic.

Answer 104

Risk acceptance

Question 105

not performing an activity that would incur risk.
E.g. disallow remote login.

Answer 105

Risk avoidance

Question 106

taking actions to reduce the losses due to a risk;
many technical countermeasures fall into this
category

Answer 106

Risk mitigation:

Question 107

: shift the risk to someone else. E.g. most insurance
contracts, home security systems

Answer 107

Risk transfer