IS3350 CHAPTER 1 Flashcards
Management and regulatory controls are usually policies, standards, guidelines, and procedures. They can also be the laws an organization must follow. This is called ___.
ADMINISTRATIVE SAFEGUARDS
The security goal of ensuring that you can access information systems and their data when you need them. They must be available in a dependable and timely manner. This is called ___.
AVAILABILITY
The designs, blueprints, or plans that make an organization's product or service unique is ___.
COMPETITIVE EDGE
The security goal of ensuring that only authorized persons can access information systems and their data. This is called ___.
CONFIDENTIALITY
Any protective action that reduces information security risks. These actions may eliminate or lessen vulnerabilities, control threats, or reduce risk. Safeguard is another term for control. This is called ___.
CONTROL
The science and practice of hiding information so that unauthorized persons can’t read it is called ___.
CRYPTOGRAPHY
An attack that disrupts information systems so that they’re no longer available to users is called ___.
DENIAL OF SERVICE (DoS) ATTACK
A successful attack against a vulnerability is called ___.
EXPLOIT
An attacker that has no current relationship with the organization they’re attacking is called ___.
EXTERNAL ATTACKER
Intelligence, knowledge, and data, which can be stored in paper or electronic form. This is called ___.
INFORMATION
The study and practice of protecting information. Its main goal is to protect the confidentiality, integrity, and availability of information. This is called ___.
INFORMATION SECURITY
The security goal of ensuring that no changes are made to information systems and their data without permission is called ___.
INTEGRITY
An attacker that has a current relationship with the organization he or she is attacking. It can be an angry employee. This is called ___.
INTERNAL ATTACKER
A rule that systems should run with the lowest level of permissions needed to complete tasks. This means users should have the least amount of access needed to do their jobs. This is called ___.
LEAST PRIVILEGE
This term refers to any software that performs harmful, unauthorized, or unknown activity. This is called ___.
MALWARE
A physical security safeguard that controls entry into a protected area. This entry method has two sets of doors on either end of a small room. This is called ___.
MANTRAP
This is a rule that users should have access to only the information they need to do their jobs. This is called ___.
NEED TO KNOW
A piece of software or code that fixes a program’s security vulnerabilities. These are available for many types of software, including operating systems. This is called ___.
PATCH
Controls that keep unauthorized individuals out of a building or other controlled areas. You can also use these to keep unauthorized individuals from using an information system. This is called ___.
PHYSICAL SAFEGUARD
The amount of risk left over after safeguards lessen a vulnerability or threat is called ___.
RESIDUAL RISK
A business decision to accept an assessed risk and take no action against it is called ___.
RISK ACCEPTANCE
A business decision to apply safeguards to avoid a negative impact is called ___.
RISK AVOIDANCE
A business decision to apply safeguards to lessen a negative impact is called ___.
RISK MITIGATION
A business decision to transfer a risk to a third party to avoid that risk is called ___.
RISK TRANSFER
Any protective action that reduces information security risks. They may eliminate or lessen vulnerabilities, control threats, or reduce risk. They are also known as controls. This is called ___.
SAFEGUARD
A rule that two or more employees must split critical task functions. Thus, no one employee knows all of the steps required to complete the critical task. This is called ___.
SEPARATION OF DUTIES
Looking over the shoulder of another person to obtain sensitive information that the attacker doesn’t have permission to see. This usually describes an attack in which a person tries to learn sensitive information by viewing keystrokes on a monitor or keyboard. This is called ___.
SHOULDER SURFING
In an information system, a piece of hardware or application critical to the entire system’s functioning. If that single item fails, then a critical portion or the entire system could fail. This is called ___.
SINGLE POINT OF FAILURE
An attack that relies on human interaction. These attacks often involve tricking other people into breaking security procedures so the attacker can gain information about computer systems. This type of attack isn’t technical. This is called ___.
SOCIAL ENGINEERING
Controls implemented in an information system’s hardware and software. Technical controls include passwords, access control mechanisms, and automated logging. They improve the system’s security. This is called ___.
TECHNICAL SAFEGUARD
Any danger, intentional or unintentional, that takes advantage of a vulnerability is called ___.
THREAT
A weakness or flaw in an information system. Exploiting it harms information security. You reduce these by applying security safeguards. This is called ___.
VULNERABILITY
The period between discovering a vulnerability and reducing or eliminating it is called ___.
WINDOW OF VULNERABILITY
A vulnerability exploited shortly after it is discovered. The attacker exploits it before the vendor releases a patch. This is called ___.
ZERO-DAY VULNERABILITY
- What are the goals of an information security program?
- Authorization, integrity, and confidentiality
- Availability, authorization, and integrity
- Availability, integrity, and confidentiality
- Availability, integrity, and safeguards
- Access control, confidentiality, and safeguards
Availability, integrity, and confidentiality
- An employee can add other employees to the payroll database. The same person also can change all employee salaries and print payroll checks for all employees. What safeguard should you implement to make sure that this employee doesn’t engage in wrongdoing?
- Need to know
- Access control lists
- Technical safeguards
- Mandatory vacation
- Separation of duties
Separation of duties
- An organization obtains an insurance policy against cybercrime. What type of risk response is this?
- Risk mitigation
- Residual risk
- Risk elimination
- Risk transfer
- Risk management
Risk transfer
- Which of the following is an accidental threat?
- A backdoor into a computer system
- A hacker
- A well-meaning employee who inadvertently deletes a file
- An improperly redacted document
- A poorly written policy
A well-meaning employee who inadvertently deletes a file
- What is the window of vulnerability?
- The period between the discovery of a vulnerability and mitigation of the vulnerability
- The period between the discovery of a vulnerability and exploiting the vulnerability
- The period between exploiting a vulnerability and mitigating the vulnerability
- The period between exploiting a vulnerability and eliminating the vulnerability
- A broken window
The period between the discovery of a vulnerability and mitigation of the vulnerability
- A technical safeguard is also known as ___.
Logical control
- Which of the following isn’t a threat classification?
- Human
- Natural
- Process
- Technology and Operational
- Physical and Environmental
Process
- Which of the following is an example of a model for implementing safeguards?
- Confidentiality
- Integrity
- Authentication
- Availability
- Privacy
Availability
- Which of the following is an example of a model for implementing safeguards?
- ISO/IEC 27002
- NIST SP 80-553
- NIST SP 800-3
- ISO/IEC 20072
- ISO/IEC 70022
ISO/IEC 27002
- Which of the following is not a type of security safeguard?
- Corrective
- Preventative
- Detective
- Physical
- Defective
Defective
- It is hard to safeguard against which of the following types of vulnerabilities?
- Information leakage
- Flooding
- Buffer overflow
- Zero-day
- Hardware failure
Zero-day
- What are the classification levels for US national security information?
- Public, Sensitive, Restricted
- Confidential, Secret, Top Secret
- Confidential, Restricted, Top Secret
- Public, Secret, Top Secret
- Public, Sensitive, Secret
Confidential, Secret, Top Secret
- Which safeguard is most likely violated if a system administrator logs into an administrator user account in order to surf the Internet and download music files?
- Need to know
- Access control
- Least privilege principle
- Using best available path
- Separation of duties
Least privilege principle
- Which of the following are vulnerability classifications?
- People
- Process
- Technology
- Facility
- All the above
People
Process
Technology
Facility
- What is a mantrap?
- A method to control access to a secure area
- A removable cover that allows access to underground utilities
- A logical access control mechanism
- An administrative safeguard
- None of the above
A method to control access to a secure area