IS3350 CHAPTER 1 Flashcards by Barbara Crable

Management and regulatory controls are usually policies, standards, guidelines, and procedures. They can also be the laws an organization must follow. This is called ___.

ADMINISTRATIVE SAFEGUARDS

How well did you know this?

Not at all

Perfectly

The security goal of ensuring that you can access information systems and their data when you need them. They must be available in a dependable and timely manner. This is called ___.

AVAILABILITY

How well did you know this?

Not at all

Perfectly

The designs, blueprints, or plans that make an organizations product or service unique is ___.

COMPETITIVE EDGE

How well did you know this?

Not at all

Perfectly

The security goal of ensuring that only authorized persons can access information systems and their data. This is called ___.

CONFIDENTIALITY

How well did you know this?

Not at all

Perfectly

Any protective action that reduces information security risks. These actions may eliminate or lesson vulnerabilities, control threats, or reduce risk. Safeguards is another term for controls. This is called ___.

CONTROL

How well did you know this?

Not at all

Perfectly

The science and practice of hiding information so that unauthorized persons can’t read it is called ___.

CRYPTOGRAPHY

How well did you know this?

Not at all

Perfectly

Attack that disrupts information systems so that they’re no longer available to users is called ___.

DENIAL OF SERVICE (DoS) ATTACK

How well did you know this?

Not at all

Perfectly

A successful attack against a vulnerability is called ___.

EXPLOIT

How well did you know this?

Not at all

Perfectly

An attacker that has no current relationship with the organization they’re attacking is called ___.

EXTERNAL ATTACKER

How well did you know this?

Not at all

Perfectly

Intelligence, knowledge, and data. You can store information in paper or electronic form is called ___.

INFORMATION

How well did you know this?

Not at all

Perfectly

The study and practice of protecting information. The main goal of information security is to protect its confidentiality, integrity, and availability is called ___.

INFORMATION SECURITY

How well did you know this?

Not at all

Perfectly

The security goal of ensuring that no changes are made to information systems and their data without permissions is called ___.

INTEGRITY

How well did you know this?

Not at all

Perfectly

An attacker that has a current relationship with the organization he or she is attacking. It can be an angry employee. This is called ___.

INTERNAL ATTACKER

How well did you know this?

Not at all

Perfectly

A rule that systems should run with the lowest level of permissions needed to complete tasks. This means users should have the least amount of access needed to do their jobs is called ___.

LEAST PRIVILEGE

How well did you know this?

Not at all

Perfectly

This term refers to any software that performs harmful, unauthorized , or unknown activity and is called ___.

MALWARE

How well did you know this?

Not at all

Perfectly

A physical security safeguard that controls entry into a protected area. This entry method has two sets of doors on either end of a small room and is called ___.

MANTRAP

How well did you know this?

Not at all

Perfectly

This is a rule that users should have access to only the the information they need to do their jobs and called ___.

NEED TO KNOW

How well did you know this?

Not at all

Perfectly

A piece of software or code that fixes a programs’ security vulnerabilities. These are available for many types of software, including operating systems and is called ___.

PATCH

How well did you know this?

Not at all

Perfectly

Controls keep unauthorized individuals out of a building or other controlled areas. You can also use these to keep unauthorized individuals from using an information system. This is called ___.

PHYSICAL SAFEGUARD

How well did you know this?

Not at all

Perfectly

The amount of risk left over after safeguards lessen a vulnerability or threat is called ___.

RESIDUAL RISK

A business decision to accept an assessed risk and take no action against it is called ___.

RISK ACCEPTANCE

A business decision to apply safeguards to avoid a negative impact is called ___.

RISK AVOIDANCE

A business decision to apply safeguards to lessen a negative impact is called ___.

RISK MITIGATION

A business decision to transfer a risk to a third party to avoid that risk is called ___.

RISK TRANSFER

Any protective action that reduces information security risks. They may eliminate or lesson vulnerabilities, control threats, or reduce risk and are also known as controls are called ___.

SAFEGUARD

A rule that two or more employees must split critical task functions. Thus, no one employee know all of the steps required to complete the critical task is called ___.

SEPARATION OF DUTIES

Looking over the shoulder of another person to obtain sensitive information. The attacker doesn't have permission to see it. This usually describes an attack in which a person tries to learn sensitive information by viewing keystrokes on a monitor or keyboard is called ___.

SHOULDER SURFING

In an information system, a piece of hardware or application critical to the entire system's functioning. If that single item fails, then a critical portion or the entire system could fail and is called ___.

SINGLE POINT OF FAILURE

An attack that relies on human interaction. They often involve tricking other people to break security procedures so the attacker can gain information about computer systems. This type of attack isn't technical and is called ___.

SOCIAL ENGINEERING

Controls implemented in an information system's hardware and software. Technical controls include passwords, access control mechanisms, and automated logging. They improve the system's security and is called ___.

TECHNICAL SAFEGUARD

Any danger that takes advantage of a vulnerability and are unintentional or intentional are called ___.

THREAT

A weakness or flaw in an information system. Exploiting a vulnerability harms information security. You reduce them by applying security safeguards are called ___.

VULNERABILITY

The period between discovering a vulnerability and reducing or eliminating it is called ___.

WINDOW OF VULNERABILITY

A vulnerability exploited shortly after it is discovered. The attacker exploits it before the vendor releases a patch and is called ___.

ZERO-DAY VULNERABILITY

1. What are the goals of an information security program? 1. Authorization, integrity, and confidentiality 2. Availability, authorization, and integrity 3. Availability, integrity, and confidentiality 4. Availability, integrity, and safeguards 5. Access control, confidentiality, and safeguards

Availability, integrity, and confidentiality

2. An employee can add other employees to the payroll database. The same person also can change all employee salaries and print payroll checks for all employees. What safeguard should you implement to make sure that this employee doesn't engage in wrongdoing? 1. Need to know 2. Access control lists 3. Technical safeguards 4. Mandatory vacation 5. Separation of duties

Separation of duties

3. An organization obtains an insurance policy against cybercrime. What type of risk response is this? 1. Risk mitigation 2. Residual risk 3. Risk elimination 4. Risk transfer 5. Risk management

Risk transfer

4. Which of the following is an accidental threat? 1. A backdoor into a computer system 2. A hacker 3. A well-meaning employee who inadvertently deletes a file 4. An improperly redacted document 5. A poorly written policy

A well-meaning employee who inadvertently deletes a file

5. What is the window of vulnerability? 1. The period between the discovery of a vulnerability and mitigation of the vulnerability 2. The period between the discovery of a vulnerability and exploiting the vulnerability 3. The period between exploiting a vulnerability and mitigating the vulnerability 4. The period between expiating a vulnerability and eliminating the vulnerability 5. A broken window

The period between the discovery of a vulnerability and mitigation of the vulnerability

6. A technical safeguard is also known as ___.

Logical control

7. Which of the following isn't a threat classification? 1. Human 2. Natural 3. Process 4. Technology and Operational 5. Physical and Environmental

Process

8. Which of the following is an example of a model for implementing safeguards? 1. Confidentiality 2. Integrity 3. Authentication 4. Availability 5. Privacy

Availability

9. Which of the following is an example of a model for implementing safeguards? 1. ISO/IEC 27002 2. NIST SP 80-553 3. NIST SP 800-3 4. ISO/IEC 20072 5. ISO/IEC 70022

ISO/IEC 27002

10. Which of the following is not a type of security safeguard? 1. Corrective 2. Preventative 3. Detective 4. Physical 5. Defective

Defective

11. It is hard to safeguard against which of the following types of vulnerabilities? 1. Information leakage 2. Flooding 3. Buffer overflow 4. Zero-day 5. Hardware failure

Zero-day

12. What are the classification levels for US national security information? 1. Public, Sensitive, Restricted 2. Confidential, Secret, Top Secret 3. Confidential, Restricted, Top Secret 4. Public, Secret, Top Secret 5. Public, Sensitive, Secret

Confidential, Secret, Top Secret

13. Which safeguard is most likely violated if a system administrator logs into an administrator user account in order to surf the Internet and download music files? 1. Need to know 2. Access control 3. Least privilege principle 4. Using best available path 5. Separation of duties

Least privilege principle

14. Which of the following are vulnerability classifications? 1. People 2. Process 3. Technology 4. Facility 5. All the above

People Process Technology Facility

15. What is a mantrap? 1. A method to control access to a secure area 2. A removable cover that allow access to underground utilities 3. A logical access control mechanism 4. An administrative safeguard 5. None of the above

A method to control access to a secure area