Network Security Concepts and Policies Flashcards

1
Q

How can unauthorized access by a hacker to a company’s information hurt that company?

A

1) It can cause damage or destruction to proprietary data
2) It can negatively affect company productivity
3) It can impede the capability to compete
4) It can harm relationships with customers and business partners who question the capability of the company to protect its confidential information.

2
Q

Though individuals and corporations benefit from the elastic deployment of services in the cloud, what have these dramatic changes in business services done?

A

They have exacerbated the risks in protecting data and the entities using it (Individuals, businesses, governments, etc).

3
Q

What are four (4) things to consider when planning network security?

A

1) Examine the need for security
2) Look at what you are trying to protect
3) Examine the different trends for attacks and protection
4) Examine principles of secure network design

4
Q

As companies move more of their business functions to the public network what should they do?

A

There is a need for them to take precautions to ensure that:

1) The data cannot be compromised.
2) The data is not accessible to anyone who is not authorized to see it.

5
Q

What are the Basic Security Assumptions?

A

1) Modern networks are very large, interconnected and run both ubiquitous and proprietary protocols. Therefore, they are often open to access, and a potential attacker can with relative ease attach to, or remotely access, such networks. Widespread IP inter-networking increases the probability that more attacks will be carried out over large, heavily interconnected networks such as the internet.
2) Computer systems and applications that are attached to these networks are becoming increasingly complex. In terms of security, it becomes more difficult to analyze, secure, and properly test the security of the computer system and applications. It is even more so when virtualization is involved. When these systems and their applications are attached to the large network, the risk to computing dramatically increases.

6
Q

What are the three (3) things that must be guaranteed in order to provide adequate protection of network resources?

A

1) Confidentiality - guarantees that only authorized users can view sensitive information.
2) Integrity - guarantees that only authorized users can change sensitive information and provides a way to detect whether data has been tampered with during transmission; this might also guarantee authenticity of data.
3) Availability of systems and data - provides uninterrupted access by authorized users to important computing resources and data.

7
Q

When designing network security what are the 4 things a designer must be aware of?

A

1) The threats (possible attacks) that could compromise security
2) The associated risks of the threats (how relevant those threats are for a particular system)
3) The cost to implement the proper security countermeasures for a threat
4) A cost vs benefit analysis to determine whether it’s worthwhile to implement the security countermeasure.

8
Q

True or false?

Although viruses, worms and hackers monopolize the headlines about information security, risk management is the most important aspect of security architecture for administrators.

A

True

Risk management is based on specific principles and concepts that are related to asset protection and security management.

9
Q

What is an asset?

A

An asset is something of value to an organization.

By knowing which assets you are trying to protect, as well as their value, location, and exposure, you can more effectively determine the time, effort, and money to spend in securing those assets.

10
Q

What is a vulnerability?

A

It is a weakness in a system or its design that could be exploited by a threat.

Vulnerabilities can be found in protocols, operating systems, applications, written security policies, etc.

11
Q

What is a threat?

A

A threat is any potential danger to assets. It is realized when someone or something identifies a specific vulnerability and exploits it, creating exposure.

A latent threat is one that exists theoretically but has not yet been exploited.

The entity that takes advantage of the vulnerability is known as a threat agent or threat vector.

12
Q

What is a risk?

A

A likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence.

13
Q

If you have a vulnerability but there is no threat toward the vulnerability, technically you have no risk.

A

If you have a vulnerability but there is no threat toward the vulnerability, technically you have no risk.

14
Q

What is an exploit?

A

An exploit is an attack performed against a vulnerability.

15
Q

What is a countermeasure?

A

A countermeasure is a safeguard/protection that mitigates the potential risk.

16
Q

What kind of data has little or no confidentiality, integrity or availability requirements and therefore little effort is made to secure it?

A

Unclassified Data

17
Q

What kind of data if leaked could have undesirable effects on the organization?

A

Restricted data.

This classification is common among NATO countries but not used by all nations.

18
Q

What kind of data must comply with confidentiality requirements?

A

Confidential Data. It is the lowest level of classified data in this scheme.

19
Q

What kind of data would you take significant effort to keep secure because its disclosure could lead to serious damage?

A

Secret Data.

The number of individuals who have access to Secret Data is usually considerably fewer than the number who are authorized to access confidential data.

20
Q

What kind of data would you make great effort and sometimes incur considerable costs to guarantee its secrecy since disclosure could lead to exceptionally grave damage?

A

Top Secret Data

Usually a small number of individuals have access to top-secret data, on condition that there is a need to know.

21
Q

What data classification, popular among governments, designates data that could prove embarrassing if revealed, but no great security breach would occur?

A

Sensitive But Unclassified (SBU)

SBU is a broad category that also includes the “For Official Use Only” designation.

22
Q

Private Sector Classification Scheme:

What classification designates data that’s often displayed in marketing literature or on publicly accessible websites?

A

Public

23
Q

Private Sector Classification Scheme:

What classification designates data that if disclosed potentially leads to embarrassment but no serious security breach?

A

Sensitive

Data in this classification is similar to the SBU classification in the government model.

24
Q

Private Sector Classification Scheme:

What data classification designates data that is important to an organization?

A

Private

You make an effort to maintain the secrecy and accuracy of this data.

25
Q

Private Sector Classification Scheme:

What data classification designates data that companies make the greatest effort to secure? e.g. Trade secrets, employee personnel files

A

Confidential

26
Q

What factors are considered when classifying data?

A

Value - #1 Criterion. Not all data has the same value
Age - For many types of data, its importance changes with time
Useful life - Data is usually valuable for only a set window of time. After the window expires it's usually declassified.
Personal association - data of this type usually involves something of a personal nature. Steps are usually taken to protect this data until the person is deceased.

27
Q

What are the most common roles associated with data?

A

Owner
Custodian
User

28
Q

Which role is ultimately responsible for the information?

A

Owner

Usually a senior-level manager who is in charge of a business unit. The owner:
Classifies the data
Selects the custodian of the data
Directs the actions of the custodian
Should periodically review classified data
Is ultimately responsible.

29
Q

Which role is usually a member of the IT staff who has the day-to-day responsibility for data maintenance?

A

Custodian

The custodian marks the data to enforce the security controls (decided by owner).
Custodian maintains availability of data by regularly backing up data and ensuring backup media are secure.
Reviews security settings of the data as part of their maintenance responsibility.

30
Q

Which role bears no responsibility for the classification or maintenance of classified data?

A

Users

Users bear responsibility for using the data in accordance with established operational procedures in order to maintain the security of the data while it’s in their possession.

31
Q

What are the broad categories used to classify vulnerabilities?

A

Policy flaws
Design errors
Protocol weaknesses
Software vulnerabilities
Misconfiguration
Hostile code
Human Factor

32
Q

What are the three countermeasure category classifications?

A

Administrative - Controls that are largely policies and procedures
Technical - Controls that involve electronics, hardware, software, etc
Physical - Controls that are mostly mechanical

33
Q

The following controls are examples of which control category?

Security Awareness training
Security Policies and standards
Change controls and configuration controls
Security Audits and tests
Good hiring practices
Background checks of contractors and employees

A

Administrative Controls

35
Q

The following controls are examples of which control category?

Firewalls
Intrusion Prevention Systems
Virtual Private Network (VPN) concentrators and clients
TACACS+ and RADIUS servers
One-Time Password (OTP) solutions
Smart cards
Biometric authentication devices
Network Admission Control (NAC) systems
Routers with ACLs

A

Technical Controls

36
Q

The following controls are examples of which control category?

Locked doors
Intruder detection systems
Locks
Safes
Racks
Uninterruptible power supplies (UPS)
Fire-Suppression systems
Positive air-flow systems

A

Physical controls

37
Q

What are the three (3) types of controls?

A

Preventive: the control prevents access
Deterrent: the control deters access
Detective: the control detects access

All three categories of controls (Administrative, Technical or Physical) can be one of the three types (Preventive, deterrent or detective).

38
Q

True or false? A security control is any mechanism that you put in place to reduce risk of compromise of any of the three CIA objectives.

A

True

39
Q

Preventative controls exist to prevent compromise.

A good security design also prepares for failure, recognizing that prevention will not always work. Detective controls enable you to detect a security breach and to determine how the network was breached.

Without detective controls it’s extremely difficult to determine what you need to change.

A

True

40
Q

Deterrent controls are designed to scare away a certain percentage of adversaries to reduce the number of incidents.

A

True

41
Q

What are the two key questions involved in risk management?

A

What does the cost-benefit analysis of your security system tell you?

How will the latest attack techniques play out in your network environment?

42
Q

What are the 4 ways to deal with [Security] risks?

A

Mitigate
Ignore
Accept
Transfer

43
Q

What 4 activities contribute to reducing/mitigating risks?

A

Limitation/Avoidance - Creating a secure environment by not allowing actions that would cause risks to occur, e.g. installing a firewall, using encryption systems, strong authentication.

Assurance - Ensuring policies, standards and practices are followed.

Detection - Detecting intrusion attempts and taking appropriate action to terminate the intrusion.

Recovery - Restoring the system to operational state.

44
Q

What are the key factors you should consider when designing a secure network?

A

Business needs
Risk Analysis
Security Policy
Industry best practices
Security Operations