Study Guide Ch 1

Question 1

Confidentiality

Answer 1

the principle that objects are not disclosed to unauthorized subjects

Question 2

Integrity

Answer 2

the principle that objects retain their veracity and are intentionally modified by only authorized subjects

Question 3

Availability

Answer 3

the principle that authorized subjects are granted timely and uninterrupted access to object

Question 4

Countermeasures for confidentiality include:

Answer 4

encryption,
network traffic padding, strict access control, rigorous authentication procedures,
data classification,
extensive personnel training

Question 5

Attacks against confidentiality include:

Answer 5

capturing network traffic stealing password files 
social engineering, 
port scanning, 
shoulder surfing, eavesdropping, 
sniffing

Question 6

Mechanisms which support integrity include:

Answer 6

controls which restrict access to data, objects, and resources

activity logging

Question 7

Attacks against integrity include:

Answer 7

viruses, logic bombs, unauthorized access,
errors in coding and applications,
malicious modification, intentional replacement,
and system back doors

Question 8

Countermeasures for maintaining integrity

Answer 8

strict access control, rigorous authentication procedures,
intrusion detection systems, object/data encryption, hash total verification, interface restrictions, input/function checks,
and extensive personnel training.

Question 9

threats to availability

Answer 9

device failure,

software errors,

environmental issues,

DoS attacks,

object destruction,

communication interruptions

Question 10

Availability countermeasures include:

Answer 10

monitoring performance and network traffic,

using firewalls and routers to prevent DoS attacks,

implementing redundancy for critical systems,

maintaining and testing backup systems

Question 11

Identification

Answer 11

the process by which a subject professes an identity and accountability is initiated

Question 12

How does identification work?

Answer 12

Providing an identity can involve typing in a username; swiping a smart card; waving a proximity device, etc

Question 13

Authentication

Answer 13

The process of verifying or testing that the claimed identity is valid

Question 14

How does authentication work?

Answer 14

Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities

Question 15

Authorization

Answer 15

defining the allows and denials of resource and object access for a specific identity

Question 16

Auditing

Answer 16

the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable

Question 17

What does the enforcement of the security policy depend on?

Answer 17

An organization’s security policy can be properly enforced only if accountability is maintained

Question 18

Non repudiation

Answer 18

Non repudiation ensures that the subject of an activity or event cannot deny that the event occurred

Question 19

What is security management based on?

Answer 19

Strategic, tactical and operational planning

Question 20

Strategic Plan

Answer 20

a long-term plan that is fairly stable and defines the goals, mission and objectives of the organization

Question 21

Tactical plan

Answer 21

a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan

Question 22

Operational Plan

Answer 22

a short-term, highly detailed plan based on the strategic and tactical plans.

Question 23

Elements of a formal security policy structure

Answer 23

security policy, 
standards, 
baselines, 
guidelines, 
and procedures

Question 24

The primary security roles

Answer 24

senior manager, organizational owner, 
upper management, 
security professional, 
user, data owner, 
data custodian, 
auditor

Question 25

Senior manager

Answer 25

ultimately responsible for the security maintained by an organization

Question 26

Security professional

Answer 26

has the functional responsibility for security, including writing the security policy and implementing it

Question 27

Data Owner

Answer 27

the person who is responsible for classifying information

Question 28

Data Custodian

Answer 28

the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management

Question 29

User

Answer 29

assigned to any person who has access to the secured system

Question 30

Auditor

Answer 30

responsible for reviewing and verifying that the security policy is properly implemented

Question 31

How does education fit into the security processes of an organization?

Answer 31

Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks

Question 32

What is layering?

Answer 32

the use of multiple controls in series

Question 33

Define data hiding

Answer 33

preventing data from being discovered or accessed by a subject

Question 34

Abstraction

Answer 34

Abstraction is used to collect similar elements into groups, classes, or roles

Question 35

Encryption

Answer 35

Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients

Question 36

benefits of using a data classification scheme

Answer 36

• It demonstrates an organization’s commitment to protecting valuable resources and assets.
• It assists in identifying those assets that are most critical or valuable to the organization.
• It lends credence to the selection of protection mechanisms.
• It is often required for regulatory compliance or legal restrictions.
• It helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable.
• It helps with data life-cycle management

Question 37

Benefits of change management

Answer 37

• Changes are always controlled.
• A formalized testing process
• All changes can be reversed
• Users are informed of changes before they occur
• The effects of changes are systematically analyzed.
• The negative impact of changes on capabilities, functionality, and performance is minimized.
• Changes are reviewed and approved by a CAB (change approval board).

Question 38

The goal of change management

Answer 38

to ensure that any change does not lead to reduced or compromised security

Question 39

Data classification

Answer 39

the process of organizing items, objects, subjects into categories

Question 40

Government data classification scheme

Answer 40

Top Secret 
Secret 
Confidential 
SBU
Unclassified

Question 41

Commercial data classification scheme

Answer 41

Confidential
Private
Sensitive
Public

Question 42

Define Threat modeling

Answer 42

the security process where potential threats are identified, categorized, and analyzed

Question 43

3 Approaches to Identifying Threats

Answer 43

Focused on Assets
Focused on Attackers
Focused on Software

Question 44

STRIDE

Answer 44

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 45

Threat modeling steps

Answer 45

Identify threats
Diagram
Reduce/Decompose
Prioritize/Mitigation

Question 46

The DREAD rating system

Answer 46

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Question 47

COBIT

Answer 47

Control Objectives for Information and Related Technology

Question 48

Data Hiding

Answer 48

preventing data from being discovered or accessed by positioning the data in a logical storage compartment that is not accessible