Various 2 Flashcards
What is the term for the time when computer systems are susceptible to compromise while the system is loading and before the security front end becomes active? Computer software is also vulnerable to configuration changes at this time.
Initial program load (IPL)
An internationally recognized, government-mandated standard for crisis command during disaster recovery and business continuity events
Incident Command System (ICS)
A short sequence of six to eight characters used in type 1 (weak) authentication
Password
Creates reports that may be used only for internal purposes. These reports contain a known bias, which reduces the value of what they represent to low or moderate.
Internal audit
A malicious hacker program designed to covertly install a backdoor without the consent of the system user. This will subvert the operating system kernel security and operate in stealth to hide its existence.
Rootkit
A check file of a fixed length created from a source file of any length. The purpose is to indicate whether the source file may have been changed.
Message hash
Having no significant bearing on the final outcome, also known as trivial information
Irrelevant
What are the names of the keys used for PKI?
The public key and the private (secret) key
Criteria based on impact, anticipated duration of outage, or immediate lack of sufficient information to calculate the actual impact. It’s always better to overreact when compared to the consequences of delay.
Activation criteria for business continuity and disaster recovery
The most common encryption-based method of providing a remote user with secure access to the network
IPsec virtual private network (VPN)
To grant a right to perform some type of action
Authorization
The progressive development of software through a succession of multiple versions
Iterative development
An organization that is responsible for issuing and maintaining certificates
Certificate authority (CA)
The persons and organization being audited
Auditee
The lowest level of control, usually governing system use or internal program controls. These types of controls are easily subverted if higher-level controls governing the operating environment are missing or ineffective.
Application controls
The term used when an auditor has no reservations with their findings, and there are no special restrictions on the use of the audit report.
Unqualified opinion
The process of streamlining existing operations in an effort to improve efficiency and reduce cost. Benefits may be derived by eliminating unnecessary steps as the organization has progressed through the learning curve, or by expanding capability for more work.
Business process reengineering (BPR)
A less formal process used to determine value or relevance to the intended use. The results will be of low to moderate value. These results are used for internal purposes only.
Assessment
Multiple communication channels that are multiplexed over a single cable
Broadband
A historical score of business process performance. Unfortunately, the score may indicate that a failure has occurred before corrective action can be taken.
Key performance indicator (KPI)
When two or more obligors (persons or organizations) bind themselves without actual partnership or corporate designation in a specific venture with the risk, liability, and potential profits shared between the parties. All parties share a communal liability for the failure of the other party.
Joint venture
An engineering technique used to steal the secrets of your competitor for the purpose of developing your own product. Usually a violation of the software user license agreement.
Reverse engineering
Changing the normal function of keys to execute different commands
Keyboard remapping
What is the name of the protection method used when encryption keys are re-encrypted with a different algorithm using a different key to obscure the original key?
Key wrapping
Electronic access to a system without being physically present
Logical access
A best practice for recording the analysis of problems and improvements that worked
Lessons learned
A biometrics technique that maps the unique pattern of veins in the back of the human eyeball
Retinal scan
What is the purpose of a certification practice statement (CPS)?
The CPS is a formal document outlining the issuer’s certificate policy and enforcement policy.
The process of copying the current data files for records retention but ignoring deleted files and temporary system data in swap space
Logical backup
What are the most important actions to be taken when someone is terminated or laid off?
Disable user accounts, physically remove access to desktops, and collect any company property remaining in their possession
Early hierarchical design created by IBM for connecting different computers
Systems Network Architecture (SNA)
A method of transmitting data through a variety of different paths en route to its destination. The user is billed by the data packets sent and not by the route or distance traveled.
Packet-switched
Connection of redundant network links
Meshed network
A potential danger that, if realized, will have a negative effect on assets
Threat
A computer system or network device to be evaluated under the Common Criteria standard (ISO 15408)
Target of evaluation (TOE)
A term for utility software that operates on the program interfaces and is invisible to both the user and the database server. It performs an intermediary service between two programs.
Middleware
Lower-level controls placed on specific procedures
Detailed controls
The ability for hardware and software systems from different manufacturers to communicate with each other
Interoperability
To conserve processing, space occupied by these files is simply marked as eligible for overwriting. The contents remain on the disk.
Deleted files
A programmed procedure inside a computer software application designed to cause damage on the occurrence of a particular event, date, or time. Extremely difficult to locate.
Logic bomb
A secret point of entry into a system. Usually a hidden access technique left in the software by the developer for future use by their technical support staff.
Trapdoor
A technical system designed to alert personnel to activity that may indicate the presence of a hacker. Provides a type of network hacker alarm.
Intrusion detection and prevention system (IDPS)
A unique process, tool, formula, pattern, or knowledge possessed by its creator and hidden from everyone else for the purpose of obtaining an advantage in the market
Trade secret
A standardized reference listing of all the programmer’s data descriptions and files used in a computer program
Data dictionary
The probability of error. A rating of 95 percent is considered a ________ in IS auditing.
Confidence coefficient
Which method will provide faster restoration of data files: an incremental backup or a differential backup?
A differential backup
Evaluates the management of a system, including its configuration. The purpose is to determine how well the system is managed by collecting evidence indicating the computer’s specific configuration settings.
System audit
A program applet designed by Microsoft with access throughout the entire system. More dangerous than Java applets because it can circumvent or defeat the security of Microsoft Windows.
ActiveX
The risk that errors may be introduced or may not be identified and corrected in a timely manner
Control risk
A program designed to send system event logs to a remote system. Log files are protected from the attacker, and the extra copy of log files will enforce separation of duties.
Syslog
A special area on the hard disk designated as a temporary location for data to be offloaded from RAM. This improves system performance by moving selected tasks out of the way while other data is processed.
Swap space
What type of internal control protects your assets and information from physical access by unauthorized personnel?
Preventive control implemented by using physical methods
A small group of computers and devices sharing the same broadcast domain
A subnet, also known as a subnetwork
A systematic process of collecting evidence to test or confirm a statement or to confirm a record of transaction
Audit
To sharpen the details of an average population by using a stratified mean (such as demographics) to further define the data into small units
Defuzzification
What are the advantages of using fiber optics instead of unshielded twisted-pair cabling (UTP)?
Fiber optics are immune to interference and difficult to tap, and can be used on longer runs.
The address of a router used to communicate with systems located on a different subnet or a different network
Default gateway
Refers to evidence that specifically proves or disproves a particular point
Best evidence
What is the principal difference between the DoS and DDoS attacks?
The distributed DoS (DDoS) attack uses multiple computers focused on attacking one target.
A set of related data files
Data set
The implementation of a computer program using a cryptographic algorithm and keys to encrypt and decrypt messages
Cryptographic system
Another name for records management
Data retention
The system sensor that acquires a biometric image and converts it into biometric minutiae for digital storage or comparison
Biometric template generator
Used in disaster recovery testing to simulate the basic recovery process in order to clean any errors from the procedure
Functional testing
What is the purpose of a mantrap?
Mantraps are designed to prevent an unauthorized person from gaining access by piggybacking behind an authorized user.
A special bit-by-bit backup of physical media that records all the contents, including deleted files and current contents of swap space or slack space
Bitstream imaging
A collection of persistent data items that are maintained in a grouping
Database
Name of the procedure and formula used to direct communications across the available path
Routing protocol
An access control system based on rules that require the user to have an explicit level of access that matches the appropriate security label. The only way to increase access is by a formal promotion of the user ID to the next security level.
Mandatory access control (MAC)
Compares a biometric image template just acquired by the sensor to the biometric minutiae already stored inside the biometrics database
Biometric template matcher
A committee or reporting hierarchy to convey questionable situations involving management to the highest level of authority, often the board of directors
Management oversight
A networking topology that creates two paths between the senders and receivers. The most common implementation is IBM for a local area network. The public telephone company uses a similar topology for redundant connections between central offices.
Ring topology
A formal policy concerning the intended use of biometric data, including a supporting operating standard of how the data is collected, stored, protected, transmitted, used, and disposed of
Biometric management
What is S/MIME used to encrypt?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to encrypt email. S/MIME is the replacement for the older Privacy Enhanced Mail (PEM).
Formal approval by management to accept all the responsibilities and consequences for a system to be used in production for a period of 90 days, 180 days, or 365 days (annual)
Accreditation
What is a table of user login IDs specifying their individual level of access to computer resources?
Access control list (ACL)
Changes to data in the database are held in a temporary file. This transaction can be reversed (discarded) until the program writes the change into the master file. What is this temporary log file called?
After-image
A type of exercise used in planning to uncover previous assumptions and interesting quirks used in the decision process. Assumptions may no longer be valid. You may discover additional defects in the decision criteria.
Scenario approach
The process of verifying a user’s identity. The user’s claim will be tested against a known reference. If a match occurs, the user claim is verified as true and allowed to proceed. A mismatch will deny the request.
Authentication
A temporary record of work in progress. This database journal file contains the original data before a new transaction is written.
Before-image
Intentionally hiding malicious software inside a normal program
Trojan horse
The principle that says if the database transaction fails, the change is discarded and the original data is kept.
ACID principle. A = atomicity (all or nothing), C = consistency, I = isolation, D = durability (data written to disk).
Terminology referring to the agreed-upon reference point
Baseline
The lowest layer of the OSI model that deals with cabling and electrical signals
Physical layer
Microsoft’s technique for software developers to digitally sign downloadable ActiveX applets. It does not protect the user from malicious software or poorly written programs.
Authenticode
A formal process of verifying that the system meets the user’s requirements during the SDLC Implementation phase
User acceptance testing
A formal statement of policy signed by management and acknowledged by the user with their signature. Normally this policy is enforced by the HR department. This policy should state that computer use is for company business only and that noncompany activities, including those related to religion or topics of questionable use, are prohibited.
Acceptable use policy (AUP)
The process of reviewing risks, threats, and vulnerabilities to determine appropriate controls
Risk assessment
A type of test designed to gauge possible penetration through the system security mechanisms by exploiting a known weakness or security flaw
Penetration testing
A micromanagement methodology to force development within a series of short time boxes. Primarily used for the development of prototypes.
Agile development
The possibility that material errors may exist that the auditor is unable to detect
Audit risk
The family of automated test software using a computerized audit procedure with specialized utilities
Computer-assisted audit tools (CAAT)
A temporary memory location used to stage data before or after processing
Buffer
A group of additional internal controls that reduce the potential for loss by error or omission. Used when the primary control choice is not possible.
Compensating control
A nickname for individuals who execute scripted programs or utilities without comprehensive knowledge of the internal mechanisms being executed
Script kiddies
A physical location that may be used for disaster recovery of noncritical processes. The entire computing environment must be shipped in and then assembled.
Cold site
Name of the chosen acceptable performance objective in the Common Criteria standard for systems under evaluation. Failing this target would result in a lower assurance rating.
Security target (ST)
An encrypted message displayed in unreadable text that appears as gibberish
Ciphertext
Which communications method charges for transmissions based on distance?
Circuit-switched, also known as leased line
Name of the web-based program that runs on the server, also known as server-side includes
Servlet