Various Flashcards
A hidden software-access mechanism that will bypass normal security controls to grant access into the program
Trapdoor
Work tasks and data processing that were lost by a disaster, disruption, or failure
Lost work in process (LWIP)
A shared connection used in common by other devices
Bus
Level of permission granted to individual user for reading data, writing data, or executing specific programs
Access rights
Samples collected by the auditor to prove or disprove the audit findings
Audit evidence
Older term for the building that houses the data center
Information processing facility (IPF)
The initial loading of software to start a computer
Bootstrapping, also known as initial program load (IPL)
Matching the combined security of subject (user or program), object (data), and context of usage (need or purpose) to determine whether the request should be approved or denied
Attribute-based access control (ABAC)
A unique serial number burned into the network interface card by the manufacturer. The address operates in the Data-Link layer (layer 2) of the OSI model.
Media Access Control (MAC) address
Test run by software quality assurance to check the system security mechanisms by exploiting known vulnerabilities
Penetration testing
What is it called when the auditor places restrictions on the nature, use, or content of their findings? The audit may have encountered problems in scope, time, thoroughness of tests, or content of available evidence.
Qualified opinion
What is the list of objectives, tasks in sequence, skills matrix, written procedures, written test procedures, and forecast illustrating scope, time, and cost estimates?
Audit plan
This is the most restrictive level of access that grants users the minimum amount of access to perform their jobs.
Least privilege
Technique used by programmers in computer software to disable the functionality of the program based on a specific date
Time bomb
What is the term used to describe the development of well-defined specifications while ensuring adherence to those specifications?
Quality. Quality starts during initial design with the gathering of specifications. Quality originates in the beginning, not by postinspection after the product (or service) is created.
A type of audit to determine whether internal controls are present and functioning effectively
Compliance audit
What is an attack that has not been seen before called?
Zero-day attack
Which access control model allows the system owner to establish access privileges to the system?
Discretionary access control (DAC)
What is the term for a continuous threat of breach through electronic attacks?
Persistent electronic threat
What is the purpose of the chain of custody, and why is it so important when you are collecting evidence?
The chain of custody ensures control in the preservation of evidence. It ensures that extra care is taken not to alter or taint the sample.
The protection of information held in secret for the benefit of authorized users
Confidentiality
An attempt to overpower the system or attempt every possible combination until access is granted
Brute-force attack
Information synonymous with public records or unprotected data that is accessible by anyone
Unclassified
What is it called when you manage a series of individual projects to create an ongoing operation, also known as a functional support program?
Program management
What is another name for a proxy server?
A circuit-level firewall
What do you call a set of commands and macros developed into a custom template inside an integrated development environment (IDE) programming tool?
Pseudocode
The process of determining risks affecting the actual steps necessary to produce the desired product or service, as in use by the organization
Business impact analysis (BIA)
What is two-factor authentication?
Using two methods for authentication. One method is something you know; the other method is something you have, such as an ATM card, electronic token, or physical characteristics (fingerprint, iris scan).
Name for specific mid-level controls over any technology shared across multiple departments. IT systems exist in almost all departments, and therefore IT-type controls must also exist in each department regardless of who is in charge.
Pervasive controls
What type of plan addresses the continued operation of an organization after a disaster occurs?
Business continuity plan (BCP)
Special command used on the network to request a response from a specific machine on the same subnet
Ping
What is the name of the administrative process for subdividing services and allocating them to a user?
Provisioning
This refers to the cost savings for doing it right the first time. Proper training and planning are examples of how this conserves money and time by avoiding the additional costs of failure.
Price of conformance (POC)
Where in the network should public web servers be located?
The screened subnet (DMZ)
When a computer program sends data as input to another database program operated by someone else, with or without their permission
SQL injection
The process of driving through a neighborhood with technical tools to detect insecure wireless access points
War driving
A type of audit used to evaluate the process method by measuring the inputs, sequence of activities, and output to determine whether the process method meets the published requirements (specifications)
Process audit
The boundaries and limitations of the individual audit. Normally, this indicates particular systems or functions that will be reviewed during the audit.
Audit scope
This attack targets an individual server, user, database, or network device.
Spear-phishing
Software that is readily available via nonproprietary programming methods in its design. The recipient will receive the human-readable source code with the ability to make any internal changes they desire.
Open system
What does the acronym IDS stand for?
Intrusion detection system (IDS)
Eavesdropping and other covert techniques used to collect information
Passive attack
What is cryptography?
The process of either hiding information from other people or authenticating valid users. It’s an area of high interest to governments, businesses, and individuals.
What is it called when an online vendor provides the use of commercial software through a subscription?
Software as a Service (SaaS)
A planned method of testing and tracking minor software updates prior to implementing them into production. The cost of separate testing can be justified by using the price of failure (price of nonconformance).
Patch management
Kerberos is an example of what?
Single sign-on (SSO)
A public record of a unique design or function to which the author or inventor is granted exclusive rights for a limited period of time. The entire design and complete method of building a working copy must be fully disclosed to the public.
Patent
What is the difference between a virus and a worm?
Typically, worms are malicious programs that operate independently exploiting authentication holes between systems. Viruses attach to programs or files and travel when the host file is transferred.
What is the most important first step in understanding the auditee’s IT infrastructure?
A network diagram with complete documentation of the existing systems
The first person to arrive on the scene during an emergency, regardless of training or experience. Even a four-year-old child calling 911 for help will direct the emergency response activities until relieved by a more qualified person.
Incident commander (IC)
A process of ranking information based on its value or requirements for secrecy
Data classification
The selection of projects based on the principles of “highest and best use” of available resources for generating the best return on investment (ROI). This is similar to trading stock investments or baseball cards to improve the overall value of the collection.
Portfolio management
What type of control specifies policies and guidelines for hiring, promotion, termination, data backup, and audits?
Administrative control
The process of manually verifying that records match
Manual reconciliation
An individual with a significant amount of direct experience, or special training with direct experience, and the ability to deduce a correct conclusion when everyone else would form an incorrect conclusion
Expert
A hardware or software device that is watching the communications traffic flowing across the network to other systems
Network-based device
A newer security protocol used in wireless networks with automatic encryption-key generation and authentication
Extensible Authentication Protocol (EAP) in IEEE 802.11i Robust Security Networks
The likelihood that an unfortunate event will occur and cause a loss to assets
Risk
Information in the computer’s working memory (RAM) that will be lost when the power is shut off
Volatile data
A message that is completely readable to a human
Clear text
Discipline of following forthright and honest conduct without impropriety, deceit, or conflicting agenda
Ethics
The timely disclosure of information relevant to the situation. In computer systems, this also refers to the time window in which data is available before being lost or overwritten during normal processing.
Evidence timing
An old diagnostic protocol that allows the sender to specify the communications path to be used in spite of the network router settings configured by the network administrator. Can circumvent firewalls and should be disabled on network devices.
Source routing
This term describes the application of a procedure or method, hopefully in support of an organizational objective.
Tactical
The process of physically marking insecure wireless access points to the Internet
War chalking
Anything of value. May be tangible or intangible in the form of money, physical goods, products, resources, recipes, or procedures.
Asset
Duplicate or redundant components operating in parallel
Mirrored
A test to evaluate performance against a known workload or industry-accepted standard
Benchmarking
These are software programs, interfaces, and utilities that operate invisibly between users to form a workflow connecting their data.
Middleware
How can you justify the costs involved for quality?
By comparing cost savings to the added costs of failure (price of nonconformance)
What is the certificate revocation list (CRL)?
A list of revoked and expired certificates issued by the certificate authority (CA)
This occurs in biometrics when the system is calibrated to favor either speed or increased accuracy.
Crossover error rate (CER)
System or resource being available for users whenever they care to use it
Uptime
The individual charged with protecting data from a loss of availability, loss of integrity, or loss of confidentiality
Data custodian
A special template of biometric data converted into a count of specific characteristics that are unique to each user
Minutiae
This is designed using application of encryption and/or digital certificates to enforce licensing of electronic files (music, movies, e-books, and so forth).
Digital rights management (DRM)
A database designed so that knowledge of the format and structure of data is not required. Very flexible and may be quite complex.
Object-oriented database (OODB)
Scanning of hand geometry and fingerprint readers are examples of what type of authentication?
Biometric authentication
This principle ensures that the user will not make a false denial of participating in a transaction.
Nonrepudiation
An audit conducted by a person who is not related to the auditee. This audit represents a high value of assurance that can be used for external purposes, including regulatory licensing.
Independent audit
Adjusting the sensitivity of a biometric system to use a 50/50 compromise of false acceptance and false rejection
Equal error rate (EER)
A unique entry into a database record that is required for the record to be valid
Primary key
Name of the entire process for ensuring proper safeguards and control with the goal of providing complete integrity
Records management
A formal specification of rules for interfaces and procedures used in communication
Protocol
A technique used by antivirus software to replace the original end-of-file (EOF) marker with a new EOF marker generated by the antivirus program. Anything attempting to attach itself to the new EOF marker indicates a virus attack.
Inoculation, or immunization
This programming technique allows one program, such as a shopping cart, to drive another website. It’s used by 98 percent of e-commerce on the Internet.
Cross-site scripting (XSS)
Unique data used as a randomizer in encryption algorithms. This cryptovariable must be kept secret from all other users in order to protect the confidentiality of encrypted files.
Private key
An internal processing environment for running a program inside another program session. It partitions resources to create a secure environment to protect the rest of the computer system from harm.
Virtual machine
A malicious file that usually attaches itself to other programs with the purpose of spreading infection through program execution or through transportation by using email
Virus
New employees are being hired into positions that require a high degree of trust. What administrative control should be performed as part of a security policy?
Background checks and possibly fidelity bonding
Used in business continuity and disaster recovery planning to identify potential violations that must be avoided or that require special handling to minimize penalties
Legal deadline (LD)
Low voltage for an extended period of time
Brownout
A new generation of software or a design change resulting in a new version. Releases tend to occur in 12- to 24-month intervals.
Major software release
The culmination of software, hardware, procedures, and data files that will permit timely recovery from a failure or disaster
Backup and restore capability
Term for application software hosted by remote vendors across the Internet for subscribers, where the details of security cannot actually be verified as fact
Cloud computing
An advanced software development tool used for writing programs. It provides built-in functions for capturing the software design, commands, and macros for creating program code and debug testing.
Integrated development environment (IDE)
Evidence that can be reassembled in chronological order to retrace a transaction or series of transactions
Audit trail
A physical distance between two doorways that is designed to trap an unauthorized individual between the closed doors. Fully caged turnstiles can provide a similar means to capture potential intruders.
Mantrap
When data is properly ranked somewhere within a protection scheme
Classified
A review of the system after it is placed in operation to determine whether it fulfilled its original objectives. New objectives may be identified that require the system to be modified to attain compliance with the new requirements.
Postimplementation review
The longest period of downtime that an organization can survive from a specific outage involving a system, process, or resource
Maximum acceptable outage (MAO)
List four items that are vital to recovering from a disaster.
Offsite data backup, copy of vital records, an alternative work location (hot site, warm site, or cold site), and the disaster recovery plan
When a hacker is running a remote-controlled network composed of computers owned by unsuspecting users
Bot-net (aka roBOT-NETwork)
A small corrective update issued by the software developer to fix problems found in a major version previously released
Patch, also known as a minor software update
A family classification of computer software designed to intentionally cause malicious damage
Malicious software, also known as malware
An overlay setting used to parse the IP address into two distinct portions that represent the unique network address and the unique host address. Without this setting, the computer will be confused and unable to communicate on the network.
Netmask
What is the special acquisition device used to create unique minutia data representing an individual user?
Biometric template sensor
A mandatory set of steps used as a cookbook recipe for a desired result. Provides the day-to-day low-level execution necessary to support a standard.
Procedure
What is the name for programmed rules inside the database used to evaluate data by sorting for possible correlations?
Heuristics
Used to designate a prorated dollar amount or weight of effectiveness to an entire subject population
Variable sampling
This compares the user’s minutia data against their reference sample stored in the encrypted database.
Biometric template matcher
Automated software discovery of all the active hosts on a network
Host enumeration
A project management technique used to determine the critical path and to forecast the time and resources necessary to complete a project
Program Evaluation Review Technique (PERT)
Lack of awareness or absence of knowledge. The fastest way to be convicted for violating a law or other obligation.
Ignorance
What is the difference between IPsec transport mode and tunnel mode?
Tunnel mode hides the internal network’s IP address information and payload by using encryption. Transport mode hides only the data portion of the IP packet by using the Encapsulating Security Payload (ESP) with encryption.
A combination of using in-house work and of outsourcing selected processes
Hybrid sourcing
Unbiased honesty by a person dealing with other people or in the records of transactions
Integrity
An individual pretends to be a person of authority and pulls rank to intimidate a user into giving up their username and password for network access. What type of attack is this representative of?
Social engineering
Eliminating the opportunity for a person to reject or renounce their participation
Nonrepudiation
A high-level statement by management specifying an objective with mandatory compliance for all persons of lower authority
Policy
Persistent data retained on the hard disk and other storage media after system shutdown
Nonvolatile data
A database of information derived from the knowledge of individuals who perform the related tasks. Used in decision support systems.
Knowledge base
An administrative grouping of program objects with similar attributes or related behavior. Similar to the classification of insects by their shared attributes.
Object class
A method of access control based on job role and required tasks
Nondiscretionary access control
A small downloaded program using ActiveX, Java, XML, or a similar programming language
Applet
A committee that consists of business executives for the purpose of conveying current business priorities and objectives to IT management. The committee provides governance for major projects and the IT budget.
IT steering committee
A decision based on current conditions, which, when met, dictate starting the disaster recovery or business continuity plans. Any delay or failure to do so would indicate negligence.
Activation
The inherent potential for harm in the business or industry itself, as the organization attempts to fulfill its objectives
Business risk
A large-scale, traditional, multiuser, multiprocessor system designed with excellent internal controls
Mainframe computer
A specification of physical characteristics, electrical signals, formats, and procedures used to communicate between systems
Interface
Refers to the auditor not being related to the audit subject. The desire is for the auditor to be objective and free of conflict because they are not related to the audit subject.
Auditor independence
A symmetric-key (preshared key) encryption protocol originally designed to promote wireless security. Because of poor design, the radio beacon advertises the entire encryption key to any listening device.
Wired Equivalent Privacy (WEP)
Public-key cryptography is also known as what?
Asymmetric cryptography
An overt attack against the system or system data files
Active attack
A declaration or activity designed to instill confidence. Also known as a promise with evidence.
Assurance
Which type of network firewall is usually the simplest to configure but has the worst logging capabilities?
A packet-filtering network firewall (generation 1)
A device used in forensic investigations to prevent any changes to the original data on the hard disk or media during bitstream imaging
Write blocker
Is it possible to implement nonrepudiation with symmetric/secret keys?
No. The same key is used at both ends without a way to tell who executed the transaction.
A temporary and uniquely generated encryption key used for a short period of time
Temporal key
Which access control model grants a user a predetermined level of access based on the role the user holds in the organization?
Role-based access control (RBAC) model
An effective speed metric for processing a complete set of specific transactions
Throughput
What is another term for a screened subnet?
Demilitarized zone (DMZ)
Firewalls should always be configured to prevent the downloading of this type of program
ActiveX
A malicious, self-replicating computer program that spreads itself through the system as infected computer programs are executed
Virus
Special handling for information crossing a political border. Risks include legality of the information, differences in legal requirements, and extra protection necessary to prevent unauthorized disclosure.
Transborder data communication
Any disruptive event, especially those that may cause harm
Incident
A system development technique used to create initial versions of software functionality. Focused on proving a method or gaining early user acceptance, usually without any internal controls.
Prototype
The person(s) performing the audit by gathering evidence, testing, and reporting the findings. This person should not be related to the subject of the audit, to prevent bias.
Auditor
What is it called when information contained in two or more data tables is valid across the links inside the database?
Referential integrity