Vocabulary Part 1 Flashcards
Risk mitigation
is the practice of eliminating a risk, or significantly decreasing the level of risk presented.
A risk assessment, which is a tool for risk management, is
a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.
A risk assessment is carried out, and the results
are analyzed.
Risk analysis is used
to ensure that security is cost-effective, relevant, timely, and responsive to threats.
Security can be quite complex, even for well-versed security professionals, and it is easy to apply
too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives.
Risk analysis helps companies
prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
What are the four main goals of risk analysis?
(1) Identify assets and their value to the organization.
(2) Identify vulnerabilities and threats.
(3) Quantify the probability and business impact of these potential threats.
(4) Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Analyzing the resources of a system is one standard method for locating covert channels, because a shared resource is the basis of every covert channel. What are the four properties that must hold for a storage channel to exist?
- Both the sending and receiving processes must have access to the same attribute of a shared object.
- The sending process must be able to modify the attribute of the shared object.
- The receiving process must be able to reference that attribute of the shared object.
- A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist.
The TCP Urgent Pointer is used
when some data has to reach the receiving application ahead of the rest of the stream.
The Urgent Pointer is most commonly used in Telnet,
where an immediate response (e.g. to an interrupt, or the echoing of characters) is desirable.
When a segment is pulled out of the processing queue and acted upon immediately,
it is known as an Out-of-Band (OOB) segment and the data is called Out-of-Band (OOB) data.
Covert Channels are NOT
directly synonymous with backdoors.
A covert channel is simply the use of a communication protocol in a way
it was NOT intended to be used, or the sending of data without going through the proper access control mechanisms or channels.
An example of a covert channel in a Mandatory Access Control system is a user who has secretly found a way to communicate confidential information to another user without going through the normal channels.
In this case, how could the Urgent bit be used?
- For a denial of service: a host receiving a segment with the URG bit set gives it immediate attention and then waits for the urgent data to arrive; if the sender never sends it, the receiver sits idle until it times out. Some TCP/IP stacks used to have a 600-second timeout, which meant that for 10 minutes nobody could use that port. Sending thousands of segments with the URG flag set therefore made a very effective denial-of-service attack.
- As a covert client/server channel: data can be transmitted back and forth without going through the proper channels. It is slow, but reserved fields and bits in the headers can carry data outside the normal communication channel.
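The following is an added example (not part of the original flashcards) that ties the four storage-channel properties above to the Urgent Pointer misuse just described. It builds TCP headers in memory with `struct` (no sockets, no real hosts, checksums left at zero); the ports, sequence numbers and the hidden message are constructed values. The sender modifies the shared attribute (the 16-bit Urgent Pointer field), the receiver references it, and the sequence number supplies the ordering, so all four properties hold. A detector at the end flags the two things a well-behaved stack never does: a non-zero Urgent Pointer with URG clear, and URG set with the pointer beyond the data that actually arrived (the "wait for urgent data that never comes" condition used for the denial of service).

```python
"""Covert storage channel in the TCP Urgent Pointer, plus a detector.

Added example: every segment is built in memory with struct; no sockets,
no real hosts, checksums left at zero. Ports, sequence numbers and the
message are constructed values."""
import struct

TCP_FLAG_URG = 0x20
TCP_FLAG_ACK = 0x10
TCP_FLAG_PSH = 0x08


def build_tcp_header(src_port, dst_port, seq, ack, flags, urgent_ptr, window=65535):
    """20-byte TCP header with no options (RFC 793 layout, big-endian)."""
    data_offset_and_flags = (5 << 12) | (flags & 0x1FF)   # 5 x 32-bit words, 9 flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset_and_flags, window, 0, urgent_ptr)


def parse_tcp_header(segment):
    """Pull out the fields a covert channel, or a detector, cares about."""
    src, dst, seq, ack, off_flags, window, _checksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window,
            "urgent_ptr": urg, "payload": segment[header_len:]}


def encode_covert(message, src_port=40000, dst_port=80, start_seq=1000):
    """Sender: hide two bytes of the message per segment in the Urgent Pointer.
    URG is deliberately left clear, so a normal receiver ignores the field."""
    data = message.encode()
    if len(data) % 2:
        data += b"\x00"
    segments = []
    for i in range(0, len(data), 2):
        word = struct.unpack("!H", data[i:i + 2])[0]
        seq = start_seq + i // 2      # the sequence number orders the channel
        segments.append(build_tcp_header(src_port, dst_port, seq, 0, TCP_FLAG_ACK, word))
    return segments


def decode_covert(segments):
    """Receiver: reference the same attribute, in sequence-number order."""
    headers = sorted((parse_tcp_header(s) for s in segments), key=lambda h: h["seq"])
    raw = b"".join(struct.pack("!H", h["urgent_ptr"]) for h in headers)
    return raw.rstrip(b"\x00").decode()


def flag_suspicious(segments):
    """Detector: Urgent Pointer usage a well-behaved stack never produces.
    The second check is a heuristic, since legitimate urgent data may span segments."""
    findings = []
    for n, s in enumerate(segments):
        h = parse_tcp_header(s)
        urg_set = bool(h["flags"] & TCP_FLAG_URG)
        if not urg_set and h["urgent_ptr"] != 0:
            findings.append((n, "urgent pointer set without URG flag"))
        elif urg_set and h["urgent_ptr"] > len(h["payload"]):
            findings.append((n, "URG set but pointer beyond payload (no urgent data follows)"))
    return findings


if __name__ == "__main__":
    covert = encode_covert("hello")
    print(decode_covert(covert), flag_suspicious(covert))
```

Because the receiver sorts by sequence number, the segments can arrive in any order and the message still decodes; that is the "mechanism for properly sequencing accesses" from the fourth property. On a real network the same detector logic would run over captured segments rather than the in-memory list used here.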
Risk Mitigation involves
applying appropriate controls to reduce risk.
What recommendations could an IS auditor provide to lessen the risk of exposing highly sensitive and confidential personal and financial information in an organization?
Put countermeasures in place, such as:
(1) firewalls,
(2) Intrusion detection/prevention systems, and
(3) other mechanisms that deter malicious outsiders from accessing this highly sensitive information.
For underage drivers, risk mitigation could take the form of
(1) driver education for the youth,
(2) establishing a policy not allowing the young driver to use a cell phone while driving,
(3) not letting youth of a certain age have more than one friend in the car as a passenger at any given time.
Risk transfer is the practice of
passing on the risk in question to another entity, such as an insurance company.
Risk acceptance is the practice of
accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk avoidance is the practice of
coming up with alternatives so that the risk in question is not realized.
Deterrent controls are intended
to discourage a potential attacker.
Access controls can act as a deterrent to threats and attacks
because the mere existence of the control is enough to keep some potential attackers from attempting to circumvent it.
The examination of proposed test plans is
part of the testing phase.
Items to be addressed during the design and development phase include:
(1) studying flowcharts;
(2) evaluating input, output, and process controls;
(3) examining proposed audit trails; and
(4) reviewing how the system will deal with erroneous input.
Business continuity planning is
an ongoing process that should be revisited each time there is a change to the environment.
Blind testing describes a situation
where only one party knows: the target's staff know the test is taking place, but the tester is given little or no information about the target.
Double-blind testing describes a situation
where neither party knows: the tester has little or no information about the target, and the target's staff are not told that the test is taking place.
Implementation is the stage at which
user acceptance is usually performed.
A direct changeover requires the establishment of
a cut-off date so that all users must switch to the new system by then.
A pilot scenario is used
when the entire new system is used at one location (or by one group) before being rolled out more widely.
A phased changeover is
a gradual process.
A parallel changeover
brings the new system online while the old is still in operation.
A SAS 70 report
verifies that an outsourcing provider or business partner has had its control objectives and control activities examined by an independent accounting and auditing firm. (SAS 70 was superseded by SSAE 16 in 2011.)
The EU-US Privacy Shield was used for
transferring personal data from the EU to the US under EU data protection requirements (it was invalidated by the Court of Justice of the EU in 2020).
COBIT is a good-practice framework created by the international professional association:
ISACA for information technology (IT) management and IT governance.
COBIT is a
good-practice framework.
COBIT is
for information technology (IT) management and IT governance
ITIL is a
set of detailed practices for IT service management.
ITIL seeks to
align IT services with the needs of the business.
Kerberos is
a network authentication protocol and an example of single sign-on (SSO).
All of these are methods of centralized authentication (AAA):
Diameter, RADIUS, and TACACS (and its successor TACACS+).
Fuzzing is a form of
dynamic testing that feeds malformed, unexpected, or random input to a program to find crashes and other failures; it is typically black-box testing and can be carried out when the source code is not available.
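An added example (not part of the original flashcards) of what fuzzing actually does: a mutation fuzzer that takes one valid input, randomly corrupts it, and records every exception the parser was not designed to raise. The frame format, both parsers, and the seed data are invented for this demonstration and belong to no real protocol. The deliberately buggy parser trusts its length fields; the hardened one beside it bounds-checks every read, and the same fuzzer finds nothing against it.

```python
"""Mutation fuzzer against a constructed frame parser: buggy version beside a hardened one.

Added example; the frame format, both parsers and the seed data are made up for this
demonstration and do not belong to any real protocol."""
import random

MAGIC = b"FZ"


def xor_checksum(data):
    acc = 0
    for b in data:
        acc ^= b
    return acc


def build_frame(records):
    """FZ | count | (len | payload)* | xor checksum over everything before it."""
    body = MAGIC + bytes([len(records)])
    for rec in records:
        body += bytes([len(rec)]) + rec
    return body + bytes([xor_checksum(body)])


def parse_frame(buf):
    """Deliberately buggy: trusts the length fields and never bounds-checks."""
    if buf[:2] != MAGIC:
        raise ValueError("bad magic")
    count, pos, records = buf[2], 3, []
    for _ in range(count):
        length = buf[pos]
        pos += 1
        records.append(bytes(buf[pos:pos + length]))   # silently short if the frame is truncated
        pos += length
    if xor_checksum(buf[:pos]) != buf[pos]:            # IndexError when pos has run past the end
        raise ValueError("checksum mismatch")
    return records


def parse_frame_safe(buf):
    """Hardened: every read is bounds-checked and malformed input is a ValueError."""
    if len(buf) < 4 or buf[:2] != MAGIC:
        raise ValueError("bad header")
    count, pos, records = buf[2], 3, []
    for _ in range(count):
        if pos >= len(buf) - 1:
            raise ValueError("truncated record header")
        length = buf[pos]
        pos += 1
        if pos + length > len(buf) - 1:                # leave room for the checksum byte
            raise ValueError("record length exceeds frame")
        records.append(bytes(buf[pos:pos + length]))
        pos += length
    if pos != len(buf) - 1:
        raise ValueError("trailing bytes after last record")
    if xor_checksum(buf[:pos]) != buf[pos]:
        raise ValueError("checksum mismatch")
    return records


def mutate(rng, data):
    """One random mutation: bit flip, boundary byte, truncation, or junk insertion."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif choice == 2 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(data)


def fuzz(parser, seeds, iterations=2000, seed=1):
    """Return (exception name, input) for every crash. ValueError is the parser
    rejecting input correctly; anything else is a bug."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((type(exc).__name__, case))
    return crashes


SEED_FRAME = build_frame([b"user=alice", b"role=admin"])   # constructed, valid input

if __name__ == "__main__":
    bugs = fuzz(parse_frame, [SEED_FRAME])
    print(f"buggy parser: {len(bugs)} crashes, e.g. {bugs[0] if bugs else None}")
    print(f"hardened parser: {len(fuzz(parse_frame_safe, [SEED_FRAME]))} crashes")
```

Note that the fuzzer never looks at the source of either parser; it only needs a valid seed and a definition of which exceptions count as "expected rejection". That is what makes the technique usable against a black box. In a memory-unsafe language the same length-field bug would be an out-of-bounds read rather than a Python `IndexError`.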
A code review is performed
when the code is available.
Reverse engineering is
used to tear apart existing code.
A decompiler is used
to translate compiled code back into a higher-level representation so that the internal operation of an application can be examined.
Reviewing network diagrams is usually the best place for an auditor to start when performing a
Network audit.
What resource should provide an IT auditor a foundational understanding of the network?
Network diagrams
Intrusion detection is
the best method of monitoring and detecting break-ins or attempts to attack via the Internet.
Packet filtering is
a type of stateless inspection and can make a decision only on a set of static rules.
Stateful inspection is not
specifically designed to detect and report hacking activities.
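An added example (not from the original flashcards) of the practical difference between the two cards above: the same four packets are run through a stateless filter that judges each packet alone and a stateful inspector that remembers connections opened from inside. The addresses, ports and the simplified connection table (no FIN/RST teardown, no timeouts) are constructed assumptions. The interesting case is the third packet, an unsolicited inbound ACK-only probe of the kind used in ACK scans: the static "established" rule lets it through because the ACK bit is set, while the stateful device drops it because no connection matches.

```python
"""Stateless packet filter beside stateful inspection on the same traffic.

Added example with a constructed scenario: addresses, ports and the simplified
connection table (no FIN/RST teardown, no timeouts) are all assumptions."""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str      # "in" = from the Internet, "out" = from the protected network


class StatelessFilter:
    """Judges each packet alone against static rules.
    The inbound rule mimics the classic 'permit tcp any any established' ACL: ACK set."""

    def allow(self, pkt):
        if pkt.direction == "out":
            return True                 # trust everything leaving
        return bool(pkt.flags & ACK)    # no memory of whether a connection exists


class StatefulInspector:
    """Tracks connections opened from inside; inbound packets need a matching entry."""

    def __init__(self):
        self.table = set()              # (internal ip, port, external ip, port)

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario():
    """Replay four packets through both devices; returns {label: (stateless, stateful)}."""
    traffic = [
        ("client SYN out",        Packet("10.0.0.5", 51000, "203.0.113.10", 443, SYN, "out")),
        ("server SYN/ACK in",     Packet("203.0.113.10", 443, "10.0.0.5", 51000, SYN | ACK, "in")),
        ("attacker ACK probe in", Packet("198.51.100.7", 40000, "10.0.0.5", 22, ACK, "in")),
        ("attacker SYN in",       Packet("198.51.100.7", 40001, "10.0.0.5", 22, SYN, "in")),
    ]
    stateless, stateful = StatelessFilter(), StatefulInspector()
    return {label: (stateless.allow(p), stateful.allow(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (sl, sf) in run_scenario().items():
        print(f"{label:24} stateless={'allow' if sl else 'deny'}  stateful={'allow' if sf else 'deny'}")
```

Both devices block the bare inbound SYN; only the stateful one blocks the ACK probe. Neither device, however, knows anything about what the allowed packets contain, which is why the card above says stateful inspection is not designed to detect and report attacks: that is the job of the intrusion detection system.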
Decision support systems (DSSs) are
software-based applications that help analyze data to answer less structured problems.
DSS typically uses
knowledge databases, models, and analytical techniques to make decisions.
DSS does not use structured models
to solve complex problems.
A DSS is designed to support
traditional decision-making activities and unstructured problems.
Dropbox is an example of
a public cloud service.
A private cloud model is based on the concept
that the cloud is owned and operated by a private entity.
A community cloud model can be used
by several entities.
A hybrid cloud model can be
a combination of any of the other cloud models.
The most critical concern in keeping the copies of critical information at an offsite location current is
the process of maintaining data backups.
A mantrap is
a system of doors that is arranged so that when one opens, the others remain locked.
Mantraps are typically used
in high-security facilities.
A honeypot describes a system
used to lure in an attacker.
A turnstile is used
to control access.
A DMZ is used
in networking.
Following implementation,
a cost-benefit analysis or ROI calculation should be performed.
The audit trail should be designed during
the design phase.
An ERD should be performed during
the requirements phase.
Final acceptance testing should be performed during
the implementation phase.
Entity relationship diagrams are built using
two essential components that include entities and relationships.
Trend variance detection tools are best used
to scan for deviations from normal activity.
Bypass label processing can be used
to bypass the normal process of reading a file security label.
Attack detection tools
look for known attack signatures.
Audit reduction tools
reduce the volume of information to be reviewed.
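An added example (not part of the original flashcards) showing the three audit-tool behaviours from the cards above running over constructed log records. The log lines, the signatures, and the baseline counts are invented for illustration and do not come from any real system. Signature matching is the attack detection tool; collapsing the five identical failed logins into one row is the audit reduction tool; comparing today's hourly count against last week's baseline is the trend variance detection tool.

```python
"""Three audit-tool behaviours over constructed log records: signature-based attack
detection, audit reduction, and trend variance detection.

Added example; the log lines, signatures, and baseline counts are invented for
illustration and do not come from any real system."""
import re
import statistics
from collections import OrderedDict

LOG_LINES = [  # constructed sample records
    "2024-03-01T09:00:01 src=10.0.0.5 event=login result=ok user=alice",
    "2024-03-01T09:00:07 src=198.51.100.7 event=login result=fail user=admin",
    "2024-03-01T09:00:08 src=198.51.100.7 event=login result=fail user=admin",
    "2024-03-01T09:00:09 src=198.51.100.7 event=login result=fail user=admin",
    "2024-03-01T09:00:10 src=198.51.100.7 event=login result=fail user=admin",
    "2024-03-01T09:00:11 src=198.51.100.7 event=login result=fail user=admin",
    "2024-03-01T09:01:30 src=203.0.113.9 event=http path=/index.html",
    "2024-03-01T09:01:31 src=203.0.113.9 event=http path=/../../etc/passwd",
    "2024-03-01T09:02:00 src=10.0.0.8 event=http path=/search?q=1%20UNION%20SELECT%20password",
    "2024-03-01T09:02:15 src=10.0.0.5 event=logout user=alice",
]

SIGNATURES = {  # known-bad patterns, the way an attack detection tool ships them
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"union(\s|%20)+select", re.IGNORECASE),
}


def attack_detection(lines):
    """Attack detection tool: report every record matching a known signature."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


def audit_reduction(lines):
    """Audit reduction tool: collapse records identical apart from their timestamp
    into one row carrying a count and the first/last time seen."""
    rows = OrderedDict()
    for line in lines:
        ts, rest = line.split(" ", 1)
        row = rows.setdefault(rest, {"count": 0, "first": ts, "last": ts})
        row["count"] += 1
        row["last"] = ts
    return [(rest, r["count"], r["first"], r["last"]) for rest, r in rows.items()]


def trend_variance(baseline, observed, threshold=3.0):
    """Trend variance detection tool: flag observations more than `threshold`
    standard deviations from the baseline mean. Returns (label, value, z-score)."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0      # flat baseline: treat one unit as one sigma
    return [(label, value, round((value - mean) / stdev, 1))
            for label, value in observed.items()
            if abs(value - mean) / stdev > threshold]


# Constructed hourly failed-login counts: last week's baseline vs. today.
BASELINE_FAILED_LOGINS = [2, 4, 2, 4, 2, 4]
TODAY_FAILED_LOGINS = {"07:00": 3, "08:00": 4, "09:00": 41}

if __name__ == "__main__":
    for hit in attack_detection(LOG_LINES):
        print("signature:", hit)
    for row in audit_reduction(LOG_LINES):
        print("reduced:", row)
    print("anomalies:", trend_variance(BASELINE_FAILED_LOGINS, TODAY_FAILED_LOGINS))
```

The three approaches complement each other: the signature matcher catches only what it has a pattern for, the reduction step makes the remaining volume reviewable by a person, and the variance check catches the brute-force burst that no signature describes.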
A disclaimer is used
when an auditor cannot obtain appropriate evidence to base an opinion.
Bottom-up policy development
addresses the concerns of operational employees because it starts with their input and concerns and examines risk.
All these items are tied to top-down policy development:
(1) alignment of policy with strategy
(2) tends to be a very slow process
(3) does not address concerns of employees
A top-down approach
aligns with company policy, is a slow process, and might not fully address the concerns of employees.
MD5 is
a hashing algorithm (now considered cryptographically broken, since collisions can be produced for it).
Hashing algorithms, like MD5, are
used to verify integrity.
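An added example (not part of the original flashcards) of the integrity check the cards above describe, carried one step further than the cards do: it verifies data against an MD5 and a SHA-256 digest, shows that an attacker who can replace both the data and the digest passes an unkeyed check, and shows that a keyed tag (HMAC-SHA256) closes that gap. The messages and keys are constructed for the demonstration; the only real values it relies on are the standard test-vector digests of the string "abc".

```python
"""Integrity checking with a hash, and why the check needs a key when an attacker
can replace both the data and the digest.

Added example; the messages and keys are constructed for the demonstration."""
import hashlib
import hmac


def digest(data, algorithm="sha256"):
    """Plain (unkeyed) digest, hex-encoded. MD5 is included only for comparison."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data, expected_hex, algorithm="sha256"):
    """Recompute and compare in constant time."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def tag(data, key):
    """Keyed integrity tag (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_tag(data, key, expected_hex):
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo():
    original = b"amount=100&payee=alice"            # constructed message
    tampered = b"amount=9999&payee=mallory"
    key = b"constructed-shared-secret-32bytes"       # assumption: agreed out of band
    attacker_key = b"attacker-does-not-know-the-key!!"
    return {
        # 1. Any change to the data is caught when the digest itself is trustworthy...
        "md5_catches_tamper": not verify_digest(tampered, digest(original, "md5"), "md5"),
        "sha256_catches_tamper": not verify_digest(tampered, digest(original), "sha256"),
        # 2. ...but an attacker who rewrites the digest alongside the data passes the check.
        "unkeyed_check_forged": verify_digest(tampered, digest(tampered), "sha256"),
        # 3. A keyed tag cannot be forged without the key.
        "hmac_rejects_forgery": not verify_tag(tampered, key, tag(tampered, attacker_key)),
        "hmac_accepts_genuine": verify_tag(original, key, tag(original, key)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24} {result}")
```

The lesson for the flashcard: a hash verifies integrity only when the expected digest reaches the verifier through a channel the attacker cannot write to (a signed manifest, an out-of-band publication, or a keyed MAC as shown). Hashing alone provides no authentication of who produced the data.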
DES is a symmetric algorithm and
offers confidentiality.
AES is also a symmetric algorithm that
offers confidentiality.
RSA is
an asymmetric algorithm.
RSA, an asymmetric algorithm, generally offers
confidentiality, authentication, and nonrepudiation.
Valid application testing methodologies include:
(1) snapshots
(2) mapping
(3) tracing and tagging
(4) using test data, and
(5) base case system evaluation.
Entity integrity
is an example of a data integrity control.
Fourth-generation languages (4GL) are most commonly
used for databases.
Examples of 4GLs include:
FOCUS, Natural, and dBase.
2GL is
assembly language.
3GL includes languages such
as FORTRAN and Pascal.
5GLs are
very high-level languages such as Prolog.
Custody is related to
access to cash, merchandise, or inventories.
Verifying cash, approving purchases, and approving changes are forms of
authorization.
Record keeping deals with
preparing receipts, maintaining records, and posting payments.
Reconciliation deals with
comparing monetary amounts, counts, reports, and payroll summaries.
Asymmetric encryption offers
easy key exchange.
Asymmetric encryption
is not as efficient as symmetric encryption.
Asymmetric encryption is NOT
a hashing algorithm, nor a component of one.
Asymmetric encryption is NOT practical for
bulk data: it is far slower than symmetric encryption, so in practice it protects a symmetric key that then encrypts the bulk data.
Penetration testing typically follows a structured approach, such as
the stages outlined in NIST SP 800-42 (Guideline on Network Security Testing, since superseded by SP 800-115).
SOX deals with
financial records.
PCI-DSS covers
the protection of credit card data.
SSAE-16 is
an auditing standard for reporting on the controls of a service organization; it replaced SAS 70 and has itself been superseded by SSAE 18.
SSAE-16 is not used for
penetration testing.