The Investigation phase of the SecSDLC begins with a directive from upper management (T/F)
The physical design is the blueprint for the desired solution (T/F)
(Confidentiality) ensures that only those with the rights and privileges to access information are able to do so. (T/F)
In the ___ phase of the systems development life cycle, solutions are tested, implemented, and tested again.
D) Physical Design
____ ensures that authorized users - persons or computer systems - can access information without interference or obstruction, and in the required format
Compared to Web site defacement, vandalism from within a network is less malicious in intent and more public (T/F)
With the theft of electronic information, the evidence of a crime is readily apparent (T/F)
A worm can deposit copies of itself onto all Web servers that the infected system can write to, so that users who subsequently visit those sites become infected (T/F)
A firewall is a device that keeps certain kinds of network traffic out of a private network (T/F)
Enforcement of copyright laws has been attempted through a number of technical security mechanisms, such as the use of digital watermarks and embedded code, the requirement of copyright codes, and even the intentional addition of bad sectors on software media (T/F)
Which of the following functions does information security perform for an organization?
a. Protects the organization’s ability to function.
b. Enables the safe operation of applications implemented on the organization’s IT systems.
c. Protects the data the organization collects and uses.
d. All of the above.
D) All of the above
A(n) ____ is an attack in which a coordinated stream of requests is launched against a target
from many locations at the same time.
A) Denial of Service
B) Distributed denial of service
In the well-known ____ attack, an attacker monitors (or sniffs) packets from the network,
modifies them, and inserts them back into the network
D) Man in the middle
____________________ is a technique used to gain unauthorized access to computers, wherein
the intruder sends messages to a computer that has an IP address that indicates that the
messages are coming from a trusted host and not the actual source computer.
Within the context of information security, ____________________ is the process of using
interpersonal skills to convince people to reveal access credentials or other valuable information
to the attacker.
A(n) ____________________ is an application error that occurs when more data is sent to a
program buffer than it is designed to handle
Buffer Overflow or Overrun
List at least 6 general categories of threats
1. Acts of human error or failure.
2. Compromises to intellectual property.
3. Deliberate acts of espionage or trespass.
4. Deliberate acts of information extortion.
5. Deliberate acts of sabotage or vandalism.
6. Deliberate acts of theft.
7. Deliberate software attacks.
8. Forces of nature
9. Deviations in quality of service.
10. Technical hardware failures or errors.
11. Technical software failures or errors.
12. Technological obsolescence.
Describe an example of SQL injection using SQL syntax
SELECT USERID, NAME
FROM USERS  -- table name assumed; the card does not give one
WHERE USERID = 'JOE' OR 1=1
(All rows will be returned, because OR 1=1 makes the WHERE condition true for every row)
Once the threats have been identified, an assets identification process is undertaken (T/F)
You can use only qualitative measures to rank values. (T/F)
The amount of money spent to protect an asset is often based in part on the value of the asset (T/F)
If every vulnerability identified in the organization is handled through mitigation, it may reflect
an organization’s inability to conduct proactive security activities and an apathetic approach to
security in general (T/F)
(Risk control) is the process of examining and documenting the security posture of an
organization’s information technology and the risks it faces. (T/F)
False - Identification
Risk (evaluation) assigns a risk rating or score to each information asset.
(Transference) is the control approach that attempts to shift the risk to other assets, other
processes, or other organizations
The most common of the mitigation procedures is the (disaster) recovery plan
A(n) (Disaster Recovery) plan dictates the actions an organization can and perhaps should take
while an incident is in progress
False - Incident Response
(ALE) determines whether or not the control alternative being evaluated is worth the associated
cost incurred to control the specific vulnerability.
False - CBA
Risk ____ is the process of applying safeguards to reduce the risks to an organization’s data and
B) - Control
The first phase of risk management is ____.
A) Risk Identification
C) Risk Control
D) Risk Evaluation
A) Risk Identification
When deciding which information assets to track, which of the following asset attributes should
D) All of the above
D) All of the above
In a(n) _____, each information asset is assigned a score for
each critical factor
C) Weighted factor analysis
D) Data classification scheme
C) Weighted factor analysis
The actions an organization can and perhaps should take while the incident is in progress should
be defined in a document referred to as the ____.
____ usually include all preparations for the recovery process, strategies to limit losses during the
disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters
____ is the choice to do nothing to protect a vulnerability and to accept the outcome of its
A) Avoidance of risk
D) Acceptance of risk
D) Acceptance of risk
The formal process used in decision making regarding the adoption of specific controls is called
B) CBA
C) ALE
D) SLE
The probability of a threat occurring is usually a loosely derived table indicating the probability
of an attack from each threat type within a given time frame. This value is commonly referred to
as the ____.
B) CBA
C) ALE
D) SLE
____________________ requires two major undertakings: risk identification and risk control
You can calculate the relative importance of each asset using a straightforward process known as
____________________ is the risk control strategy that attempts to prevent the exploitation of
____________________ is the control approach that attempts to reduce the impact caused by
the exploitation of vulnerability through planning and preparation.
Asset ____________________ is the process of assigning financial value or worth to each
A single loss ____________________ is the calculation of the value associated with the most
likely loss from an attack.
List three worksheets required for risk assessment
1) Information asset classification worksheet
2) Weighted factor analysis worksheet
3) Ranked vulnerability risk worksheet
A standard is a plan or course of action used to convey instructions from an organization’s
senior-most management to those who make decisions, take actions, and perform other duties. (T/F)
Quality security programs begin and end with policy (T/F)
Failure to incorporate the organization’s mission, vision, and culture in the development of an
information security system practically guarantees the failure of the information security program.
Every member of the organization needs a formal degree or certificate in information security (T/F)
Security training involves providing members of the organization with detailed information and
instruction to prepare them to perform their duties securely. (T/F)
A(n) (integrated) information security policy is also known as a general security policy
False - Enterprise
The (standard) should begin with a clear statement of purpose
False - Policy
The security (blueprint) is the basis for the design, selection, and implementation of all security
policies, education and training programs, and technological controls.
A(n) (contingency) plan is prepared by the organization to anticipate, react to, and recover from
events that threaten the security of information and information assets in the organization, and,
subsequently, to restore the organization to normal modes of business operations
A(n) (IRP) ensures that critical business functions continue, if a catastrophic incident or disaster
occurs by establishing operations at an alternate site.
False - BCP
The ____ is based on and directly supports the mission, vision, and direction of the organization
and sets the strategic direction, scope, and tone for all security efforts.
____ are frequently codified as standards or procedures to be used when configuring or
The security ____ is an outline of the overall information security strategy for the organization
and a roadmap for planned changes to the information security environment of the organization
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology
Systems, provides best practices and security principles that can direct the security team in the
development of a security ____.
The creation and operation of the SETA program is the responsibility of the ____.
D) End Users
A(n) ____ deals with the identification, classification, response, and recovery from an incident
Packet filtering firewalls scan network data packets looking for compliance with or violation of
the rules of the firewall’s database. (T/F)
The application firewall runs special software that acts as a proxy for a service request (T/F)
The Web server is often exposed to higher levels of risk when placed in the DMZ than when it
is placed in the untrusted network (T/F)
When Web services are offered outside the firewall, HTTP traffic should be denied from
reaching the internal networks through the use of some form of proxy access or DMZ
The screened subnet protects the DMZ systems and information from outside threats by
providing a network of intermediate security (T/F)
The DMZ cannot be a dedicated port on the firewall device linking a single bastion host (T/F)
(Static) filtering is common in network routers and gateways.
When a dual-homed host approach is used, the bastion host contains (four) NICs.
False - Two
A(n) (dual-homed) host probably has the ability to translate between many different protocols at
their respective data link layers, including Ethernet, Token Ring, and Fiber Distributed Data
In a DMZ configuration, connections into the trusted internal network are allowed only from
the DMZ (bastion) host servers.
A(n) (perimeter) is a segment of the DMZ where additional authentication and authorization
controls are put into place to provide services that are not available to the general public
False - Extranet
Most firewalls use packet (header) information to determine whether a specific packet should be
allowed to pass through or should be dropped.
In order to keep the Web server inside the internal network, direct all HTTP requests to the
proxy server, and configure the internal filtering router/firewall only to allow the (proxy) server to
access the internal Web server.
____ firewalls examine every incoming packet header and can selectively filter packets based on
header information such as destination address, source address, packet type, and other key
A) Packet Filtering
B) Application Gateways
C) Circuit Gateways
D) MAC Layer Firewalls
A) Packet filtering
The restrictions most commonly implemented in packet filtering firewalls are based on ____.
a. IP source and destination address
b. Direction (inbound or outbound)
c. TCP or UDP source and destination port requests
d. All of the above
D) All of the above
____ filtering requires that the filtering rules governing how the firewall decides which packets
are allowed and which are denied are developed and installed.
____ firewalls keep track of each network connection between internal and external systems.
The application firewall is also known as a(n) ____________________ server.
The architecture of a(n) ____________________ firewall provides a DMZ.
What is the typical relationship among the untrusted network, the firewall, and the trusted
The untrusted network is usually the Internet or another segment of public access network while
the trusted network is typically a privately owned network. The firewall serves as a mechanism to
filter traffic from the untrusted network that comes into the trusted network, to gain some
assurance that the traffic is legitimate
What is the relationship between a TCP and UDP packet? Will any specific
transaction usually involve both types of packets?
UDP packets are, by design, connectionless. TCP packets usually involve the creation of a
connection from one host computer to another. It would be unusual for a single transaction to
involve both TCP and UDP ports.
Intrusion detection and prevention systems perform monitoring and analysis of system events
and user behaviors (T/F)
Intrusion detection consists of procedures and systems that are created and operated to detect
system intrusions and protect against attack (T/F)
A false positive is the failure of an IDPS system to react to an actual attack event (T/F)
NIDPSs can reliably ascertain if an attack was successful or not (T/F)
A HIDPS is optimized to detect multi-host scanning, and it is able to detect the scanning of
non-host network devices, such as routers or switches (T/F)
The statistical anomaly-based IDPS collects statistical summaries by observing traffic that is
known to be normal (T/F)
A(n) (NIDPS) functions on the host system, where encrypted traffic will have been decrypted and
is available for processing.
False - HIDPS
Preconfigured, predetermined attack patterns are called (signatures)
When a collection of honey pots connects several honey pot systems on a subnet, it may be
called a (honey net)
A padded cell is a hardened honey (net)
False - Pot
A(n) ____ works like a burglar alarm in that it detects a violation of its configuration (analogous
to an opened or broken window) and activates an alarm.
____ are usually passive devices and can be deployed into existing networks with little or no
disruption to normal network operations.
B) HIDPSs C) AppIDPSs
____ benchmark and monitor the status of key system files and detect when an intruder creates,
modifies, or deletes monitored files.
____ are decoy systems designed to lure potential attackers away from critical systems and
encourage attacks against themselves.
A) Honey Pots
B) Honey Cells
C) Padded Cells
D) Padded Nets
A) Honey Pots
All IDPSs use one of three detection methods: ____________________-based, statistical
anomaly-based or a stateful packet inspection approach.
A signature-based IDPS is sometimes called a(n) ____________________-based IDS
How does a false positive alarm differ from a false negative one? From a security perspective,
which is least desirable?
A false positive seems like an alert but is, in fact, routine activity. A false negative seems like
normal activity but is, in fact, an alert-level action. From a security viewpoint, false positives are
just a nuisance, but false negatives are a failure in the mission of the system.
How does a signature-based IDS differ from a behavior-based IDS?
A signature-based system looks for patterns of behavior that match a library of known behaviors.
A behavior-based system watches for activities that suggest an alert-level activity is occurring
based on sequences of actions or the timing between otherwise unrelated events.
Hashing functions require the use of keys (T/F)
When an asymmetric cryptographic process uses the sender’s private key to encrypt a message,
the sender’s public key must be used to decrypt the message. (T/F)
The permutation cipher simply rearranges the values within a block to create the ciphertext (T/F)
Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms (T/F)
Nonrepudiation means that customers or partners can be held accountable for transactions, such
as online purchases, which they cannot later deny (T/F)
(Encryption) is the process of converting the ciphertext into a message that conveys readily
False - Decryption
A(n) (key) is the programmatic steps used to convert an unencrypted message into an encrypted
sequence of bits that represent the message. (T/F)
False - Algorithm
To (encipher) means to decrypt or convert ciphertext into the equivalent plaintext.
False - Decipher
(Hash) algorithms are publicly known functions that create a value by converting variable-length
messages into a single fixed-length value.
A method of encryption that requires the same secret key to encipher and decipher the message
is known as (public) key encryption (or symmetric encryption).
False - Private
As DES became known as being too weak for highly classified communications, (Double) DES
was created to provide a level of security far beyond that of DES
False - Triple
The most popular modern version of (steganography) involves hiding information within files that
appear to contain digital pictures or other images.
____ is the process of converting an original message into a form that is unreadable to
____ is the information used in conjunction with an algorithm to create the ciphertext from the
plaintext or derive the plaintext from the ciphertext.
____ functions are mathematical algorithms that generate a message summary or digest to
confirm the identity of a specific message and to confirm that there have not been any changes
to the content.
____ is an integrated system of software, encryption methodologies, protocols, legal agreements,
and third-party services that enables users to communicate securely
A) MAC
B) PKI
C) DES
D) AES
____ are encrypted messages that can be mathematically proven to be authentic
A) Digital Signatures
C) Message certificates
D) Hash functions
A) Digital Signatures
The process of hiding messages is called ____________________.
When using a(n) ____________________ cipher, you replace one value with another
The ____________________ cipher simply rearranges the values within a block to create the
Transposition or Permutation
The ____________________ operation is a function of Boolean algebra in which two bits are
compared, and if the two bits are identical, the result is a binary 0.
Exclusive OR or XOR
The message ____________________ is a fingerprint of the author’s message that is to be
compared with the receiver’s locally calculated hash of the same message.
The successor to 3DES is the ____________________ Encryption Standard
Digital ____________________ are public key container files that allow computer programs to
validate the key and identify to whom it belongs.
Netscape developed the ____________________ Layer protocol to use public key encryption
to secure a channel over the public Internet, thus enabling secure communications.
Secure Socket or Secure Sockets
A(n) ____________________ authority operates under the trusted collaboration of the
certificate authority and can be delegated day-to-day certification functions, such as verifying
registration information about new registrants, generating end-user keys, revoking certificates,
and validating that users possess a valid certificate.
Digital ____________________ are encrypted messages that can be mathematically proven to
Digital ____________________ are electronic documents that can be part of a process of
identification associated with the presentation of a public key.
Why is it important to exchange keys “out of band” in symmetric encryption?
So that they are not intercepted and used to read the secret message.
What is the difference between digital signatures and digital certificates?
A certificate is a wrapper for a key value. A signature is a combination of a message digest and
other information used to assure non-repudiation
Describe digital certificates
Digital certificates are public-key container files that allow computer programs to validate the
key and identify to whom it belongs. The certificate is often issued by a third party that certifies
the authenticity of the information it contains. A digital signature attached to the certificate’s
container file certifies the file’s origin and integrity. A certificate authority (CA) issues, manages,
authenticates, signs, and revokes users’ digital certificates, which typically contain the user name,
public key, and other identifying information.