1000 Flashcards

(97 cards)

1
Q

A network that does not have servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network.

A

Peer-To-Peer (P2P) Network

2
Q

A policy that outlines how the organization uses personal information it collects.

A

Privacy Policy

3
Q

A written document that states how an organization plans to protect the company’s information technology assets.

A

Security Policy

4
Q

Grouping individuals and organizations into clusters or groups based on a like affiliation.

A

Social Networking

5
Q

Web sites that facilitate linking individuals with common interests like hobbies, religion, politics, or school or work contacts.

A

Social Networking Sites

6
Q

A type of action that has the potential to cause harm.

A

Threat

7
Q

A person or element that has the power to carry out a threat.

A

Threat Agent

8
Q

A flaw or weakness that allows a threat agent to bypass security.

A

Vulnerability

9
Q

The likelihood that the threat agent will exploit the vulnerability.

A

Risk

10
Q

An event that, in the beginning, is considered to be a risk yet turns out not to be.

A

False Positive

11
Q

List and describe the 3 strategies for controlling risks.

A

1- privilege management- is the process of assigning and revoking privileges to objects; it covers the procedures of managing object authorizations
2- change management- refers to a methodology for making modifications and keeping track of those changes
3- incident management- is defined as the “framework” and functions required to enable incident response and incident handling within an organization.

12
Q

A subject’s access level over an object, such as a user’s ability to open a payroll file.

A

Privilege

13
Q

Periodic reviewing of a subject’s privileges over an object, in which the objective is to determine if the subject has the correct privileges.

A

Privilege Auditing

14
Q

What is a CMT and what are its duties?

A

Change Management Team
1- review proposed changes
2- ensure risk and impact of the planned changes are understood
3- recommend approval, disapproval, deferral, or withdrawal of a requested change
4- communicate proposed and approved changes to coworkers

15
Q

The planning, coordination, communications, and planning functions that are needed in order to resolve an incident in an efficient manner.

A

Incident Handling

16
Q

The components required to identify, analyze, and contain an incident.

A

Incident Response

17
Q

What are the functions of an organization’s information security policy?

A

1- it can be an overall intention and direction. A security policy is a vehicle for communicating an organization’s information security culture and acceptable information security behavior.
2- it details specific risks and how to address them, and provides controls that executives can use to direct employee behavior.
3- it can help to create a security-aware organization culture
4- it can help to ensure that employee behavior is directed and monitored to ensure compliance with security requirements.

18
Q

What must an effective security policy balance?

A

Trust and Control

19
Q

What are the 3 approaches to trust?

A

1- Trust everyone all of the time- easiest model to enforce because there are no restrictions; impractical because it leaves the system vulnerable to attacks
2- Trust no one at any time- most restrictive model; impractical because few employees would work for an organization that did not trust them
3- Trust some people some of the time- this approach exercises caution in the amount of trust given; access is provided as needed with technical controls to ensure the trust is not violated.

20
Q

A collection of requirements specific to the system or procedure that must be met by everyone.

A

Standard

21
Q

A collection of suggestions that should be implemented.

A

Guideline

22
Q

A document that outlines specific requirements or rules that must be met.

A

Policy

23
Q

What is the three-phase cycle in the development and maintenance of a security policy?

A

1- vulnerability assessment
2- create the security policy using information from risk management study
3- compliance monitoring and evaluation

24
Q

What does a vulnerability assessment attempt to identify?

A

1- asset identification (what needs to be protected)
2- threat identification (what the pressures are against it)
3- vulnerability appraisal (how susceptible the current protection is)
4- risk assessment (what damages could result from the threats)
5- risk mitigation (what to do about it)

25
Q

What MUST a security policy do?

A

1- be implementable and enforceable
2- be concise and easy to understand
3- balance protection with productivity

26
Q

What SHOULD a security policy do?

A

1- state reasons the policy is necessary
2- describe what is covered by the policy
3- outline how violations will be handled

27
Q

Ideally, who should comprise the team that designs a security policy?

A

1- senior-level administrator
2- member of management who can enforce the policy
3- member of the legal staff
4- representative from the user community

28
Q

What is due care?

A

The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. It is the care that a reasonable person would exercise under the circumstances.

29
Q

Defines requirements for using cryptography.

A

Acceptable encryption policy

30
Q

Establishes guidelines for effectively reducing the threat of computer viruses on the organization's network and computers.

A

Anti-virus policy

31
Q

Outlines the requirements and provides the authority for an information security team to conduct audits and risk assessments, investigate incidents, ensure conformance to security policies, or monitor user activity.

A

Audit vulnerability scanning policy

32
Q

Prescribes that no e-mail will be automatically forwarded to an external destination without prior approval from the appropriate manager or director.

A

Automatically forwarded e-mail policy

33
Q

Defines requirements for storing and retrieving database usernames and passwords.

A

Database credentials coding policy

34
Q

Defines standards for all networks and equipment located in the DMZ.

A

Demilitarized zone security policy

35
Q

Creates standards for using corporate e-mail.

A

E-mail policy

36
Q

Helps employees determine what information sent or received by e-mail should be retained and for how long.

A

E-mail retention policy

37
Q

Defines the requirements for third-party organizations to access the organization's networks.

A

Extranet policy

38
Q

Establishes criteria for classifying and securing the organization's information in a manner appropriate to its level of security.

A

Information sensitivity policy

39
Q

Outlines standards for minimal security configuration for routers and switches.

A

Router security policy

40
Q

Creates standards for minimal security configuration for servers.

A

Server security policy

41
Q

Establishes requirements for Remote Access IPSec Virtual Private Network (VPN) connections to the organization's network.

A

VPN security policy

42
Q

Defines standards for wireless systems used to connect to the organization's networks.

A

Wireless communication policy

43
Q

What policy is considered to be the most important information security policy?

A

Acceptable Use Policy (AUP)

44
Q

Which policy is also called a PII (personally identifiable information) policy?

A

Privacy Policy

45
Q

A policy that addresses security as it relates to human resources.

A

Security-Related Human Resource Policy

46
Q

A statement used in a security policy that states any investigation into suspicious employee conduct will examine all material facts.

A

Due diligence

47
Q

A policy that addresses how passwords are created and managed.

A

Password Management and Complexity Policy

48
Q

A policy that addresses the disposal of resources that are considered confidential.

A

Disposal and Destruction Policy

49
Q

A person's fundamental beliefs and principles used to define what is good, right, and just.

A

Values

50
Q

List the 3 classifications of values.

A

1- moral (fairness, truth, justice, love)
2- pragmatic (efficiency, thrift, health, patience)
3- aesthetic (attractive, soft, cold)

51
Q

Values that are attributed to a system of beliefs that help the individual distinguish right from wrong.

A

Morals

52
Q

The study of what a group of people understand to be good and right behavior and how people make those judgements.

A

Ethics

53
Q

A written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making.

A

Ethics Policy

54
Q

Name 3 awareness and training topics.

A

1- compliance
2- secure user practices
3- awareness of threats

55
Q

Active Internet connections that download a specific file that is available through a tracker.

A

BitTorrent

56
Q

The collective pieces of a file downloaded from a BitTorrent.

A

Swarm

57
Q

Which learning style do information technology professionals tend to fall in?

A

Kinesthetic

58
Q

A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES.

A

Advanced Encryption Standard (AES)

59
Q

Procedures based on a mathematical formula; used to encrypt data.

A

Algorithm

60
Q

Encryption that uses two mathematically related keys.

A

Asymmetric Cryptographic Algorithm

61
Q

A cipher that manipulates an entire block of plaintext at one time.

A

Block Cipher

62
Q

A block cipher that operates on 64-bit blocks and can have a key length from 32 to 448 bits.

A

Blowfish

63
Q

Data that has been encrypted.

A

Ciphertext

64
Q

Unencrypted data.

A

Cleartext

65
Q

The science of transforming information into a secure form while it is being transmitted or stored so that unauthorized persons cannot access it.

A

Cryptography

66
Q

A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.

A

Data Encryption Standard (DES)

67
Q

The process of changing ciphertext into plaintext.

A

Decryption

68
Q

An electronic verification of the sender.

A

Digital Signature

69
Q

An algorithm that uses elliptic curves instead of prime numbers to compute keys.

A

Elliptic Curve Cryptography (ECC)

70
Q

The process of changing plaintext to ciphertext.

A

Encryption

71
Q

Free and open-source software that is commonly used to encrypt and decrypt e-mail messages.

A

GNU Privacy Guard (GPG)

72
Q

A secure cryptographic processor.

A

Hardware Security Module (HSM)

73
Q

The unique digital fingerprint created by a hashing algorithm.

A

Hash

74
Q

A variation of a hash that encrypts the hash with a shared secret key before transmitting it.

A

Hashed Message Authentication Code (HMAC)

75
Q

The process for creating a unique digital fingerprint signature for a set of data.

A

Hashing

76
Q

A mathematical value entered into the algorithm to produce ciphertext.

A

Key

77
Q

A common hash algorithm of several different versions.

A

Message Digest (MD)

78
Q

A revision of MD4 that is designed to address its weaknesses.

A

Message Digest 5 (MD5)

79
Q

The process of proving that a user performed an action.

A

Nonrepudiation

80
Q

A password hash for Microsoft Windows systems that is no longer recommended for use.

A

NTLM (New Technology LAN Manager) Hash

81
Q

An updated version of NTLM that uses HMAC with MD5.

A

NTLMv2 (New Technology LAN Manager Version 2) Hash

82
Q

Using a unique truly random key to create ciphertext.

A

One-Time Pad (OTP)

83
Q

Data input into an encryption algorithm.

A

Plaintext

84
Q

A commercial product that is commonly used to encrypt e-mail messages.

A

Pretty Good Privacy (PGP)

85
Q

An asymmetric encryption key that does have to be protected.

A

Private Key

86
Q

Cryptographic algorithms that use a single key to encrypt and decrypt a message.

A

Private Key Cryptography

87
Q

An asymmetric encryption key that does not have to be protected.

A

Public Key

88
Q

Encryption that uses two mathematically related keys.

A

Public Key Cryptography

89
Q

A form of asymmetric cryptography that attempts to use the unusual and unique behavior of microscopic objects to enable users to securely develop and share keys.

A

Quantum Cryptography

90
Q

A hash algorithm that uses two different and independent parallel chains of computation and then combines the result at the end of the process.

A

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

91
Q

An RC stream cipher that will accept keys up to 128 bits in length.

A

RC4

92
Q

A family of cipher algorithms designed by Ron Rivest.

A

Rivest Cipher (RC)

93
Q

An asymmetric algorithm published in 1977 and patented by MIT in 1983.

A

RSA

94
Q

A secure hash algorithm that creates hash values of longer lengths than Message Digest (MD) algorithms.

A

Secure Hash Algorithm (SHA)

95
Q

Hiding the existence of data within a text, audio, image, or video file.

A

Steganography

96
Q

An algorithm that takes one character and replaces it with one character.

A

Stream Cipher

97
Q

Encryption that uses a single key to encrypt and decrypt a message.

A

Symmetric Cryptographic Algorithm