A security ____ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization. (p. 190)
____ firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information. (p. 250)
____ inspection firewalls keep track of each network connection between internal and external systems. (p. 253)
A(n) ____ is an object, person, or other entity that represents an ongoing danger to an asset. (p. 43)
A(n) ____ is an identified weakness in a controlled system, where controls are not present or are no longer effective. (p. 65)
Asset ____ is the process of assigning financial value or worth to each information asset. (p. 153)
Implementing multiple types of technology so that the failure of one system will not compromise the security of information is referred to as ____. (p. 205)
A(n) _____ is an information security program that prevents specific types of information from moving between the outside world and the inside world. (p. 250)
Describe the multiple types of security systems present in many organizations. (p. 8)
- Physical security, to protect physical items, objects, or areas from unauthorized access and misuse.
- Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations.
- Operations security, to protect the details of a particular operation or series of activities.
- Communications security, to protect communications media, technology, and content.
- Network security, to protect networking components, connections, and contents.
- Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
Outline types of data ownership and their respective responsibilities. (p. 30)
- Data owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification, as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of
- Data custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
- Data users: End users who work with the information to perform their assigned roles supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
Describe viruses and worms. (p. 46)
- A computer virus consists of segments of code that perform malicious actions. This code behaves very much like a virus pathogen that attacks animals and plants, using the cell's own replication machinery to propagate the attack beyond the initial target. The code attaches itself to an existing program and takes control of that program's access to the targeted computer. The virus-controlled target program then carries out the virus's plan by replicating itself into additional targeted systems.
- A worm is a malicious program that replicates itself constantly, without requiring another program environment. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
Describe the capabilities of a sniffer. (p. 70)
A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information.
Unauthorized sniffers can be extremely dangerous to a network's security, because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal. Sniffers often work on TCP/IP networks, where they're sometimes called packet sniffers. Sniffers add risk to the network, because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files—such as word-processing documents—and screens full of sensitive data from applications.
What are the requirements for a policy to become enforceable? (p. 91)
For a policy to become enforceable, it must meet the following five criteria:
- Dissemination (distribution)—The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
- Review (reading)—The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.
- Comprehension (understanding)—The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.
- Compliance (agreement)—The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
- Uniform enforcement—The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
List the five fundamental principles of HIPAA. (p. 94)
HIPAA has five fundamental principles:
1. Consumer control of medical information.
2. Boundaries on the use of medical information.
3. Accountability for the privacy of private information.
4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual.
5. Security of health information.
List three of the provisions included in the Security And Freedom Through Encryption Act of 1999. (p. 98)
The Security and Freedom through Encryption Act of 1999 provides guidance on the use of encryption and provides protection from government intervention. The act includes provisions that:
- Reinforce an individual's right to use or sell encryption algorithms, without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party to be used to break the encryption of data. This is often called "key escrow."
- Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
- State that the use of encryption is not probable cause to suspect criminal activity.
- Relax export restrictions by amending the Export Administration Act of 1979.
- Provide additional penalties for the use of encryption in the commission of a criminal act.
List seven key areas identified by Microsoft as best security practices for home users. (p. 159)
Microsoft focuses on the following seven key areas for home users:
1. Use antivirus software.
2. Use strong passwords.
3. Verify your software security settings.
4. Update product security.
5. Build personal firewalls.
6. Back up early and often.
7. Protect against power surges and loss.
What three purposes does the ISSP serve? (p. 181)
1. Addresses specific areas of technology, such as e-mail, use of the Internet, and specific minimum configurations of computers to defend.
2. Requires frequent updates.
3. Contains a statement on the organization's position on a specific issue.
What is the purpose of security education, training, and awareness (SETA)? (p. 209)
The purpose of SETA is to enhance security by doing the following:
- Improving awareness of the need to protect system resources.
- Developing skills and knowledge so computer users can perform their jobs more securely.
- Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.
What must a VPN that proposes to offer a secure and reliable capability while relying on public networks accomplish? (p. 282)
A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following, regardless of the specific technologies and protocols
- Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network and be usable by the server network environment.
- Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network, but usable by the client and server computers and/or the local networks on both ends of the VPN connection.
- Authentication of the remote computer and, perhaps, the remote user as well. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.