111 Cards in this Set
An access control policy for a bank teller is an example of the implementation of what?
|
Role-based policy
|
|
What is defined as fact- or opinion-based information used to verify an individual's identity?
|
Cognitive passwords
|
|
Why should batch files and scripts be stored in a protected area?
|
because they may contain credentials
|
|
Behavioral-based systems are known as?
|
profile-based systems
|
|
Which Kerberos component holds all users' and services' cryptographic keys?
|
the key distribution center
|
|
What kind of certificate is used to validate a user identity?
|
public key certificate
|
|
Which type of security control is also known as a "logical" control?
|
technical
|
|
Which access control model requires a security clearance for subjects?
|
mandatory access control (MAC)
|
|
What is considered the weakest authentication mechanism?
|
passwords
--passphrases, token devices, and one-time passwords are much stronger |
|
What trusted, third party authentication protocol was developed under Project Athena at MIT?
|
Kerberos
|
|
What should organizations consider first before connecting their LANs to the Internet?
|
plan for considering proper authentication options
|
|
What is considered a straightforward approach that provides access rights to subjects for objects?
|
Access Matrix Model
|
|
Honeypots, intrusion detection software, and audit trails are all considered forms of what?
|
detective technical controls
|
|
What does the * property mean in the Bell-LaPadula model?
|
no write down
|
|
Intrusion detection systems and automatically generated violation reports from audit trails describes?
|
detective and technical measures
|
|
In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on what?
|
physical attributes of a person
|
|
Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished:
|
through access control mechanisms that require identification and authentication and through the audit function
|
|
What is Kerberos?
|
a trusted third-party authentication protocol
|
|
What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at logon?
|
authentication
|
|
What is used for identification in physical controls and for authentication in logical controls?
|
biometrics
|
|
What is the most critical characteristic of a biometric identifying system?
|
accuracy
|
|
True or False.
In the process of gathering evidence from a computer attack, displaying the contents of a folder may compromise the whole evidence collection process. |
True
|
|
True or False.
If access is not explicitly denied, it should be implicitly allowed as pertaining to access control. |
False
|
|
According to the NISTIR 5153 document, what should not be recorded in the security audit trail?
|
character strings inputted as a response to a password challenge
|
|
What is called the access protection system that limits connections by calling back the number of a previously authorized location?
|
Callback systems
|
|
What is used to represent the columns of a table in a relational database?
|
attributes
|
|
Which security model introduces access to objects only through programs?
|
Clark-Wilson model
|
|
Audit trails are a type of ____________ control?
|
detective
|
|
What refers to legitimate users accessing networked services that would normally be restricted to them?
|
logon abuse
|
|
A timely review of system access audit records is an example of what basic security function?
|
detection
|
|
What method is used to capture network user passwords?
|
sniffing
|
|
Who developed one of the first mathematical models of a multilevel-security computer system?
|
Bell and LaPadula
|
|
Using clipping levels refers to?
|
setting allowable thresholds on a reported activity
|
|
What term is used to describe a weakness that could potentially be exploited?
|
vulnerability
|
|
What is the main key management challenge associated with choosing an identity management solution?
|
it must be able to scale to support high volumes of data and peak transaction rates
|
|
A network-based vulnerability assessment is also called what?
|
an active vulnerability assessment
|
|
True or False.
System-generated passwords are more vulnerable to brute force and dictionary attacks. |
False
|
|
What is the main concern associated with single sign-on?
|
maximum unauthorized access would be possible if a password is disclosed
|
|
In biometric identification systems, the parts of the body conveniently available for identification are?
|
hands, face, eyes
|
|
The control measures that are intended to reveal the violations of security policy using technical means are associated with?
|
detective and technical
|
|
An IDS is what type of control?
|
deterrent
|
|
What is used to monitor network traffic in real time?
|
network-based IDS
|
|
Role-based, mandatory, and rule-based are all examples of?
|
access controls
|
|
What is called a sequence of characters that is usually longer than the allotted number for a password?
|
passphrase
|
|
What is used to monitor network traffic or to monitor host audit logs in order to determine violations of security policy?
|
IDS
|
|
What type of control is concerned with avoiding occurrences of risks?
|
preventative controls
|
|
What is the Biba security model concerned with?
|
Integrity
|
|
What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?
|
an access control list (ACL)
|
|
Syn Flood, Smurf, and TearDrop are all examples of what?
|
denial of service attacks
|
|
What is the first step in protecting data's confidentiality?
|
identify what information is sensitive
|
|
What protocol protects a password from eavesdroppers and supports the encryption of communication?
|
CHAP
|
|
Which access model achieves data integrity through well-formed transactions and separation of duties?
|
Clark-Wilson model
|
|
What physical characteristic does a retina scan biometric device measure?
|
the pattern of blood vessels at the back of the eye
|
|
Which access control model is best suited in an environment where a high security level is required and where it is desired that only the admin grants access control?
|
MAC
|
|
What are called user interfaces that limit the functions that can be selected by a user?
|
Constrained user interfaces
|
|
What primary security service is provided by Kerberos?
|
Authentication
|
|
What is an alternate to using passwords for authentication in logical or technical access control?
|
Biometrics
|
|
Mandatory access requires sensitivity labels to be attached to all objects. What are considered objects on a MAC system?
|
files, directories, and devices
|
|
A chunk of data, or sequence of commands, that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software best describes what?
|
exploit
|
|
In a security context, what are database views used for?
|
to restrict user access to data in a database
|
|
In what type of access control does the system determine which users or groups may access a file?
|
MAC
|
|
In biometric identification systems, at the beginning, it became apparent that truly positive identification could only be based on physical attributes of a person. What questions did this raise?
|
What part of the body should be used and how to accomplish identification to be viable
|
|
Password aging, minimum password length, and account expiration all describe what type of login control?
|
preventive
|
|
Which access control model is based on sensitivity labels?
|
MAC
|
|
What centralized access control mechanism is not appropriate for mobile workers accessing the corporate network over analog lines?
|
Call-back
|
|
Tokens, smart cards, and biometric devices used in conjunction with other factors to validate identification and authentication provide robust authentication of the individual by practicing what principle?
|
two-factor authentication
|
|
What is the main focus of the Bell-LaPadula security model?
|
confidentiality
|
|
What is the primary use of a password?
|
authenticate the user
|
|
Which access control model is also called non-discretionary access control?
|
role-based access control
|
|
What would be the name of a logical or virtual table dynamically generated to restrict the information a user can access in a database?
|
database views
|
|
What is not a security goal for remote access?
|
automated login for remote users
|
|
What security principle is not addressed by Kerberos?
|
availability
|
|
What is required for system accountability?
|
audit mechanisms
|
|
Policies and procedures, security awareness training, background checks, work habit checks, a review of personal family history, and increased supervision are all factors of what type of control?
|
administrative controls
|
|
What security principle does the Clark-Wilson security model focus on?
|
integrity
|
|
The act of requiring two of the three factors to be used in the authentication process refers to?
|
two-factor authentication
|
|
Something you know, something you have, and something you are describes the factors of?
|
authentication
|
|
Which access control model uses a directed graph to specify rights that can be transferred from a subject to an object?
|
the take-grant model
|
|
What best describes a tool (key fob, calculator, memory card, or smart card) used to supply dynamic passwords?
|
tokens
|
|
Once an individual obtains access to the system through the initial logon, they have access to all resources within the environment that the account has access to describes a major disadvantage of what?
|
single sign-on (SSO)
|
|
Which access model is most appropriate for companies with a high employee turnover?
|
role-based access control
|
|
What is defined as high level statements on management's expectations that must be met in regards to security?
|
security policy
|
|
The task of collecting as much information as possible about your target prior to moving to other phases refers to what?
|
reconnaissance
|
|
A weakness or lack of a safeguard which may be exploited by a threat, causing harm to the information systems or networks is called a?
|
vulnerability
|
|
Modifying employee attitude and behavior is one goal of a ______________ program?
|
security awareness
|
|
What is defined as protection mechanisms implemented after an information system has become operational?
|
add-on security
|
|
What would be the annualized rate of occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
|
1,200
|
|
What is the difference between advisory and regulatory security policies?
|
Advisory policies are not mandated. Regulatory policies must be implemented.
|
|
What is the main difference between quantitative and qualitative analysis?
|
quantitative provides a formal cost/benefit analysis, qualitative does not
|
|
What is the best criterion to consider in determining the classification of an information asset?
|
value
|
|
The absence of a safeguard or a weakness in a system that may possibly be exploited is called?
|
vulnerability
|
|
What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an ARO of once every five years and an EF of 30%?
|
$60,000
|
|
What group represents the leading source of computer crime losses?
|
employees
|
|
Within the context of the CBK, what provides a minimum level of security acceptable for an environment?
|
a baseline
|
|
True or False.
IT security measures should be tailored to meet organizational security goals. |
True
|
|
Whose role is it to assign classification levels to information?
|
owner or data owner
|
|
In a discretionary access environment, what entity is authorized to grant information access to other people?
|
owner
|
|
What type of documentation embodies all the detailed actions that personnel are required to follow?
|
procedures
|
|
How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk?
|
accept the risk
|
|
All risks must be _________.
|
identified
|
|
What is the opposite of CIA in risk management?
|
disclosure, alteration, and destruction
|
|
What is considered the weakest link in a security system?
|
people
|
|
What formula is used to represent an ALE calculation?
|
SLE x ARO = ALE
|
|
Which approach to a security program makes sure that the people actually responsible for protecting the company's assets are driving the program?
|
top-down approach
|
|
Making sure data has not been changed unintentionally due to an accident or malice is?
|
integrity
|
|
Making sure data is accessible when and where it is needed is?
|
availability
|
|
True or False.
Within the realm of IT security, threat coupled with a vulnerability best defines risk. |
True
|
|
The likelihood of a threat agent taking advantage of a vulnerability is?
|
a risk
|
|
What is the main responsibility of the information (data) owner?
|
determining the data sensitivity or classification level
|
|
What is the first step in establishing an information security program?
|
adoption of a corporate information security policy statement
|
|
Preservation of confidentiality in information systems requires that the information is not disclosed to?
|
unauthorized persons or processes
|