Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key


Play button


Play button




Click to flip

147 Cards in this Set

  • Front
  • Back
block cipher being developed as a successor to DES. It operates under the symmetric key model.
Advanced Encryption Standard (AES)
developed in the 1970s by the National Bureau of Standards with the help of the National Security Agency" with an algorithm submitted by IBM. It operates under the symmetric key model. This is the current standard
Data Encryption Standard (DES) and Triple-DES (3DES)
an encryption algorithm that employs the asymmetric key model.
block cipher used in PGP. unlike the other block cipher algorithms is patented by the Swiss firm of Ascom. They have, however, been generous in allowing, with permission, free noncommercial use of their algorithm, with the result that ______ is best known as the block cipher algorithm used within the popular encryption program PGP."
International Data Encryption Algorithm (IDEA)
993 by Bruce Schneier as a fast, free alternative to existing encryption algorithms. Since then it has been analyzed considerably, and it is slowly gaining acceptance as a strong encryption algorithm.
unpatented, and the source code is uncopyrighted and license-free; it is free for all uses." (Counterpane Internet Security: ________: A New Block Cipher) It operates under the symmetric key model.
family of algorithms that employ the asymmetric key model. There are actually multiple incarnations of this algorithm; RC5 is one of the most common in use.
Rivest-Shamir-Adelman (RSA)
Select this check box to rely on a common passphrase rather than on public key cryptography. The file is encrypted using a session key, which encrypts using a passphrase that you will be asked to choose.
Conventional Encryption
Select this checkbox to create a self decrypting executable file. If you select this option, the file is encrypted using a session key, which encrypts (and decrypts) using a passphrase that you are asked to choose. To decrypt the file, double-click it and enter the appropriate passphrase. This option is especially convenient for user’s who are sending encrypted files to people who do not have PGP software installed.
Self Decrypting Archive (SDA)
focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP
typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP
occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources
A high-level manager to support, promote, and endorse the findings of the project
Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Project Manager
Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
Team Members
Fill in the Blanks of the Contingency Planning Hierarchy.
Contingency Planning, Incident Response, Disaster recovery, and business continuity
Fill in the steps of the Contingency Planning Timeline.
Incident Response (IRP), Disaster Recovery (DRP), and Business Continuity (BCP)
What has the following steps.
1. Treat attack identification
2. Business unit analysis
3. Attack Success Scenarios
4. Potential Damage Assessment
5. Subordinate Plan Classification
Business Impact Analysis (BIA)
The detailed description of activities during an attack
Attack Profile
* The second major task within the BIA is the analysis and prioritization of business functions within the organization
* Identify the functional areas of the organization and prioritize them as to which are most vital
* Focus on a prioritized list of the various functions the organization performs
Business Unit Analysis
whether or not an organization is able to take effective action during the event to combat the effect of the attack
Qualifying Differene
________ is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
An Incident
Attacks are only classified as incidents if they have what three characteristics?
Are directed against information assets
Have a realistic chance of success
Could threaten the confidentiality, integrity, or availability of information resources
What are the following?
*intrusion detection systems, both host-based and network-based
*virus detection software
*systems administrators
*end users
Possible Incident Detectors
When Does an Incident Become a Disaster?
* the organization is unable to mitigate the impact of an incident during the incident
* the level of damage or destruction is so severe the organization is unable to quickly recover
* It is up to the organization to decide which incidents are to be classified as disasters and, thus, receive the appropriate level of response
consists of actions that guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident
Incident Reaction
What are the following the steps of?

* There must be a clear establishment of priorities
* There must be a clear delegation of roles and responsibilities
* Someone must initiate the alert roster and notify key personnel
* Someone must be tasked with the documentation of the disaster
* If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization
Disaster Recovery Plan (DRP)
actions taken during and after a disaster focusing on the people involved and addressing the viability of the business
Crisis Managment
outlines reestablishment of critical business operations during a disaster that impacts operations
Business Continuity Planning
The bulk batch-transfer of data to an off-site facility.
Electronic Vaulting
The transfer of live transactions to an off-site facility; only transactions are transferred not archived data, and the transfer is real-time.
Remote Journaling
Not only processing duplicate real-time data storage, but also duplicates the databases at the remote site to multiple servers.
Database Shadowing
* Fully configured and ready to operate within a few hours of a disaster
* Can support a short- or long-term outage
* Flexible in its configuration and options
Hot Site
* Partially configured with some equipment
* Essentially provide the facility and some peripheral devices, but not a full configuration like a hot site
Warm Site
*Supplies basic computing environments including wiring, ventilation, plumbing, and flooring
Cold Site
What are these the six steps of?

1. Identifying the mission- or business-critical functions
2. Identifying the resources that support the critical functions
3. Anticipating potential contingencies or disasters
4. Selecting contingency planning strategies
5. Implementing the contingency strategies
6. Testing and revising the strategy
Contingency Planning Process
What is the major drawback to law enforcement involvement?
You lose control of your data and systems.
deals with many computer crimes that are categorized as felonies
Federal Bureau of Investigation
works with crimes involving US currency, counterfeiting, credit cards, identity theft, and other crimes
US Secret Service
has a bank fraud investigation unit and the Securities and Exchange Commission has investigation and fraud control units as well
US Treasury Department
What is the biggest advantage to law enforcement involvement?
Better equipt
what was

* Developed in a language called ABAP
* Platform that includes the operating system and database called Basis
*Language of choice is Java and ABAP
* Basis is replace with the SAP Web Application Server (WAS) which implements the J2EE 1.3 standard
* Extended by several products including BI, Portals and others
SAP NetWeaver
* Creates professional user interfaces while minimizing manual coding
* Uses visual design tools and reuses UI components
* Users Model-View-Controller architecture, clear separation between UI and backend services
Web Dynpro
* An abstraction of the database that allows more platform independence than JDBC
* Allows a direct relational interface or an object-based interface to access data with little work on the part of the developer
Open SQL
Facilitates unified access to enterprise applications to enable Drag and Relate operations
Unification technology
Renders HTML pages which users interact
Page builder
Create users and assign then roles
Use role management
Single sign on to all systems
User management
Built on proven technology. A solution verified for large data warehouses (5+ Tb)
Integrates business processes. Provides a centralized metadata repository with a consistent business semantic. Read-to-go templates and best-practices – horizontal and vertical business content.
Business Orientation
Supports decision-making requirements of every user.
Actionable Information
A platform for process integration based upon the exchange of XML messages
Exchange Infrastructure (XI)
To tap the contents of text documents by structuring and classifying them so relevant information is available
Knowledge Management
Is designed to provide a unified view of data from a distributed and heterogeneous environment
Master Data Management (MDM)
A model-driven development environment that allows applications to be assisted by the use of modeling to describe the structure of the application so that code and interfaces of various sorts can be generated.
Composite Application Framework (CAF)
Security mechanisms:

security clearance of personnel, pwd protection, information classification, security policies, application program controls, audit
External procedures
Security mechanisms:

hazards, fire, flooding, radiation
Physical security
Security mechanisms:

encryption, duplication, hot, cold sites
Data storage
Security mechanisms:

authentication, access, threat monitoring, audit trail
Processor software
Security mechanisms:

memory protection, reliability
Processor hardware
Security mechanisms:

Communication lines
A critical element of security and control in a financial application is monitoring of
Great Plains Dynamics (GPD)
What GPD tool combines inquiry and reporting capabilities to provide easier access to Dynamics business objects
__________________________ can also be used to set the SmartList views that will be available to a specific user or to a specific user class.
SmartList Security window
For security by ___________, the settings apply to the members of the class without regard to what Dynamics Company they work with.
user class
For a ______________, select the company these settings should apply to.
single user
what is a classification feature in Dynamics in which users are grouped and given the same levels of access to the accounting system.
user class
states that in lists of numbers from many real-life sources of data, the leading digit is 1 almost one third of the time, and larger numbers occur as the leading digit with less and less frequency as they grow in magnitude, to the point that 9 is the first digit less than one time in twenty. This is based on the observation that real-world measurements are generally distributed logarithmically, thus the logarithm of a set of real-world measurements is generally distributed uniformly.

This counter-intuitive result applies to a wide variety of figures, including electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers, physical and mathematical constants, and processes described by power laws (which are very common in nature). Even more counter-intuitively, the result holds regardless of the base in which the numbers are expressed, although the exact proportions of course change.
Benford's law
Is used to analyze data and produce reports for both non-technical and expert users. It saves you time and money by accomplishing in minutes what used to take hours or even days.
is the perceived level of risk that a material misstatement may occur in the client's un-audited financial statements, or underlying levels of aggregation, in the absence of internal control procedures.
Inherent risk (IR)
is the perceived level of risk that a material misstatement in the client's un-audited financial statements, or underlying levels of aggregation, will not be detected and corrected by the management's internal control procedures
control risk (CR)
is the perceived level of risk that a material misstatement in the client's un-audited financial statements, or underlying levels of aggregation, will not be detected by the auditor.
detection risk (DR)
The higher the assessment of inherent and control risk the more ________________ the IS auditor should normally obtain from the performance of substantive audit procedures.
audit evidence
_______________ is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.
Internal control
has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
is a term used for a number of concepts involving either the performance of an investigation of a business or person, or the performance of an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations.
Due diligence
identifying, assessing and evaluating the levels of risk facing the organization, also begins in this stage.
risk management task
has been considered the industry standard for computer security since the development of the mainframe. It was solely based on three characteristics that described the utility of information: confidentiality, integrity, and availability.
The C.I.A. triangle
weaknesses or faults in a system or protection mechanism that expose information to attack or damage
a category of objects, persons, or other entities that represents a potential danger to an asset.
to take advantage of weaknesses or vulnerability in a system
an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
a subject or object’s ability to use, manipulate, modify, or affect another subject or object.
the probability that something can happen.
an active entity that interacts with an information system and causes information to move through the system for a specific end purpose
he action of gathering, analyzing, and applying information about products, domain constituents, customers, and competitors for the short term and long term planning needs of an organization
Competitive intelligence
Name the threat Category:

Accidents, employee mistakes
Acts of human error or failure
Name the threat Category:

Piracy, copyright infringement
Compromise to intellectual property
Name the threat Category:

Unauthorized access and/or data collection
Deliberate acts of espionage or trespass
Name the threat Category:

Blackmail of information disclosure
Deliberate acts of information extortion
Name the threat Category:

Destruction of systems or information
Deliberate acts of sabotage or vandalism
Name the threat Category:

Illegal confiscation of equipment or information
Deliberate acts of theft
Name the threat Category:

Viruses, worms, macros, denial-of-sevice
Deliberate software attacks
Name the threat Category:

Fire, flood, earthquake, lightning
Forces of nature
Name the threat Category:

Power and WAN service issues
Deviations in quality of services from service providers
Name the threat Category:

Equipment failures
Technical hardware failures or errors
Name the threat Category:

Bugs, code problems, unknown loophols
Technical software failures or errors
Name the threat Category:

Antiquated or outdated technologies
Technological obsolescence
A risk management strategy calls on us to “know ourselves” by identifying, classifying, and prioritizing the organization’s information assets
Risk Identification
Modification of Systems Development Life Cycle for risk managment
waterfall methodology
We can determine the relative risk for each of the vulnerabilities through a process called _______________.
Risk Assessment
what formula is used for Risk Determination
RISK ={(likelihood of vulnerability occurrence)*(value or impact)}- percentage risk already controlled + an element of uncertainty
strategies for risk management:

Apply safeguards
strategies for risk management:

Transfer the risk
strategies for risk management:

Reduce the impact
strategies for risk management:

Inform themselves of all of the consequences and accept the risk without control or mitigation
is simply how often you expect a specific type of attack to occur, per year
Annualized Rate of Occurrence (ARO)
is the calculation of the value associated with the most likely loss from an attack
Single Loss Expectancy (SLE)
is the percentage loss that would occur from a given vulnerability being exploited
exposure factor (EF)
What is the formula for Single Loss Expectancy (SLE)?
asset value x exposure factor (EF)
What is the formula for Annualized Loss Expectancy (ALE) ?
= Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
Rather than use the financial value of information assets, review peer institutions to determine what they are doing to protect their assets
_________is the analysis of measures against established standards
___________ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility
Risk appetite
What are the three types of plans that help mitigate damages causes by incidents?
1. incident response planning (IRP)
2. disaster recovery planning (DRP)
3. business continuity planning (BCP)
_________ direct how issues should be addressed and technologies used
What are the following examples of?

* high risk, moderate risk, low risk
* board confidential, senior management confidential, department confidential, company confidential, public
Information Classification
One of the foundations of security architectures is the requirement to implement security in layers. __________________ requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls
Defense in depth
The point at which an organization’s security protection ends, and the outside world begins, is referred to as the __________________. Unfortunately the _________ does not apply to internal attacks from employee threats, or on-site physical threats.
security perimeter
An ___________________________ is used to detect many types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
intrusion detection system
What is this model known as?
The Triangle model
Positive identification of person/system seeking access to secured information/services
Predetermined level of access to resources
Logging use of each asset
Unique alphanumeric identifier used to identify an individual when logging onto a computer/network
Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer/network
____________ prevents eavesdropping or replay attacks, and ensures the integrity of the data. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity.

__________ builds on symmetric key cryptography and requires a trusted third party.
Point-to-Point Protocol (PPP) mechanism used by an authenticator to authenticate a peer
Challenge Handshake Authentication Protocol (CHAP)
Electronic means of verifying identity of an individual/organization
Digital Certificates
Converts plain text message into secret message
Converts secret message into plain text message
Uses only one key
Symmetric cipher
Uses a key pair (private key and public key)
Asymmetric cipher
Trusted, third-party entity that verifies the actual identity of an organization/individual before providing a digital certificate
Certificate authority (CA)
Practice of using a trusted, third-party entity to verify the authenticity of a party who sends a message
* Authentication devices assigned to specific user
* Small, credit card-sized physical devices
* Incorporate two-factor authentication methods
* Utilize base keys that are much stronger than short, simple passwords a person can remember
Security Tokens
Security Token Type:

* Act as a storage device for the base key
* Do not emit, or otherwise share, base tokens
Security Token Type:

* Actively create another form of a base key or encrypted form of a base key that is not subject to attack by sniffing and replay
* Can provide variable outputs in various circumstances
what type of authentication does the following?

* Uses measurements of physical or behavioral characteristics of an individual
* Generally considered most accurate of all authentication methods
* Traditionally used in highly secure areas
This is what percent of the time will an authorized person be rejected by the system.
FRR (False Rejection Rate)
Type 1 error rate
This is what percent of the time will an unauthorized person be accepted by the system?
FAR (False Acceptance Rate)
Type 2 error rate
Point at which FRR and FAR is?
cross over
Known to be the most secure type of biometric authentication.
What are the important factors to consider when choosing a biometric technology for your application? ______________will show you how each technology ranks for cost, accuracy, effort and ease of use.
Zephyr Analysis
_____________ is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message; this is in contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured. Quite often, _________________ is hidden in pictures.
What does this diagram represent?
The Zephyr Analysis