19 Cards in this Set
Front | Back
Facilities that house systems that process sensitive information should have physical access controls to limit access to authorized personnel only. | Data should be classified, and the necessary technical controls should be put into place to protect its integrity, confidentiality, and availability.
Hacker tools are becoming increasingly more sophisticated while requiring increasingly less knowledge by the attacker about how they work. | Quality assurance involves the verification that supporting documentation requirements are met.
Quality control ensures that an asset is operating within accepted standards. | System and audit logs should be monitored and protected from unauthorized modification.
Repetitive errors can indicate a lack of training or issues resulting from a poorly designed system. | Sensitive data should not be printed and left at stand-alone printers or fax devices.
Users should have the necessary security level to access data and resources, but must also have a need to know. | Clipping levels should be implemented to establish a baseline of user activity and acceptable errors.
Separation of responsibilities and duties should be in place so that if fraud takes place, it requires collusion. | Sensitive information should contain the correct markings and labels to indicate the corresponding sensitivity level.
Contract and temporary staff members should have more restrictive controls put upon their accounts. | Access to resources should be limited to authorized personnel, applications, and services and should be audited for compliance with stated policies.
Change control and configuration management should be put in place so changes are approved, documented, tested, and properly implemented. | Activities that involve change management include requesting a change, approving a change, documenting a change, testing a change, implementing a change, and reporting to management.
Systems should not allow their bootup sequences to be altered in a way that could bypass operating system security mechanisms. | Potential employees should have background investigations, references, experience, and education claims checked out.
Proper fault-tolerant mechanisms should be put in place to counter equipment failure. | Antivirus and IDS signatures should be updated on a continual basis.
System, network, policy, and procedure changes should be documented and communicated. | When media is reused, it should contain no residual data.
Media holding sensitive data must be properly purged, which can be accomplished through zeroization, degaussing, or media destruction. | Life-cycle assurance involves protecting a system from inception to development to operation to removal.
The key aspects of operations security include resource protection, change control, hardware and software controls, trusted system recovery, separation of duties, and least privilege. | Least privilege ensures that users, administrators, and others accessing a system have access only to the objects they absolutely require to complete their job.
Vulnerability assessments should be done on a regular basis to identify new vulnerabilities. | The operations department is responsible for any unusual or unexplained occurrences, unscheduled initial program loads, and deviations from standards.
Standards need to be established that indicate the proper startup and shutdown sequence, error handling, and restoration procedures. | A teardrop attack involves sending malformed fragmented packets to a vulnerable system.
Improper mail relay configurations allow mail servers to be used to forward spam messages. | Phishing involves an attacker sending false messages to a victim in the hope that the victim will provide personal information that can be used to steal their identity.
A browsing attack occurs when an attacker looks for sensitive information without knowing what format it is in. | A fax encryptor encrypts all fax data leaving a fax server.
A system can fail in one of the following manners: system reboot, emergency system restart, and system cold start. | The main goal of operations security is to protect resources.
Operational threats include disclosure, theft, corruption, interruption, and destruction. | Operations security involves balancing the necessary level of security with ease of use, compliance, and cost constraints.