18 Cards in this Set

  • Front
  • Back
Which of the following are valid risk responses?
a - mitigation
b - transfer
c - investment
d - avoidance
a,b, and d
Which of the following would be appropriate security measures for a building's external security perimeter?
a - motion detector
b - parking lot lights
c - turnstile
d - security guards
b and d
The process of eliminating risk by choosing not to engage in an activity is called what?
a - mitigation
b - residual risk
c - avoidance
d - acceptance
c, avoidance
CIA represents the core goals of an information security program (pg 2). What are they?
Confidentiality
Integrity
Availability
A risk matrix can be used to determine an overall risk ranking. What elements should be included in it?
Pg 4
For each risk, list the following elements:
1. The likelihood that the risk will actually occur
2. The impact of the risk
3. The total risk score
4. Who will be affected
5. Core security principles affected (CIA)
What is the principle of least privilege?
The principle of least privilege is a security discipline that requires that any person, system, or application be given no more privilege than necessary to perform its function or job.
Strategies to be successful in this area include:
- Setting up a limited number of standardized account types
- Admins perform non-admin work in non-admin accounts
- And others listed on pg 6
Another concept important to security is that of attack surface. Can you define it?
An attack surface consists of the set of methods and vectors an attacker can use to enter a system and potentially cause damage. The larger the attack surface of a particular environment, the greater the risk of a successful attack.

Attack surfaces can be divided into three components - application (e.g., what ports an application is listening on), network (e.g., placement and rule sets on firewalls), and employee (e.g., the potential for human error or malicious behavior).
Pg 7
A key factor to consider when evaluating the employee attack surface is that of the social engineering attack. What is this?
Social engineering describes the method where an attacker gains access to your systems through misrepresentation, tricking people into granting access or revealing information rather than attacking the technology directly.

You can counteract this by educating your employees to be suspicious, verify the identity of unknown callers or visitors, and be cautious.
Physical security is your first line of defense. Describe some of the key physical security measures you should be considering for implementation at your place of business.

Additionally, describe what defense in depth is.
Pg 8
Site security, computer security, the securing of removable and mobile devices and drives, access control, and identifying and removing keyloggers.

Defense in depth means using multiple layers of security to defend your assets.
Regarding security of mobile devices, does locking your laptop in a docking station by itself confer security to that device?
No. It does no good if the docking station can be removed from the room - the station must be secured to a piece of furniture first!
What are steps you can take to mitigate risk related to theft and loss of mobile devices containing confidential company data?
While available security options are scarce due to the relative newness of these devices, you can configure passwords, enable encryption, and use programs that track the device and enable remote wipe.

Employees should be instructed to always keep their equipment with them and, if they cannot, to secure it in the trunk of their car (but not overnight). At a hotel, the room safe should be used if the device is being left behind.
pg 13
It is probably impossible (never mind impractical) to ban cell phones and other similar mobile devices from the work place. With that in mind, what is the single greatest way to protect company data from espionage?
a - install BitLocker on all mobile devices
b - ban all removable storage devices
c - disallow USB ports on all equipment
d - employ the principle of least privilege
d - the principle of least privilege should be considered your first and last defense against data theft and confidentiality leaks. Some companies go to extreme measures to protect their data, but if you nip the problem in the bud by controlling data access successfully, you don't need to go any further. pg 14
What is the best defense against keyloggers?
a - ban all types of keys on company premises
b - remove all physical keyboards and rely instead on on-screen keyboards
c - visually inspect keyboards and their cabling for unusual devices
d - make sure antivirus software is installed and up-to-date on all machines
e - make sure UAC is activated on all user workstations
f - make sure all wireless keyboards support encryption.
c-f
Note that most modern wireless keyboards operate in encrypted mode by default, but you should check anyway.
pg 15
When you disable unneeded services and ports to make a system more secure what are you doing?
a - mitigating a trojan horse attack
b - security avoidance
c - reducing the attack surface
d - defense in depth
c - you are reducing the attack surface (fewer listening ports and running services mean fewer ways in).
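The attack surface card above defines the application component as "what ports an application is listening on", and this card asks you to disable what is not needed. The following is an added example, not part of the study set or the textbook it cites: a small Python audit that parses the text printed by the Linux `ss -tlnp` command and flags listeners that are not on an allowlist, or that are bound to all interfaces when they should only accept loopback connections. The `ss` output, the process names and PIDs, and the allowlist are constructed for the example.

```python
"""Listening-socket audit: an added example, not from the study set.

Parses the text format printed by `ss -tlnp` on Linux and reports every
TCP listener that is not on an allowlist of expected (port, process) pairs,
or that is exposed more widely than the allowlist permits.
"""
import re

# Constructed sample of `ss -tlnp` output; processes and PIDs are made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=1410,fd=3))
LISTEN  0       128     [::]:111            [::]:*             users:(("rpcbind",pid=601,fd=4))
"""

# Hypothetical baseline: what this host is supposed to expose, and to whom.
# "any" means the listener may bind to all interfaces; "loopback" means it
# must only be reachable from the host itself.
ALLOWED_LISTENERS = {
    (22, "sshd"): "any",
    (80, "nginx"): "any",
    (5432, "postgres"): "loopback",
}

# One LISTEN row: state, queues, local addr:port, peer addr:port, process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output):
    """Return a list of (port, process, bound_address) for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row in another state
        addr = m.group("addr").strip("[]")  # "[::]" -> "::"
        proc = m.group("proc") or "?"       # ss omits the process without -p / privileges
        listeners.append((int(m.group("port")), proc, addr))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def audit(ss_output, allowed=ALLOWED_LISTENERS):
    """Return findings for listeners that widen the attack surface.

    A listener is flagged when its (port, process) pair is not in the
    baseline, or when a loopback-only service is bound to all interfaces.
    """
    findings = []
    for port, proc, addr in parse_listeners(ss_output):
        scope = allowed.get((port, proc))
        if scope is None:
            findings.append(
                f"unexpected listener {proc} on {addr}:{port}; "
                f"disable the service or close the port")
        elif scope == "loopback" and not is_loopback(addr):
            findings.append(
                f"{proc} on port {port} should be loopback-only but is bound to {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(finding)
```

On a real host you would feed `audit()` the output of `ss -tlnp` (run as root so process names are shown), then act on each finding with `systemctl disable --now <service>` or a host-firewall rule; the example flags the FTP and rpcbind listeners because neither is in the baseline.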
________________ is the characteristic of a resource that ensures that access is restricted to only permitted users, applications, or computer systems.
Confidentiality
If you are deploying technologies to restrict access to a resource, you are practicing the security principle known as _____________.
Access control
As the new company risk manager your first assignment is to perform a formal risk assessment. You will most likely record the results of your assessment in a(n) _____________.
Risk register
As the new bank risk manager, you have just deployed a new badge reader system to address an access control risk. Although your solution has mitigated the risk, there is still a small remaining risk associated with access control. This risk is known as the _____________.
Residual risk. As risk manager you do your best to mitigate risk of all types but you can't plan for all possibilities.
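The risk matrix card earlier in the set lists the elements each risk should carry (likelihood, impact, total score, who is affected, CIA principles affected), and the last two cards introduce the risk register and residual risk. The following is an added example, not part of the study set or the textbook it cites: a Python risk register that scores each risk as likelihood times impact on assumed 1 to 5 scales, ranks the register, and records a mitigation so that the residual risk can be ranked separately. The scales, band thresholds and sample risks are assumptions constructed for the example.

```python
"""Risk matrix and risk register: an added example, not from the study set.

Each risk carries the elements the card lists: likelihood, impact, the
resulting score, who is affected, and which CIA principles it touches.
The 1..5 scales and the band thresholds are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed qualitative bands for a 5x5 matrix (score = likelihood x impact).
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]


def risk_band(score):
    """Map a matrix score (1..25) to a qualitative band."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    affected: str                        # who is affected
    cia: frozenset                       # subset of {"C", "I", "A"}
    response: str = "accept"             # mitigate / transfer / avoid / accept
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        if not self.cia <= {"C", "I", "A"}:
            raise ValueError("cia must be a subset of C, I, A")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def residual_score(self):
        """Risk left after the chosen response; equals score when untreated."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


class RiskRegister:
    def __init__(self):
        self.risks = []

    def add(self, risk):
        self.risks.append(risk)

    def find(self, name):
        for r in self.risks:
            if r.name == name:
                return r
        raise KeyError(name)

    def mitigate(self, name, new_likelihood=None, new_impact=None):
        """Record a mitigation; what remains is the residual risk."""
        r = self.find(name)
        r.response = "mitigate"
        r.residual_likelihood, r.residual_impact = new_likelihood, new_impact
        return r.residual_score

    def avoid(self, name):
        """Avoidance drops the activity, so nothing is left to score."""
        r = self.find(name)
        r.response = "avoid"
        r.residual_likelihood, r.residual_impact = 0, 0
        return r.residual_score

    def ranked(self, residual=False):
        """Risks from highest to lowest score; ties broken by impact."""
        def key(r):
            return ((r.residual_score if residual else r.score), r.impact)
        return sorted(self.risks, key=key, reverse=True)


def build_sample_register():
    """Constructed sample register with a few illustrative risks."""
    reg = RiskRegister()
    reg.add(Risk("Tailgating into server room", 4, 4, "IT, all tenants", frozenset({"C", "I", "A"})))
    reg.add(Risk("Laptop lost with unencrypted data", 3, 5, "Sales staff, customers", frozenset({"C"})))
    reg.add(Risk("Keylogger on shared workstation", 2, 4, "Reception staff", frozenset({"C"})))
    reg.add(Risk("Power outage in branch office", 2, 2, "Branch staff", frozenset({"A"})))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    reg.mitigate("Tailgating into server room", new_likelihood=1)  # badge reader deployed
    for r in reg.ranked(residual=True):
        print(f"{r.name}: {r.score} ({risk_band(r.score)}) -> residual {r.residual_score} "
              f"({risk_band(r.residual_score)}), {r.response}, affects {r.affected}, CIA {sorted(r.cia)}")
```

In the sample, the badge reader from the bank card lowers the tailgating likelihood from 4 to 1, so its score falls from 16 (High) to a residual 4 (Low); it stays in the register because the residual risk is still there, it just no longer tops the ranking.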