The Fabrication attack type most commonly affects which principle(s) of the CIA triad?
A. Availability
B. Integrity
C. Confidentiality
D. Integrity a... [Show More] nd Availability
E. Confidentiality and Integrity - correct answerIntegrity and Availability
The Interception attack type most commonly affects which principle(s) of the CIA triad? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Integrity and Availability
B.Confidentiality and Integrity
C.Availability
D.Integrity
E.Confidentiality - correct answerConfidentiality
Something that has the potential to cause harm to our assets is known as a(n) ________.
A.Threat
B.Impact
C.Risk
D.Vulnerability - correct answerThreat
Controls that protect the systems, networks, and environments that process, transmit, and store our data are called _______.
A.Logical controls
B.Administrative controls
C.Physical controls - correct answerLogical Control
What is the first and arguably one of the most important steps of the risk management process?
A.Assess risks
B.Mitigate risks
C.Identify threats
D.Assess vulnerabilities
E.Identify assets - correct answerIdentify assets
Protects information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction - correct answerinformation security
A type of attack, primarily against confidentiality - correct answerInterception
Something that has the potential to cause harm to our assets - correct answerThreat
A weakness that can be used to harm us - correct answerVulnerability
The likelihood that something bad will happen - correct answerRisk
An attack that involves tampering with our assets - correct answerModification attack
A model that adds three more principles to the CIA triad: possession or control, utility, and authenticity - correct answerParkerian hexad
The physical disposition of the media on which the data is stored - correct answerPossession or control
An attack that involves generating data, processes, communications, or other similar activities with a system - correct answerFabrication attack
A multilayered defense that will allow us to achieve a successful defense should one or more of our defensive measures fail - correct answerDefense in depth
Sometimes called technical controls, these protect the systems, networks, and environments that process, transmit, and store our data - correct answerLogical controls
Controls that protect the physical environment in which our systems sit, or where our data is stored - correct answerPhysical controls
The risk management phase that consists of all of the activities that we can perform in advance of the incident itself, in order to better enable us to handle it - correct answerPreparation phase
The risk management phase where we detect the occurrence of an issue and decide whether it is actually an incident so that we can respond to it appropriately - correct answerDetection and analysis phase
The biometric characteristic that measures how well a factor resists change over time and with advancing age is called __________.
A. Collectability
B. Acceptability
C.Universality
D.Uniqueness
E.Permanence - correct answerE.Permanence
What type of authentication can prevent a man-in-the-middle attack? This task contains the radio buttons and checkboxes for options.
A.Multifactor
B.Mutual
C.Something you know
D.Something you are
ESomething you do - correct answerB.Mutual
An authentication mechanism in which both parties authenticate each other - correct answerMutual authentication
Describes the ease with which a system can be tricked by a falsified biometric identifier - correct answerCircumvention
A user who creates a network share and sets permissions on that share is employing which model of access control? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A. Mandatory access control
B. Discretionary access control
C. Attribute-based access control
D. Role-based access control - correct answerDiscretionary access control
What type of access control can prevent the confused deputy problem? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.ACLs
B.A password policy
C.Capability-based security
D.A locked door - correct answerCapability-based security
Confidential Services Inc. is a military-support branch consisting of 1,400 computers with Internet access and 250 servers. All employees are required to have security clearances. From the options listed below, what access control model would be most appropriate for this organization? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Discretionary access control
B.Role-based access control
C.Attribute-based access control
D.Mandatory access control - correct answerD.Mandatory access control
A VPN connection that is set to time out after 24 hours is demonstrating which model of access control? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Mandatory access control
B.Role-based access control
C.Attribute-based access control
D.Discretionary access control - correct answerAttribute-based access control
Lesson: Authorization and Access Control
Objective: More Advanced
States that we should allow only the bare minimum access required in order for a given party (person, user account, or process) to perform a needed functionality - correct answerPrinciple of least privilege
Typically built to a certain resource, these contain the identifiers of the party allowed to access the resource and what the party is allowed to do. - correct answerAccess control lists (ACLs)
In this method of security, a person's capabilities are oriented around the use of a token that controls their access (e.g. a personal badge) - correct answerCapability-based security
A type of attack that is more common in systems that use ACLs rather than capabilities - correct answerThe confused deputy problem
A type of attack that misuses the authority of the browser on the user's computer - correct answerCross-site request forgery (CSRF)
Access is determined by the owner of the resource in question - correct answerDiscretionary access control (DAC)
Similar to MAC in that access controls are set by an authority responsible for doing so, rather than by the owner of the resource. In this model, access is based on the role the individual is performing - correct answerRole-based access control (RBAC)
Access is based on attributes (of a person, a resource, or an environment) - correct answerAttribute-based access control
Designed to prevent conflicts of interest; commonly used in industries that handle sensitive data. Three main resource classes are considered in this model: objects, company groups, and conflict classes. - correct answerThe Brewer and Nash model
A combination of DAC and MAC, primarily concerned with the confidentiality of the resource. Two security properties define how information can flow to and from the resource: the simple security property and the * property. - correct answerThe Bell-LaPadula model
Primarily concerned with protecting the integrity of data, even at the expense of confidentiality. Two security rules: the simple integrity axiom and the * integrity axiom. - correct answerThe Biba model
An access control model that includes many tiers of security and is used extensively by military and government organizations and those that handle data of a very sensitive nature - correct answerMultilevel access control model
What process ensures compliance with applicable laws, policies, and other bodies of administrative control, and detects misuse? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Nonrepudiation
B.Deterrence
C.Auditing
D.Accountability
E.Authorization - correct answerC.Auditing
Lesson: Auditing and Accountability
Objective: Introduction
Nessus is an example of a(n) _______________ tool. This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Fuzzing
B.Anti-virus
C.Anti-malware
D.Vulnerability scanning
E.Penetration testing - correct answerD.Vulnerability scanning
A surveillance video log contains a record, including the exact date and time, of an individual gaining access to his company's office building after hours. He denies that he was there during that time, but the existence of the video log proves otherwise. What benefit of accountability does this example demonstrate? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Deterrence
B.Nonrepudiation
C.Intrusion detection and prevention
D.Authentication
E.Authorization - correct answerB.Nonrepudiation
_______ provides us with the means to trace activities in our environment back to their source. This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Access
B.Authentication
C.Accountability
D.Authorization
E.Nonrepudiation - correct answerC.Accountability
Backordered Parts is a defense contractor that builds communications parts for the military. The employees use mostly Web-based applications for parts design and information sharing. Due to the sensitive nature of the business, Backordered Parts would like to implement a solution that secures all browser connections to the Web servers. What encryption solution best meets this company's needs? This task contains the radio buttons and checkboxes for options.
A.Elliptic Curve Cryptography (ECC)
B.Digital signatures
C.Advanced Encryption Standard (AES)
D.Blowfish - correct answerA.Elliptic Curve Cryptography (ECC)
Lesson: Cryptography
Objective: Alert!
Question 3 : We are somewhat limited in our ability to protect which type of data? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Data at rest
B.Data in motion
C.Data in use - correct answerC.Data in use
he science of breaking through encryption is known as _____. This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Ciphertext
B.Cryptology
C.Cryptography
D.Cryptanalysis - correct answerD.Cryptanalysis
The specifics of the process used to encrypt the plaintext or decrypt the ciphertext - correct answerCryptographic algorithm
Also known as private key cryptography, this uses a single key for both encryption of the plaintext and decryption of the ciphertext - correct answerSymmetric key cryptography
Example: AES
A type of cipher that takes a predetermined number of bits in the plaintext message (commonly 64 bits) and encrypts that block - correct answerBlock cipher
A type of cipher that encrypts each bit in the plaintext message, 1 bit at a time - correct answerStream cipher
A set of symmetric block ciphers endorsed by the US government through NIST. Shares the same block modes that DES uses and also includes other modes such as XEX-based Tweaked CodeBook (TCB) mode - correct answerAES
Also known as public key cryptography, this method uses two keys: a public key and a private key. - correct answerAsymmetric key cryptography
Uses the RSA algorithm, an asymmetric algorithm, to secure web and email traffic - correct answerSecure Sockets Layer (SSL) protocol
Also referred to as message digests, these functions do not use a key - correct answerHash functions
Infrastructure that includes the CAs that issue and verify certificates and the registration authorities (RAs) that verify the identity of the individuals associated with the certificates - correct answerPublic key infrastructure (PKI)
______ regulates the financial practice and governance of corporations. This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.GLBA
B.FISMA
C.SOX
D.FERPA
E.HIPAA - correct answerC.SOX
Regulations mandated by law, usually requiring regular audits and assessments - correct answerRegulatory Compliance
This act safeguards privacy through the establishment of procedural and substantive rights in personal data - correct answerThe Federal Privacy Act of 1974
Question : Risk can be higher when ___________ services are used for computing operations. This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.auditing
B.competitive intelligence
C.cloud computing
D.OPSEC - correct answerC.cloud computing
Laws of OPSEC
1.If you don't know what to protect, how do you know you are protecting it?
2.If you don't know the threat, how do you know what to protect?
3.If you are not protecting it (i.e. the information), THE DRAGON WINS! - correct answer1.If you don't know the threat, how do you know what to protect?
2.If you don't know what to protect, how do you know you are protecting it?
3.If you are not protecting it (i.e. the information), THE DRAGON WINS!
During what phase of the operations security process do we match threats and vulnerabilities? T
A.Assessment of risks
B.Analysis of vulnerabilities
C.Analysis of threats
D.Identification of critical information
E.Application of countermeasures - correct answerA.Assessment of risks
Haas' second law of operations security, "If you don't know what to protect, how do you know you are protecting it?," maps to what step in the operations security process?
A.Analysis of threats
B.Analysis of vulnerabilities
C.Assessment of risks
D.Application of countermeasures
E.Identification of critical information - correct answerE.Identification of critical information
You are leaving for an extended vacation and want to take steps to protect your home. You set a timer to turn lights and the TV on and off at various times throughout the day, suspend the mail delivery, and arrange for a neighbor to come in and water the plants. What step in the operations security process do these actions demonstrate? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9.
A.Identification of critical information
B.Analysis of threats
C.Analysis of vulnerabilities
D.Assessment of risks
E.Application of countermeasures - correct answerE.Application of countermeasures
The process of intelligence gathering and analysis to support business decisions is known as _______.
A.Competitive intelligence
B.Competitive business
C.Business intelligence
D.Business competition
E.Counter intelligence - correct answerA.Competitive intelligence
The study that was conducted to discover the cause of the information leak during the Vietnam War was codenamed ________ and is now considered a symbol of OPSEC.
A.Sun Tzu
B.Vietnam Viper
C.The Art of War
D.Purple Dragon - correct answerD.Purple Dragon
The process of intelligence gathering and analysis in order to support business decisions - correct answerCompetitive intelligence
Name the five steps of the operations security process
1.Identification of critical information
2.Analysis of threats
3.Analysis of vulnerabilities
4.Assessment of risks
5.Application of countermeasures - correct answer1.Identification of critical information
2.Analysis of threats
3.Analysis of vulnerabilities
4.Assessment of risks
5.Application of countermeasures
Haas' Laws of Operations Security: The First Law - correct answerIf you don't know the threat, how do you know what to protect?
Haas' Laws of Operations Security: The Second Law - correct answerIf you don't know what to protect, how do you know you are protecting it?
Haas' Laws of Operations Security: The Third Law - correct answerIf you are not protecting it, the dragon wins!
The first step in the OPSEC process, and arguably the most important: to identify the assets that most need protection and will cause us the most harm if exposed - correct answerIdentification of critical information
The second step in the OPSEC process: to look at the potential harm or financial impact that might be caused by critical information being exposed, and who might exploit that exposure - correct answerAnalysis of threats
The third step in the OPSEC process: to look at the weaknesses that can be used to harm us - correct answerAnalysis of vulnerabilities
The fourth step in the OPSEC process: to determine what issues we really need to be concerned about (areas with matching threats and vulnerabilities) - correct answerAssessment of risks
The fifth step in the OPSEC process: to put measures in place to mitigate risks - correct answerApplication of countermeasures
Name the most common security awareness issues
Protecting data, passwords, social engineering, network usage, malware, the use of personal equipment, clean desk, policy knowledge - correct answerName the most common security awareness issues
Protecting data, passwords, social engineering, network usage, malware, the use of personal equipment, clean desk, policy knowledge
A technique used by an attacker that relies on the willingness of people to help others - correct answerSocial engineering
A technique involving a fake identity and a believable scenario that elicits the target to give out sensitive information or perform some action which they would not normally do for a stranger - correct answerPretexting
A social engineering technique that uses electronic communications (email, texts, or phone calls) to convince a potential victim to give out sensitive information or perform some action - correct answerPhishing
A social engineering technique that targets a specific company, organization, or person, and involves knowing specifics about the target to appear valid - correct answerSpear phishing
A program that seeks to make users aware of the risk they are accepting through their current actions and attempts to change their behavior through targeted efforts - correct answerSecurity Awareness, Training, and Education (SATE)
What planning process ensures that critical business functions can continue to operate during an emergency?
A.Incident response planning
B.Risk management planning
C.Operations security planning
D.Disaster recovery planning
E.Business continuity planning - correct answerE.Business continuity planning
What planning process ensures that we can respond appropriately during and after a disaster?
A.Incident response planning
B.Risk management process
C.Operations security process
D.Disaster recovery planning
E.Business continuity planning - correct answerD.Disaster recovery planning
Your company has an office full of expensive computer equipment to protect. You recommend a variety of approaches, including a security guard stationed at the entrance, a high fence around the property, and key card entry to all nonpublic areas. What security concept are you recommending to protect your company's assets?
A.Defense in depth
B.Nonrepudiation
C.Capability-based security
D.Access control lists
E.Principle of least privilege - correct answerA.Defense in depth
Which of the options below demonstrates all three types of physical security controls: deterrent, detective, and preventive?
A.A burglar alarm
B.A guard dog
C.A locked door
D.A warning sign
E.An employee policy - correct answerB.A guard dog
Name three main types of physical controls
Deterrent, detective, and preventive - correct answerDeterrent, detective, and preventive
Hping3: A tool used to test the security of firewalls. - correct answerHping3: A tool used to test the security of firewalls. [Show Less]