Term
| The Information Security Triad consists of which three areas? |
|
Definition
| Confidentiality, Integrity, and Availability |
|
|
Term
| In reference to the Information Security Triad, What does Confidentiality mean? |
|
Definition
| Preventing unauthorized disclosure: only authorized subjects can read sensitive or critical data |
|
|
Term
| In reference to the Information Security Triad, What are the two sections of integrity? |
|
Definition
| Data Integrity and System Integrity |
|
|
Term
| In reference to the Information Security Triad, What does Data Integrity mean? |
|
Definition
| Data in the system is accurate and complete and has not been altered, whether maliciously or accidentally, by anyone not authorized to change it |
|
|
Term
| In reference to the Information Security Triad, What does System Integrity mean? |
|
Definition
| That the system performs exactly as intended |
|
|
Term
| In reference to the Information Security Triad, What does Availability mean? |
|
Definition
| Information, systems and resources are reachable by authorized users when they need them; in particular, access control mechanisms must not prevent authorized users from reaching the resources they are entitled to |
|
|
Term
| As it relates to Access Control, what does security refer to? |
|
Definition
| Ensure only authorized people or processes are granted access |
|
|
Term
| As it relates to Access Control, what does reliability refer to? |
|
Definition
| Assurance that the control functions as expected every time |
|
|
Term
| As it relates to Access Control, what does transparency refer to? |
|
Definition
| The controls should have minimum impact on authorized users |
|
|
Term
| As it relates to Access Control, what does scalability refer to? |
|
Definition
| Access controls should scale to accommodate growth and change in users, systems and data without loss of security or performance |
|
|
Term
| As it relates to Access Control, what does maintainability refer to? |
|
Definition
| Controls must be straightforward to administer, review and update; a control that is too complex to maintain stops being enforced and is no longer effective |
|
|
Term
| What is the key concept behind separation of duties? |
|
Definition
| No one person should have complete control over the processing of a transaction |
|
|
Term
| As it relates to Access Control, what does integrity refer to? |
|
Definition
| Systems must be designed to protect subjects, objects, and permissions from unauthorized changes |
|
|
Term
| What does the concept of Least Privilege mean? |
|
Definition
| People or processes should only be allowed access to the resources they absolutely need to accomplish their assigned work |
|
|
Term
| What does the Need to Know Principle mean? |
|
Definition
| Restricting users from accessing information not required to do their job, even if they have the proper level of clearance. |
|
|
Term
| What does Information Classification refer to? |
|
Definition
| The proper assessment of the sensitivity and criticality of a given piece of information |
|
|
Term
| What is Compartmentalized Information? |
|
Definition
| Information that requires special authorization beyond the normal classification. |
|
|
Term
| What are the three types of Access Control? |
|
Definition
| Administrative, Technical/Logical, and Physical |
|
|
Term
| What are the categories of Access Control? |
|
Definition
| Preventative, Detective, Corrective, Directive, Deterrent, Recovery, Compensating |
|
|
Term
| What does Identification mean? |
|
Definition
| The means by which the user provides a claimed identity to the system |
|
|
Term
| What are the three methods of authentication? |
|
Definition
| Something you know (knowledge, e.g. a password), something you have (ownership, e.g. a token or smart card), and something you are (characteristics, i.e. biometrics) |
|
|
Term
| What is an Asynchronous Token Device? |
|
Definition
| A challenge-response token: the server issues a challenge (a nonce), the user keys it into the token's numeric keypad, and the token returns a one-time response computed from the challenge and its secret |
|
|
Term
| What are the two types of synchronous tokens? |
|
Definition
| Event-based (counter) synchronization and time-based synchronization |
|
|
Term
| How do contactless smart cards work? |
|
Definition
| They contain an embedded antenna and radio-frequency transceiver, so the card is powered by and communicates with the reader's RF field without physical contact |
|
|
Term
| What do physiological biometrics measure? |
|
Definition
| Physical traits of the body such as fingerprint, iris and retina patterns, hand geometry and facial structure (as opposed to behavioral biometrics such as signature dynamics or keystroke rhythm) |
|
|
Term
| When dealing with Biometric Accuracy, what do we call the intersection between the False Acceptance Rate and the False Rejection Rate? |
|
Definition
| The Crossover Error Rate (CER), also called the Equal Error Rate (EER); the lower the CER, the more accurate the biometric system |
|
|
Term
| What are the Identity Management Challenges? |
|
Definition
| Consistency, Reliability, Usability, Efficiency, and Scalability |
|
|
Term
| What type of encryption does Kerberos use? |
|
Definition
| Symmetric (secret-key) encryption |
|
|
Term
| What do we call the combination of both an Authentication Server and a Ticket Granting Server in a Kerberos deployment? |
|
Definition
| The Key Distribution Center (KDC) |
|
|
Term
| SESAME is an extension of what other technology? |
|
Definition
| Kerberos |
|
|
Term
| What type of key does SESAME use? |
|
Definition
| Both symmetric and asymmetric keys |
|
|
Term
| Which Model does Hierarchical Domain control follow? |
|
Definition
|
|
Term
| What does the Service Provisioning Markup Language (SPML) do? |
|
Definition
| Provides an XML-based framework for exchanging user, resource and service provisioning information, so that the allocation of accounts and system resources can be automated within and between organizations |
|
|
Term
| Restricting access to objects based on the sensitivity of the information and the formal authorization of subjects to access such sensitivity is known as what? |
|
Definition
| Mandatory Access Control (MAC) |
|
|
Term
| Configuring the system to only allow access to certain information during specific times is known as _____________. |
|
Definition
| temporal isolation (time-of-day or temporal access control) |
|
|
Term
| When using a Discretionary Access Control system, who assigns access? |
|
Definition
| The owner of the object (resource), at the owner's discretion |
|
|
Term
| What does the information owner provide in the Mandatory Access Control system? |
|
Definition
| The "need to know" element |
|
|
Term
| A ________ access control policy bases access control authorizations on the user's job functions. |
|
Definition
| Role-based (RBAC) |
|
|
Term
| What is a current example of rule based access control? |
|
Definition
| Firewall and router rule sets, i.e. packet-filter access control lists that permit or deny traffic by address, port and protocol |
|
|
Term
| ________ access control is based on the actual content of the data record. |
|
Definition
| Content-dependent |
|
|
Term
| What is the most common type of Discretionary Access Control? |
|
Definition
| Access control lists (ACLs) |
|
|
Term
| A _________ is a collection of access control lists implemented by comparing the column of objects with the rows of subjects. |
|
Definition
| Access control matrix (each column of the matrix is an object's ACL; each row is a subject's capability list) |
|
|
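Worked example for the access control matrix card above and the separation of duties card earlier in the deck, added here and not part of the original deck. The matrix, subjects, objects and operations are constructed for illustration; the code derives an object's ACL (a column) and a subject's capability list (a row) from the same matrix, answers access checks with default deny, and flags subjects whose permissions let them complete a transaction alone.

```python
# Constructed access control matrix (not from the deck): rows are subjects,
# columns are objects, cells are the operations the subject may perform.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "payment": {"create"}},
    "bob":   {"payroll.db": {"read"}, "payment": {"approve"}},
    "carol": {"payment": {"create", "approve"}},   # deliberately over-privileged
    "eve":   {},                                   # no grants at all
}


def acl_for(matrix, obj):
    """One column of the matrix: the object's access control list."""
    return {s: set(perms[obj]) for s, perms in matrix.items() if obj in perms}


def capabilities_for(matrix, subject):
    """One row of the matrix: the subject's capability list."""
    return {o: set(ops) for o, ops in matrix.get(subject, {}).items()}


def is_allowed(matrix, subject, obj, op):
    """Reference-monitor check with default deny: an unknown subject, object or
    operation is refused rather than raising or falling through to allow."""
    return op in matrix.get(subject, {}).get(obj, set())


def separation_of_duties_violations(matrix, obj, conflicting):
    """Subjects holding every operation in `conflicting` on `obj` can complete the
    transaction alone, which separation of duties is meant to prevent."""
    return sorted(s for s, perms in matrix.items() if conflicting <= perms.get(obj, set()))


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_for(MATRIX, "payroll.db"))
    print("Capabilities of bob:", capabilities_for(MATRIX, "bob"))
    print("SoD violations on payment:", separation_of_duties_violations(MATRIX, "payment", {"create", "approve"}))
```

The same data answers both questions the two representations are optimised for: "who can touch this object?" (scan the column) and "what can this subject do?" (scan the row). Real systems store only one of the two and pay for the other with a full scan, which is why revoking one user's rights is cheap in a capability system and expensive in an ACL system, and vice versa for auditing one object.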
Term
| In __________ access control, access rules are closely managed by the security administrator. |
|
Definition
| Non-discretionary |
|
|
Term
| What type of access control do most Operating Systems use? |
|
Definition
| Discretionary Access Control (DAC) |
|
|
Term
| What type of analysis engine compares current activity with normal activity? |
|
Definition
| A statistical anomaly-based (behavior-based) engine; by contrast, a signature-based engine compares activity against known attack patterns |
|
|
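Worked example for the analysis-engine card above, added here and not part of the original deck: a minimal anomaly-based engine that learns "normal" failed-login volume from a baseline window and flags minutes that deviate from it. The log lines are constructed for the example and the `mean + k * stdev` rule with k = 3 is an assumed threshold, not a vendor's algorithm.

```python
import re
import statistics

# Assumed log format for this example; adjust the pattern for a real source.
LINE = re.compile(r"^(?P<minute>\d\d:\d\d) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log (not real data). Baseline: ten quiet minutes with a
# handful of typos; then a burst of failures from one source at 09:10.
BASELINE_LINES = """\
09:00 login ok user=alice src=10.0.0.5
09:00 login fail user=bob src=10.0.0.7
09:01 login ok user=bob src=10.0.0.7
09:02 login fail user=carol src=10.0.0.9
09:03 login fail user=alice src=10.0.0.5
09:03 login fail user=alice src=10.0.0.5
09:03 login ok user=alice src=10.0.0.5
09:04 login ok user=dave src=10.0.0.11
09:05 login fail user=bob src=10.0.0.7
09:06 login fail user=carol src=10.0.0.9
09:07 login ok user=carol src=10.0.0.9
09:08 login fail user=dave src=10.0.0.11
09:08 login fail user=dave src=10.0.0.11
09:09 login fail user=alice src=10.0.0.5
""".splitlines()
BURST_LINES = [f"09:10 login fail user=user{i:02d} src=203.0.113.9" for i in range(12)]
BURST_LINES += [
    "09:11 login fail user=bob src=10.0.0.7",
    "09:11 login ok user=bob src=10.0.0.7",
]


def failures_per_minute(lines):
    """Count failed logins per minute; minutes that only saw successes count as 0."""
    counts = {}
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than crash the engine
        counts.setdefault(m["minute"], 0)
        if m["result"] == "fail":
            counts[m["minute"]] += 1
    return dict(sorted(counts.items()))


def build_profile(baseline_lines):
    """'Normal activity': mean and sample standard deviation of failures per
    minute over a baseline period that is assumed to contain no attack."""
    counts = list(failures_per_minute(baseline_lines).values())
    return statistics.mean(counts), statistics.stdev(counts)


def detect(profile, lines, k=3.0):
    """Flag minutes whose failure count exceeds mean + k * stdev of the profile."""
    mean, sd = profile
    threshold = mean + k * sd
    return {minute: n for minute, n in failures_per_minute(lines).items() if n > threshold}


if __name__ == "__main__":
    profile = build_profile(BASELINE_LINES)
    print("profile (mean, stdev):", profile)
    print("anomalous minutes:", detect(profile, BURST_LINES))
```

Two caveats the card's one-line answer hides: the profile is only as good as the baseline (a baseline captured while an intruder was already active teaches the engine that the intrusion is normal), and legitimate spikes such as a Monday-morning login rush will trip the same rule, so anomaly engines are usually paired with signature-based detection rather than replacing it.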
Term
| What is an audit trail (audit log)? |
|
Definition
| A record of system activities |
|
|
Term
| __________ consists of a formal set of steps and procedures similar to what an attacker would use to compromise a network. |
|
Definition
| Penetration testing |
|
|
Term
| What are the three attack strategies used in penetration testing? |
|
Definition
| Zero knowledge (black box), partial knowledge (gray box), and full knowledge (white box) |
|
|
Term
| What are the three types of access control? |
|
Definition
| Administrative, technical, and physical |
|
|
Term
| Separation of duties forces collusion to commit fraud. Collusion can best be broken up by ____________. |
|
Definition
| Job rotation (often combined with mandatory vacations) |
|
|
Term
| What is the main benefit of an information classification system? |
|
Definition
| To give data the appropriate level of protection |
|
|
Term
| What is an authoritative system of records? |
|
Definition
| A hierarchical parent system that tracks users, accounts, and authorization chains |
|
|
Term
| What is TEMPEST? |
|
Definition
| Controls emanations from electronic equipment |
|
|
Term
| In Mandatory Access Control, who determines the need to know? |
|
Definition
| The information owner |
|
|
Term
| In content dependent access control, what is the key element that determines the effective access authorization? |
|
Definition
| The content of the data record itself |
|
|
Term
| An alternate control used when another fails is called a ____________. |
|
Definition
| compensating control |
|
|
Term
| How could an attacker use an IPS to help create a Denial of Service? |
|
Definition
| By generating traffic that looks like an attack from, or against, a legitimate source so that the IPS automatically blocks that legitimate traffic |
|
|
Term
| How can attackers exploit password security guidelines to their advantage? |
|
Definition
| By deliberately submitting wrong passwords for known usernames until the account-lockout threshold is reached, denying service to the legitimate users |
|
|
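Worked example for the lockout card above, added here and not part of the original deck: the naive per-account lockout that many password guidelines prescribe, next to a per-source exponential backoff that slows the guessing source without locking the legitimate user out. The policy classes, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict


class PerAccountLockout:
    """Naive policy: N failures lock the account for everyone. An attacker who knows
    or guesses usernames can deny service to any user at will."""

    def __init__(self, max_failures=5, lock_seconds=900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def record_failure(self, user, src, now):
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds

    def is_locked(self, user, src, now):
        return self.locked_until.get(user, 0) > now


class PerSourceBackoff:
    """Throttle per (account, source) with exponential backoff: each further failure
    from one source doubles the wait it must observe, while the legitimate user
    logging in from elsewhere is untouched."""

    def __init__(self, base_seconds=1, cap_seconds=3600):
        self.base_seconds = base_seconds
        self.cap_seconds = cap_seconds
        self.failures = defaultdict(int)
        self.wait_until = {}

    def record_failure(self, user, src, now):
        key = (user, src)
        self.failures[key] += 1
        delay = min(self.base_seconds * 2 ** (self.failures[key] - 1), self.cap_seconds)
        self.wait_until[key] = now + delay

    def is_locked(self, user, src, now):
        return self.wait_until.get((user, src), 0) > now


def simulate(policy, user="alice", attacker_src="203.0.113.9", victim_src="10.0.0.5", now=1_000_000):
    """The attacker submits five wrong passwords for `user`; report whether the real
    user (from her own address) and the attacker are then blocked."""
    for _ in range(5):
        policy.record_failure(user, attacker_src, now)
    return policy.is_locked(user, victim_src, now), policy.is_locked(user, attacker_src, now)


if __name__ == "__main__":
    print("per-account lockout (victim blocked, attacker blocked):", simulate(PerAccountLockout()))
    print("per-source backoff  (victim blocked, attacker blocked):", simulate(PerSourceBackoff()))
```

Per-source throttling alone is weakened by an attacker who spreads guesses across many addresses, so in practice it is combined with a per-account soft limit that triggers step-up authentication (MFA, CAPTCHA, or notification to the owner) rather than a hard lock; the point the card makes is that any control which lets an unauthenticated party change an account's state is a denial-of-service lever.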
Term
| Why are passphrases considered more secure than passwords? |
|
Definition
| Because they are longer, so they have more entropy and resist brute-force and dictionary attacks better while remaining memorable |
|
|
Term
| Which error rate of the biometric error rates is by far the more serious? |
|
Definition
| The False Acceptance Rate (Type II error): an impostor is accepted as a legitimate user, whereas a false rejection only inconveniences an authorized user |
|
|
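Worked example for the biometric accuracy cards (the crossover error rate card earlier in the deck and the "which error rate is more serious" card above), added here and not part of the original deck: the decision threshold is swept over constructed genuine and impostor match scores, FAR and FRR are computed at each threshold, and the point where they meet is the CER. The scores are invented for illustration and the sweep resolution is an assumption.

```python
# Constructed match scores in [0, 1] (not real data); higher means more similar to
# the enrolled template. Genuine attempts score high, impostors low, with overlap.
GENUINE = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.45, 0.40]
IMPOSTOR = [0.62, 0.58, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20, 0.15]


def rates_at(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR (Type II error): fraction of impostors scoring at or above the threshold.
    FRR (Type I error): fraction of genuine users scoring below it."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Sweep the threshold from 0 to 1 and return (threshold, cer) at the point where
    FAR and FRR are closest; on a continuous curve this is where the two lines cross."""
    best_gap, best_t, best_cer = None, None, None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_cer = gap, t, (far + frr) / 2
    return best_t, best_cer


if __name__ == "__main__":
    print("CER (threshold, rate):", crossover_error_rate())
    for t in (0.30, 0.50, 0.70):
        print(f"threshold {t:.2f}: FAR, FRR =", rates_at(t))
```

The sweep makes the second card's point concrete: raising the threshold drives FAR to zero at the cost of rejecting more genuine users, which is the right side of the CER to operate on for a high-security door, because a false rejection costs a retry while a false acceptance lets the impostor in.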
Term
| What does the hierarchical domain relationship mean? |
|
Definition
| Subjects are allowed to access objects at or below their own level in the hierarchy |
|
|