
CISA Ch 5 - Protection of Information Assets

Study online at quizlet.com/_drzg7


1. Information security management system (ISMS): a framework of policies, procedures, guidelines and associated resources to establish, implement, operate, monitor, review, maintain and improve information security for all types of organizations

2. Information security steering committee: individuals representing various management levels that should meet as a committee to discuss issues that affect the organization and establish and approve security practices

3. Executive management: individuals responsible for the overall protection of information assets, and for issuing and maintaining the policy framework

4. Security advisory group: individuals responsible for defining the information security risk management process and acceptable level of risk and for reviewing the security plans of the organization

5. Chief Privacy Officer (CPO): a senior level corporate official responsible for articulating and enforcing the policies that companies use to protect their customers' and employees' privacy rights

6. Chief Information Security Officer (CISO): a senior level corporate official responsible for articulating and enforcing the policies that companies use to protect their information assets

7. Process owners: individuals that ensure appropriate security measures are consistent with organizational policy and are maintained

8. Information assets owners and data owners: individuals responsible for the owned asset, including conducting a risk assessment, selecting appropriate controls, and accepting the residual risk

9. Users: individuals that follow procedures set out in the organization's security policy and adhere to privacy and security regulations

10. External parties: individuals that follow procedures set out in the organization's security policy (individuals are not part of the organization)

11. Security administrator: staff level position responsible for providing adequate physical and logical security for IS programs, data and equipment

12. Security specialists/advisors: individuals that assist with the design, implementation, management, and review of the organization's security policy

13. IT developers: individuals that implement information security within their applications

14. IS auditors: individuals that provide independent assurance to management on the appropriateness and effectiveness of information security objectives and the controls

15. 4 layers of logical security: network, operating system, database, applications

16. Mandatory access controls (MACs): logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners; they act by default

17. Discretionary access controls (DACs): logical access protection that may be activated or modified by the data owner at his/her discretion; act as an additional filter, but cannot override MACs

18. Hackers: persons with the ability to explore the details of programmable systems and the knowledge to stretch or exploit their capabilities, whether ethical or not

19. Denial of service (DoS): an attack on a network resource that prevents authorized users from accessing the system

20. Social engineering: using one's social skills to trick people into revealing access credentials or other information valuable to the attacker

21. Phishing: the criminally fraudulent process of attempting to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication

22. Peer-to-peer computing: a connection between any two or more systems for a common interest such as file sharing, etc.

23. Logical access controls: the primary means used to manage and protect information assets; refers to the collection of policies designed to enable safe access to computer software and data files as well as to the network

24. Technical exposures: the unauthorized (intentional or unintentional) activities interfering with normal processing, such as implementation or modification of data and software, locking or misusing user services, destroying data, compromising system usability, distracting processing resources, or spying on data flow or user activities at either the network, OS, database, or application level

25. Identification and authentication (I&A): the process of establishing and proving one's identity; the process by which the system obtains from a user his/her claimed identity and the credentials needed to authenticate this identity, and validates both pieces of information

26. Logon IDs and passwords: the components of a user identification and authentication process, where the authentication is based on something you know

27. Two-factor authentication: authentication technique that involves something you have (a device subject to theft) and something you know (a personal identification number)

28. Biometrics: the best means of authenticating a user's identity based on a unique, measurable attribute or trait for verifying the identity of a human being; based on a physical (something you are) or behavioral (something you do) characteristic of the user

29. False rejection rate (FRR): type-I error rate; the number of times an individual granted authority to use the system is falsely rejected by the system

30. Failure-to-enroll rate (FER): the proportion of people who fail to be enrolled successfully

31. False acceptance rate (FAR): type-II error rate; the number of times an individual not granted authority to use a system is falsely accepted by the system

32. Single sign-on (SSO): the process for consolidating all organization platform-based administration, authentication and authorization functions into a single centralized administrative function

33. Access control naming conventions: structures used to govern user access to the system and user authority to access/use the computer resources such as files, programs and terminals

34. Virtualization: allows multiple OSs (guests) to coexist on the same physical server (host), in isolation from one another; it creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host

35. Passive attacks: probing for network information; attacks that gather network information (network analysis, eavesdropping, traffic analysis, etc.)

36. Active attacks: an actual attack against a targeted system to either gain complete control over that system or enough control to cause certain threats to be realized

37. Firewall: a device installed at the point where network connections enter a site; they apply rules to control the type of networking traffic flowing in and out

38. 3 categories of firewalls: packet filtering, application firewall systems, and stateful inspection

39. Packet filtering: a screening router examines the header of every packet of data traveling between the Internet and the corporate network; using this information, the router can prevent certain packets from being sent between the Internet and the corporate network

40. IP spoofing: the attacker fakes the IP address of either an internal network host or a trusted network host so that the packet being sent will pass the rule base of the firewall

41. Miniature fragment attack: an attacker fragments the IP packet into smaller ones and pushes it through the firewall in the hope that only the first of the sequence of fragmented packets would be examined and the others would pass without review

42. Application-level gateway firewall: a system that analyzes packets through a set of proxies, one for each service

43. Circuit-level firewalls: operate at the application level, typically through a single, general purpose proxy, before opening a connection

44. Stateful inspection: a firewall that keeps track of the destination IP address of each packet that leaves the organization's internal network; whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the organization

45. Demilitarized zone (DMZ): a small, isolated network for an organization's public servers, bastion host, information servers, and modem pools, configured to limit access from the Internet and the organization's private network (most secure firewall system)

46. Application firewall systems: allow information to flow between systems but do not allow the direct exchange of packets

47. Intrusion detection system (IDS): works in conjunction with routers and firewalls by monitoring network usage anomalies; protects a company's IS resources from external as well as internal misuse

48. Intrusion prevention system (IPS): designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks

49. Honeypot: a software application that pretends to be an unfortunate server on the Internet and is not set up to actively protect against break-ins; instead, it acts as a decoy system that lures hackers

50. Honeynet: multiple honeypots networked together to simulate a larger network installation, as part of an architecture to let hackers break into the false network while allowing investigators to watch their every move by a combination of surveillance technologies

51. Encryption: the process of converting a plaintext message into a secure-coded form of text, called ciphertext, which cannot be understood without converting it back, via decryption, to plaintext

52. Encryption key: a piece of information that is used within an encryption algorithm to make the encryption or decryption process unique

53. Symmetric key encryption: encryption method that uses the same key to encrypt and decrypt the data

54. Asymmetric key encryption: encryption system in which two keys are used: a public key used only to encrypt data, and a private key used only to decrypt it

55. Digital signature: an electronic identification of a person or entity created by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender

56. Digital envelope: used to send encrypted information, using symmetric keys, and the relevant session key along with it; a secure method to send electronic documents without compromising the data integrity, authentication and nonrepudiation, which were obtained with the use of asymmetric keys

57. Public key infrastructure (PKI): a framework established to issue, maintain, and revoke public key certificates by a trusted party

58. Secure sockets layer (SSL): a session, or connection-layered, protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established

59. Virus: a generic term applied to a variety of malicious computer programs that send out requests to the operating system of the host system under attack to append the virus to other programs

60. Worm: a malicious computer program that propagates itself to the host system by exploiting security weaknesses in the operating systems' configurations

61. Scanners: a type of control against viruses that looks for sequences of bits called signatures that are typical of virus programs (need to be updated periodically)

62. Active monitors: interpret DOS and read-only memory BIOS calls, looking for virus-like actions

63. Integrity CRC checkers: compute a binary number on a known virus-free program that is then stored in a database file (cyclical redundancy check); checks for changes to the files as compared to the database and reports possible infection if changes have occurred

64. Behavior blockers: focus on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files

65. IP telephony: the technology that makes it possible to have a voice conversation over the Internet or over any dedicated IP network instead of dedicated voice transmission lines

66. Voice-over IP (VoIP): a technology where voice traffic is carried on top of existing data infrastructure

67. Private branch exchange (PBX): a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization that operates it

68. Data ownership: refers to the classification of data elements and the allocation of responsibility for ensuring that they are kept confidential, complete and accurate

69. Access path: the logical route an end user takes to access computerized information

70. Bypass label processing (BLP): bypasses the computer reading of the file label; can bypass access control programs (only system software programmers should have access to this feature)

71. System exit: system software feature that permits the user to perform complex system maintenance, which may be tailored to a specific environment or company (only system software programmers should have access to this feature)

72. Computer forensics: the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable in any legal proceedings

73. Extraction: a process that consists of identification and selection of data from the imaged data set

74. Chain of custody: a term that refers to documenting, in detail, how evidence is handled and maintained, including its ownership, transfer and modification

75. External testing: refers to attacks and control circumvention attempts on the target's network perimeter from outside the target's system

76. Internal testing: refers to attacks and control circumvention attempts on the target from within the perimeter

77. Blind testing: refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target's information systems

78. Double blind testing: refers to the condition of testing when the penetration tester has little or no knowledge of the target's information systems AND the administrator and staff at the target are not aware of the test

79. Targeted testing: refers to attacks and control circumvention attempts on the target, while both the target's IT team and penetration testers are aware of the testing activities; penetration testers are provided with information related to the target and network design

80. Total failure (blackout): a complete loss of electrical power, often caused by weather conditions or the inability of electrical utility companies to meet demands

81. Severely reduced voltage (brownout): the failure of an electrical utility company to supply power within an acceptable range

82. Sags / spikes / surges: temporary and rapid decreases or increases in voltage levels

83. Electromagnetic interference (EMI): interference caused by electrical storms or noisy electrical equipment

84. Uninterruptible power supply / generator: consists of a battery or gasoline powered generator that interfaces with the electrical power entering the facility and the electrical power entering the computer; cleanses the power to ensure that voltage into the computer is consistent; continues power in the event of an electrical failure