Domain 3: Information Security Program Flashcards

Question

EMPLOYMENT AGREEMENTS

Answer 1

Organizations should use written employment agreements that spell out the employee's responsibilities in many different areas. For the purposes of the CISM exam, you should know that this may include security-related responsibilities. Here are two specific areas that should be included in all employment agreements: Nondisclosure agreements (NDAs), where the employee agrees not to disclose any confidential information learned during the course of employment, even after the employee leaves the organization Asset return agreements, where the employee agrees to return all of the organization's property at the end of employment, including both information and physical assets

Answer 2

The separation of duties principle states that sensitive business functions should require the involvement of at least two people. This reduces the likelihood of fraud by requiring collusion between two employees to commit fraud. A common example of separation of duties is found in accounting departments. One way that employees might steal funds from the organization is to set up fake vendors in the system and then issue checks to those vendors for services that were never rendered. To prevent this, organizations typically separate the ability to set up a new vendor and issue a check to a vendor and say that no employee should ever have both of those privileges.

Answer 3

Know Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs look at historical performance. Key goal indicators (KGIs) measure progress toward defined goals. Key risk indicators (KRIs) try to quantify the security risk facing an organization. KRIs look forward at future potential risks.

Answer 4

Endpoint devices, such as laptop and desktop computers, mobile phones, and tablets, are the front lines in cybersecurity defensive strategies. They're at a high level of risk because they rest in the hands of end users who may intentionally or accidentally undermine the security mechanisms that protect these devices. For this reason, cybersecurity professionals pay careful attention to managing the secure configuration, monitoring, and management of endpoint systems.

Answer 5

Malicious software, or malware, is one of the most common threats to endpoints. Malicious software may invade a network, spreading under its own power, or it may arrive on a system when a user clicks a malicious link or installs unsafe software. Once it has a foothold on a system, malware may be used to gain control of system resources and to steal sensitive information.

Answer 6

Signature detection uses databases of known malware patterns and scans the files and memory of a system for any data matching the pattern of known malicious software. If it finds suspect contents, it can then remove the content from the system or quarantine it for further analysis. When you're using signature detection, it is critical that you frequently update the virus definition file to ensure that you have current signatures for newly discovered malware. Heuristic detection takes a different approach. Instead of using patterns of known malicious activity, these systems attempt to model normal activity and then report when they discover anomalies—activity that deviates from that normal pattern.

Answer 7

Today, virtually every system out there has basic malware protection installed. Organizations are now deploying more sophisticated tools, known as endpoint detection and response (EDR) platforms. EDR extends traditional malware protection to include four important capabilities: Detecting security incidents Containing incidents that are detected Investigating contained incidents Remediating endpoints back to their pre-compromised state

Answer 8

Data loss prevention (DLP) solutions provide technology that helps an organization enforce information handling policies and procedures to prevent data loss and theft. They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization. They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.

Answer 9

Host-based DLP uses software agents installed on a single system that search the system for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places! Detecting the presence of stored sensitive information allows security professionals to take prompt action to either remove it or secure it with encryption. Taking the time to secure or remove information now will be worth it in the long run if the device is lost, stolen, or compromised. Host-based DLP can also monitor system configuration and user actions, blocking undesirable actions. For example, some organizations use host-based DLP to block users from accessing USB-based removable media devices that they might use to carry information out of the organization's secure environment. Network-based DLP systems monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information. DLP systems may simply block traffic that violates the organization's policy, or, in some cases, they may automatically apply encryption to the content. This automatic encryption is commonly used with DLP systems that focus on email.

Answer 10

Pattern matching watches for the telltale signs of sensitive information. For example, if the DLP sees a number that is formatted like a credit card or Social Security number, it can automatically trigger an alert based on that pattern. Similarly, the DLP may contain a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and trigger when it sees those terms in a transmission. Watermarking allows systems or administrators to apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.

Answer 11

Configuration management tracks the way that specific endpoint devices are set up. Configuration management tracks both the operating systems settings and the inventory of software installed on a device. Change management programs provide organizations with a formal process for identifying, requesting, approving, and implementing changes to configurations.

Answer 12

A baseline is a snapshot of a system or application at a given point in time. It may be used to assess whether a system has changed outside of an approved change management process. System administrators may compare a running system to a baseline to identify all changes to the system and then compare those changes to a list of approved change requests.

Answer 13

Version control is also a critical component of change management programs, particularly in the areas of software and script development. Versioning assigns each release of a piece of software an incrementing version number that may be used to identify any given copy.

Answer 14

Configuration management should also create artifacts that may be used to help understand system configuration. For example, diagrams often play an important role in helping security professionals understand how a system was designed and configured. These can be crucial when performing time-sensitive troubleshooting or incident investigations. Together, change and configuration management allow technology professionals to track the status of hardware, software, and firmware, ensuring that change occurs when desired but in a controlled fashion that minimizes risk to the organization.

Answer 15

Applying patches to operating systems is critical because it ensures that systems are not vulnerable to security exploits discovered by attackers. Each time an operating system vendor discovers a new vulnerability, they create a patch that corrects the issue. Promptly applying patches ensures a clean and tidy operating system. In Windows, the Windows Update mechanism is the simplest way to apply security patches to systems as soon as they are released. On Linux systems, administrators may take advantage of a variety of update mechanisms depending on their specific Linux distributions and organizational practices. As a security administrator, you should not only ensure that your systems are configured to receive updates, you should also analyze the output of patch management processes to ensure that those patches are applied. Configuration management tools can assist you with automating this work. They also help you keep track of patches to the applications that you run in your organization.

Answer 16

System hardening involves analyzing the default settings of your operating system and removing services and components that are not required to meet your business needs. Remove unnecessary software and operating system components to configure the system for the least functionality required to perform its function. This is an activity known as reducing the attack surface. The fewer things you have installed on a system, the fewer opportunities for an attacker to exploit. Lock down the host firewall to only allow access to those open ports and services that are intended for use by other systems. Disable any default accounts and passwords that came with the operating system or applications you installed. These default accounts provide attackers with a starting point for brute-force attacks and, when configured with default passwords, will be quickly compromised if exposed to the Internet. Verify that system configuration settings match best practices. On Windows systems, this may mean modifying registry settings to configure your system to meet minimum security requirements. On Linux systems, you may need to modify configuration files to perform similar hardening tasks.

Answer 17

Networks also play a crucial role in an organization's cybersecurity program. Endpoints, servers, and other devices all rely on the network to communicate with one another. Networks are often trusted to carry sensitive information within an organization. Cybersecurity professionals use a variety of controls to ensure the security of their networks.

Answer 18

Well-designed networks group systems into network segments based on their security level. This approach limits the risk that a compromised system on one network segment will be able to affect a system on a different network segment. It also makes it more difficult for a malicious insider to cause the organization damage.

Answer 19

Network firewalls serve as the security guards of a network, analyzing all attempts to connect to systems on a network and determining whether the request should be allowed or denied according to the organization's security policy. They also play an important role in network segmentation.

Answer 20

Virtual LANs (VLANs) are an important network security control. VLANs allow you to logically group together related systems, regardless of where they normally exist on the network. When you create diagrams of your desired network layouts, you typically place different functional groups in different network locations. Users in the accounting department share a network that is separate from users in the sales department and those in the IT department.

Answer 21

Networks carry all types of data over both short and long distances. Whether it's a transatlantic videoconference or an email across the room, many different networks carry the 1s and 0s that make communications work. Routers and switches are the core building blocks of these networks and require special security attention. Switches do create networks, but they are limited to creating local networks. Switches generally operate at Layer 2 of the OSI model—the Data Link layer—where they work with MAC addresses only. Some switches can perform limited functions at Layer 3 of the OSI model—the Network layer—where they can interpret IP addresses. In those cases, switches are beginning to take on the function of routers.

Answer 22

Network engineers use switches to connect devices to networks. They are simple-looking devices that contain a large number of network ports. Switches may be very small, with 8 or fewer ports, or they can be quite large, with 500 or more ports. Switches are normally hidden away inside wiring closets and other secure locations. Each switch port is connected to one end of a network cable. Those cables then disappear into special pipes known as conduits for distribution around a building.

Answer 23

Implement VLAN pruning. Switches use a technology known as VLAN trunking to carry VLANs across the many switches that make up a network. This allows any switch port on the network to join any VLAN trunked to that switch. VLAN pruning implements the least privilege principle and only trunks VLANs to switches if the VLAN is needed on that switch. This requires a little more work on the part of network administrators, but it also reduces the risk of a compromised switch. For example, if you have a VLAN for the sales department and the sales department is contained within a single building, you should trunk that VLAN within the building but not into other buildings. Block VLAN hopping. Malicious users may attempt an attack known as VLAN hopping to change from their authorized VLAN to one containing resources that they would like to attack. They might do this through a variety of means, but most rely on pretending to be a switch and asking the switch to trunk VLANs to the malicious user's device. The countermeasures for this attack vary from device to device, but generally speaking, you should configure your switches to deny automatic VLAN trunking negotiation and only trunk VLANs when explicitly authorized by a network administrator.

Answer 24

Port security protects against attackers disconnecting an authorized device from the wired network and replacing it with a rogue device that may eavesdrop on other users or attempt to access secure network resources. Port security works by limiting the MAC addresses that may be used on a particular switch port and requiring administrator intervention to change out a device. Port security works in two modes: In static mode, the administrator manually configures each switch port with the allowable MAC addresses. This is very time-consuming, but this MAC filtering approach is the most secure way to implement port security. In dynamic, or “sticky” mode, the administrator enables port security and then tells the switch to memorize the first MAC address that it sees on any given port and then restrict access to that MAC address. This makes configuration much faster but can be risky if you have unused but active switch ports.

Answer 25

Routers play a higher-level role, connecting networks together by serving as a central aggregation point for network traffic heading to or from a large network. The router makes decisions about the best paths for traffic to follow as it travels to its final destination. The router plays a role on the network that is similar to the way an air traffic controller organizes planes in the sky, sending them to their correct destination. Routers also play an important role in network security. They are often located both physically and logically between the firewall and another network. Because they see traffic before network firewalls, they can perform filtering that reduces the load on the network firewall. Routers aren't great at performing complex filtering, but network administrators can configure them to perform basic screening of network traffic. Routers share some common functionality with firewalls, but they are definitely not a substitute for firewall technology.

Answer 26

Firewalls are purpose-specific devices and are much more efficient at performing complex filtering than routers. Firewalls have advanced rule capabilities. They allow you to create rules that are conditional upon the time of day, users involved, and other criteria. Firewalls offer more advanced security functionality. They can incorporate threat intelligence, perform application inspection, and integrate with intrusion prevention systems to provide enhanced protection to a network.

Answer 27

VPNs require an endpoint on the remote network that accepts VPN connections. Many different devices may serve as VPN endpoints, such as a firewall, router, server, or a dedicated VPN concentrator. All of these approaches provide secure VPN connections, but organizations that have high volumes of VPN often choose to use a dedicated VPN concentrator because these devices are efficient at handling VPN connections and can manage high-bandwidth traffic with ease. If you don't have a high volume of VPN traffic, you might choose to use the firewall, router, or server approach. If you go that way, be warned that VPN traffic requires resource-intensive encryption, and that unlike VPN concentrators, firewalls, routers, and servers usually don't contain specialized hardware that accelerates encryption. Using them as VPN endpoints can cause performance issues.

Answer 28

In a full-tunnel VPN, any traffic leaving the remote device is sent through the VPN back to the home network and protected by encryption. This includes not only traffic headed back to the corporate network, but all web browsing and other activity as well. In a split-tunnel VPN, some traffic is sent through the VPN while other traffic is sent out through the user's local network. The routing policy is set by the VPN administrator. In most cases, they configure the split tunnel to send traffic headed for corporate systems through the VPN while allowing regular Internet traffic to go directly to the destination over the local network. This approach was set up to reduce the burden on VPNs and to conserve bandwidth.

Answer 29

Another emerging trend is the Always-On VPN. In this strategy, all corporate mobile devices are configured to automatically connect to the VPN whenever they are powered on. This takes control away from the end user and ensures that traffic leaving the device is always protected by strong encryption.

Answer 30

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) play an extremely important role in the defense of networks against hackers and other security threats. Intrusion detection systems sit on the network and monitor traffic, searching for signs of potentially malicious traffic. For example, an intrusion detection system might notice that a request bound for a web server contains a SQL injection attack, a malformed packet is attempting to create a denial of service, a user's login attempt seems unusual based on the time of day and prior patterns, or that a system on the internal network is attempting to contact a botnet command-and-control server. All of these situations are examples of security issues that administrators would obviously want to know about. Intrusion detection systems identify this type of situation and then alert administrators to the issue for further investigation.

Answer 31

Intrusion detection systems can make mistakes. Two different types of errors are caused by these systems, and monitoring those errors is an important part of security analytics: False positive errors occur when the system alerts administrators to an attack but the attack does not actually exist. This is an annoyance to the administrator, who wastes time investigating the alert, and may lead to administrators ignoring future alerts. False negative errors occur when an attack actually takes place but the intrusion detection system does not notice it.

Answer 32

The most common and effective method is called signature detection. This approach works similarly to antivirus software. Signature-based systems contain very large databases containing patterns of data (or signatures) known to be associated with malicious activity. When the system spots network traffic matching one of those signatures, it triggers an intrusion alert. This approach is also known as rule-based detection. The downside is that a signature-based system cannot detect a previously unknown attack. If you're one of the first victims of a new attack, it will sneak right past a signature-detection system. The upside is that if the signatures are well designed, these systems work very well, with a low false positive rate. Signature detection is a reliable, time-tested technology. The second method is known as anomaly detection. This model takes a completely different approach to the intrusion detection problem. Instead of trying to develop signatures for all possible malicious activity, the anomaly detection system tries to develop a model of normal activity and then report deviations from that model as suspicious. For example, an anomaly detection system might notice that a user who normally connects to the VPN from home during the early evening hours is suddenly connecting from Asia in the middle of the night. The system can then either alert administrators or block the connection, depending on the policy. The models developed by these IDS and IPS systems are often application-aware and understand how to dissect the applications protocols in use during a network session. Anomaly detection has the potential to notice new attack types, but it also has a high false positive error rate and is not widely used by security administrators. Many modern intrusion detection and prevention systems combine signature detection and anomaly detection capabilities in the same product.

Answer 33

There are also differences in the way that intrusion prevention systems are set up and configured on the network. The two major approaches are in-band and out-of-band deployments. In an in-band deployment, the intrusion prevention system sits directly on the network path and all communications must pass through it on their way to their final destination. In this approach, the IPS can block suspicious traffic from reaching its final destination. In-band deployments are also known as inline deployments. Although this approach allows an active response, it also adds the risk that an issue with the IPS can disrupt all network communications because the in-band IPS is a single point of failure. In an out-of-band deployment, the IPS is not in the network path but sits outside the flow of network traffic. It is connected to a SPAN port on a switch, which allows it to receive copies of all traffic sent through the network to scan, but it cannot disrupt the flow of traffic. This approach is also known as passive mode because the IPS can still react by sending commands to block future traffic from offending systems, but it cannot stop the initial attack from entering the network because it only learns about that traffic after it has been sent.

Answer 34

Most of the attack techniques used by hackers focus on undermining the confidentiality or integrity of data. One of the common goals of attackers is to steal sensitive information, such as credit card numbers or Social Security numbers, or alter information in an unauthorized fashion, such as increasing bank account balances or defacing a website. Some attacks, however, focus on disrupting the legitimate use of a system. Unlike other attacks, these target the availability leg of the CIA triad. We call these attacks denial-of-service (DoS) attacks. These attacks make a system or resource unavailable to legitimate users by sending thousands or millions of requests to a network, server, or application, overwhelming it and making it unable to answer any requests. It is difficult to distinguish well-executed DoS attack requests from legitimate traffic.

Answer 35

DoS attacks require large amounts of bandwidth. Sending lots of requests that tie up the server requires a large network connection. It becomes a case of who has the bigger network connection. DoS attacks are easy to block. Once the victim recognizes they are under attack, they can simply block the IP addresses of the attackers. Distributed denial-of-service (DDoS) attacks overcome these limitations by using botnets to overwhelm their target. The attack requests come from many different network locations, so it is difficult to distinguish them from legitimate requests.

Answer 36

Many of the key benefits of the cloud derive from the fact that it uses a shared pool of resources that may be configured for different purposes by different users. This sharing allows oversubscription because not everyone will use all their resources at the same time, and it achieves economies of scale. The fact that many different users share resources in the same cloud infrastructure is known as multitenancy. In a multitenant environment, the same physical hardware might support the workloads and storage needs of many different customers, all of whom operate without any knowledge of or interaction with their fellow customers.

Answer 37

On-demand self-service computing. Cloud resources are available when and where you need them. This provides developers and technologists with incredible agility, reducing cycle times and increasing the speed of deployment. Scalability. As the demand for a cloud-based service increases, customers can manually or automatically increase the capacity of their operations. In some cloud environments, the cloud service provider may do this in a manner that is completely transparent to the customer, scaling resources behind the scenes. Cloud providers achieve scalability in two ways: Vertical scaling increases the capacity of existing servers, as shown in Figure 7.2(a). For example, you might change the number of CPU cores or the amount of memory assigned to a server. In the physical world, this means opening up a server and adding physical hardware. In the cloud, you can just click a few buttons and add memory or compute capacity. Horizontal scaling adds more servers to a pool of clustered servers, as shown in Figure 7.2(b). If you run a website that supports 2,000 concurrent users with two servers, you might add a new server every time your typical usage increases by another 1,000 users. Cloud computing makes this quite easy since you can just replicate your existing server with a few clicks.

Answer 38

The distributed nature of cloud computing involves the use of geographically distant facilities to achieve high availability and to place content in close proximity to users. This may mean that a customer's data is stored and processed in data centers across many different countries, either with or without explicit notification. Unless customers understand how their data is stored, this could introduce legal concerns. Data sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. Under this principle, a customer might wind up subject to the legal requirements of a jurisdiction where they have no involvement other than the fact that one of their cloud providers operates a data center within that jurisdiction. Security professionals responsible for managing cloud services should be certain that they understand how their data is stored, processed, and transmitted across jurisdictions. They may also choose to encrypt data using keys that remain outside the providers’ control to ensure that they maintain sole control over their data.

Answer 39

Virtual machine escape vulnerabilities are the most serious issue that may exist in a virtualized environment, particularly when a device is running several virtual systems of differing security levels. In an escape attack, the attacker has access to a single virtual guest system and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor is supposed to prevent this type of access by restricting a virtual machine's access to only those resources assigned to that machine. Escape attacks allow a process running on the virtual machine to “escape” those hypervisor restrictions. Virtual machine sprawl occurs when IaaS users create virtual service instances and then forget about them or abandon them, leaving them to accrue costs and accumulate security issues over time. Organizations should maintain instance awareness to avoid VM sprawl issues.

Answer 40

Cloud applications depend heavily on the use of application programming interfaces (APIs) to provide service integration and interoperability. In addition to implementing the secure coding practices discussed in Chapter 6, “Security Assessment and Testing,” security analysts responsible for API-based applications should implement API inspection technology that scrutinizes API requests, looking for requests that pose security issues. These capabilities are often found in web application firewall (WAF) solutions. Secure web gateways (SWGs) also provide a layer of application security for cloud-dependent organizations. SWGs monitor web requests made by internal users and evaluate them against the organization's security policy, blocking requests that violate these requirements. SWGs are commonly used to block access to potentially malicious content but may also be used to enforce content filtering restrictions.

Answer 41

Inline CASB solutions physically or logically reside in the connection path between the user and the service. They may do this through a hardware appliance or an endpoint agent that routes requests through the CASB. This approach requires configuration of the network and/or endpoint devices. It provides the advantage of seeing requests before they are sent to the cloud service, allowing the CASB to block requests that violate policy. API-based CASB solutions interact not directly with the user but rather with the cloud provider through the provider's API. This approach provides direct access to the cloud service and does not require any user device configuration. However, it also does not allow the CASB to block requests that violate policy. API-based CASBs are limited to monitoring user activity and reporting on or correcting policy violations after the fact.

Answer 42

Hardware security modules (HSMs) are special-purpose computing devices that manage encryption keys and also perform cryptographic operations in a highly efficient manner. HSMs are expensive to purchase and operate, but they provide an extremely high level of security when configured properly. One of their core benefits is that they can create and manage encryption keys without exposing the keys to a single human being, dramatically reducing the likelihood that the keys will be compromised.

Answer 43

Key distribution is a major problem. Parties must have a secure method of exchanging the secret key before establishing communications with a symmetric key protocol. If a secure electronic channel is not available, an offline key distribution method must often be used (that is, out-of-band exchange). Symmetric key cryptography does not implement nonrepudiation. Because any communicating party can encrypt and decrypt messages with the shared secret key, there is no way to prove where a given message originated. The algorithm is not scalable. It is extremely difficult for large groups to communicate using symmetric key cryptography. Secure private communication between individuals in the group could be achieved only if each possible combination of users shared a private key. Keys must be regenerated often. Each time a participant leaves the group, all keys known by that participant must be discarded.

Answer 44

Great speed at which it can operate. Symmetric key encryption is very fast, often 1,000 to 10,000 times faster than asymmetric algorithms. By nature of the mathematics involved, symmetric key cryptography also naturally lends itself to hardware implementations, creating the opportunity for even higher-speed operations. The Advanced Encryption Standard (AES) is the most commonly used example of a symmetric encryption algorithm.

Answer 45

If Alice wants to send a message to Bob using public key cryptography, she creates the message and then encrypts it using Bob's public key. The only possible way to decrypt this ciphertext is to use Bob's private key, and the only user with access to that key is Bob. Therefore, Alice can't even decrypt the message herself after she encrypts it. If Bob wants to send a reply to Alice, he simply encrypts the message using Alice's public key, and then Alice reads the message by decrypting it with her private key.

Answer 46

The addition of new users requires the generation of only one public-private key pair. This same key pair is used to communicate with all users of the asymmetric cryptosystem. This makes the algorithm extremely scalable. Users can be removed far more easily from asymmetric systems. Asymmetric cryptosystems provide a key revocation mechanism that allows a key to be canceled, effectively removing a user from the system. Key regeneration is required only when a user's private key is compromised. If a user leaves the community, the system administrator simply needs to invalidate that user's keys. No other keys are compromised and therefore key regeneration is not required for any other user. Asymmetric key encryption can provide integrity, authentication, and nonrepudiation. If a user does not share their private key with other individuals, a message signed by that user can be shown to be accurate and from a specific source and cannot be later repudiated. Key distribution is a simple process. Users who want to participate in the system simply make their public key available to anyone with whom they want to communicate. There is no method by which the private key can be derived from the public key. No preexisting communication link needs to exist. Two individuals can begin communicating securely from the moment they start communicating. Asymmetric cryptography does not require a preexisting relationship to provide a secure mechanism for data exchange.

Answer 47

They accept an input of any length. They produce an output of a fixed length, regardless of the length of the input. The hash value is relatively easy to compute. The hash function is one-way (meaning that it is extremely hard to determine the input when provided with the output). The hash function is collision-free (meaning that it is extremely hard to find two messages that produce the same hash value). The Secure Hash Algorithm (SHA) versions 2 and 3 (SHA-2 and SHA-3) are government standard hash functions promoted by the National Institute of Standards and Technology (NIST).

Answer 48

Digitally signed messages assure the recipient that the message truly came from the claimed sender. They enforce nonrepudiation (that is, they preclude the sender from later claiming that the message is a forgery). Digitally signed messages assure the recipient that the message was not altered while in transit between the sender and recipient. This protects against both malicious modification (a third party altering the meaning of the message) and unintentional modification (because of faults in the communications process, such as electrical interference). Digital signature algorithms rely on a combination of the two major concepts already covered in this chapter—public key cryptography and hashing functions.

Answer 49

If Alice wants to digitally sign a message she's sending to Bob, she performs the following actions: Alice generates a message digest of the original plaintext message using one of the cryptographically sound hashing algorithms, such as SHA-3. Alice then encrypts only the message digest using her private key. This encrypted message digest is the digital signature. Alice appends the signed message digest to the plaintext message. Alice transmits the appended signature and message to Bob. When Bob receives the digitally signed message, he reverses the procedure, as follows: Bob decrypts the digital signature using Alice's public key. Bob uses the same hashing function to create a message digest of the full plaintext message received from Alice. Bob then compares the decrypted message digest he received from Alice with the message digest he computed himself. If the two digests match, he can be assured that the message he received was sent by Alice. If they do not match, either the message was not sent by Alice or the message was modified while in transit. However, if Alice wanted to ensure the privacy of her message to Bob, she could add a step to the message creation process. After appending the signed message digest to the plaintext message, Alice could encrypt the entire message with Bob's public key. When Bob receives the message, he would decrypt it with his own private key before following the steps just outlined.

Answer 50

The development environment is typically used for developers or other “builders” to do their work. Some workflows provide each developer with their own development environment; others use a shared development environment. The test environment is where the software or systems can be tested without impacting the production environment. In some schemes, this is preproduction, whereas in others a separate preproduction staging environment is used. Quality assurance (QA) activities take place in the test environment. The staging environment is a transition environment for code that has successfully cleared testing and is waiting to be deployed into production. The production environment is the live system. Software, patches, and other changes that have been tested and approved move to production.

Answer 51

Individuals and interactions are more important than processes and tools. Working software is preferable to comprehensive documentation. Customer collaboration replaces contract negotiation. Responding to change is key, rather than following a plan.

Answer 52

Understand Routers and switches must be protected against unauthorized physical access to avoid compromise. Switch security techniques include VLAN pruning, the prevention of VLAN hopping, and port security. Router security techniques include the use of access control lists to filter traffic and quality of service controls to prioritize important network use.

Answer 53

Public cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model. The term private cloud is used to describe any cloud infrastructure that is provisioned for use by a single customer. A community cloud service shares characteristics of both the public and private models. Community cloud services do run in a multitenant environment, but the tenants are limited to members of a specifically designed community.

Answer 54

Under the shared responsibility model of cloud security, cloud customers must divide responsibilities between one or more service providers and the customers' own cybersecurity teams. In an IaaS environment, the cloud provider takes on the most responsibility, providing security for everything below the operating system layer. In PaaS, the cloud provider takes over added responsibility for the security of the operating system itself. In SaaS, the cloud provider is responsible for the security of the entire environment, except for the configuration of access controls within the application and the choice of data to store in the service.

Answer 55

Digital certificates provide a trusted mechanism for sharing public keys with other individuals. Users and organizations obtain digital certificates from certificate authorities (CAs), who demonstrate their trust in the certificate by applying their digital signature. Recipients of the digital certificate can rely on the public key it contains if they trust the issuing CA and verify the CA's digital signature.

Answer 56

Identity and access management systems perform three major functions: identification, authentication, and authorization. Identification is the process of a user making a claim of identity, such as by providing a username. Authentication allows the user to prove their identity. Authentication may be done using something you know, something you have, or something you are. Multifactor authentication combines different authentication techniques to provide stronger security. Authorization ensures that authenticated users may only perform actions necessary to carry out their assigned responsibilities.

Answer 57

The type of security objectives that are included in the program. Does the program cover all aspects of information security or are there exceptions? For example, physical security and the security of paper documents might be excluded from the information security program if they are covered by other work. The portion of the organization covered by the information security program. A security program might cover the entire organization, or its work might be limited to a business unit or other portion of the organizational structure. Option 1 The information security program is responsible for securing the confidentiality, integrity, and availability of all information stored, processed, or transmitted by the organization in any form: physical or digital. Option 2 The information security program is responsible for securing the confidentiality, integrity, and availability of all information stored, processed, or transmitted by the organization in any form: physical or digital. The program does not apply to elements of the University Health System governed by the UHS Cybersecurity Program.

Answer 58

The potential impact of the KRI, or the likelihood that the indicator will identify potential risks that are significant to the business The effort required to implement, measure, and support the indicator on an ongoing basis The reliability of the indicator as a good predictor of risk The sensitivity of the indicator, meaning that it is able to accurately capture variances in the risk

Answer 59

Every organization will have to define its own KPIs, but the Information Technology Infrastructure Library (ITIL) framework provides a good starting point. They offer nine KPIs that security programs may choose to leverag

Answer 60

Similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored Social Security numbers (SSNs), a KGI might track the percentage of SSNs that have been removed.

Answer 61

The core of the charter is the scope statement, which defines the security objectives included in the program and the portion of the organization covered by the program. The charter should also address the business purpose of the program, a statement of authority, roles and responsibilities, governance structures, documentation, enforcement mechanisms, and processes for periodic program reviews.

Answer 62

Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs look at historical performance. Key goal indicators (KGIs) measure progress toward defined goals. Key risk indicators (KRIs) try to quantify the security risk facing an organization. KRIs look forward at future potential risks.

Answer 63

Security training programs impart new knowledge to employees and other stakeholders. They should be tailored to meet the specific requirements of an individual's role in the organization. Security awareness programs seek to remind users of the information they have already learned, keeping their security responsibilities top-of-mind.

Answer 64

Security managers lead a team of professionals and are responsible for the motivation, development, and management of those team members. This includes providing training that helps employees keep their skills current and certifications that help employees validate their skills.

Answer 65

. Security managers should cultivate relationships with other business leaders to ensure that security is well integrated with other business functions. This includes integrating with the human resources function for employee hiring, transfers, and termination. It also includes aligning with procurement and accounting functions for product and service acquisitions. Security leaders should also work carefully with other information technology leaders and the organization's auditors.

Answer 66

The firms that offer cloud computing services to their customers. They may build their own data centers or work hand-in-hand with other cloud providers to deliver their service, but their defining characteristic is that they offer a cloud service for sale.

Answer 67

(or cloud brokers) Oganizations that offer ancillary products or services that support or integrate with the offerings of a cloud service provider. Cloud partners may offer training or consulting to help customers make use of a cloud service, provide software development and integration services, or perform any other service that facilitates the use of a cloud offering.

Answer 68

Independent organizations who provide third-party assessments of cloud services and operations. Depending on the scope of the audit engagement, they may provide a general assessment of a cloud environment or focus on security controls for a narrow scope of operations.

Answer 69

Organizations that offer ancillary products or services that support or integrate with the offerings of a cloud service provider. Cloud partners may offer training or consulting to help customers make use of a cloud service, provide software development and integration services, or perform any other service that facilitates the use of a cloud offering.

Answer 70

Describe any cloud infrastructure that is provisioned for use by a single customer. This infrastructure may be built and managed by the organization that will be using the infrastructure, or it may be built and managed by a third party.

Answer 71

This approach allows customers to upload their own code functions to the provider and the provider will then execute those functions on a scheduled basis, in response to events, and/or on demand.

Answer 72

The distributed nature of cloud computing involves the use of geographically distant facilities to achieve high availability and to place content in close proximity to users. This may mean that a customer's data is stored and processed in data centers across many different countries, either with or without explicit notification. Unless customers understand how their data is stored, this could introduce legal concerns. Data sovereignty is a principle that states that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed. Under this principle, a customer might wind up subject to the legal requirements of a jurisdiction where they have no involvement other than the fact that one of their cloud providers operates a data center within that jurisdiction.

Answer 73

Virtual machine escape vulnerabilities are the most serious issue that may exist in a virtualized environment, particularly when a device is running several virtual systems of differing security levels. In an escape attack, the attacker has access to a single virtual guest system and then manages to leverage that access to intrude upon the resources assigned to a different virtual machine. The hypervisor is supposed to prevent this type of access by restricting a virtual machine's access to only those resources assigned to that machine. Escape attacks allow a process running on the virtual machine to “escape” those hypervisor restrictions.

Answer 74

xine sprawl occurs when IaaS users create virtual service instances and then forget about them or abandon them, leaving them to accrue costs and accumulate security issues over time. Organizations should maintain instance awareness to avoid VM sprawl issues.

Answer 75

Auditability is an important component of cloud governance. Cloud computing contracts should include language that guarantees the right of the customer to audit cloud service providers. Customers may choose to perform these audits themselves or engage a third party to perform an independent audit. The use of auditing is essential to providing customers with the assurance that the provider is operating in a secure manner and meeting its contractual data protection obligations.

Answer 76

Key distribution is a major problem. Parties must have a secure method of exchanging the secret key before establishing communications with a symmetric key protocol. If a secure electronic channel is not available, an offline key distribution method must often be used (that is, out-of-band exchange). Symmetric key cryptography does not implement nonrepudiation. Because any communicating party can encrypt and decrypt messages with the shared secret key, there is no way to prove where a given message originated. The algorithm is not scalable. It is extremely difficult for large groups to communicate using symmetric key cryptography. Secure private communication between individuals in the group could be achieved only if each possible combination of users shared a private key. Keys must be regenerated often. Each time a participant leaves the group, all keys known by that participant must be discarded.

Answer 77

Asymmetric key algorithms, also known as public key algorithms, provide a solution to the weaknesses of symmetric key encryption. In these systems, each user has two keys: a public key, which is shared with all users, and a private key, which is kept secret and known only to the owner of the key pair. But here's a twist: opposite and related keys must be used in tandem to encrypt and decrypt. In other words, if the public key encrypts a message, then only the corresponding private key can decrypt it, and vice versa.

Answer 78

The addition of new users requires the generation of only one public-private key pair. This same key pair is used to communicate with all users of the asymmetric cryptosystem. This makes the algorithm extremely scalable. Users can be removed far more easily from asymmetric systems. Asymmetric cryptosystems provide a key revocation mechanism that allows a key to be canceled, effectively removing a user from the system. Key regeneration is required only when a user's private key is compromised. If a user leaves the community, the system administrator simply needs to invalidate that user's keys. No other keys are compromised and therefore key regeneration is not required for any other user. Asymmetric key encryption can provide integrity, authentication, and nonrepudiation. If a user does not share their private key with other individuals, a message signed by that user can be shown to be accurate and from a specific source and cannot be later repudiated. Key distribution is a simple process. Users who want to participate in the system simply make their public key available to anyone with whom they want to communicate. There is no method by which the private key can be derived from the public key. No preexisting communication link needs to exist. Two individuals can begin communicating securely from the moment they start communicating. Asymmetric cryptography does not require a preexisting relationship to provide a secure mechanism for data exchange.

Answer 79

The addition of new users requires the generation of only one public-private key pair. This same key pair is used to communicate with all users of the asymmetric cryptosystem. This makes the algorithm extremely scalable. Users can be removed far more easily from asymmetric systems. Asymmetric cryptosystems provide a key revocation mechanism that allows a key to be canceled, effectively removing a user from the system. Key regeneration is required only when a user's private key is compromised. If a user leaves the community, the system administrator simply needs to invalidate that user's keys. No other keys are compromised and therefore key regeneration is not required for any other user. Asymmetric key encryption can provide integrity, authentication, and nonrepudiation. If a user does not share their private key with other individuals, a message signed by that user can be shown to be accurate and from a specific source and cannot be later repudiated. Key distribution is a simple process. Users who want to participate in the system simply make their public key available to anyone with whom they want to communicate. There is no method by which the private key can be derived from the public key. No preexisting communication link needs to exist. Two individuals can begin communicating securely from the moment they start communicating. Asymmetric cryptography does not require a preexisting relationship to provide a secure mechanism for data exchange.

Answer 80

The certificate was compromised (for example, the certificate owner accidentally gave away the private key). The certificate was erroneously issued (for example, the CA mistakenly issued a certificate without proper verification). The details of the certificate changed (for example, the subject's name changed). The security association changed (for example, the subject is no longer employed by the organization sponsoring the certificate).

Answer 81

Static code analysis (sometimes called source code analysis) is conducted by reviewing the code for an application. Since static analysis uses the source code for an application, it can be seen as a type of white-box testing with full visibility to the testers. This can allow testers to find problems that other tests might miss, either because the logic is not exposed to other testing methods, or because of internal business logic problems.

Answer 82

Dynamic code analysis relies on the execution of the code while providing it with input to test the software. Much like static code analysis, dynamic code analysis may be done via automated tools or manually, but there is a strong preference for automated testing due to the volume of tests that need to be conducted in most dynamic code testing processes.

Answer 83

Fuzz testing, or fuzzing, involves sending invalid or random data to an application to test its ability to handle unexpected data. The application is monitored to determine if it crashes, fails, or responds incorrectly. Fuzzing is typically automated due to the large amount of data that a fuzz test involves and is particularly useful for detecting input validation and logic issues as well as memory leaks and error handling. Unfortunately, fuzzing tends to only identify simple problems; it does not account for complex logic or business process issues and may not provide complete code coverage if its progress is not monitored.

Answer 84

False acceptance errors occur when the system misidentifies an individual as an authorized user and grants access that should be denied. This is a very serious error because it allows unauthorized access to the system, device, information, or facility. The frequency of these errors is measured by the false acceptance rate (FAR). False rejection errors occur when an authorized individual attempts to gain access to a system but is incorrectly denied access by the system. This is not as serious as a false acceptance because it does not jeopardize confidentiality or integrity, but it is still a serious error because it jeopardizes the availability of resources. The frequency of these errors is measured by the false rejection rate (FRR).

Answer 85

s, administrators should perform regular user account reviews in cooperation with managers from around the organization. During each of these manual reviews, the administrators should pull a listing of all the permissions assigned to each account and then review that listing with managers to ensure that it is appropriate for the user's role, making any necessary adjustments. Administrators should pay careful attention to users who switched jobs since the last account review.

Answer 86

Logons from strange geographic locations such as a user connecting from both the home office and a remote location in Eastern Europe at the same time; cases like this are known as impossible travel time logins and should be treated as risky logins. Logins from unusual network locations, such as a user who always logs in from the HR network suddenly appearing on a guest network. Logons at unusual times of day, such as a mail clerk logging into the system in the middle of the night. Deviations from normal behavior, such as users accessing files that they do not normally access. High volumes of activity that may represent bulk downloading of sensitive information. The specific circumstances that merit attention will vary from organization to organization, but performing this type of behavior-based continuous account monitoring is an important security control.

Answer 87

The role ofAntimalware software protects endpoint devices from many different threats. Antimalware software uses signature detection and heuristic detection to prevent malware infections. Endpoint detection and response (EDR) platforms manage the detection, containment, investigation, and remediation of endpoint security incidents. Data loss prevention (DLP) systems prevent the unauthorized exfiltration of sensitive data. Change and configuration management systems maintain secure system configurations, whereas patch management ensures that security updates are consistently applied. System hardening techniques close holes that might be exploited by an attacker.

Answer 88

Routers and switches must be protected against unauthorized physical access to avoid compromise. Switch security techniques include VLAN pruning, the prevention of VLAN hopping, and port security. Router security techniques include the use of access control lists to filter traffic and quality of service controls to prioritize important network use.

Answer 89

Software should be created using a standardized software development lifecycle that moves software through development, test, staging, and production environments. Developers should understand the issues associated with code reuse and software diversity. Web applications should be developed in alignment with industry-standard principles such as those developed by the Open Web Application Security Project (OWASP).

Answer 90

The four goals of cryptography are confidentiality, integrity, authentication, and nonrepudiation. Confidentiality is the use of encryption to protect sensitive information from prying eyes. Integrity is the use of cryptography to ensure that data is not maliciously or unintentionally altered. Authentication refers to the uses of encryption to validate the identity of individuals. Nonrepudiation ensures that individuals can prove to a third party that a message came from its purported sender.

Answer 91

Digital certificates provide a trusted mechanism for sharing public keys with other individuals. Users and organizations obtain digital certificates from certificate authorities (CAs), who demonstrate their trust in the certificate by applying their digital signature. Recipients of the digital certificate can rely on the public key it contains if they trust the issuing CA and verify the CA's digital signature.

Answer 92

Hashing is a one-way encryption process that converts a password or other data into a fixed-size alphanumeric string, called a hash. Key stretching is a technique that makes it more difficult for attackers to crack passwords or other secrets by repeatedly hashing the secret with a salt. In simpler terms, hashing is a one-way function that converts an input into a fixed-size output, while key stretching is a technique that makes it computationally expensive to crack a secret. Hashing is a one-way encryption process that converts data into a fixed-size hash value. Key stretching is a technique that makes it more difficult to crack secrets by repeatedly hashing them with a salt. Key stretching is often used in conjunction with hashing to improve the security of passwords and other secrets The process that takes a relatively insecure value, such as a password, and manipulates it in a way that makes it stronger and more resilient to threats is called password hashing. Password hashing is a one-way encryption process that converts a password into a fixed-size alphanumeric string, called a hash. The hash is stored in a database and used to verify the user's password when they log in. When a user logs in, they enter their password into the system. The system then generates a hash of the password and compares it to the hash that is stored in the database. If the two hashes match, the user is authenticated and granted access to the system. Password hashing is a more secure way to store passwords than storing them in plain text. If an attacker gains access to a database of passwords stored in plain text, they will be able to log in to all of the accounts associated with those passwords. However, if the passwords are stored in hashed form, the attacker will not be able to log in to any of the accounts, even if they have access to the database. There are a number of different password hashing algorithms available, such as bcrypt, scrypt, and Argon2. These algorithms are designed to be resistant to brute-force attacks and other common password cracking techniques. Organizations should use a strong password hashing algorithm to protect their users' passwords. They should also encourage users to create strong passwords and to use multi-factor authentication (MFA) whenever possible. Here are some tips for creating strong passwords: Use a mix of upper and lowercase letters, numbers, and symbols. Make your password at least 12 characters long. Avoid using common words or phrases in your password. Do not reuse passwords for different accounts. By following these tips, you can create strong passwords that will help to protect your accounts from being compromised.

Answer 93

The entity that verifies the identity of individuals and organizations and then issues those individuals and organizations digital certificates, vouching for the public key associated with the entity to which they belong, is called a certificate authority (CA). CAs play an important role in public key infrastructure (PKI), which is a set of standards and practices that enable secure communication over the internet. PKIs rely on digital certificates to bind a public key to the identity of its owner. This allows users to verify the authenticity of the other party in a secure communication session. To obtain a digital certificate, an individual or organization must first submit a request to a CA. The CA will then verify the identity of the requester and issue a certificate if the verification is successful. The certificate will contain the requester's public key and other information about the requester, such as their name and organization. Once a digital certificate is issued, it can be used to verify the identity of the certificate holder in a variety of applications, such as secure web browsing, email encryption, and code signing. Here are some examples of well-known CAs: Let's Encrypt DigiCert GlobalSign GoDaddy Entrust CAs play an important role in ensuring the security of the internet. By verifying the identities of individuals and organizations and issuing digital certificates, CAs help to enable secure communication and transactions.

Answer 94

* Ephemeral session keys in TLS are symmetric keys that are generated and used for a single TLS session only. They are also known as one-time keys. Ephemeral session keys are generated using a technique called Diffie-Hellman key exchange, which allows two parties to establish a shared secret key over an insecure channel. * * The use of ephemeral session keys is one of the things that makes TLS so secure. By using ephemeral session keys, TLS is able to protect the data that is exchanged between a client and a server from a variety of attacks, including: * * Man-in-the-middle attacks: In a man-in-the-middle attack, an attacker intercepts the communication between two parties and impersonates one of the parties. The use of ephemeral session keys makes it very difficult for an attacker to carry out a man-in-the-middle attack, as the attacker would need to be able to generate the ephemeral session key for the TLS session in order to decrypt the data. * * Replay attacks: In a replay attack, an attacker intercepts a message and then replays it to the receiver at a later time. The use of ephemeral session keys makes it very difficult for an attacker to carry out a replay attack, as the ephemeral session key for the TLS session will have changed by the time the attacker replays the message. * Ephemeral session keys are typically generated at the beginning of a TLS session and are destroyed at the end of the session. This ensures that the ephemeral session key cannot be reused by an attacker to decrypt data from other sessions. Overall, the use of ephemeral session keys is a good practice that can help to improve the security of TLS connections.

Answer 95

V Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a computer network. It is the successor to Secure Sockets Layer (SSL) and is the most widely used cryptographic protocol on the internet. TLS works by encrypting the data that is exchanged between a client and a server. This ensures that the data is protected from eavesdropping and tampering. TLS also uses digital certificates to authenticate the client and server to each other. This helps to prevent man-in-the-middle attacks. A TLS handshake is the process that is used to establish a secure connection between a client and a server. The TLS handshake involves the following steps: The client sends a hello message to the server. This message contains the client's supported protocol versions and cipher suites. The server sends a hello message to the client. This message contains the server's supported protocol versions and cipher suites. The client and server agree on a protocol version and cipher suite. The server sends its digital certificate to the client. The client verifies the server's digital certificate. The client and server generate a session key. This key is used to encrypt and decrypt the data that is exchanged during the TLS session. Once the TLS handshake is complete, the client and server can begin exchanging data securely. The data is encrypted using the session key that was generated during the handshake. TLS is used in a wide variety of applications, including: Secure web browsing (HTTPS) Email encryption (S/MIME) File transfer (FTPS) Voice over IP (VoIP) Virtual private networks (VPNs) TLS is a very important security protocol that helps to protect the data that is exchanged over the internet. By using TLS, users can be confident that their data is protected from eavesdropping and tampering. Here are some of the benefits of using TLS: Improved security: TLS encrypts the data that is exchanged between a client and a server, which protects it from eavesdropping and tampering. Reduced risk of data breaches: If an attacker is able to compromise a TLS connection, they will only be able to decrypt the data from that connection. Improved compliance: Many regulations require organizations to use TLS to protect sensitive data. Overall, TLS is a very important security protocol that can help to improve the security of online communications.

Answer 96

Here are some examples: Network layer Implement a firewall to control traffic entering and leaving the network. Use intrusion detection and prevention systems to detect and block malicious traffic. Segment the network into different zones to limit the damage that an attacker can do if they breach one zone. Use strong passwords and multi-factor authentication for all network devices. Keep network devices up to date with the latest security patches. Operating system layer Keep the operating system up to date with the latest security patches. Disable unnecessary services and features. Use strong passwords and multi-factor authentication for all user accounts. Implement least privilege access, so that users only have the permissions they need to do their jobs. Use security software, such as antivirus and antimalware software, to protect the system from malware. Application layer Keep applications up to date with the latest security patches. Use strong passwords and multi-factor authentication for all user accounts. Implement least privilege access, so that users only have the permissions they need to use the application. Use security software, such as a web application firewall (WAF), to protect the application from web-based attacks. Device layer Use strong passwords and multi-factor authentication for all devices. Keep devices up to date with the latest security patches. Encrypt devices at rest and in transit. Use mobile device management (MDM) software to manage mobile devices and enforce security policies. In addition to these general tips, there are also specific security hardening measures that can be taken for different types of devices, such as servers, workstations, laptops, and mobile devices. For example, servers should be hardened to protect against common server attacks, such as SQL injection and cross-site scripting. Workstations should be hardened to protect against common workstation attacks, such as phishing and malware. Laptops and mobile devices should be hardened to protect against the unique security risks that they face, such as loss or theft. By following these tips, organizations can harden their devices and reduce the risk of security breaches. Here are some additional tips for securely hardening devices: Use a password manager to create and store strong, unique passwords for all of your devices and accounts. Be careful about what apps you install on your devices. Only install apps from trusted sources. Keep your devices physically secure. Lock your devices when you're not using them and don't leave them unattended in public places. Be aware of the latest security threats and scams. Stay informed about the latest security news and updates from your device manufacturers and security software providers. By following these tips, you can help to keep your devices and data safe.

Answer 97

Here is a rewritten version of my previous response to include MAC security, VLAN pruning, and VLAN hopping: VLANs can be used to segment a network into multiple logical subnetworks. This can help to improve performance, security, and manageability. MAC security can be used to prevent unauthorized devices from accessing a VLAN. This can be done by configuring the switch to only allow devices with registered MAC addresses to access the VLAN. VLAN pruning can be used to remove unused VLANs from switches. This can help to improve performance and security. VLAN hopping is a type of attack where an attacker tricks a switch into thinking that they are authorized to access a VLAN. This can be done by spoofing the MAC address of a device that is authorized to access the VLAN. To harden data switches with VLANs, organizations can: Use VLANs to segment the network. This will help to limit the damage that an attacker can do if they breach one VLAN. Configure VLANs so that they are only accessible to authorized devices. This can be done by using access control lists (ACLs) or other security features. Use VLAN trunking protocol (VTP) to manage VLANs across multiple switches. This can help to ensure that VLANs are configured consistently across the network. Use private VLANs to isolate sensitive traffic from other traffic on the network. This can help to protect sensitive data from being accessed by unauthorized users. Use VLAN tagging to identify traffic from different VLANs. This can help to troubleshoot network problems and improve security. Use MAC security to prevent unauthorized devices from accessing VLANs. Use VLAN pruning to remove unused VLANs from switches. Implement security measures to prevent VLAN hopping, such as using strong passwords for switch management interfaces, keeping switch firmware up to date, disabling unused ports on switches, configuring switches to log all events, and monitoring switch logs for suspicious activity. By following these tips, organizations can harden their data switches with VLANs and reduce the risk of security breaches.

Answer 98

The security control implemented by routers to limit the traffic that may enter or leave a network is called access control lists (ACLs). ACLs are lists of rules that define which traffic is allowed to pass through a router and which traffic is denied. ACLs can be applied to incoming or outgoing traffic, or to both. ACLs can be used to filter traffic based on a variety of criteria, such as source and destination IP addresses, ports, and protocols. For example, an organization could use an ACL to block all incoming traffic from a specific IP address, or to allow only HTTP traffic to pass through the router. ACLs are a powerful tool for controlling traffic flow and improving network security. By carefully configuring ACLs, organizations can protect their networks from unauthorized access and malicious attacks. Here are some of the benefits of using ACLs: Improved security: ACLs can help to protect networks from unauthorized access and malicious attacks. Reduced network load: ACLs can be used to block unnecessary traffic, which can improve network performance. Compliance: Many regulations require organizations to implement ACLs to protect sensitive data. Overall, ACLs are a valuable security control that can help organizations to improve the security of their networks.

Answer 99

Posture checking on a network port is the process of verifying that the device connected to the port is in a secure state. This can involve checking the device's operating system, security patches, and firewall configuration. Posture checking can be used to prevent unauthorized devices from accessing the network, and to ensure that all devices connected to the network are meeting the organization's security policies. There are a number of different ways to implement posture checking on network ports. One common approach is to use a network access control (NAC) solution. NAC solutions can automatically detect and identify devices connected to the network, and then verify that the devices meet the organization's security policies. Another approach to posture checking is to use a security information and event management (SIEM) solution. SIEM solutions can collect and analyze logs from network devices and other security devices, and can be used to identify devices that are not meeting the organization's security policies. Posture checking is an important part of network security. By verifying that the devices connected to the network are in a secure state, organizations can help to protect their networks from unauthorized access and malicious attacks. Here are some of the benefits of using posture checking on network ports: Improved security: Posture checking can help to prevent unauthorized devices from accessing the network, and to ensure that all devices connected to the network are meeting the organization's security policies. Reduced risk of data breaches: By verifying that all devices connected to the network are secure, organizations can help to reduce the risk of data breaches. Compliance: Many regulations require organizations to implement posture checking on network ports to protect sensitive data. Overall, posture checking on network ports is a valuable security control that can help organizations to improve the security of their networks.

Answer 100

There are two main types of VPNs: remote access VPNs and site-to-site VPNs. Remote access VPNs allow users to connect to a private network over a public network, such as the internet. This type of VPN is commonly used by employees to connect to their company's network from home. Site-to-site VPNs connect two or more private networks over a public network. This type of VPN is commonly used by businesses to connect their offices to each other. Both types of VPNs use encryption to protect the data that is transmitted over the public network. This ensures that the data cannot be intercepted or read by unauthorized individuals. Here is a table that summarizes the key differences between remote access VPNs and site-to-site VPNs: Feature Remote access VPN Site-to-site VPN Purpose Connect users to a private network over a public network Connect two or more private networks over a public network Common users Employees working from home Businesses connecting their offices Example An employee connecting to their company's network from home Two businesses connecting their offices to each other Which type of VPN is right for you will depend on your specific needs. If you need to connect to a private network from home, then a remote access VPN is the right choice for you. If you need to connect two or more private networks, then a site-to-site VPN is the right choice for you. In addition to remote access VPNs and site-to-site VPNs, there are also other types of VPNs, such as extranet VPNs and mobile VPNs. Extranet VPNs are used to connect businesses to their partners and suppliers. Mobile VPNs are used to connect mobile devices to a VPN. No matter what type of VPN you need, there is a VPN solution available that is right for you.

Answer 101

SSL VPNs: SSL VPNs use the Secure Sockets Layer (SSL) protocol to encrypt traffic between the client device and the VPN server. SSL VPNs are easy to set up and use, and they can be used with a variety of devices, including computers, smartphones, and tablets. IPsec VPNs: IPsec VPNs use the Internet Protocol Security (IPsec) protocol to encrypt traffic between the client device and the VPN server. IPsec VPNs are more secure than SSL VPNs, but they are also more complex to set up and use. The best type of remote access VPN for you will depend on your specific needs. If you need a VPN that is easy to set up and use, then an SSL VPN is a good choice. If you need a VPN that is highly secure, then an IPsec VPN is a better choice. Here is a table that summarizes the key differences between SSL VPNs and IPsec VPNs: Feature SSL VPN IPsec VPN Encryption protocol SSL IPsec Setup and use Easy Complex Security Good High Common users Employees working from home, students accessing school resources Businesses connecting their employees on the road, organizations protecting sensitive data Here are some additional factors to consider when choosing a remote access VPN: Price: VPNs can range in price from free to hundreds of dollars per year. Choose a VPN that fits your budget and needs. Features: VPNs offer a variety of features, such as kill switches, split tunneling, and ad blocking. Choose a VPN that has the features that are important to you. Compatibility: Make sure that the VPN you choose is compatible with your devices and operating system. Support: Choose a VPN that offers good customer support. By considering these factors, you can choose the best remote access VPN for your needs.

Answer 102

Split tunneling is a VPN feature that allows you to choose which traffic is routed through the VPN tunnel and which traffic is not. This can be useful if you need to access local network resources or if you want to improve the performance of certain applications. Full tunnel VPNs route all traffic through the VPN tunnel. This provides the highest level of security, but it can also impact performance. Here is a table that summarizes the key differences between split tunneling and full tunnel VPNs: Feature Split tunneling Full tunnel Route traffic Some traffic is routed through the VPN tunnel, some traffic is not All traffic is routed through the VPN tunnel Security Less secure More secure Performance Better Worse Which type of VPN is right for you will depend on your specific needs. If you need the highest level of security, then a full tunnel VPN is the right choice for you. If you need to access local network resources or if you want to improve the performance of certain applications, then a split tunneling VPN is the right choice for you. Here are some examples of when you might want to use split tunneling: You need to access a local network resource, such as a printer or a file server. You want to improve the performance of a video streaming application. You want to use a different DNS server than the one provided by your VPN provider. Here are some examples of when you might want to use a full tunnel VPN: You are using a public Wi-Fi network. You are working with sensitive data. You are traveling to a country with strict internet censorship laws. No matter which type of VPN you choose, it is important to use a strong password and to keep your VPN software up to date.

Answer 103

In-band and out-of-band intrusion detection systems (IDS) Intrusion detection systems (IDS) are used to monitor networks for malicious activity. IDS can be deployed in two ways: in-band and out-of-band. In-band IDS are deployed inline with the network traffic, meaning that all traffic must pass through the IDS sensor in order to reach its destination. This is the most effective way to deploy IDS, but it can also impact network performance. Out-of-band IDS are not deployed inline with the network traffic. Instead, they monitor the network traffic by mirroring a copy of the traffic to the IDS sensor. This has less of an impact on network performance, but it is not as effective as in-band IDS. Which type of IDS is right for you? The best type of IDS for you will depend on your specific needs and resources. If you need the highest level of security, then in-band IDS is the right choice. However, if you are concerned about network performance, then out-of-band IDS may be a better option. Here is a table that summarizes the key differences between in-band and out-of-band IDS: Feature In-band IDS Out-of-band IDS Deployment Inline with the network traffic Not inline with the network traffic Impact on network performance High Low Effectiveness High Low Examples of in-band IDS Network firewalls Intrusion prevention systems (IPS) Security information and event management (SIEM) systems Examples of out-of-band IDS Network taps Network sniffers Dedicated IDS sensors Conclusion Both in-band and out-of-band IDS have their advantages and disadvantages. The best type of IDS for you will depend on your specific needs and resources. If you are unsure which type of IDS is right for you, it is a good idea to consult with a security expert.

Answer 104

A digital certificate is an electronic document that binds a public key to an identity, such as the name of a person, organization, or website. Digital certificates are used to secure online communications and transactions. Digital certificates are issued by certificate authorities (CAs), which are trusted third parties that verify the identities of certificate holders. CAs use a variety of methods to verify identities, such as checking government-issued IDs or business records. Once a CA has verified the identity of a certificate holder, they will issue a digital certificate. The digital certificate contains the following information: The public key of the certificate holder The identity of the certificate holder The name of the CA that issued the certificate The expiration date of the certificate Digital certificates are used in a variety of different ways, including: Secure Socket Layer (SSL)/Transport Layer Security (TLS): SSL/TLS is a protocol that encrypts traffic between web browsers and web servers. Digital certificates are used to authenticate the identity of the web server, which helps to protect users from phishing attacks. Email signing: Digital certificates can be used to sign emails, which allows the recipient to verify the identity of the sender. This can help to prevent email fraud and phishing attacks. Code signing: Digital certificates can be used to sign code, such as software applications or operating system updates. This allows users to verify that the code has not been tampered with. Digital certificates are an important part of online security. They help to protect users from phishing attacks, email fraud, and malware infections. Here are some of the benefits of using digital certificates: Security: Digital certificates provide a high level of security for online communications and transactions. Authentication: Digital certificates can be used to authenticate the identity of individuals, organizations, and websites. Trust: Digital certificates are issued by trusted third parties, which helps to build trust between users and websites. Compliance: Many industries and regulations require the use of digital certificates. If you are concerned about your online security, then you should use digital certificates whenever possible.

Answer 105

A digital certificate can have one of the following statuses: Valid: The certificate is valid and can be used to secure communications and transactions. Expired: The certificate has expired and can no longer be used. Revoked: The certificate has been revoked by the CA and can no longer be used. Unknown: The CA cannot verify the status of the certificate. The status of a digital certificate can be checked using a variety of methods, including: Certificate revocation lists (CRLs): CRLs are lists of certificates that have been revoked by the CA. Online certificate status protocol (OCSP): OCSP is a protocol that allows users to check the status of a certificate in real time. Certificate transparency (CT): CT is a public record of all certificates that have been issued by CAs. It is important to note that the status of a digital certificate can change at any time. For example, a certificate may be revoked if the CA discovers that the certificate holder has provided false information or has violated the CA's terms of service. Here are some examples of situations where a digital certificate might be revoked: The private key associated with the certificate has been compromised. The certificate holder has violated the CA's terms of service. The certificate holder has ceased to exist. The certificate has been issued in error. It is important to check the status of a digital certificate before using it to secure communications or transactions. If a certificate is expired, revoked, or unknown, then it should not be used. Here are some tips for managing digital certificates: Keep track of the expiration dates of your digital certificates. Revoke any certificates that are no longer needed. Monitor your digital certificates for signs of compromise. Use a trusted certificate authority to issue your digital certificates. By following these tips, you can help to ensure that your digital certificates are always valid and secure.

Answer 106

OSCP stands for Online Certificate Status Protocol. It is a protocol that allows users to check the status of a digital certificate in real time. This is in contrast to Certificate Revocation Lists (CRLs), which are lists of revoked certificates that are published periodically by certificate authorities (CAs). OCSP is a more efficient and up-to-date way to check the status of a digital certificate. CRLs can be large and can take some time to be updated. OCSP, on the other hand, allows users to check the status of a certificate at the time it is used. OCSP works by sending a request to the CA that issued the certificate. The CA then responds with the status of the certificate. The status can be one of the following: Valid: The certificate is valid and can be used to secure communications and transactions. Revoked: The certificate has been revoked by the CA and can no longer be used. Unknown: The CA cannot verify the status of the certificate. OCSP is supported by most major browsers and web servers. It is also supported by many other applications, such as email clients and file transfer programs. Here are some of the benefits of using OSCP: Real-time status checking: OSCP allows users to check the status of a digital certificate in real time. This is in contrast to CRLs, which are published periodically and may not be up-to-date. Reduced bandwidth usage: OSCP requests are much smaller than CRLs. This can help to reduce bandwidth usage and improve performance. Improved security: OSCP can help to improve security by preventing users from using revoked certificates. If you are concerned about the security of your online communications and transactions, then you should use OSCP to check the status of digital certificates.

Answer 107

Here is a list of all the different types of software code reviews: Code reviews: Code reviews are the most common type of software inspection. In a code review, a group of developers review the code of another developer. This can be done informally, with developers sitting around a table and reviewing the code together, or it can be done more formally, with developers submitting their code to a review tool. Static code analysis: Static code analysis is an automated process that analyzes software code for potential defects. Static code analysis tools can identify a wide variety of defects, including syntax errors, security vulnerabilities, and potential performance problems. Dynamic code analysis: Dynamic code analysis is an automated process that analyzes software code while it is running. Dynamic code analysis tools can identify defects that static code analysis tools cannot, such as concurrency errors and race conditions. Pair programming: Pair programming is a software development practice in which two developers work together on the same piece of code. Pairing can help to reduce errors and improve the quality of the code. Test-driven development (TDD): TDD is a software development process in which developers write tests for a piece of code before they write the code itself. This helps to ensure that the code meets the requirements and that it works as expected. Fagan reviews: Fagan reviews are a type of software inspection that was developed by Michael Fagan in the 1970s. Fagan reviews are a structured and rigorous inspection process that involves a team of reviewers examining the code of a developer. User acceptance testing (UAT): UAT is a type of testing that is performed by users of the software to ensure that it meets their needs and expectations. UAT is typically performed at the end of the software development process, before the software is released to production. Beta testing: Beta testing is a type of testing that is performed by a small group of users before the software is released to the general public. Beta testing can help to identify any bugs or usability issues with the software. Community reviews: Many software products have online communities where users can share feedback and reviews. These reviews can be a valuable source of information for potential users of the software. Expert reviews: Software experts often publish reviews of new software products. These reviews can provide a more in-depth analysis of the software's features and functionality. In addition to these specific types of code reviews, there are a number of other ways to get reviews for software. For example, you can ask friends, colleagues, or mentors for feedback on your code. You can also submit your code to open source projects for review. No matter how you choose to get reviews for your code, it is important to remember that feedback is a gift. By taking the time to get reviews from others, you can improve the quality of your code and become a better developer.

Answer 108

what is it change management Change management is the process of guiding people and organizations through change. It is a systematic approach to helping people understand, accept, and embrace change. Change management can be applied to any type of change, big or small, from implementing a new software system to merging two companies. The goal of change management is to minimize disruption and maximize the chances of success for the change. Change management practitioners use a variety of tools and techniques to help people through the change process, including communication, training, and support. Change management is important because change is inevitable. The world is constantly changing, and organizations need to be able to adapt to change in order to survive and thrive. Change management can help organizations to: Reduce the risk of change failure Increase the adoption rate of new changes Improve employee morale and productivity Mitigate the negative impacts of change Accelerate the benefits of change There are many different change management models, but they all share some common elements, such as: Assessment: The first step in change management is to assess the current situation and to identify the desired state. This includes identifying the stakeholders, the drivers for change, and the potential impacts of change. Planning: Once the current situation and desired state have been assessed, a change plan can be developed. The change plan should outline the steps that will be taken to achieve the desired state, as well as the resources and timelines needed. Implementation: The change plan is then implemented. This involves communicating the change to stakeholders, providing training and support, and monitoring the progress of the change. Evaluation: Once the change has been implemented, it is important to evaluate its success. This involves assessing whether the desired state has been achieved and identifying any areas for improvement. Change management is a complex process, but it is essential for any organization that wants to be successful in the ever-changing world. Here are some tips for implementing effective change management: Communicate early and often: Keep stakeholders informed about the change from the beginning. Explain the reasons for the change, the benefits of the change, and how the change will impact them. Involve stakeholders in the change process: Get feedback from stakeholders on the change plan and make changes as needed. This will help to ensure that the change is supported by the people who are most affected by it. Provide training and support: Make sure that stakeholders have the skills and knowledge they need to adapt to the change. Provide training on new systems and processes, and offer support to help people through the change process. Monitor the change and make adjustments as needed: Things don't always go according to plan, so it's important to monitor the change and make adjustments as needed. Be flexible and willing to change the change plan if necessary. By following these tips, you can increase your chances of success in implementing change.

Answer 109

Asset management is the process of acquiring, maintaining, and disposing of assets to maximize their value. Assets can be physical, such as equipment and inventory, or intangible, such as intellectual property and customer relationships. Asset management is important for businesses of all sizes. Effective asset management can help businesses to: Reduce costs Improve efficiency Increase productivity Reduce risk Improve compliance Increase shareholder value There are a number of different asset management strategies that businesses can use. The best strategy for a particular business will depend on its industry, size, and goals. Some common asset management strategies include: Preventive maintenance: This involves regularly inspecting and maintaining assets to prevent problems from occurring. Predictive maintenance: This involves using data and analytics to predict when assets are likely to fail. This allows businesses to schedule maintenance before assets fail, which can save time and money. Risk management: This involves identifying and mitigating risks to assets. Asset disposal: This involves disposing of assets in a way that maximizes their value. Asset management is a complex process, but it is essential for any business that wants to be successful. Effective asset management can help businesses to save money, improve efficiency, and increase shareholder value. Here are some tips for effective asset management: Develop an asset management plan: This plan should identify your business's assets, their value, and the risks associated with them. The plan should also outline your strategies for managing your assets. Track and monitor your assets: Keep track of the condition, location, and value of your assets. This will help you to identify potential problems early on and to make informed decisions about how to manage your assets. Perform regular maintenance: Inspect and maintain your assets on a regular basis to prevent problems from occurring. Upgrade and replace assets as needed: Don't wait until your assets fail to replace them. Upgrade and replace assets as needed to ensure that they are meeting your business's needs. Dispose of assets properly: When you no longer need an asset, dispose of it in a way that maximizes its value. By following these tips, you can develop and implement an effective asset management strategy for your business.

Domain 3: Information Security Program Flashcards

(134 cards)