Final Exam Flashcards

Question

Financial risk

Answer 1

Includes cash flow, capital and budget issues.

Answer 2

affect project schedule or resources.

Answer 3

affect product quality or performance of software.

Answer 4

Includes staffing, inexperience and training problems.

Answer 5

Prevent the exploitation of the system via application of policy, training/education, and technology. Preferably layered security (defense in depth) Counter threats Remove vulnerabilities from assets Limit access to assets Add protective safeguards

Answer 6

Shift risks to other areas or outside entities to handle Can include: Purchasing insurance Outsourcing to other organizations Implementing service contracts with providers Involve Third Parties for risk monitoring and control

Answer 7

Creating plans and preparations to reduce the damage of threat actualization Preparation should include a: Incident Response Plan Disaster Recovery Plan Business Continuity Plan

Answer 8

Properly identifying and acknowledging risks, and choosing to not control them Appropriate when: The cost to protect an asset or assets exceeds the cost to replace it/them When the probability of risk is very low and the asset is of low priority

Answer 9

Removing or discontinuing the information asset from the organization Examples include: Equipment disposal Discontinuing a provided service Firing an employee

Answer 10

Examines the management control over IT and related programs, policies, and processes

Answer 11

Pertains to ensuring that specific guidelines, laws, or requirements have been met

Answer 12

Involves the applications that are strategic to the organization, for example those typically used by finance and operations

Answer 13

Examines the IT infrastructure and data communications

Answer 14

Provide an objective and independent review of an organization’s policies, information systems, and controls.

Answer 15

Provide reasonable assurance that appropriate and effective IT controls are in place.

Answer 16

Provide audit recommendations for both corrective actions and improvement to controls.

Answer 17

Where is the risk? How significant is the risk?

Answer 18

what threats or risks will affect the asset?

Answer 19

what is the likelihood of the threats happening?

Answer 20

what impact or effect would the loss of the asset have on the operation of the organization or its personnel?

Answer 21

Is there a log of all people with passwords (and what type). How secure is this ACL list, and how strong are the passwords currently in use?

Answer 22

Can computers or laptops be picked up and removed from the premises by visitors or even employees?

Answer 23

What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?

Answer 24

Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?

Answer 25

e.g., credit card info. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?

Answer 26

Does the website allow backdoor access into the client database? Can it be hacked?

Answer 27

Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing s? Is there a company policy that outgoing s to clients not have certain types of hyperlinks in them?

Answer 28

Keep the fishing expedition at bay to prevent or avoid an overly broad or invasive search for information, especially in legal or investigative contexts. It implies that someone is trying to gather information without specific evidence or grounds.

Answer 29

Independent assessment of an organization’s internal policies, controls, and activities.

Answer 30

You use an audit to assess the presence and effectiveness of IT controls and to ensure that those controls are compliant with stated policies.

Answer 31

process oriented and focuses on Defect Prevention a set of activities for ensuring quality in the holistic processes by which end results are created Planned system of review, and sometimes audit, procedures conducted by personnel not involved in process execution

Answer 32

end product oriented and focuses on Defect Identification a set of activities for ensuring quality in process, products, or services The activities focus on identifying defects in the end products System of routine, planned technical activities implemented to measure and control the quality as execution occurs.

Answer 33

focus of processes / controls in relation so standards & expectations

Answer 34

Allows for an analytical view on process adherence.

Answer 35

Aides in identifying areas of improvement within programs.

Answer 36

the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.

Answer 37

Five essential cloud characteristics

Answer 38

Three cloud service models

Answer 39

Four cloud deployment models.

Answer 40

Capabilities are available over the network and accessed through standard mechanisms.

Answer 41

Cloud computing gives you the ability to expand and reduce resources according to your specific service requirement.

Answer 42

Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service

Answer 43

A cloud service consumer (CSC) can unilaterally provision computing capabilities, such as server time and network storage, as needed

Answer 44

The provider’s computing resources are pooled to serve multiple customers using a multitenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

Answer 45

To provision processing, storage, networks, and other fundamental computing resources

Answer 46

To deploy customer-created and acquired applications

Answer 47

To use the provider’s applications

Answer 48

– Control / Security – Availability – Speed of Access

Answer 49

– Scalability – Maintenance

Answer 50

– Security – Legal/compliance – Same Policy and Concerns

Answer 51

– Development – Cost

Answer 52

– High performance: – Expanded capacity – Scalability – Security – Low cost

Answer 53

– Complex SLAs – Complex networking

Answer 54

The cloud acts as a big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud

Answer 55

Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity

Answer 56

Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks

Answer 57

Data security and privacy

Answer 58

Resource availability

Answer 59

Monitoring and repairing of services/resources

Answer 60

Fear of loss of control over data Will the sensitive data stored on a cloud remain confidential? Will cloud compromises leak confidential client data Will the cloud provider itself be honest and won’t peek into the data?

Answer 61

How do I know that the cloud provider is doing the computations correctly? How do I ensure that the cloud provider really stored my data without tampering with it?

Answer 62

Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? What happens if cloud provider goes out of business? Would cloud scale well-enough?

Answer 63

Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients

Answer 64

Entity outside the organization now stores and computes data, and so Attackers can now target the communication link between cloud provider and client Cloud provider employees can be phished

Answer 65

Difficult to audit data held outside organization in a cloud Forensics also made difficult since now clients don’t maintain data locally

Answer 66

the cloud provider’s security people are “better” than yours (and leveraged at least as efficiently),

Answer 67

the web-services interfaces don’t introduce too many new vulnerabilities, and

Answer 68

the cloud provider aims at least as high as you do, at security goals,

Answer 69

If an attacker gains access to the credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Using the credentials and passwords for longer time without changing and reusing the same for different accounts makes this type of attack easy.

Answer 70

Following the password rules to create strong passwords Changing the passwords timely Prohibiting the use of passwords on unknown machines and sharing of the passwords with other users Multi Factor Authentication

Answer 71

The security of the cloud services is dependent on how secure is their Application Programming Interface API’s Accidental and malicious attempts must be taken into consideration when designing the APIs Organizations are facing a variety of authenticity, confidentiality, and integrity, issues due to their dependence on a weak set of APIs

Answer 72

Analyze the security model of cloud provider interfaces. Ensure strong authentication and access controls are implemented in concert with encrypted transmission

Answer 73

Distributed Denial of Service (DDoS) Attacks Preventing users from accessing cloud services. Using resource exhaustion attacks or software vulnerability attacks. The cloud becomes irresponsive or legal users will pay more for using more resources

Answer 74

Anomalous Behavior Analysis (ABA) Intrusion Tolerance by using diversity and redundancy

Answer 75

Malicious insider threat is well-known to most organizations. A provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. This kind of situation clearly creates an attractive opportunity for hobbyist hacker.

Answer 76

Human resource required specifications should be part of legal contract. Cloud Service Provider should provide transparently all security and management practices

Answer 77

The registration process for cloud resources has become so easy that anyone with a valid credit card can register and immediately begin using services. Thus, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity Thus PaaS and IaaS providers are suffering from these kind of attacks.

Answer 78

Strict initial registration and validation Enhanced credit card fraud monitoring and coordination Constant monitoring of customer network traffic. Monitoring public blacklists for one’s own network blocks

Answer 79

Organizations moving fast toward the cloud for its cost reductions, operational efficiencies and improved security. However, without a full understanding of the cloud service provider environment and responsibilities, they are increasing their risk.

Answer 80

Organizations need to understand the risk of moving to the cloud. 24/7 Continuous Monitoring, Analysis, and Mitigation

Answer 81

Cloud Service Providers deliver their services in a scalable way by sharing infrastructure. Cloud services depend on utilizing virtualization. Virtualization Hypervisors, like any other software, have flaws that allow attackers with access to the guest operating system to attack the host. This impacts the operations of other cloud customers and allow attackers to gain access to unauthorized data.

Answer 82

Implementing and applying security best practices for both the installation and configuration processes Continuously monitoring for the environment to detect unauthorized activities. Enforcing strict access control and strong authentication for all critical operations. Continuously searching for vulnerabilities and threats

Final Exam Flashcards

(107 cards)