Inf Sec Flashcards

Question

While developing information asset protection policies and awareness what is important?

Answer 1

It is important to identify what information should be and protected and when, and then identify the many forms this information may take over its life cycle.

Answer 2

The first-and second-tier management and because the managers who see employees every day are the ones who will actually be there to notice when people are following security practices and when they are not.

Answer 3

Ultimately the responsibility for protecting information assets rests with the leadership of an organization.

Answer 4

Risk assessment should identify risks, quantify them, and prioritize them according to the organization's criteria for risk acceptance.

Answer 5

The perpetrator come to the attention of management due to inappropriate behaviors before the incident (e.g; tardiness, truancy, arguments with coworkers, or poor job performance)

Answer 6

Elements that create fertile ground for insider espionage due to information revolution, global economic competition, the involvement of new and non-traditional intelligence adversaries, other changes in the domestic and international environment.

Answer 7

Inadvertent threats can be attributed to inadequate employee training, misunderstandings, lack of attention to details, lax security enforcement, pressure to produce a deliverable, insufficient staffing etc

Answer 8

The largest losses basically are from the people in the mirror, people make mistake, and those mistakes are the most likely thing to hurt.

Answer 9

The most frequently overlooked threats are inadvertent threats

Answer 10

To assess intentional threats need to identify 1 - Potential adversaries 2 - Evaluates their capability 3 - Intention to target key information assets.

Answer 11

Types of threats for information assets may include: 1 - Intentional threats 2 - Natural threats 3 - Inadvertent threats

Answer 12

The goal of information security program is to optimize risk, never minimize.

Answer 13

Identifying information assets

Answer 14

Cyber threat is one of the most serious economic and national security.

Answer 15

A person who can control the computer can create two dangers: 1 - A valid administrator could add a backdoor or additional card 2 - The system may be accessible to the internet

Answer 16

When card reader requests an identification number to the card, the card simply supplies without verification of authenticity.

Answer 17

When an outsiders who gain insider privileges in extracting information

Answer 18

Effectively combating cyber-attacks requires: 1 - Increased awareness 2 - New technology 3 - And improved response and recovery capabilities

Answer 19

Hackers make attacks by using worms, viruses, network flooding, no-notice attacks through compromised routers, spyware, insider attacks, data ex-filtration by outsiders who gain insider privileges(phishing), and distributed denial of service attacks are all commonplace

Answer 20

Convergence creates significant additional risk to the organization because the physical security devices are now accessible from anywhere on the network

Answer 21

Security convergence is the integration. in a formal, collaborative, and strategic manner, of the cumulative security resources of the organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings

Answer 22

1- Executive management responsibility 2- Information security policy 3- User awareness training and education 4- Computer and network security 5- Third- party information security assurance 6- Physical and personnel security 7- Periodic risk assessment.

Answer 23

Not compromised-confidentiality; remain unchanged without authorization- integrity; remains available-Availability

Answer 24

Rogueware, or software that pretends to be security software but really compromise a computer, is also on the rise. Cybercriminals are doing this job by getting users to download this malicious software

Answer 25

Malware attack

Answer 26

When someone is able to take advantage of an error committed by the victim and installed malware to take advantage of it

Answer 27

Organized criminal groups pose the greater threat to corporate information systems because this group can organize their funds to conduct their attack

Answer 28

The factors that are promoting cyber-attack are: Cybercriminals do not need to change their malware as quickly but can implement it on more sites; they can use the automated techniques that continually compromise legitimate web sites; moreover, they can change malware code so it is not detected by traditional antivirus system.

Answer 29

Bots (software applications that run automated tasks) under the control of the hackers to bring the site down

Answer 30

Sanitized code used in a penetration test to obtain Social Security Numbers and other sensitive information from a supposedly database

Answer 31

To address the challenges of ISS, security professional must augment their physical security paradigm with a new logical security paradigm

Answer 32

The security professional strives to protect CIA triangle: 1‐ Confidentiality 2‐Integrity 3‐ Availability

Answer 33

Residual Threat Risk for each threat, the remaining potential risk after all ISS counter measures are applied and Residual Risk , the total remaining potential risk after all ISS countermeasures are applied across all threats

Answer 34

Information system threats agents are : 1- Natural 2- People 3- Virtual

Answer 35

A computer program or script illegitimately installed on a workstation, server, router or other information systems device and capable of any or all of the following: 1 -Sending information from the device on which it is installed to the owner of the program (its control), 2- Receiving command and control instructions from its control and adjusting its behavior accordingly, 3- Executing commands on the device on which it is installed

Answer 36

Methods include 1- Direct physical access to the computer (via USB drive or cybercriminal or other perpetrator must other peripheral) 2- Hacking into the computer remotely 3- Placing malware on the computer 4- Phishing 5- Engineering.

Answer 37

1- Vulnerabilities in the information systems infrastructure 2- Vulnerabilities in people using the information systems infrastructure(Users) 3- Vulnerabilities in people maintaining the information systems infrastructure (custodians) 4- Executive and senior management vulnerabilities 5- Vulnerabilities in information systems management processes

Answer 38

It is important to specify the ISS control objectives that those counter measures must meet

Answer 39

Information system countermeasures divided into three broad classifications: 1‐ Administrative control 2‐ Technical controls 3‐ Physical controls

Answer 40

Perhaps most important in information security, as in physical security is to have the buy‐in of executive management in supporting security initiatives

Answer 41

The seven layers of the OSI model are: 1‐ Physical(layer‐1) 2‐ Data link (layer‐2) 3‐ Network(layer‐3) 4‐ Transport(layer‐4) 5‐ Session(layer‐5) 6‐ Presentation(layer‐6) 7‐ Application(layer‐7)

Answer 42

In OSI (open system Interconnect) layer 3, computers that could not immediately see each other could nevertheless still communicate.

Answer 43

The computer device called “router” allows for this communication to happen.

Answer 44

It is a form of attack. In this instance, a malicious user or program can give more information to the computer program that it is expecting. The extra words or characters can produce a buffer overflow state, giving the computer instructions to do something unintended

Answer 45

This process of authentication and authorization is part of what is called the AAA triad. The third part of this triad is auditing/accountability.

Answer 46

Apart from AAA, data confidentiality can be maintained through encryption and system protection

Answer 47

(From any source) Authentication means examining identification of user who seeks to gain access to computer by asking for a user name and password. Authorization means, after identifying a user, the Computer checks a data base to see what type of authorization that particular user has. This process particularly allows the user to avail his/her rights as per the level of access of information predetermined by organization’s policy.

Answer 48

Biometric authentication; second‐factor authentication (one time password); encryption

Answer 49

Because redundancy aids the efforts to ensure data availability and also ensure continuity.

Answer 50

The technology called virtual private network (VPN), can be used which encrypts data from one point to another.

Answer 51

“Escalation of privilege" is basically a specially crafted e-mail based attack which enables the mail system to do something undesirable to the recipient. This type of attack succeed because the email program is tricked into executing the e-mail as if it were a program rather than a simply processing it as text.

Answer 52

In the VOIP system, every phone and every phone and server hosting phone-related information, including voicemail and the actual phone calls in progress, have potential to be compromised as these systems are completely accessible on the framework.

Answer 53

Third-party review is a critical aspect of any information security program. Each organization is responsible for managing its vendors and ensuring that they come up to a specific level

Answer 54

Intrusion detection (IDS) is designed to monitor one's network and attempt and to interpret either via behavior or pattern/signatures whether someone is trying to attack the system. An intrusion prevention system (IPS), which is designed to automatically stop an attack in progress.

Answer 55

The ISO 27001 is an international standard for managing information security. This standard is broken down into 11 domains which are: 1‐Security policy 2‐Organization of information security 3‐Asset management 4‐Human resource security 5‐Physical and environmental security 6‐ Communications and operations management 7‐Access control 8‐Information system acquisition, development and management 9‐Information security incident management 10‐Business continuity management 11‐Compliance.

Answer 56

The center piece of ISO 27001 is its concept of ISMS

Answer 57

Integrity, non‐repudiation and confidentiality

Answer 58

Early detection and prevention of identity theft

Answer 59

Management’s biggest challenges lies not in the writing of specific ISS policies but in the orderly development and implementation of policies

Answer 60

Depends upon people’s behavior

Answer 61

Their current job function and "need-to-know."

Answer 62

Removing data on the media before the media is reused

Answer 63

What a person has/what a person knows/who a person is

Answer 64

HIPS operates on a host system, such as a computer or server

Answer 65

Brute force attack

Answer 66

Trojan horse

Answer 67

Transmission security

Answer 68

Height of the building

Answer 69

Classify it according to its value

Answer 70

The information was patented, trademarked, or copyrighted

Answer 71

Identifying information assets

Answer 72

Identify it and classify it by value.

Answer 73

Communicate IAP issues to all elements of management

Answer 74

Represent the first acknowledged worldwide standards to identify a code of practice for the management of information security.

Answer 75

To ensure that whatever credentials are passed between a workstation and the device, they cannot be easily stolen off the network. Otherwise, the organization may face one of these familiar issues: denial of services, insertion of inaccurate data, data theft, data modification, and data destruction.

Answer 76

Corporate ISS policies should prohibit accessing into network without using second‐factor authentication

Answer 77

In a converged IP‐based across control system is vulnerably to viruses and Trojans because if control system, not placing antivirus or other host protection software on the machine that runs the system could leave it susceptible to compromise or failure.

Answer 78

Upgrading a video camera could cause a broadcast storm on the network due to a bug in the camera, causing not only that video camera but also other systems to stop working.

Answer 79

If power supply is not consistently, which might cause to leave an organization’s video system down during the restart because computer‐based systems make take unexpectedly long to start up and shut down.

Answer 80

When using 3rd party delivery services, ISS professional need to ensure that organization is protected by making sure that provider must adhere to the organization’s policies. Besides, a vetting process can be carried out before allowing access to an organization’s data.

Answer 81

It is critical for the physical security professional to collaborate with the ISS department to ensure that physical security is a good ISS partner and complies with policies and procedures.

Answer 82

The first job of the individual charged with an organization’s ISS is to create ISMS appropriate for the size of the organization

Answer 83

Physical security professionals mitigate risk via policies, references and frameworks. On the other hand, ISS professionals mitigate risk through an information security management system(ISMS).

Answer 84

In case of web attack, when users are accessing the web they can pick up malware simply by going to a compromised web and malware introduction on to the network cannot be blocked by VPN because web attack can defeat every control.

Answer 85

Because it can defeat almost every control

Answer 86

This is because malware has been designed to be primarily silent. The longer the hackers can stay in stealth mode, owning an organization system stealing its information, the more they have time to gain. Etc

Answer 87

An engineer could configure the system incorrectly or make an architectural mistake, such as plugging an internal server into as witch that is accessible via the internet.

Answer 88

Hackers may start by checking a readily accessible website. If, via social engineering they can steal a username and password to gain access, they will. If this is not possible, they might use a brute force password cracker that enables them to try many passwords very quickly.

Answer 89

Someone attacks a system by installing software on it, either with the user’s knowledge (usually hidden in other software or e‐mail)or automatically, without the user’s knowledge

Answer 90

Social engineering is the manipulation of people to get them to do something that weakens the security of the networks

Answer 91

Layer3 or indirect communication is the mechanism that allows for computers to interact across the internet globally. In a converged paradigm, an organizations computers and physical security assets are potentially accessible from across the world‐therefore vulnerable to attacks.

Answer 92

According to the CIA triad

Answer 93

When physical security practitioners put physical security technology onto the network, they open the door to significant network‐based security risk. Some elements of information systems security (ISS) can weaken the physical security. These are: 1‐ denial of service (DOS), 2‐ insertion of inaccurate data, 3‐data theft, 4‐ data modification, 5‐ data destruction

Answer 94

Convergence is the integration, in a formal, collaborative, and strategic manner of the cumulative security resources of the organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.

Answer 95

Anything that has tangible or Intangible value to an enterprise

Answer 96

Assets that do not have a physical presence (Information, Intellectual property, reputation etc..).

Answer 97

Assets that have a physical presence. (Human & Environmental assets).

Answer 98

A property right in an original work of authorship fixed in any tangible medium of expression, giving the holder the exclusive right to reproduce, adapt, distribute, perform, and display the work.

Answer 99

Original works may include things such as Literary, musical, dramatic, choreographic, pictorial, graphic, sculptural, and architectural work; motion pictures and other audio-visual works; and sound & records

Answer 100

Intangible rights protecting the realization of ideas and concepts resulting in commercially valuable products. NOTE: Examples include but are not limited to trademark, copyright, and patent rights, as well as trade secret rights, publicity rights, moral rights, and rights against unfair competition

Answer 101

A system of interrelated computing devices, mechanical, and digital machines provided with unique identifiers (UIDs) with the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Answer 102

A Legal contract that establishes a relationship between two or more parties outlining confidentiality and the responsibility for protecting information

Answer 103

To exclude others from making, using, marketing, selling, offering for sale, or importing an invention for a specified period granted to the inventor if the device or process is novel, useful, and no obvious

Answer 104

Information of value, owned by an entity or entrusted to it, which has not been disclosed publicly

Answer 105

Effect of uncertainty on the achievement of strategic, tactical, and operational objectives

Answer 106

Overall and systematic process for evaluating the effects of uncertainty on achieving an enterprise's objectives_ Risk assessment includes risk identification, risk analysis, and risk evaluation

Answer 107

A technique used to identify the conditions that initiate the occurrence of an undesired activity or state.

Answer 108

Employment of services, equipment, and techniques designed to Locate, identify, and neutralize the effectiveness of technical surveillance activities.

Answer 109

Potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community

Answer 110

All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processed, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (a the owner thereof has taken reasonable measures to keep such information secret; and if) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public

Answer 111

Goals & Objectives

Answer 112

IAP - Information Asset Protection program appropriate to its size & type

Answer 113

Some assets have both tangible and intangible characteristics and may be referred to as "mixed assets

Answer 114

Security Professionals & Asset Owners.

Answer 115

Asset Owners

Answer 116

The Top Management & Other Asset owners

Answer 117

The IAP Lead nominated/Assigned by Top Management

Answer 118

Metrics & Key performance indicators

Answer 119

Policies & Procedures

Answer 120

All individuals working for or on behalf of the organization

Answer 121

Asset Identification followed by asset valuation & prioritization

Answer 122

Importance-criticality-sensitivity

Answer 123

Valuing assets / Assigning Value to assets

Answer 124

Highly restricted is used for information that could allow a competitor to take action that could seriously damage an organization's competitive position in the marketplace, or the disclosure of which could cause significant damage to the organization's financial or competitive position, brand, or reputation.

Answer 125

Restricted is used for information that is organizationally or competitively sensitive or could introduce Legal or employee privacy risks.

Answer 126

His or Her current Role in organization

Answer 127

Security Measure - Legal Protection - Management Practice

Answer 128

Trade Secret

Answer 129

Clearly identified and valuated

Answer 130

A trademark is a name, phrase, sound, or symbol used in association with a product

Answer 131

A service mark is a brand name or logo that identifies the provider of a service. A service mark may consist of a word, phrase, symbol, design, or a combination of these elements

Answer 132

10 years after registration and can be renewed

Answer 133

NDA - Non Disclosure Agreement

Answer 134

An individual's recruitment

Answer 135

During On Boarding

Answer 136

Security awareness & Training

Answer 137

Employees are the eyes & ears of the organization that spot physical and electronic security risks that need to be reported

Answer 138

Information security management system (ISMS)

Answer 139

Risk management approach that is consistent with the IAP strategy

Answer 140

Business needs, regulatory/contractual compliance Requirements, risk profile, internal & external audit findings.

Answer 141

RCA - Root Cause Analysis

Answer 142

Legal and ethical

Answer 143

Open Source Intelligence

Answer 144

Collecting publicly available information and using it for a business purpose

Answer 145

The emergence of remote work models

Answer 146

Proper training

Answer 147

Roles & Need to Know basis

Answer 148

Implementing and test crisis management and business continuity plans

Answer 149

All employees, suppliers, contractors, and agents are responsible for protecting (company/organization) information assets to assure its confidentiality, integrity, and availability

Answer 150

Trusted parties include vendors, supplier, contractors, consultants, interns, and others who are granted access to information assets or facilities.

Answer 151

Organizational roles, responsibilities, and accountabilities

Answer 152

Classification and labelling information; handling protocols to specify use, distribution, storage, security expectations, declassification, return, and destruction/disposal methodology; Training; incident reporting and investigation; audit compliance processes and special needs (disaster recovery).

Answer 153

It is important to understand the IPR climate and the ability of legal safeguards that are applicable in each jurisdiction where there is a necessity to support your business requirements

Answer 154

The owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public

Answer 155

It is important identify what information should be protected and then identify the many forms this information may take over its lifecycle. It is also important to recognize that only a certain segment of the organization's information may warrant protection. Once such information is identified, it should be classified such that the most significant information assets receive the greatest degree of protection. However, some suggested controls might not be applicable, or practical, in every part of every organization.

Answer 156

Sensitivity and criticality

Answer 157

Sensitivity: This information includes that which if disclosed outside of trusted people and processes would likely have a significant impact on the organization's operations and business strategy. Criticality: Critical information is that upon which an organization relies to accomplish its mission and support business decisions.

Answer 158

At the product, technology and transaction specific level.

Answer 159

This step is to identify the information that may need to be labelled and protected.

Answer 160

In order to maintain the necessary level of trust and to meet legal and regulatory requirements.

Answer 161

Security awareness and training.

Answer 162

Through routine business practices that permeate every element of an organization.

Answer 163

Technical means of collecting information by adversaries

Answer 164

Key factors to consider are the amount of information within your company that is considered information and the level of protection that this information should receive.

Answer 165

Compartmentalization is an important measure to counter the internal threat.

Answer 166

The primary objective is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources

Answer 167

By using a point of entry legitimately open for business needs

Answer 168

Encryption should support an information identification, classification and protection structure

Answer 169

Document your identification and valuation of the asset, its role in establishing competitive advantage in your industry, and the full scope of protection measures you have instituted to protect it.

Answer 170

Possible to ensure a common understanding as well as a legal obligation with respect to protecting information assets.

Answer 171

Training, awareness and preparation

Answer 172

Identify “high risk” travellers based on their position, project, access or clearance within the company

Answer 173

Proprietary information

Answer 174

Technical surveillance countermeasures

Answer 175

The organization’s leadership

Answer 176

Intentional, natural and inadvertent threats

Answer 177

Risk assessments should identify risks, quantify them, and prioritize them according to the organization’s criteria for risk acceptance.

Answer 178

The originator of the information

Answer 179

Company personnel or others who have signed a nondisclosure agreement

Answer 180

Defense in Depth

Answer 181

Defense in Depth

Answer 182

Personally Identifiable Information

Answer 183

Copyrights

Answer 184

Trade Secret

Answer 185

Logical network access control

Answer 186

Embedded systems

Answer 187

Information systems threat

Answer 188

Residual risk

Answer 189

Vulnerability in the information systems infrastructure

Answer 190

Detection; recovery; and compliance

Answer 191

Administrative controls

Answer 192

Mark & classify

Answer 193

People’s behavior

Answer 194

A pattern of shared basic assumptions that the group learned to solve its problems

Answer 195

Virtual threat

Answer 196

Damage assessment

Answer 197

ISS countermeasure

Answer 198

Trojan Horse

Answer 199

Management buy-in

Answer 200

Outsiders’ threats

Answer 201

Implement measures to prevent a recurrence of the problem

Answer 202

Residual risk

Answer 203

Infrastructure countermeasures

Answer 204

Administrative Technical Physical

Answer 205

Maintain confidentiality Maintain integrity Maintain availability

Answer 206

Social engineering

Answer 207

Direct attack

Answer 208

Inadvertent threats

Answer 209

Residual threat risk

Answer 210

Virtual threats

Answer 211

Cryptography

Answer 212

ISO 27001 & ISO 27002

Answer 213

Industrial espionage

Answer 214

HIPS is like IDS except it operates on a host system

Answer 215

Trojan Horse

Answer 216

Using corporate resources effectively to protect sensitive information and systems

Answer 217

Having the buy-in of executive management in supporting the security initiatives

Answer 218

Certificate

Answer 219

Protect Compliance Recovery Detection

Answer 220

Non competitive covenant

Answer 221

Trade marks

Answer 222

Policy document for protecting an organization information asset

Answer 223

AAA triad Authentication, Authorization and Accountability /Auditing

Answer 224

Biometrics OTP Encryption

Answer 225

Security measures

Answer 226

ISO 27001/2

Answer 227

ISO 27001/2

Answer 228

Integrity Non-repudiation Confidentiality

Answer 229

The policy document

Answer 230

Continual improvement

Answer 231

People’s behavior

Answer 232

People’s behavior

Answer 233

Organizational culture

Answer 234

Continued fierce global economic competition

Answer 235

Social engineering

Answer 236

Proprietary information

Answer 237

 Identification  Classification  Marking

Answer 238

A pattern of shared basic assumptions that the group learned

Answer 239

Encryption

Answer 240

Trade secret guidelines Acquisition of patent protection Consider using trade commission as venues for resolving patent disputes

Answer 241

ISO/IEC 27001/ISO IEC 27002

Answer 242

Encryption

Answer 243

Industrial espionage

Answer 244

Administrative controls Technical controls Physical controls

Answer 245

Goals Strategy Timeliness

Answer 246

Leadership of an organization

Answer 247

Originator

Answer 248

Signed a non-disclosure agreement

Answer 249

All employees/ members of the extended enterprise

Answer 250

Double seal envelopes, mark inner envelop ‘‘Highly restricted’’ to be opened by addressee only, No security mark on outer envelop

Answer 251

Using corporate resources effectively to protect sensitive information and system

Answer 252

The value of the trade secret to the company

Answer 253

The probability of the incident times its cost

Answer 254

Classifying and controlling sensitive information

Answer 255

Prudently and cost-effectively manage the risk that critical organizational information are exposed against compromise, alteration, unavailability

Answer 256

Users I.D’s/password Allowed roles (rights) Permissions/privileges

Answer 257

Third party review

Answer 258

Encryption

Answer 259

Trade marks

Answer 260

Non-disclosure agreements

Answer 261

Cyber crime

Answer 262

Inadvertent threats.

Answer 263

The internet allows sellers and seekers of information to remain anonymous. Americans are more vulnerable to experiencing serve financial crisis due to aggressive spending habits. Organizational loyalty and obligation is diminishing and employees may be less deterred from theft of information.

Answer 264

Negative work events are a frequent trigger factor insider information theft. Insider information thieves often present performance issues. Three out of ten perpetrators had previous arrest records.

Answer 265

A person to whom sensitive company information is entrusted and who should be bound by the terms of an NDA

Answer 266

Access control to IT system on which trade secrets are stored should be protected according to the AAA triad. The fundamentals of the CIA triad apply to both secrets and other sensitive information. Encryption of trade secrets should be a standard countermeasure...

Answer 267

The levels of trust should increase for those who are given access to successive layers (working from the outside of the layer inwards). Each layer should seek to employ delays, detection and deterrence. A range of complementary security technologies should be employed.

Answer 268

Can be reversed engineered if not destroyed properly.

Answer 269

 Due diligence of potential partners;  Standard pre-employment screening;  Vetting of subcontractors, vendors and consultants

Answer 270

Personally identifiable information

Answer 271

The establishment of partnerships or outsourcing agreements

Answer 272

The trade secret was specifically identified.

Answer 273

The organization’s leadership should show its commitment to IAP by providing appropriate resources and requiring all business units to develop strategies to align business and protection goals,. A dedicated department, group, or individuals should be tasked with policy management and auditing. All business units, personnel, temporary employees, vendors, consultants, contractors, and business partners should be required to adhere to the policy

Answer 274

All employees.

Answer 275

Availability

Answer 276

Appropriately identified and marked.

Answer 277

Digital signature.

Answer 278

Register those rights.

Answer 279

Trademarks.

Answer 280

The security professional needs a practical understanding of the new logical security paradigm.

Answer 281

 There is a worldwide federation between various classes of cybercriminals and malware developers.  Nation states are involved in cybercrime.  Cyber extortion is an example of a significant threat facing some businesses.  There is no cohesive global law enforcement effort to eliminate cybercrime.

Answer 282

Because they can circumvent signature-based controls.

Answer 283

Rouge ware, masquerading as security software, is frequently downloaded by non-savvy IT users and by cybercriminals into compromise information on a target computer or to enroll into a both net.

Answer 284

Legislation and regulation of information holders to protect all; contract and tort law on security information and information assets, recommended security practices of the professional ISS community.

Answer 285

Identification, Authentication, Authorization and Accountability

Answer 286

Convergence.

Answer 287

The use of the internet exposes SCADA system response and recovery capabilities

Answer 288

The creation of a back door or additional cards by administrators; a PC to which the access control server is connected may have been taken over by an adversary.

Answer 289

IP video surveillance is vulnerable to internet-based threats such as unauthorized access, tampering and destruction of recordings.

Answer 290

Protecting against the insider threat, Protecting against unauthorized change, Protecting against unavailability

Answer 291

Information systems vulnerability

Answer 292

Residual risk=(Threats x Vulnerabilities) ÷ Countermeasures

Answer 293

USB peripheral device attachment; hacking; malware, sometimes as a result of visiting a website; phishing; social engineering.

Answer 294

Social engineering.

Answer 295

Encrypt sensitive files.

Answer 296

Administrative controls, Technical controls, Physical controls.

Answer 297

Communication stack

Answer 298

Auditing/accountability.

Answer 299

Escalation of privilege attack.

Answer 300

ISO 27001/2.

Answer 301

 When physical security practitioners put physical security technology into the network, they open the door to significant network-based security task.  When physical security practitioners put physical security technology into the network, cost-effectiveness can be increased.  When physical security practitioners put physical security technology into the networks, greater operational effectiveness and efficiency can be achieved than in stand-alone system.  When physical security practitioners put physical security technology into the network, they increase network-based security risk

Answer 302

Someone convinces a user to share his credentials to get on the network.

Answer 303

Proprietary information.

Answer 304

Trojan horse.

Answer 305

Time bombs and logic bombs.

Answer 306

Virtual private network (VPN)

Answer 307

Pen register

Answer 308

All companies involved in credit card issuance