IS3230 CHAPTER 2 Flashcards Preview

Flashcards in IS3230 CHAPTER 2 Deck (47):
1

The number of times per year we can expect a compromise to occur is called ___.

ANNUAL RATE OF OCCURRENCE (ARO)

2

The total cost per year of the threat under assessment. ALE is calculated by multiplying the SLE by the ARO.

ANNUALIZED LOSS EXPECTANCY (ALE)

3

The relative value, either in monetary terms or in overall impact, of the resource being protected by the access control system is called ___.

ASSET VALUE

4

What it costs an organization to obtain or create an asset originally is called ___.

COST OF ATTAINMENT

5

What an organization would lose if an asset were unavailable. Ex: The organization might lose $50,000 per hour in lost productivity if its internal network went down.

COST OF IMPACT

6

What it would cost an organization to replace an asset if it were stolen or compromised is called ___.

COST OF REPLACEMENT

7

An action taken to counter another action is called ___.

COUNTERMEASURE

8

The approach of using multiple layers of security to protect against a single point of failure is called ___.

DEFENSE-IN-DEPTH STRATEGY

9

The ability of an attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access is called ___.

HEIGHTENED ACCESS

10

A problem-solving system that uses a set of rules to select the best answer available. In virus scanning, ___ refers to an algorithm that uses a set of rules that is constantly revised based on feedback to determine whether a given file contains a virus.

HEURISTICS

11

A combination of hardware and software used to analyze network traffic passing through a single point on the network, designed to analyze traffic patterns to find suspicious activity, is called ___.

INTRUSION DETECTION SYSTEM (IDS)

12

A combination of a firewall and an IDS. An ___ is designed to analyze network traffic patterns and react in real time to block suspicious activity.

INTRUSION PREVENTION SYSTEM

13

A technique used to create secure pathways for data through a public network is called ___.

IP TUNNELING

14

A network connecting computers and other assets in a small, physical location such as an office, home, or school is called ___.

LOCAL AREA NETWORK (LAN)

15

The combination of more than one access control method to secure a single resource is called ___.

MULTILAYERED ACCESS CONTROL

16

Guessing or deciphering passwords is called ___.

PASSWORD CRACKING

17

Creating legitimate-looking Web sites or emails that trick a user into entering sensitive information such as passwords, Social Security numbers, or credit card numbers is called ___.

PHISHING

18

The likelihood that an attack will occur is called ___.

PROBABILITY OF OCCURRENCE

19

A method of risk assessment that assigns a subjective label (usually "high", "medium", or "low") to a risk scenario is called ___.

QUALITATIVE RISK ASSESSMENTS

20

A method of risk assessment that assigns a dollar value to every data point is called ___.

QUANTITATIVE RISK ASSESSMENTS

21

The probability that a particular threat will exploit an IT vulnerability causing harm to an organization is called ___. It is measured in terms of probability and consequence.

RISK

22

The process of identifying and prioritizing risk is called ___.

RISK ASSESSMENT

23

The cost incurred in one loss incident is called ___.

SINGLE LOSS EXPECTANCY (SLE)

24

An ID badge or other card with an embedded RFID chip that stores basic identification and authentication information is called ___.

SMART CARD

25

The use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to an attacker is called ___.

SOCIAL ENGINEERING

26

An attack targeted at specific, usually high-level, individuals within an organization is called ___.

SPEAR PHISHING

27

A potential attack on a system is called a ___.

THREAT

28

A system that uses a public network (usually the Internet) to transmit private data securely. Users on a ___ can exchange data and share resources as if they were directly connected via a LAN.

VIRTUAL PRIVATE NETWORK (VPN)

29

Allows network managers to segment resources into local area networks despite geographical distance. EX: if a work group's office space was reallocated and the individuals in the group were reassigned to new offices spread across the building, a ___ could be created to give them the same resource-sharing abilities they had when their offices were located in a geographically small area.

VIRTUAL LOCAL AREA NETWORK (VLAN)

30

An unintended weakness in a system's design that makes it possible for attackers to take control of a system, access resources to which they are not authorized, or damage the system in some way is called ___.

VULNERABILITY

31

A network that connects several smaller networks. EX: a large corporation with offices in New York, Chicago, and Los Angeles might have a LAN in each local office, and then connect those three LANs via a ___.

WIDE AREA NETWORK (WAN)

32

1. Risk is measured in terms of ___ and impact.

Probability of occurrence

33

2. Risk assessment is the first step in designing any access control system.
TRUE OR FALSE

TRUE

34

3. The two types of risk assessments are qualitative and ___.

Quantitative

35

4. Vulnerabilities and threats are synonymous.
TRUE OR FALSE

FALSE

36

5. A vulnerability is a weakness purposely designed into the system.
TRUE OR FALSE

FALSE

37

6. You should consider probability of occurrence in order to prioritize limited time and resources.
TRUE OR FALSE

FALSE

38

7. What are the three primary threats to any access control system?
1. Password cracking
2. Heightened access
3. Social engineering
4. Forgotten passwords

Password cracking
Heightened access
Social engineering

39

8. A strong password that would take an attacker 10 years to crack in 1990 would take 10 years to crack today.
TRUE OR FALSE

FALSE

40

9. As long as users choose strong, secure passwords, how those passwords are stored is irrelevant.
TRUE OR FALSE

FALSE

41

10. Insecure applications run as the administrative user are the most common heightened access vulnerability.
TRUE OR FALSE

TRUE

42

11. You should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control.
TRUE OR FALSE

TRUE

43

12. You calculate ALE by multiplying SLE by 12.
TRUE OR FALSE

FALSE

44

13. You should install every patch that is released for the applications running in your environment.
TRUE OR FALSE

FALSE

45

14. Calculate the ALE of a threat that can be expected to occur three times per year and will cost the organization $50,000 per incident. ___.

$150,000

46

15. Calculate the ARO of a threat with an SLE of $100,000 and an ALE of $200,000.

Annual Rate of Occurrence (ARO) = 2

47

16. Calculate the SLE of a threat with an ARO of 4 and an ALE of $100,000.

$25,000