isa\

Question 1

Items of fact collected by an organization. Data includes
raw numbers, facts, and words. Student quiz scores are a simple
example of data.

Answer 1

Data

Question 2

The unauthorized taking of personally
identifiable information with the intent of committing fraud and
abuse of a person’s financial and personal reputation,
purchasing goods and services without authorization, and
generally impersonating the victim for illegal or unethical
purposes

Answer 2

Identity Theft

Question 3

was the first widely recognized
published document to identify the role of management and
policy issues in computer security.

Answer 3

RAND Report R-609

Question 4

The model, which was created by John
McCumber in 1991, provides a graphical representation of the
architectural approach widely used in computer and
information security,

Answer 4

McCumber Cube- T

Question 5

are rules that mandate or prohibit certain behavior and
are enforced by the state.

Answer 5

Laws-

Question 6

In 1973, An Internet pioneer identified
fundamental problems with ARPANET security.

Answer 6

Robert M. Metcalfe

Question 7

a well-informed sense of assurance that
the Information risk and controls are in balance.

Answer 7

Information Security

Question 8

is a potential weakness in an asset or its
defensive control system(s).

Answer 8

Vulnerability

Question 9

measures that an organization takes to ensure every
employee knows what is acceptable and what is not

Answer 9

Due care

Question 10

Reasonable steps taken by people or
organizations to meet the obligations imposed by laws or
regulations.

Answer 10

Due diligence

Question 11

In the context of information security, the right of
individuals or groups to protect themselves and their
information from unauthorized access, providing
confidentiality.

Answer 11

Privacy

Question 12

The power to make legal decisions and
judgments; typically, an area within which an entity such as a
court or law enforcement agency is empowered to make legal
decisions

Answer 12

Jurisdiction

Question 13

An entity’s legal obligation or responsibility

Answer 13

Liability

Question 14

A legal requirement to make compensation or
payment resulting from a loss or injury

Answer 14

Restitution

Question 15

Attack can be intentional or unintentional act that can damage
or otherwise compromise information and the systems that
support it. Attacks can be active or passive and direct or
indirect

Answer 15

Attack

Question 16

The creation, ownership, and
control of original ideas as well as the representation of those
ideas.

Answer 16

Intellectual property (IP)

Question 17

model
of information security evolved from a concept developed by
the computer security industry called the C.I.A. triad.

Answer 17

The Committee on National Security Systems (CNSS)

Question 18

has been the standard for computer security in both
industry and government since the development of the
mainframe.

Answer 18

C.I.A. triad

Question 19

means the need to secure the physical
location of computer technology from outside threats.

Answer 19

Computer Security

Question 20

a collection of related data stored in a structured
form and usually managed by a database management system.

Answer 20

Database

Question 21

During the Cold War, many more mainframe
computers were brought online to accomplish more
complex and sophisticated tasks.

Answer 21

1960’s

Question 22

These mainframes required a less cumbersome process
of communication than mailing magnetic tapes
between computer centers

Answer 22

1960’s

Question 23

In response to this need, the Department of Defense’s
Advanced Research Projects Agency (ARPA) began
examining the feasibility of a redundant, networked
communications system to support the military’s
exchange of information.

Answer 23

1960’s

Question 24

developed the ARPANET
(Advanced Research Projects Agency Network)
project

Answer 24

In 1968, Dr. Larry Roberts

Question 25

an interruption in service, usually from a service provider, which causes an adverse event within an organization

Answer 25

Availability Disruption

Question 26

Guidelines that dictate certain behavior within the organization

Answer 26

Policy -

Question 27

is a fixed moral attitudes or customs of a particular group

Answer 27

Cultural Mores

Question 28

The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.

Answer 28

Software Piracy

Question 29

- A document or part of a document that specifies the expected level of service from a service provider. An SLA usually contains provisions for minimum acceptable availability and penalties or remediation procedures for downtime.

Answer 29

Service Level Agreement (SLA)

Question 30

The documented product of operational planning; a plan for the organization’s intended operational efforts on a day-to-day basis for the next several months.

Answer 30

Operational plan

Question 31

The actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives

Answer 31

Operational planning

Question 32

- The documented product of tactical planning; a plan for the organization’s intended tactical efforts over the next few years.

Answer 32

Tactical plan

Question 33

- The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.

Answer 33

Tactical planning

Question 34

Conduct a thorough risk assessment to identify potential threats and vulnerabilities associated with the adoption of the new cloud-based system. This assessment should consider factors such as data sensitivity, regulatory compliance requirements, and the potential impact of security breaches on the organization's operations and reputation.

Answer 34

Risk Assessment:

Question 35

Develop a set of security policies and procedures tailored to the specific needs of the organization and aligned with industry best practices. These policies should cover areas such as data encryption, access controls, authentication mechanisms, and incident response protocols.

Answer 35

Security Policies and Procedures

Question 36

Implement a range of security controls to mitigate identified risks and vulnerabilities. This may include deploying firewalls, intrusion detection systems, endpoint protection solutions, and encryption technologies to safeguard data both in transit and at rest

Answer 36

Security Controls

Question 37

Provide comprehensive training and awareness programs to educate employees about security best practices, their roles and responsibilities in maintaining security, and the potential consequences of security breaches. This will help create a security-conscious culture within the organization

Answer 37

Employee Training and Awareness

Question 38

Establish mechanisms for continuous monitoring of the security posture of the cloud-based system, including regular vulnerability assessments, penetration testing, and log analysis. This will enable the organization to proactively identify and address emerging security threats and weaknesses

Answer 38

Continuous Monitoring and Improvement:

Question 39

Ensure that the security plan is in compliance with relevant regulatory requirements such as GDPR, CCPA, and industry standards like ISO 27001. Additionally, consider legal implications related to data sovereignty, contractual agreements with cloud service providers, and liability in the event of security incidents

Answer 39

Compliance and Legal Considerations:

Question 40

Collaborate closely with stakeholders to identify security requirements early in the development process. Conduct threat modeling exercises to anticipate potential security risks and define security objectives for the project.

Answer 40

Requirements Gathering:

Question 41

Integrate security principles into the architectural design of the software. Define security controls, such as authentication mechanisms, access controls, encryption methods, and secure communication protocols. Consider security implications when designing user interfaces and data flows

Answer 41

Design Phase:

Question 42

Implement secure coding practices and guidelines to mitigate common vulnerabilities such as injection attacks, cross-site scripting (XSS), and insecure deserialization. Use secure development frameworks and libraries to reduce the risk of introducing security flaws into the codebase

Answer 42

Development Phase:

Question 43

Conduct thorough security testing, including static code analysis, dynamic application security testing (DAST), and penetration testing. Identify and remediate security vulnerabilities, ensuring that the software meets security requirements and industry standards.

Answer 43

Testing Phase:

Question 44

allows the attacker to acquire valuable information, such as account credentials, account numbers, or other critical data.

Answer 44

Cross-Site Scripting (XSS)

Question 45

caused by a developer’s failure to ensure that command input is validated before it is used in the program.

Answer 45

Command Injection-

Question 45

Implement secure deployment practices, such as using secure configuration settings, encrypting sensitive data, and regularly patching and updating software components. Employ secure deployment pipelines and automate security checks to ensure consistent and secure deployments.

Answer 45

Deployment Phase:

Question 46

Establish procedures for monitoring and maintaining the security of the deployed software. Implement security monitoring tools to detect and respond to security incidents in realtime. Provide regular security updates and patches to address newly discovered vulnerabilities

Answer 46

Maintenance Phase:

Question 47

an attacker can make the target system execute instructions or take advantage of some other unintended consequence of the failure

Answer 47

Buffer Overruns-

Question 47

Document securityrelated decisions, configurations, and procedures throughout the SDLC. Provide training and awareness programs for developers, testers, and other stakeholders to promote a security-conscious culture and ensure adherence to security policies and best practices.

Answer 47

Documentation and Training:

Question 47

One of the marks of effective software is the ability to catch and resolve exceptions—unusual situations that require special processing. If the program doesn’t manage exceptions correctly, the software may not perform as expected

Answer 47

Catching Exceptions

Question 48

Traffic on a wired network is also vulnerable to interception in some situations.

Answer 48

Failure to Protect Network Traffic

Question 48

Failure to properly implement sufficiently strong access controls makes the data vulnerable.

Answer 48

Failure to Store and Protect Data Securely

Question 49

can cause a variety of unexpected system behaviors.

Answer 49

Failure to Handle Errors

Question 50

An attacker may embed characters that are meaningful as formatting directives (such as %x, %d, %p, etc.) into malicious input.

Answer 50

Format String Problems-

Question 51

If an attacker changes the expected location of a file by intercepting and modifying a program code call, the attacker can force a program to use files other than the ones it is supposed to use

Answer 51

Improper File Access

Question 52

Those who understand the workings of such a “random” number generator can predict particular values at particular times

Answer 52

Failure to Use Cryptographically Strong Random Numbers

Question 53

While most programmers assume that using SSL guarantees security, they often mishandle this technology.

Answer 53

Improper Use of SSL

Question 54

- One of the most common methods of obtaining inside and classified information is directly or indirectly from one person, usually an employee

Answer 54

Information Leakage

Question 55

An integer bug can result when a programmer does not validate the inputs to a calculation to verify that the integers are of the expected size

Answer 55

Integer Bugs (Overflows/Underflows)-

Question 56

Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers

Answer 56

Neglecting Change Control-

Question 57

Employees prefer doing things the easy way. When faced with an “official way” of performing a task and an “unofficial way”— which is easier—they prefer the latter.

Answer 57

Poor Usability-

Question 58

a failure of a program that occurs when an unexpected ordering of events in its execution results in a conflict over access to the same system resource.

Answer 58

Race Conditions

Question 59

occurs when developers fail to properly validate user input before using it to query a relational database

Answer 59

SQL Injection-

Question 60

Other attacks attempt to compromise the DNS servers further up the DNS distribution mode—those of ISPs or backbone connectivity providers.

Answer 60

Trusting Network Address Resolution-

Question 61

an unauthorized person might receive a key that was copied onto a USB device and shipped

Answer 61

Unauthenticated Key Exchange-

Question 62

can cause problems that allow an attacker to send malicious code to the user’s computer by inserting the script into an otherwise normal Web site.

Answer 62

Web Client-Related Vulnerability (XSS)-

Question 62

Cross-site request forgery (XSRF or CSRF) attacks cause users to attack servers they access legitimately, on behalf of an outside attacker.

Answer 62

Web Server-Related Vulnerabilities (XSS, XSRF, and Response Splitting)-

Question 63

an attacker can harvest the information from a magic URL as it travels across the network, or use scripts on the client to modify information in hidden form fields.

Answer 63

Use of Magic URLs and Hidden Forms-

Question 64

Failure to require sufficient password strength and to control incorrect password entry is a serious security issue.

Answer 64

Use of Weak Password-Based Systems-

Question 65

one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Answer 65

Computer Security Act of 1987-

Question 66

which provides law enforcement agencies with broader latitude to combat terrorism related activities.

Answer 66

USA PATRIOT Act of 2001-

Question 67

is the cornerstone of many computer-related federal laws and enforcement efforts.

Answer 67

Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA)-

Question 68

mandates that all federal agencies establish informationsecurityprogramstoprotecttheirinformation assets.

Answer 68

Federal Information Security Management Act (FISMA)-

Question 69

known as the National Bureau of Standards prior to 1988—is responsible for developing these security standards and guidelines in cooperation with the National Security Agency.

Answer 69

National Institute of Standards and Technology (NIST)-