isa\ Flashcards

Question 1

Q

Items of fact collected by an organization. Data includes
raw numbers, facts, and words. Student quiz scores are a simple
example of data.

Question 2

Q

The unauthorized taking of personally
identifiable information with the intent of committing fraud and
abuse of a person’s financial and personal reputation,
purchasing goods and services without authorization, and
generally impersonating the victim for illegal or unethical
purposes

Answer

A

Identity Theft

Question 3

Q

was the first widely recognized
published document to identify the role of management and
policy issues in computer security.

Answer

A

RAND Report R-609

Question 4

Q

The model, which was created by John
McCumber in 1991, provides a graphical representation of the
architectural approach widely used in computer and
information security,

Answer

A

McCumber Cube- T

Question 5

Q

are rules that mandate or prohibit certain behavior and
are enforced by the state.

Question 6

Q

In 1973, An Internet pioneer identified
fundamental problems with ARPANET security.

Answer

A

Robert M. Metcalfe

Question 7

Q

a well-informed sense of assurance that
the Information risk and controls are in balance.

Answer

A

Information Security

Question 8

Q

is a potential weakness in an asset or its
defensive control system(s).

Answer

A

Vulnerability

Question 9

Q

measures that an organization takes to ensure every
employee knows what is acceptable and what is not

Question 10

Q

Reasonable steps taken by people or
organizations to meet the obligations imposed by laws or
regulations.

Answer

A

Due diligence

Question 11

Q

In the context of information security, the right of
individuals or groups to protect themselves and their
information from unauthorized access, providing
confidentiality.

Question 12

Q

The power to make legal decisions and
judgments; typically, an area within which an entity such as a
court or law enforcement agency is empowered to make legal
decisions

Answer

A

Jurisdiction

Question 13

Q

An entity’s legal obligation or responsibility

Answer

A

Liability

Question 14

Q

A legal requirement to make compensation or
payment resulting from a loss or injury

Answer

A

Restitution

Question 15

Q

Attack can be intentional or unintentional act that can damage
or otherwise compromise information and the systems that
support it. Attacks can be active or passive and direct or
indirect

Question 16

Q

The creation, ownership, and
control of original ideas as well as the representation of those
ideas.

Answer

A

Intellectual property (IP)

Question 17

Q

model
of information security evolved from a concept developed by
the computer security industry called the C.I.A. triad.

Answer

A

The Committee on National Security Systems (CNSS)

Question 18

Q

has been the standard for computer security in both
industry and government since the development of the
mainframe.

Answer

A

C.I.A. triad

Question 19

Q

means the need to secure the physical
location of computer technology from outside threats.

Answer

A

Computer Security

Question 20

Q

a collection of related data stored in a structured
form and usually managed by a database management system.

Question 21

Q

During the Cold War, many more mainframe
computers were brought online to accomplish more
complex and sophisticated tasks.

Question 22

Q

These mainframes required a less cumbersome process
of communication than mailing magnetic tapes
between computer centers

Question 23

Q

In response to this need, the Department of Defense’s
Advanced Research Projects Agency (ARPA) began
examining the feasibility of a redundant, networked
communications system to support the military’s
exchange of information.

Question 24

Q

developed the ARPANET
(Advanced Research Projects Agency Network)
project

Answer

A

In 1968, Dr. Larry Roberts

Question 25

Q

an interruption in service, usually
from a service provider, which causes an adverse event within
an organization

Answer

A

Availability Disruption

Question 26

Q

Guidelines that dictate certain behavior within the
organization

Question 27

Q

is a fixed moral attitudes or customs of a
particular group

Answer

A

Cultural Mores

Question 28

Q

The unauthorized duplication, installation,
or distribution of copyrighted computer software, which is a
violation of intellectual property.

Answer

A

Software Piracy

Question 29

Q

A document or part of a
document that specifies the expected level of service from a
service provider. An SLA usually contains provisions for
minimum acceptable availability and penalties or remediation
procedures for downtime.

Answer

A

Service Level Agreement (SLA)

Question 30

Q

The documented product of operational
planning; a plan for the organization’s intended operational
efforts on a day-to-day basis for the next several months.

Answer

A

Operational plan

Question 31

Q

The actions taken by management to
specify the short-term goals and objectives of the organization
in order to obtain specified tactical goals, followed by estimates
and schedules for the allocation of resources necessary to
achieve those goals and objectives

Answer

A

Operational planning

Question 32

Q

The documented product of tactical planning; a
plan for the organization’s intended tactical efforts over the next
few years.

Answer

A

Tactical plan

Question 33

Q

The actions taken by management to
specify the intermediate goals and objectives of the
organization in order to obtain specified strategic goals,
followed by estimates and schedules for the allocation of
resources necessary to achieve those goals and objectives.

Answer

A

Tactical planning

Question 34

Q

Conduct a thorough risk
assessment to identify potential threats and
vulnerabilities associated with the adoption of the new
cloud-based system. This assessment should consider
factors such as data sensitivity, regulatory compliance
requirements, and the potential impact of security
breaches on the organization’s operations and
reputation.

Answer

A

Risk Assessment:

Question 35

Q

Develop a set of
security policies and procedures tailored to the specific
needs of the organization and aligned with industry
best practices. These policies should cover areas such
as data encryption, access controls, authentication
mechanisms, and incident response protocols.

Answer

A

Security Policies and Procedures

Question 36

Q

Implement a range of security
controls to mitigate identified risks and vulnerabilities.
This may include deploying firewalls, intrusion
detection systems, endpoint protection solutions, and
encryption technologies to safeguard data both in
transit and at rest

Answer

A

Security Controls

Question 37

Q

Provide
comprehensive training and awareness programs to
educate employees about security best practices, their
roles and responsibilities in maintaining security, and
the potential consequences of security breaches. This
will help create a security-conscious culture within the
organization

Answer

A

Employee Training and Awareness

Question 38

Q

Establish mechanisms for continuous monitoring of
the security posture of the cloud-based system,
including regular vulnerability assessments,
penetration testing, and log analysis. This will enable
the organization to proactively identify and address
emerging security threats and weaknesses

Answer

A

Continuous Monitoring and Improvement:

Question 39

Q

Ensure that
the security plan is in compliance with relevant
regulatory requirements such as GDPR, CCPA, and
industry standards like ISO 27001. Additionally,
consider legal implications related to data sovereignty,
contractual agreements with cloud service providers,
and liability in the event of security incidents

Answer

A

Compliance and Legal Considerations:

Question 40

Q

Collaborate closely with
stakeholders to identify security requirements early in
the development process. Conduct threat modeling
exercises to anticipate potential security risks and
define security objectives for the project.

Answer

A

Requirements Gathering:

Question 41

Q

Integrate security principles into the
architectural design of the software. Define security
controls, such as authentication mechanisms, access
controls, encryption methods, and secure
communication protocols. Consider security
implications when designing user interfaces and data
flows

Answer

A

Design Phase:

Question 42

Q

Implement secure coding
practices and guidelines to mitigate common
vulnerabilities such as injection attacks, cross-site
scripting (XSS), and insecure deserialization. Use
secure development frameworks and libraries to
reduce the risk of introducing security flaws into the
codebase

Answer

A

Development Phase:

Question 43

Q

Conduct thorough security testing,
including static code analysis, dynamic application
security testing (DAST), and penetration testing.
Identify and remediate security vulnerabilities,
ensuring that the software meets security requirements
and industry standards.

Answer

A

Testing Phase:

Question 44

Q

allows the attacker
to acquire valuable information, such as account
credentials, account numbers, or other critical
data.

Answer

A

Cross-Site Scripting (XSS)

Question 45

Q

caused by a developer’s
failure to ensure that command input is validated
before it is used in the program.

Answer

A

Command Injection-

Question 46

Q

Implement secure deployment
practices, such as using secure configuration settings,
encrypting sensitive data, and regularly patching and
updating software components. Employ secure
deployment pipelines and automate security checks to
ensure consistent and secure deployments.

Answer

A

Deployment Phase:

Question 47

Q

Establish procedures for
monitoring and maintaining the security of the
deployed software. Implement security monitoring
tools to detect and respond to security incidents in realtime. Provide regular security updates and patches to
address newly discovered vulnerabilities

Answer

A

Maintenance Phase:

Question 48

Q

an attacker can make the
target system execute instructions or take
advantage of some other unintended consequence
of the failure

Answer

A

Buffer Overruns-

Question 49

Q

Document securityrelated decisions, configurations, and procedures
throughout the SDLC. Provide training and awareness
programs for developers, testers, and other
stakeholders to promote a security-conscious culture
and ensure adherence to security policies and best
practices.

Answer

A

Documentation and Training:

Question 50

Q

One of the marks of
effective software is the ability to catch and
resolve exceptions—unusual situations that
require special processing. If the program
doesn’t manage exceptions correctly, the
software may not perform as expected

Answer

A

Catching Exceptions

Question 51

Q

Traffic on
a wired network is also vulnerable to interception
in some situations.

Answer

A

Failure to Protect Network Traffic

Question 52

Q

Failure to properly implement sufficiently strong
access controls makes the data vulnerable.

Answer

A

Failure to Store and Protect Data Securely

Question 53

Q

can cause a variety of
unexpected system behaviors.

Answer

A

Failure to Handle Errors

Question 54

Q

An attacker may
embed characters that are meaningful as
formatting directives (such as %x, %d, %p, etc.)
into malicious input.

Answer

A

Format String Problems-

Question 55

Q

If an attacker changes the
expected location of a file by intercepting and
modifying a program code call, the attacker can
force a program to use files other than the ones it
is supposed to use

Answer

A

Improper File Access

Question 56

Q

Those who understand the
workings of such a “random” number generator
can predict particular values at particular times

Answer

A

Failure to Use Cryptographically Strong
Random Numbers

Question 57

Q

While most programmers
assume that using SSL guarantees security, they
often mishandle this technology.

Answer

A

Improper Use of SSL

Question 58

Q

One of the most common
methods of obtaining inside and classified
information is directly or indirectly from one
person, usually an employee

Answer

A

Information Leakage

Question 59

Q

An
integer bug can result when a programmer does
not validate the inputs to a calculation to verify
that the integers are of the expected size

Answer

A

Integer Bugs (Overflows/Underflows)-

Question 60

Q

Developers use a
process known as change control to ensure that
the working system delivered to users represents
the intent of the developers

Answer

A

Neglecting Change Control-

Question 61

Q

Employees prefer doing things
the easy way. When faced with an “official way”
of performing a task and an “unofficial way”—
which is easier—they prefer the latter.

Answer

A

Poor Usability-

Question 62

Q

a failure of a program that
occurs when an unexpected ordering of events in its execution results in a conflict over access to
the same system resource.

Answer

A

Race Conditions

Question 63

Q

occurs when developers fail to
properly validate user input before using it to
query a relational database

Answer

A

SQL Injection-

Question 64

Q

Other
attacks attempt to compromise the DNS servers
further up the DNS distribution mode—those of
ISPs or backbone connectivity providers.

Answer

A

Trusting Network Address Resolution-

Answer 55

A

Unauthenticated Key Exchange-

Answer 56

A

Web Client-Related Vulnerability (XSS)-

Answer 57

A

Web Server-Related Vulnerabilities (XSS, XSRF, and Response Splitting)-

Answer 58

A

Use of Magic URLs and Hidden Forms-

Answer 59

A

Use of Weak Password-Based Systems-

Answer 60

A

Computer Security Act of 1987-

Answer 61

A

USA PATRIOT Act of 2001-

Answer 62

A

Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA)-

Answer 63

A

Federal Information Security Management Act (FISMA)-

Answer 64

A

National Institute of Standards and Technology (NIST)-

Brainscape's Knowledge GenomeTM

isa\ Flashcards

Brainscape's Knowledge Genome^TM