Practice Test 1 Flashcards

(276 cards)

1
Q

Packets with internal source addresses entering the network

A

Packets with internal source addresses should never originate from outside the network; block them

2
Q

Packets with external source addresses leaving the network

A

Packets with external source addresses should never be found on the internal network; block from leaving the network

3
Q

Packets with private IP addresses exiting the network

A

Private IP addresses should never be used on the internet; block from leaving the network

4
Q

Packets with public IP addresses entering the network

A

Packets with public IP addresses will routinely be allowed to enter the network

5
Q

CDN

A

content distribution network: provides reliable, low-latency, geographically distributed content distribution

6
Q

Four functions of a forensic disk controller

A

Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device. Returning data requested by a read operation. Returning access-significant information from the device. Reporting errors from the device back to the forensic host.

7
Q

RAID 1

A

Disk mirroring; requires two physical disks that will contain copies of the same data

8
Q

TGS

A

ticket-granting service; receives and validates a TGT from the client, then issues a ticket and session keys to the client

9
Q

KDC

A

Key distribution center; does not communicate directly with the client as part of Kerberos

10
Q

AS

A

Authentication server forwards the username to the KDC

11
Q

TGT

A

ticket-granting ticket; provided by the client to the TGS for validation; in return, the client receives the user's rights to access the requested service

12
Q

breach of contract by a vendor to protect sensitive data

A

civil investigation; contract dispute.

13
Q

Administrative investigation

A

for internal purposes and not applicable when a third party is being investigated

14
Q

Criminal and regulatory investigation

A

initiated by those with regulatory authority, typically government agencies

15
Q

Wave pattern motion detectors

A

Transmit ultrasonic or microwave signals into the monitored area, watching for changes in the signals returned by objects they bounce off

16
Q

Infrared heat-based detectors

A

Watch for unusual heat patterns

17
Q

Capacitance detectors

A

Work based upon electromagnetic fields

18
Q

Stateful packet inspection firewall

A

Dynamic packet filtering firewalls; track the state of a conversation and allow a response from a remote system based on an internal system being allowed to start the communication

19
Q

Static packet filtering and circuit-level gateways

A

Only filter based on source, destination, and ports

20
Q

Application-level gateway firewalls

A

Proxy traffic for specific applications

21
Q

captive portal

A

provides access control for customers using wifi without provisioning user IDs while also gathering useful contact info

22
Q

Business devices on open (unencrypted) wireless network

A

Wireless routers can provide multiple SSIDs. Separate SSID using WPA3 to create a private, secure network that is firewalled or logically separated

23
Q

Hijacking customer web traffic including usernames and passwords

A

Open networks are unencrypted; traffic easily sniffable

24
Q

Guideline

A

best practices, not mandatory; general, not specific

25
Clipping
analysis technique that only reports alerts after they exceed a set threshold
26
RADIUS
common AAA tech used to provide services for dial-up, wireless networks
27
OAuth
authentication protocol used to allow applications to act on a user's behalf without sharing the password and is used for web applications
28
XTACACS; TACACS+
AAA technology; authentication, authorization, and accounting server for wireless network services using Cisco proprietary protocols
29
Inference
attacker uses several pieces of generic nonsensitive information to determine a specific sensitive value
30
Salami slicing attack
attacker siphons off minute quantities of money many times to accumulate a large amount of funds
31
Data diddling attack
attacker alters the contents of a database
32
Take-Grant protection model
Take rule allows a subject to take the rights belonging to another object
33
Brute-force attack
attack tries every possible password; password attempts change by one letter at each attempt
34
Dictionary attack
Uses dictionary words for the attack
35
Man-in-the-middle or pass-the-hash
attacks would not be visible in an authentication log except as a successful login
36
Isolation
database transactions operate separately from each other
37
Atomicity
ensures that if any part of a database transaction fails, the entire transaction must be rolled back as if it never occurred
38
Consistency
ensures all transactions are consistent with the logical rules of the database, such as having a primary key
39
Durability
requires that once a transaction is committed to the database it must be preserved
40
ACID model
database properties; Atomicity, Isolation, Consistency, Durability
41
Worm
built-in propagation mechanisms that do not require user interaction, scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access
42
Viruses and Trojan horses
Require user interaction to spread
43
Logic bomb
Lie in wait until certain conditions are met, triggering the delivery of their payload
44
HIPAA
Health Insurance Portability and Accountability Act; US law governing the healthcare sector that does provide for criminal penalties
45
FERPA
Family Educational Rights and Privacy Act; US law governing educational records that does not provide for criminal penalties
46
PCI DSS
Payment Card Industry Data Security Standard; industry standard for credit card operations and handling; it is not a law, so violations cannot incur criminal sanctions
47
SOX
Sarbanes-Oxley Act; governs publicly traded corporations and also provides for criminal penalties
48
TCP three-way handshake
1. SYN (synchronize flagged packet) receives a response with a 2. SYN/ACK (synchronize and acknowledge flagged packet) and is acknowledged by the original sender with a 3. ACK (acknowledge packet)
49
RST
Used in TCP to reset a connection
50
PSH
Used to send data immediately
51
FIN
Used to end a connection
52
MDM capabilities
Mobile device management: manage device backups, enforce the use of encryption, and remotely wipe the contents of mobile devices
53
IDaaS
Identity as a service; provides an identity platform as a third party service. Provides integration with cloud services and removes overhead of traditional on-premises identity systems, but creates risk due to third-party control of identity services and reliance on off-site identity infrastructure
54
ISC2 Code of Ethics
Advance and protect the profession (do not publicly share the exam questions); Act honorably, honestly, justly, responsibly, and legally; Protect society; Provide diligent service to principals
55
ALE
annualized loss expectancy; the amount of damage the org expects to occur each year as the result of a given risk
56
Whitelisting
approach to application control; allows users to install only those software packages specifically approved by administrators (tightly controlled)
57
Denial of service
attack that denies legitimate users authorized access to the system through the use of overwhelming traffic
58
Compromise
attack where the attacker attempts to gain access to the system
59
Primary key
unique identifier in a database
60
PII
personally identifiable information; data that can be used to distinguish or trace that person's identity and also includes information like their medical, education, financial, and employment information
61
PHI
personal health information
62
EDI
electronic data interchange
63
Proprietary
data used to maintain an organization's competitive advantage
64
Public IP address
129.53.44.124; valid public IP address and legitimate destination for traffic leaving a network; 10.8.15.9 and 192.168.109.55 are both private IP addresses that should not be routed to the internet
65
Result of increasing length of cryptographic key by 8 bits
Increase size of the keyspace; binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. 2 to the eighth power is 256, so the keyspace will increase by a factor of 256
66
Types of data assets disposed by shredding
Traditional office shredding for paper records and credit cards; Industrial shredders for equipment including removable media and hard drives
67
Risk Mitigation Strategy
Reduces the probability of the risk (encryption reduces probability the data will be successfully stolen)
68
Risk avoidance
Avoid the risk (delete sensitive files and do not store them)
69
Risk transference
Purchase cyber-liability insurance
70
Risk Acceptance
Taking no action on a risk
71
Sampling
Should be done truly randomly to avoid human bias, and on a sample of sufficient size to provide effective coverage of the user base
72
Involuntary termination under adverse circumstances
User is being fired and may have a negative and potentially hostile reaction. Important to terminate access immediately upon the user being informed of the termination. Terminating access prior to notification may tip the user off to the termination in advance. Leaving access privileges available after termination poses a risk of malicious insider activity
73
Application log from an HTTP server
Log file with HTTP requests, evidenced by GET commands
74
CVSS
Common Vulnerability Scoring System; standardized approach to rating the severity of vulnerabilities
75
STRIDE and ATT&CK
models used to classify the nature, not the severity, of threats
76
PASTA
model designed to help with countermeasure selection
77
Social engineering
Exploits humans to allow attacks to succeed; attackers typically target help-desk employees while posing as legitimate employees
78
Trojans
type of malware
79
Phishing
targeted attack via electronic communication methods intended to capture passwords or other sensitive data
80
Whaling
type of phishing aimed at high-profile or important targets
81
Supply Chain Risk to equipment
Interception and tampering of devices in transit from vendor to organization
82
Single-level security environment
Classify information systems with the highest classification of information they are ever expected to process
83
Availability of authentication services is the priority
Identity platform should be hybrid to provide services both in the cloud and on-premises, ensuring service outages due to interrupted links are minimized
84
On-site authentication service
Would continue to work during an internet outage but would not allow the e-commerce website to authenticate
85
Cloud authentication service
Would leave the corporate location offline during an outage
86
Federation
Links identity information between organizations. Federating with a business partner allows identification and authorization to occur between them
87
Single sign-on
Reduces the number of times a user has to log in but does not facilitate the sharing of identity information
88
MFA
Multifactor authentication secures authentication but does not help integrate with a third party
89
SAML
Security Assertion Markup Language (SAML) used to integrate cloud services and provides ability to make authentication and authorization assertions
90
SPML
Service Provisioning Markup Language (SPML) used to provision users, resources, and services
91
Rainbow tables
precomputed password hashes used to conduct cracking attacks against password files; frustrated by the use of salting
92
Salting
Adds a specified value to the password prior to hashing, making it much more difficult to perform precomputation
93
Honeypot
decoy computer system used to bait intruders into attacking
94
Honeynet
a network of multiple honeypots that creates a more sophisticated environment for intruders to explore
95
Pseudoflaw
False vulnerability in a system that may attract an attacker
96
Darknet
segment of unused network address space that should have no network activity and may be easily used to monitor for illicit activity
97
FAR
false acceptance rate; rate at which the system inadvertently admits an unauthorized user
98
FRR
false rejection rate; rate at which the system inadvertently rejects an authorized user
99
CER
crossover error rate; point where both the false acceptance rate and the false rejection rate cross; less subject to manipulation and thus the best metric to use for evaluating systems
100
Steganography
the art of using cryptographic techniques to embed secret messages within other content; algorithms make invisible alterations to files by modifying the least significant bits of the many bits that make up image files
101
VPN
Virtual Private Network; provide protection in transit
102
Watermarking
embed information in an image with the intent of protecting intellectual property
103
JavaScript
interpreted language so the code is not compiled prior to execution; code is human-readable in its final form allowing for inspection of the content
104
C, C++, Java
compiled languages; compiler produces an executable file that is not human-readable
105
Shadow passwords in an /etc/passwd file
password field contains x; no password in plaintext, encrypted, or hashed form
106
EOL
end-of-life date for a product is normally the date the vendor will stop selling a product
107
EOS
end-of-support; date the vendor will stop supporting the product
108
Due Care
Principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person
109
Due Diligence
Principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner
110
Least Privilege
Principle states an individual should have the minimum set of permissions necessary to carry out their work
111
Separation of duties
Principle states that no single person should have the right to perform two distinct tasks which when combined constitute a highly privileged action
112
Primary Driver for data classification
Sensitivity; the value of the information to the org and the damage caused if it is lost or compromised
113
Risk of interception
Require the use of transport encryption; anyone intercepting the information would be unable to read its contents
114
Tangible asset inventories
Physical items owned by the organization; server hardware, mobile devices
115
Intangible asset inventory
non-physical items owned by the organization; intellectual property and files stored on a server
116
Physical Layer; Fiber-Optic Cable
Layer of the OSI Model that deals with the electrical impulses or optical pulses sent as bits to convey data; cable tapping: attacker installs a tap on a cable
117
Data Link, Network, or Transport layer attack
Higher levels of activity in the OSI model, compromising a device and using a protocol analyzer to sniff network traffic
118
Vendor responsibility in IaaS
Responsible for all security mechanisms at the hypervisor layer and below; maintaining the hypervisor
119
Customer Responsibility for IaaS
Responsible for server security operations; managing OS security settings, maintaining host firewalls, and configuring server access control
120
Type I Hypervisor
Bare metal; acts like a lightweight operating system and runs directly on the host's hardware; cloud service providers use Type I hypervisors, Hyper-V
121
Type II Hypervisor
Hosted; runs as a software layer on an operating system like other computer programs; VirtualBox on my laptop
122
Proactive monitoring
synthetic monitoring; uses recorded or generated traffic to test systems and software
123
Passive monitoring
Uses a network span, tap, or other device to capture traffic to be analyzed
124
Proximity Card
Uses an electromagnetic coil inside the card
125
Parallel test
team activates the disaster recovery site for testing, but the primary site remains operational
126
Full interruption test
team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations; most thorough but also most disruptive
127
Checklist review
least disruptive disaster recovery test; team members review the contents of their disaster recovery checklists on their own and suggest any necessary changes
128
Tabletop exercise
team comes together and walks through a scenario without making any changes to information systems
129
Agile approach to software development
12 principles; best architecture, requirements, and designs emerge from self-organizing teams; teams should welcome changing requirements at any step in the process; simplicity is essential; emphasis on delivering software frequently
130
Hand geometry scanners
Assess the physical dimensions of an individual's hand but do not verify other unique factors about the individual or even verify if they are alive; should not be implemented as the sole authentication factor for secure environments
131
MTD
maximum tolerable downtime; the amount of time that a business may be without a service before irreparable harm occurs; MTO maximum tolerable outage; MAD maximum allowable downtime
132
CASB
Cloud access security brokers; designed to enforce security policies consistently across cloud services
133
DLP
Data loss prevention; detects, blocks, and controls use of information in the cloud
134
DRM
digital rights management; detects, blocks, and controls use of information in the cloud
135
IPS
Intrusion prevention systems; designed to detect and block malicious activity
136
Replay attack
Specific type of masquerading attack that relies on captured authentication tokens, such as from a user's web session to impersonate the user on the site
137
Masquerading (or impersonation) attacks
Use stolen or falsified credentials to bypass authentication mechanisms
138
Spoofing attack
Relies on falsifying an identity like an IP address or hostname without credentials
139
Modification attacks
Occur when captured packets are modified and replayed to a system to attempt to perform an action
140
OpenID Connect
An authentication layer that works with OAuth 2.0 as its underlying authorization framework; widely adopted by cloud service providers and widely supported; seamless integration with OAuth
141
Kerberos
authentication technology
142
Two-person control
Action requires the concurrence of two users
143
Job rotation
Move people through jobs on a periodic basis to deter fraud
144
Parol evidence rule
States that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing
145
Best evidence rule
States that a copy of a document is not admissible if the original document is available
146
Real evidence and testimonial evidence
types of evidence
147
NAT
Network Address Translation; translates an internal address to an external address
148
VLANs
virtual local area networks; used to logically divide networks
149
BGP
routing protocol
150
SSAE-18
Reviews the use and application of controls in an audited organization; An attestation standard used for external audits, forms part of the underlying framework for SOC 1, 2, and 3 reports; DOES NOT ASSERT SPECIFIC CONTROLS
151
Creating a digital signature
Sender of a message always encrypts the message with their own private key. Recipient verifies the digital signature by decrypting it with the sender's public key and comparing that decrypted signature with a message digest that the recipient computes themselves
152
RTO
Recovery time objective; amount of time expected to return an IT service or component to operation after a failure; amount of time it should take to restore an IT service after an outage
153
RPO
Recovery Point Objective; maximum amount of data, measured in time that may be lost during a recovery effort
154
SLA
service-level agreement; written contracts that document service expectations
155
Change management
Business process that requires sign-off from a manager or supervisor before changes are made to ensure proper awareness and communication
156
SDN
software-defined networking
157
Release Management
the process that new software releases go through to be accepted
158
Versioning
Used to differentiate versions of software, code, or other objects
159
Wet pipe
Wet pipe suppression systems have water present in the pipes at all times, posing an unacceptable level of risk for a data center containing electronics that might be damaged if a pipe leaks
160
Dry pipe and pre-action
Suppression systems only contain water when triggered in the event of a possible fire
161
FM-200
a chemical suppressant commonly used in place of water in data centers
162
Directive control
Notifications and procedures like the signs posted on the company doors reminding employees to be careful to not allow people to enter when they do
163
Detective control
Designed to operate after the fact; Motion detectors
164
Physical control
the doors and the locks on the doors of the company
165
Preventive control
Designed to stop an event and could also include the locks on the doors; Mantraps intended to deny intruders access
166
Deterrent control
Prevent an intruder from attempting an attack in the first place; Guard dogs, Lighting
167
PaaS
Platform as a service; an example of function as a service (FaaS) computing; cloud provider is managing the infrastructure and only making the platform available to customers
168
IaaS
Infrastructure as a service; cloud provider provides the infrastructure but the customer manages the infrastructure
169
Frequency analysis
cryptanalytic attack against a large volume of encrypted ciphertext
170
Brute-force attack
Cryptanalytic attack against a large volume of encrypted ciphertext
171
Known plaintext attack
access to plaintext information
172
Chosen ciphertext attack
attacker has the ability to encrypt information
173
Workflow-based account provisioning
provisioning that occurs through an established workflow, such as through an HR process
174
Discretionary account provisioning
An individual (the owner) sets up accounts for a new hire on the systems they manage
175
Self-service account provisioning
the provisioning system allowed the new hire to sign up for an account on their own
176
Automated account provisioning
a central, software-driven process to provision an account, rather than HR forms
177
Privilege creep
as individuals change roles, they may retain access to systems that they no longer administer.
178
User changes roles
Access is provisioned based on the role and other access entitlements; de-provisioning and re-provisioning are time-consuming and lead to problems with changed IDs and how existing credentials work
179
EAL2 evaluation assurance level
EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria
180
Prior to granting any user access to information
Verify appropriate security clearance and need to know
181
Preservation phase of the e-discovery reference model
Ensures information related to the matter at hand is protected against unintentional alteration or deletion
182
Identification phase
Locates relevant information but does not preserve it
183
Collection phase
Occurs after preservation and gathers responsive information
184
Processing phase
Performs a rough cut of the collected information for relevance
185
Hash algorithms with known vulnerabilities
RIPEMD and MD5
186
SHA-2
cryptographically strong hash that is fast and efficient; SHA-3 is also secure but less efficient
187
subject/object model
object of the resource request is the resource being requested by a subject. Requesting access to a document would make the document the object of the request
188
De-encapsulation
the process of removing a header (and possibly a footer) from the data received from a previous layer in the OSI model
189
Encapsulation
process when the header and/or footer are added
190
Payload
part of a virus or malware package delivered to a target
191
CPTED framework
Crime Prevention Through Environmental Design; implements three strategies: natural access control, natural surveillance, and natural territorial reinforcement
192
Natural access control
uses barricades and other physical elements to create a separation between secure and insecure spaces
193
Natural surveillance
designs the environment to expose potential intruders to natural scrutiny by legitimate occupants
194
Natural territorial reinforcement
Uses fences, signs, and other elements to clearly define secure spaces
195
SPML
Service Provisioning Markup Language; uses requesting authorities to issue SPML requests to a provisioning service point
196
Provisioning service targets
Often user accounts; they are required to allow unique identification of the data in the implementation
197
SAML
used for security assertions
198
SAMPL
an algebraic modeling language
199
XACML
an access control markup language used to describe and process access control policies in an XML format
200
Qualitative risk assessment
uses probability/impact matrix and subjective measures of probability and impact, such as "high" and "low" in place of quantitative measures
201
MAC
mandatory access control systems are hierarchical, compartmentalized, or hybrid.
202
Hierarchical
each domain is ordered and related to other domains above and below it
203
Compartmentalized
where there is no relationship between each domain
204
Asymmetric encryption algorithm application
Require two keys per user, regardless of the number of participants. (6-member team would require 12 keys)
205
Symmetric cryptography
require (n*(n-1))/2 keys
206
Cat 5e
Category 5e, cable rated to 1000Mbps
207
Cat 6
Category 6 UTP cable rated to 1000Mbps
208
Cat 5
Category 5; rated to 100Mbps
209
Cat 7
Category 7; rated to 10Gbps
210
CDN
content delivery network; distribute content to many remote endpoints where it may be quickly loaded by local users
211
Smurf attack
a distributed attack approach to send ICMP echo replies at a targeted system from many different source addresses.
212
Most effective way to block smurf attacks
block inbound ICMP traffic
213
Static packet filtering firewalls
first-generation firewalls that do not track connection state; do not have the ability to track connection status between different packets
214
Firewalls with connection state tracking capability
Stateful inspection, application proxying, and next-generation firewalls
215
Dual power supplies
Address hardware issues (equipment failures) within a server, allowing it to continue to operate if one of the power supplies fails
216
Increase the reliability of power flowing to a server
redundant power sources, backup generators, and uninterruptible power supplies (UPS)
217
Remote access technologies with built-in encryption
RDP, Remote Desktop Protocol; SSH Secure Shell
218
Telnet and Dial-up
Outdated remote access tech that does not provide encryption for secure access
219
Latency
a delay in the delivery of packets from their source to their destination
220
Jitter
a variation in the latency for different packets
221
Packet loss
disappearance of packets in transit that requires retransmission
222
Interference
electrical noise or other disruptions that corrupt the contents of packets
223
Internal auditor report recipients
Internal reports for remediating issues: managers, individual contributors, and board members for oversight
224
Interface testing
web applications communicate with web browsers via an interface; ensure it is accessible from all commonly used web browsers
225
Regression testing
re-runs functional and non-functional tests to ensure that a software application works as intended after any code changes, updates, revisions, improvements, or optimizations
226
White-box testing
full knowledge test
227
Fuzzing
tests unexpected inputs, rather than functionality
228
Role-based access control
Gives users an array of permissions based on their position in the organization; reviewer, editor, submitter
229
Rule-based access control
Use rules that apply to all subjects; firewalls and routers
230
Discretionary access controls
Gives object owners the right to choose how the objects they own are accessed
231
Impact
Fire suppression system does not stop a fire but reduces the damage that fires cause (reduce risk by lowering the impact of an event)
232
Patent
intellectual property in the form of a process; Require public disclosure and have expiration dates
233
Trade Secret
intellectual property in the form of a process; remain in force for as long as they remain secret
234
SCAP
Security Content Automation Protocol; a suite of specifications used to handle vulnerability and security configuration information; The National Vulnerability Database provided by NIST uses SCAP
235
XACML
eXtensible Access Control Markup Language; an OASIS standard used for access control decisions
236
BAS
Breach and attack simulation platforms automate aspects of penetration testing; these systems are designed to inject threat indicators onto systems and networks in an effort to trigger other security controls; white-box, gray-box, and black-box testing involve more manual effort
237
Simple Security Property
prevents an individual from reading information at a higher security level than their clearance allows; "no read up" rule
238
Simple Integrity Property
a user can't write data to a higher integrity level than their own
239
*-Security Property
Users can't write data to a lower security level than their own
240
Discretionary Security Property
allows the use of a matrix to determine access permissions
241
WBS
work breakdown structure; project management tool that divides the work done for a large project into smaller components.
242
Project plan
describes timing and resources
243
Test analysis reports
used during later phases of the development effort to report test results
244
Functional requirements
May be included in a work breakdown structure
245
NAC
Network Access Control system; used to authenticate users (using identities) and validate their system's compliance with a security standard before they are allowed to connect to the network; enforcing security policies can help reduce zero-day attacks
246
Firewall vs NAC
firewall can't enforce system security policies
247
IDS vs NAC
intrusion detection system; only monitor for attacks and alarm when they happen; IDS can't enforce system security policies
248
Port security
MAC address-based security feature that can only restrict which systems or devices can connect to a given port
249
Application running under a service account with full admin rights to the web server
Violation of least privilege principle; an application should never require full admin rights to run; service account should only have the privileges necessary to support the application
250
Key performance and risk indicators of security program
Time to resolve vulnerabilities, number of account compromises, number of attempts by users to visit malicious sites, number of repeat audit findings
251
True positive
Scan detected the vulnerability and the vulnerability actually existed
252
True negative
Scan correctly notes the absence of a vulnerability
253
False positive
Scan reports the presence of a vulnerability that does not actually exist
254
False negative
Scan reports that no vulnerability exists when one does, in fact, exist
255
/test directory
Test directories often include scripts that can be misused and have poor protections, or may contain other data that can be misused.
256
Issue of directory indexing
Knowing the name and location of files can provide an attacker with quite a bit of information about an org and a list of potentially accessible files; it is not a clear sign of attack
257
XST
Cross-site tracing; leverages the HTTP TRACE or TRACK methods and could be used to steal a user's cookies via cross-site scripting (XSS)
258
Supervisor of an org's chief audit executive (CAE)
Should report to the most senior possible leader to avoid conflicts of interest; CEO or board of directors to provide a degree of independence
259
DLP
Data loss prevention systems; identify sensitive information
260
Network-based DLP
detects sensitive information if the user transmits it over the network; not stored on an endpoint
261
IPS
Intrusion prevention systems; designed to detect and block attacks in progress
262
Private cloud
cloud computing model where the customer builds a cloud environment in their own data center, or builds an environment in another data center that is for the customer's exclusive use (by a vendor at a co-location site); dedicated to a single organization and does not follow the shared tenancy model
263
Load balancing
designed to prevent a web server going offline from becoming a single point of failure; helps to ensure a failed server will not take a website or service offline
264
Dual-power supplies
prevent failure of a power supply or power source
265
RAID
prevent a disk failure from taking a system offline
266
Star topology
uses a central connection device
267
Ethernet networks
may look like a star; actually a logical bus topology that is sometimes deployed in a physical star
268
Input validation
ensures that the data provided to a program as input matches the expected parameters
269
Limit check
a special form of input validation; ensures that the value remains within an expected range
270
Options when planning for possible system failures
fail open; fail secure
271
Black box
No prior knowledge of the system
272
White box
full knowledge of the system
273
Gray box
Partial or incomplete knowledge
274
Something you know
PIN, password, security question/answer
275
Something you have
token, smartcard
276
Something you are
fingerprint, retinal scan