NT2580 – Flashcard

question
Gram-Leach-Bliley Act (GLBA)
answer
Requires all types of financial institutions to protect customers' private financial information.
question
Health insurance portability and accountability
answer
Requires health care organizations to secure patient information, and organizations must adhere to the minimum necessary rule.
question
Sarbanes-Oxley act (SOX)
answer
requires publicly traded companies to submit accurate and reliable financial reporting.
question
Children's internet protection act (CIPA)
answer
requires public schools and public libraries to use the internet safety policy to prevent children's access to inappropriate matter on the internet.
question
Payment card industry data security standard
answer
Standard that applies to organizations handling transactions involving payment cards; it requires them to build and maintain security, implement strong access controls, and test and monitor networks.
question
Family educational rights and privacy act (FERPA)
answer
Protects the private information of students and their records.
question
confidentiality
answer
Means guarding information from everyone except those with rights. Protecting private data is the process of ensuring data confidentiality.
question
Data classification standards
answer
To provide a consistent and detailed definition for how an organization should handle different types of data, software, and hardware.
question
U.S. federal data classification
answer
Top secret, secret, and confidential.
question
Security gap
answer
The difference between the security controls you have in place and all the controls you need to address all the vulnerabilities is called a security gap.
question
Gap analysis
answer
Identify the applicable elements of the security policy, assembling policy, standard, procedure, and guideline documents.
question
Black-hat attacker
answer
Tries to break IT security for the challenge and to prove technical prowess.
question
White-hat hacker
answer
Is an information security or network professional who uses various penetration tools to uncover vulnerabilities so that they can be fixed.
question
Gray-hat attacker
answer
Is a hacker with average abilities who may one day become a black-hat or white-hat attacker.
question
Access control
answer
Methods used to restrict and allow access to certain computers, etc.
question
The four parts of access controls
answer
Authorization, identification, authentication, and accountability.
question
Authorization
answer
Who is approved for access, and what, exactly, can they use.
question
Identification
answer
Who the user is, and how the user, workstation, and services are identified.
question
Authentication
answer
How to verify identities: something you know, something you have, and something unique.
question
Accountability
answer
Process of associating actions with users for later reporting and research.
question
Physical access control
answer
Access to buildings, parking lots, and protected areas.
question
Logical access controls
answer
Access to a computer system or a network. Username, password, token, smart card, etc.
question
Discretionary Access controls (DAC) (Unix/Linux)
answer
The owner of the resource decides who gets in, and changes permissions as needed. The owner can give that job to others.
question
Mandatory Access controls (MAC) (SELinux)
answer
Permissions to enter a system are kept by the owner. They cannot be given to someone else. (This makes MAC stronger than DAC.)
question
Non-discretionary access control
answer
Closely monitored by the security administrator, not the system admin.
question
Rule-based access control
answer
A list of rules, maintained by the data owner, determines which users have access to objects.
question
Bell-LaPadula model (access control model)
answer
Focuses on the confidentiality of the data and the control of access to classified information.
question
Biba integrity model
answer
Fixes a weakness in the Bell-LaPadula model, which addresses only the confidentiality of the data.
question
Clark & Wilson integrity model
answer
Focuses on what happens when users allowed into a system try to do things they are not allowed to do.
question
Brewer & Nash integrity model
answer
Based on mathematical theory published in 1989 to ensure competition. It is used to apply dynamically changing access permissions.
question
Security program addresses these directives
answer
Standards, procedures, baselines, and guidelines.
question
Limiting access
answer
The idea that users should be granted only the levels of permissions they need in order to perform their duties.
question
configuration control
answer
Is the management of baseline settings for a system device.
question
Change control
answer
Is the management of changes to configuration. It ensures that any changes to a production system are tested, documented, and approved.
question
SLC (system life cycle) and SDLC (system development life cycle)
answer
Describe the entire change and maintenance process for applications and system hardware.
question
tools and techniques for security monitoring
answer
Baselines, alarms, closed-circuit TV, and systems that spot irregular behavior.
question
Black-box testing
answer
Uses test methods that aren't based directly on knowledge of a program's design.
question
White-box testing
answer
Is based on knowledge of the application's design and source code.
question
gray-box testing
answer
Lies somewhere between black-box and white-box testing.
question
Risk mitigation
answer
Uses various controls to mitigate or reduce risk (e.g., anti-virus software).
question
Risk assignment
answer
Allows the organization to transfer risk to another entity (e.g., insurance).
question
Risk acceptance
answer
The organization has decided to accept the risk (the cost of reducing it is higher than the loss).
question
Asset value (AV)
answer
Value of the asset
question
Exposure factor (EF)
answer
Percentage of asset value that will be lost.
question
Annualized rate of occurrence (ARO)
answer
How many times it is expected to occur.
question
annualized loss expectancy (ALE)
answer
This is calculated by multiplying the SLE by the ARO.
question
Business continuity plan BCP
answer
Helps keep critical business processes running in a disaster.
question
Disaster recovery plan
answer
Helps recover the infrastructure necessary for normal business operations.
question
Risk avoidance
answer
Deciding not to take the risk.
question
Business impact analysis (BIA)
answer
Determines the extent of the impact that a particular incident would have on business operations over time.
question
Cryptography
answer
Encoding data so that it can only be decoded by specific individuals.
question
Cipher algorithm
answer
Shifts each letter in the English alphabet.
question
Symmetric key cipher
answer
The key is sent out of band.
question
Asymmetric key cipher
answer
Uses private and public keys.
question
border firewall
answer
They separate the protected network from the internet.
question
screened subnets or DMZ firewall
answer
The DMZ is a semiprivate network used to host services that the public can access.
question
worms
answer
They propagate through network services.
question
Trojan horses
answer
Known as the backdoor.
question
logic bombs
answer
Executes a malicious function of some kind when it detects certain conditions.
question
choke points
answer
Firewalls, routers, IDSs, IPSs.