Card Set Information

2011-10-17 21:04:39

Chapter 8

  1. Defense-in-depth
    Is to employ multiple layers of controls in order to avoid having a single point of failure. For example, many organizations use not only firewalls but also multiple authentication methods to restrict access.
  2. Time-based model of security
    Is to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information.

    • P = the time it takes the attackers to break through preventive controls.
    • D = the time it takes to detect that an attack is in progress.
    • C = the time it takes to respond to the attack.
    • If P > D + C, then the organization's security is effective.
  3. Conduct reconnaissance
    Study the target and its layout.
</gml_replace>
<gr_replace lines="29" cat="clarify" orig="if they cant">
    If they can't use social engineering, then conduct further reconnaissance.
  4. Attempt Social engineering
    This is when attackers try to use information obtained during their initial reconnaissance to “trick” an unsuspecting employee into granting them access.
  5. Scan and map the target
    if they cant attempt social engineering, then conduct further reconnaissance.
  6. Research
    Once the attacker has identified specific targets and knows what versions of software are running on them, the next step is to conduct research to find vulnerabilities in those programs.
  7. Execute the attack
    Obtain unauthorized access to the system.
  8. Cover tracks
    After attacking the system, most attackers then try to cover their tracks.
  9. Authentication
    Is the process of verifying the identity of the person or device attempting to access the system. Examples: PINs, ID badges, or biometric identifiers.
  10. Biometric identifier
    Physical characteristics such as a fingerprint.
  11. Multifactor authentication
    Using two or all three types of authentication together.
  12. Multimodal authentication
    Using multiple credentials of the same type together.
  13. Authorization
    Is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
  14. Access control matrix
    A matrix that shows the authorization controls (who is authorized to access what).
  15. Compatibility test
    Matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
  16. Border router
    A device that connects an organization's information system to the internet.
  17. Firewall
    Is either a special-purpose hardware device or software running on a general-purpose computer.
  18. Demilitarized zone (DMZ)
    Is a separate network that permits controlled access from the internet to selected resources, such as the organization’s e-commerce Web server.
  19. COBIT's framework ensures that information provided to management satisfies seven key criteria:
    1. effectiveness
    2. efficiency
    3. confidentiality
    4. integrity
    5. availability
    6. compliance
    7. reliability
  20. COBIT's domains
    1. plan and organize
    2. acquire and implement
    3. deliver and support
    4. monitor and evaluate
  21. The Trust Services Framework classifies information systems controls into five categories:
    1. security
    2. confidentiality
    3. privacy
    4. processing integrity
    5. availability
  22. Management's role in information security
    1. create and foster a proactive "security aware" culture
    2. inventory and value the organization's information resources
    3. assess risks and select a risk response
    4. develop and communicate security plans, policies, and procedures
    5. acquire and deploy information security technologies and products
    6. monitor and evaluate the effectiveness of the organization's information security program
  23. Preventive controls
    Training, user access controls, physical access controls, network access controls, device and software hardening controls.
  24. Detective controls
    Log analysis, intrusion detection systems, security testing and audits, managerial reports.
  25. Corrective controls
    Computer incident response teams, chief information security officer, patch management.