lesson 6

The flashcards below were created by user slmckissack on FreezingBlue Flashcards.

  1. Where all the network users know and understand security policies and procedures.
    User Awareness

    User awareness of security policies is an essential part of the overall security of a network. Without it, the security of the network and the organization is at risk.
  2. NOTE: User awareness starts with the training new employees receive when they join an organization. It doesn't stop there, though: all employees should continue to receive training through regular briefings, workshops, and posted notices and reminders. Regular training can prevent users from forgetting or ignoring the security policies.

    To ensure user awareness, training must include all of an organization's employees, contractors, and even temporary workers who work in secured areas. This includes everyone from office interns all the way through the highest-ranking employees (senior management).
  3. What are the 7 things every user will need to know about the organization's security policies?
    • 1. Handling Data
    • 2. Physical Security
    • 3. File sharing
    • 4. Copyrights
    • 5. Using wireless networks
    • 6. Desktop security
    • 7. Privacy
  4. NOTE: While it's true that the network's internal users are security threats, this doesn't mean that they often go out of their way to break the security of the network. When training users, remember that most user-related security breaches are unintentional. Users might inadvertently visit a website or open an email message that contains a virus, malware, or another type of security threat. An effective user awareness and training program continuously reinforces the vulnerabilities, risks, and threats to the organization and the security policies that exist to mitigate these exposures. This program should also emphasize the responsibility of each employee to ensure the security of the organization and its networks.
  5. In the context of information security, is information that uniquely identifies a single person. Your name, address, city, state, and ZIP code, along with your birth date, telephone number, income amount, driver's license number, Social Security number, and so on. Any fact about you, in the Internet age, may be enough to identify you. In fact, according to some sources, just a ZIP code, birth date, and gender are enough to uniquely identify about 87% of the US population.
    Personal Identifiable Information (PII)
  6. NOTE: PII is not a new thing; it has been around as long as human senses, which allow us to identify individuals by sight, sound, smell, and so on. However, the proliferation of information on the Internet has made it a lot easier to capture PII from a wider range of sources than you could in the past. One of the largest Internet-based industries is the collection and resale of PII gathered from online applications, social media, email, and even chat. The availability of PII also facilitates cyber-stalking, cyber-bullying, identity theft, and other crimes.
  7. What are the three types of protected information?
    • -Customer Proprietary Network Information (CPNI)
    • -Protected Health Information (PHI)
    • -Private Financial Information
  8. This is a legal definition of protected individually identifiable information about any person or customer in telecommunications privacy laws.
    Customer Proprietary Network Information (CPNI)
  9. The primary law that protects your private medical and health-related information in the United States is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA defines the regulations that cover the use and disclosure of PHI, which is any personal information concerning health status, healthcare, and payments for healthcare, or essentially any part of a person's medical or payment history.
    Protected Health Information (PHI)
  10. Both federal laws and a variety of state laws define a person's right to privacy in their financial dealings. The Right to Financial Privacy Act dictates that no financial institution, officer, employee, or agent of a financial institution can give any government authority access to the financial information of any customer. The Gramm-Leach-Bliley Act requires that financial institutions or companies offering financial products or services (loans, financial or investment advice, or insurance) must fully disclose their information-sharing practices to customers and agree to protect all sensitive personal information.
    Private Financial Information
  11. NOTE: Your organization's security policies must address any personal, private, and identifying information about employees, customers, and perhaps even suppliers. Keeping private data private should be the goal for any security and privacy policies. Unfortunately, users have become too comfortable with sharing their private information, especially on the Web. Increasing user awareness in this area can prevent threats to your users as well as your network.
  12. What are the three groups that the methods that provide security and protection of data resources on a network fall into?
    • -Information Classification
    • -Data Handling
    • -Compliance
  13. divides data into groups depending on the level of protection or security the information requires.
    Information Classification

    The more sensitive or confidential the information is, the higher (in terms of priority) its information classification should be.
  14. NOTE: Every organization has a variety of information types. Some information is sensitive or confidential, while other information is less so. Some information is subject to strict government regulation, and some is not. The protection and security that applies to information should be in accordance with the type of information, any specific rules that apply, and its sensitivity. Applying a general data security policy to all of the stored information an organization has is both overkill and expensive.
  15. What is the first step in developing information protection and data security policies?
    To classify the stored information by the level of protection it requires.
  16. What are the four ways to classify information?
    • -Sensitivity
    • -Access
    • -Protection
    • -Regulation
  17. The level of sensitivity or confidentiality of the information
  18. The level of access control on sensitive or confidential information.
  19. The level of protection for sensitive or confidential information.
  20. The amount and type of protection mandated by laws or regulations.
  21. What are the five categories in the governmental and military hierarchy classification for sensitivity of information?
    • -Public
    • -Eyes Only
    • -Confidential
    • -Secret
    • -Top Secret
  22. NOTE: Any information classified as public information shouldn't require much protection. However, Top Secret information requires all of the security and protection measures available. Between these two classifications, the level of security and protection increases with each higher-level classification.
  23. NOTE: To determine the appropriate security or privacy level for information, you identify its confidentiality and the level of its sensitivity. The confidentiality level relates to the degree of harm that unauthorized access, disclosure, or loss of the information could cause. Classify each information entity against these criteria as highly confidential, moderately confidential, mildly confidential, or not confidential.
  24. What is the second part of classifying information?
    To determine its degree of sensitivity.
  25. Meaning how critical would a loss of the data be to an organization?
  26. What three categories are used to measure sensitivity?
    • -Low
    • -Moderately
    • -High
  27. Could cause limited harm to an organization or individual if it's disclosed, damaged, or lost.
    Information with low sensitivity
  28. Could cause serious harm to an organization or individual if it's disclosed, damaged, or lost, but it wouldn't cause the failure of the organization or loss of life.
    Moderately Sensitive Information
  29. Could cause severe or catastrophic harm if it's disclosed, damaged, or lost, including failure of the organization and loss of life.
    Highly Sensitive Information
  30. NOTE: In many cases, a consolidation of less sensitive information can be highly confidential or sensitive. Its confidentiality and sensitivity classification should reflect the consolidation, not its elements. The street address of a special facility, the names of its employees, its floor plans, and maybe a description of a project or two contains information that could, taken together, be much more confidential.
  31. Is a generic term that covers the access, storage, transmission, retention, and disposal of information. While the security policies that cover each of these actions overlap, each of these actions should have a separate security policy.
    Data Handling
  32. NOTE: As you learned above, highly confidential and sensitive information requires very strict control, access, and disclosure, and there could be legal restrictions or regulations that dictate its handling. Typically, people who have access to confidential information have signed a confidentiality agreement or a nondisclosure statement.
  33. NOTE: Access to the most confidential or sensitive information requires stringent security measures as well. The policies that govern this access should address a more robust password policy, tighter access controls and authentication measures, and perhaps even external physical controls to secure workstations.
  34. What are the three controls which should be a part of any data storage policy for sensitive or confidential information?
    • -Store sensitive or confidential paper documents in a locked cabinet within a locked room. Access to the room should be restricted. The policy should state that employees must secure all keys and access badges when they're in areas accessible to unauthorized personnel.
    • -Store sensitive or confidential electronic data using encryption on fixed hard drives, removable media, a mobile device, or when sending it by email to an address outside the organization.
    • -All stored documents should be subject to an established document retention life cycle policy.
  35. What are the five controls that should be a part of a data transmitting or transporting policy for sensitive or confidential information?
    • -Do not discuss or display sensitive or confidential documents or their contents where others might overhear a conversation regarding the document or where unauthorized individuals could see the contents of the document.
    • -Only authorized individuals should print, photocopy, or fax a sensitive document, and they must ensure that only authorized personnel are able to see the document or its output.
    • -When transferring sensitive or confidential information or documents electronically (by email, FTP, or upload), transfer only encrypted copies.
    • -Use the most secure service available when transferring paper copies of highly sensitive information to remote locations by the U.S. Postal Service, UPS, or FedEx.
    • -Label all highly sensitive documents in transit as "Highly Sensitive" so that recipients are immediately aware of their sensitivity.
  36. NOTE: Virtually all large businesses have a document retention and disposal policy, especially those that regularly work with confidential, protected, or sensitive information, such as insurance companies, credit card companies, health and medicine organizations, and educational institutions. This policy defines how to store information, who has access to it, how long to retain information, and how to dispose of or destroy information.
  37. What are the 4 points most data retention and disposal policies include?
    • -References to the organizational, government, and association policies, regulations, and guidelines that govern document storage, retention, and disposal.
    • -A list or table of document retention periods for each type of document an organization processes.
    • -The policies and procedures for the retention and disposal of electronically stored information. These should emphasize that merely deleting a document from a storage device is not sufficient and that the method for removing documents or information from a storage media must guarantee its complete removal.
    • -A policy for documenting the disposal of sensitive or confidential information and documents.
  38. NOTE: Electronically stored sensitive and confidential information is something secure network administrators must take seriously and consider as an important part of their overall responsibility. For the Security+ exam, be sure you understand information classification and the elements that make up information security policies and procedures.
  39. is the result of an organization's conformity to defined or established process and procedure guidelines, regulations, and recommended best practices.

    An organization that has its policies and practices in line with the applicable rules, regulations, and guidelines is in compliance.
  40. Typically, an organization must comply with federal or state laws and industry or trade guidelines and practices. What are the 6 examples of governmental and association regulations and guidelines?
    • -Fair and Accurate Credit Transactions Act (FACTA)
    • -Gramm-Leach-Bliley Act (GLBA)
    • -Health Insurance Portability and Accountability Act (HIPAA)
    • -Health Information Technology for Economic and Clinical Health Act (HITECH)
    • -ISO 27001
    • -Sarbanes-Oxley Act (SOX)
  41. Requires financial institutions and creditors to implement an identity theft prevention program that detects, prevents, and mitigates identity theft.
    Fair and Accurate Credit Transactions Act (FACTA)
  42. Requires financial institutions to report data security breaches.
    Gramm-Leach-Bliley Act (GLBA)
  43. Requires healthcare organizations to report security breaches.
    Health Insurance Portability and Accountability Act (HIPAA)
  44. Requires data assets in healthcare organizations to be securely protected.
    Health Information Technology for Economic and Clinical Health Act (HITECH)
  45. Requires specific forms and practices in information technology management and security.
    ISO 27001
  46. Requires all business records, including electronic records and electronic messages, to be securely saved for five years.
    Sarbanes-Oxley Act (SOX)
  47. What are the two types of security measures used to keep outside dangers from infiltrating?
    • -Physical Security
    • -Logical Security
  48. Involves locking doors, controlling who can enter a space, installing physical intrusion alarms, and, in extreme cases, hiring armed guards. Focuses on protecting a network against physical loss or damage. Requires being proactive, and it's very effective when done right.
    Physical Security

    For the most part, physical security is about securing a physical space and protecting its contents from damage, theft, environmental issues, and power source problems.
  49. NOTE: To secure a network and its components, peripherals, and contents, you must begin with the physical security of the area in which its primary components sit. Beyond just locking a door or two, physical security involves restricting physical access, limiting the actions and activities of those who have access, and physically restricting the portability of network devices. Physical security is the first line of defense in any security scheme, but the extent to which a particular security scheme goes is a reflection of the situation and the size of the security budget.
  50. NOTE: A fence around the perimeter of an area you wish to secure might sound like an obvious part of an overall security policy. One thing to keep in mind is that the type of fence should reflect the sensitivity of what it protects.
  51. What are the standards recommended to secure a physical area with fencing?
    You should have a fence that's 8 feet tall, with three strands of barbed or razor wire set at a 45-degree angle and facing out toward the intruder. Remember that this is the recommendation for larger and more secure facilities. This kind of fence is not necessary for your home or office.
  52. Attach to the computer case and secure the PC to the table or desk, which is good for securing portable computers.
    Cable locks

    Most new notebook computers have a slot or opening on one side or on the back of the base portion of their case for an external lock.
  53. consists of a small space between two interlocking doorways. One door must close completely before the second door will open.
    Mantrap

    The reason we call it a trap is that both doors require separate security measures. If someone trying to enter the space is able to sneak in through one door, he probably won't be able to get either door open without the proper security credentials, so he's trapped.
  54. NOTE: In conjunction with a mantrap or on a stand-alone door mechanism, some systems support a list of identification numbers, biological scans, pass codes, and the like so that only those people on the physical security access list are able to gain access to a protected space.
  55. NOTE: KEY POINT: Be sure that you know the difference between a physical security access list and an access control list (ACL) on a router or firewall. As we discussed in Lesson 2, an ACL defines the action for a range of IP addresses or a specific object, such as a particular port number.
  56. NOTE: The use of video cameras to record who enters and exits a secured space provides after-the-fact evidence if there's a physical security incident. However, 13 states in the U.S. prohibit the unauthorized use of recording cameras in private places, such as homes, offices, and secured computer facilities. In these states, installing and using a video recording device in a private place for spying, eavesdropping, or photographing without the express permission of the person on the video is against the law. Public places, including stores, parking lots, malls, and so on, are exempt from these restrictions.
  57. Includes the software-based tools that protect an organization's networks and systems. These include user access, authentication, and authorization (AAA). As you're aware, usernames and passwords provide much of a network's AAA controls. However, we can also place systems like proximity readers and smart cards into this general area, even though they technically span both physical and logical controls.
    Logical Security
  58. can control access to doors, cabinets, or other secure areas. It creates an electrical field between one inch and 20 inches around itself.
    Proximity Reader

    When the card reader detects the card's field, the reader's circuitry decodes the identification number the card is transmitting and permits or denies the security request to unblock whatever the proximity reader is controlling. The proximity system consists of two parts. The first part is a facility code or site code that's unique to all of the cards of a particular set. The second part is a sequential number that identifies each card within the facility code. There's some risk of duplicate card numbers because separate manufacturers may sell the same site code, but the industry is moving to longer ID formats, which should reduce this risk significantly.
  59. has a microprocessor and memory embedded in a plastic card that's typically about the size of a credit card.
    Smart Card
  60. What are the two types of smart cards?
    • -Contact
    • -Contactless
  61. You must insert this type of smart card into a slot on a reader with a specific orientation so that its eight contacts align with the corresponding contacts in the reader's slot.
    A Contact Smart Card
  62. works essentially the same as a proximity card and has a built-in antenna to broadcast its identification number.
    A Contactless Smart Card
  63. What's the difference between a proximity card and a smart card?
    The proximity card has only one specific function: to broadcast an ID number. A smart card, because it includes a microprocessor and an embedded operating system, is able to handle a wide range of applications. Smart cards support a variety of functions beyond access control: they can act as cash cards, membership cards, and even credit cards.
  64. NOTE: The "bad guys" aren't the only potential threat we need to worry about when securing our networks. The network's environment can also be a threat to its electronics, stored data, and longevity. Dirty air, too much or too little humidity, and poor or fluctuating electrical power can directly affect the reliability of key network devices.
  65. When in a dry environment, a user can be a serious threat because he or she may build up static electricity and inadvertently discharge it to a PC or another electronic device.
    Electromagnetic static discharge (ESD)

    It is perhaps one of the more common and underestimated threats to computers and network devices.
  66. NOTE: We can control the environmental conditions through a building's heating, ventilation, and air conditioning (HVAC) system. Electronic devices radiate a very dry heat, much drier than humans do. Because of this, the HVAC systems in the space housing the primary networking devices must produce the proper temperature and relative humidity (RH) to keep the systems from overheating and fatiguing themselves. Enclosed data centers should be at a constant temperature of 70 to 74 degrees Fahrenheit with an RH of 40% to 60%.
  67. What should be the constant temperature of an enclosed data center?
    70-74 degrees Fahrenheit
  68. What should be the constant RH (relative humidity) of an enclosed data center?
    40% to 60%
  69. This means placing rows of cabinets facing each other so that cooled air can reach the equipment efficiently and warm exhaust air can be pumped back into the cooling system easily.
    Hot row-cold row.
  70. NOTE: In a large data center that consists of multiple rows of networking devices in cabinets and racks, the HVAC system should be set up to create a hot row-cold row situation.
  71. NOTE: Monitoring the conditions (temperature, air quality, and humidity) in a data center space should be part of a regular security policy checklist. These environmental conditions contribute to the security and reliability of network resources perhaps as much as any other factor, so it's important to make sure you're aware of them.
  72. NOTE: Another security consideration for a network data center is fire suppression. A fire suppression system is an absolute necessity in any situation.
  73. What is the difference in fire suppression between a smaller data center and a larger data center?
    In a smaller data center, smoke detectors and fire alarms may be sufficient to alert anyone working in the space to call for emergency services and to evacuate the building if there's a fire. Even battery-operated detection and alarm systems may be enough, as long as checking and replacing the battery is on a regular security checklist.

    In a larger data center, more sophisticated smoke- and fire-detection systems are wired into the central electrical system and can notify emergency services directly if there's a fire.
  74. What are the four classes of fires, depending on the materials that are burning?
    • -Class A: Common combustible fires of wood, paper, cloth, or plastic. Use a fire extinguisher containing water or soda-acid.
    • -Class B: Fires of liquids such as gas, oil, tar, solvent, or alcohol. Do not use water. Use carbon dioxide (CO2), Halon, hydrofluorocarbon, or heptafluoropropane (FM-200) extinguishing equipment.
    • -Class C: Electrical component fires. Use CO2, Halon, hydrofluorocarbon, or heptafluoropropane (FM-200) extinguishing equipment. Class C fire suppression systems are nonconductive.
    • -Class D: Fires of combustible metals, like magnesium and sodium. Use a dry chemical suppression system.
  75. NOTE: Electrical fires, which are Class C fires, require special fire suppression as listed above. In a larger data center, the fire suppression systems should also provide for automatic shutdown of electrical systems.
  76. NOTE: When you think of fire suppression, though, you probably think of water sprinkler systems. Fire and extreme heat can destroy electronic devices, but a water sprinkler system is much more of a threat. If a fire does not directly engulf an electronic device, there's a chance that the device may not suffer much damage. However, if the fire sets off a water sprinkler system, chances are that pouring water on an operating electronic device has devastating results.
  77. NOTE: Be sure to include inspection of the fire and smoke detection equipment and the suppression system on any periodic security checklist.
  78. Electrical line noise; every electrical circuit has a certain amount of it.
    Electromagnetic Interference (EMI)

    For the most part, EMI comes from other electrical equipment, such as electrical motors, fluorescent lighting, or perhaps a nearby radio transmitter. Nature can also cause EMI; the electric supply could pick up a nearby electrical storm and transmit EMI over the power lines of a building.
  79. NOTE: A shared electrical supply line carries a significant amount of electrical noise (a power stream that radically fluctuates on the line over and above the normal electrical stream) over the power line to other devices connected to the same electrical circuit. An example is the noise you hear or see on an AM radio or the TV set when a vacuum cleaner is operating on the same electrical circuit. The static you hear is electrical noise.
  80. NOTE: Nearly all electronic device power supplies are able to handle a certain amount of EMI, but excessive levels of EMI can pass through the power supply to the circuit boards, disk drives, and other internal components of a computer or networking device. The problems that can develop from EMI and electrical line noise include memory errors, data loss, loss of circuit connections, data transmission problems, and frequent system failure.
  81. Another closely related interference. Exposure to a strong radio frequency (RF) broadcast, such as from a very close television or radio transmission tower, can damage the electrical components of a PC as they absorb the energy field of the RFI.
    Radio Frequency Interference (RFI)
  82. NOTE: RFI can also be absorbed by the electrical power lines and create fluctuations on the power line similar to those caused by EMI.
  83. NOTE: While neither EMI nor RFI is a good thing, RFI poses a double threat. It could be your wireless network creating the RFI, and this RFI is intelligible. It's common for war drivers (people driving around trying to tap into wireless networks) to be able to receive a wireless RF signal outside of a building.
  84. NOTE: The solution to protecting a network from EMI and the interception of RF is to shield the data center. There are several ways to do this, but perhaps the most secure is a Faraday cage or Faraday shield.
  85. Consists of an electric-conductive metal wire mesh that is installed either inside or on the surface of the walls, ceiling, and floor of a data center, creating a cage-like wrapping. This cage absorbs any interference entering or exiting the data center, which protects the electronics, transmitted signals, and wireless transmissions from interception.
    Faraday cage or Faraday shield
  86. NOTE: Remember that the security of the resources on a network is just as susceptible to environmental damage as it is to a hacker, if not more so. Monitoring the system's environment is a crucial duty of a secure network administrator.
  87. Who should assume responsibility for conducting user awareness training?
    A. Outside Consultants
    B. Secure Network Administration
    C. The user.
    D. The users' managers
    B. Secure Network Administration
  88. What term describes information stored on a network that may identify an individual user?
    A. MAC Address
    B. IP Address
    C. Password
    D. PII
    D. PII
  89. What process divides data into groups depending on the level of protection or security the information requires?
    A. Information Retention
    B. Information Storage
    C. Information Handling
    D. Information Classification
    D. Information Classification
  90. What physical security method involves a space between two interlocking doorways?
    A. Dead zone
    B. Security Fencing
    C. Mantrap
    D. DMZ
    C. Mantrap
  91. What fire suppression chemical extinguishes Class C electrical fires?
    A. Halon
    B. Water
    C. Alcohol
    D. Soda-acid
    A. Halon
Card Set: lesson 6
2015-01-27 20:49:03
ST lesson 6