Card Set Information

2015-08-22 12:05:13

smaller set
Show Answers:

  1. Due Care
    Minimum and customary practic of responsible protection of assets
  2. Due Diligence
  3. The prudent management and execution of due care.
  4. 3 access control measures
    • Preventive
    • Detective
    • Corrective
  5. Describe CIA and DAD?
    • Confidentiality, Integrity and Availability
    • vs.
    • Disclosure, Alteration and Destruction
  6. What are the most important port numbers?
    • FTP Port 21
    • SSH Port 22
    • Telnet Port 23
    • HTTP Port 80
    • HTTPS Prt 443
    • SMTP Port 25
  7. What are the 8 domains?
    • 1. Security & Risk Management
    • 2. Asset Security
    • 3. Security Engineering
    • 4. Communications & Network Security
    • 5. Identity and Access Management
    • 6. Security Assessment & Testing
    • 7. Security Operations
    • 8. Software Development Security
  8. Which methods will securely erase a Solid State Drive?
    • ATA Secure Erase
    • Physical destruction

    • But not:
    • Format drive
    • sector by sector overwrite
    • Delete all files
    • Degaussing
  9. Authentication?
    Establishes, tests or reconciles a user's identity.
  10. Authorization?
    Deals with the rights and permissions granted to an individual or process that enable access to a computer
  11. Accountability
    systems ability to determine the actions of a user. Shows that a particular individual performed an action thur audit trails and logs.
  12. Risk
    Threat x Vulnerabilty
  13. Metasploit
    A framework with a command shell and dynamic payloads.
  14. ROI
    Easier to prove with preventive controls
  15. Detective controls
    Hard to justify with basic TCO and ROI
  16. Interconnection Security Agreement (ISA)
    defines the technical security requirements when connecting two organizations together. Supports a Memorandum of Understanding.
  17. OCTAVE
    Operationally Critical Threat, Asset and Vulnerability Evaluation
  18. CVSSv2
    Common Vulnerability Scoring System
  19. CVSS Metrics (3)
    • Base
    • Temporal
    • Environmental

    Base includes: Access Vector, Access Complexity, Authentication, Confidentiality, Integrity and Availability impacts
  20. Buffer overflow
    Smash the stack
  21. Race condition
    Exploits the gap between the time a security check is applied and the time the code is executed. Also called Time of check/time of use.
  22. Man in the middle
    • Masquerading
    • Replay attack
    • Spoofing
  23. Spoofing
    Lying about who you are
  24. Resource Exhaustion
    CAM Flood (content addressable memory table)
  25. Virus
    requires a carrier to spread
  26. Worm
    Spreads independently; infects one system, then many
  27. Trojan
    Appears benign (overtly) but has a covert malicious function
  28. Botnet
    a collection of compromised hosts controlled by a bot herder
  29. Server side attack
    Service side attack; initial SYN sent by the attacker
  30. Client side attack
    Victim initiates the attack by downloading malicious content
  31. Emanations
    EMI leaving a system; study of these Compromising Emanations is through TEMPEST
  32. Criminal law
    results in monetary penalties or prison

    Beyond a reasonable doubt
  33. Civil law
    Punitive or compensatory damages but no prison

    Tort law

    Preponderance of evidence
  34. Administrative/Regulatory law
    HIPAA etc.
  35. Categories of computer crime (10)
    • white collar/financial fraud
    • corporate espionage
    • hacking
    • stalking
    • child porn
    • organized crime
    • terroism
    • identity theft
    • social engineering
    • insider theft
  36. International Computer Crime
    • United Nations
    • The G8 nations
    • Mutual Legal Assistance Treaties
    • European Union Border Controls (Interpol)
  37. Patent
    20 year property right for the inventor; effective only in the US and territories

    right to exclude others from making, using, offering for sale, selling or importing the invention
  38. Copyright
    Form of expression (rather than the subject)
  39. Trademark
    mark is also called a servicemark (for services) while a trademark is for goods

    good indefinitely
  40. Trade secret
    IP that is not publicly available

    covered by an NDA

    must be proven to be protected to have any recourse
  41. Crippleware
    Software with limited functionality
  42. Privacy Act of 1974
    requires govt to keep information on individuals private and protected
  43. International Privacy
    OECD (Organization for Economic Cooperation and Development) PLUS

    European Union Data Protection Directive
  44. Ethics Bodies
    • IAB (Internet Activities Board)
    • Computer Ethics Institute
    • Association for Computing Machinery (ACM)
    • Institute of Electrical and Electronics Engineers (IEEE)
    • Information Systems Audit and Control Association (ISACA)
    • International Information Systems Security Certification Consortium (ISC)2
  45. Polices
    Directive controls

    High level guidance


    change infrequently but may be added to
  46. Procedures
    • speed limit signs
    • more detailed than policies
    • focused on how to achieve
    • should change frequently

    security configuration
  47. Standard
    • mandatory
    • specific
    • specifies a certain way of doing something

    Baseline is a specific implementation of a standard
  48. Guidelines
    • suggestion
    • assists users
    • not compulsory
  49. Controlling your environment
    • Policy - tells a user what to do
    • Training - provides the skill set
    • Awareness - changes user behavior