CHAPTER SUMMARY
Threats are always present and can’t be eliminated. The potential for a threat to do harm or the impact of a threat can be reduced but not the threat itself. However, many steps can be taken to reduce vulnerabilities. The most important vulnerabilities are those that are likely to match up as a threat/vulnerability pair. Once the likely threat/vulnerability pairs have been identified, mitigation techniques can be implemented.
The U.S. federal government has many resources that organizations can use to manage risk. The National Institute of Standards and Technology (NIST) has published several Special Publications. The SP 800 series includes many publications targeted for IT security. The Department of Homeland Security also has many divisions focused on IT security. Its resources are freely available to IT and security professionals.
KEY CONCEPTS AND TERMS
denial of service (DoS) attack
Department of Homeland Security (DHS)
distributed denial of service (DDoS) attack
Federally Funded Research and Development Centers (FFRDCs)
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
intrusion detection system (IDS)
intrusion prevention system (IPS)
National Cybersecurity and Communications Integration Center (NCCIC)
National Institute of Standards and Technology (NIST)
CHAPTER 2 ASSESSMENT
- What is a security policy?
- A document with a rigid set of rules created so that people follow it explicitly to be effective and avoid technical problems
- A technical control used to enforce security
- A physical control used to enforce security
- A document created by senior managers that identifies the role of security in the organization and is used as a defense mechanism to protect the assets of the organization
- What should be used to ensure that users are granted only the rights to perform actions required for their jobs?
- Principle of least privilege
- Principle of need to know
- Principle of limited rights
- Separation of duties
- What should be used to ensure that the amount spent on mitigating a risk (such as buying insurance) is proportional to the risk?
- Principle of least privilege
- Principle of proportionality
- Principle of limited rights
- Principle of limited permissions
- Which of the following security principles divides job responsibilities to reduce fraud?
- Need to know
- Least privilege
- Separation of duties
- Mandatory vacations
- What can be used to ensure that unauthorized changes are not made to systems?
- Input validation
- Patch management
- Version control
- Configuration management
- What are two types of intrusion detection systems?
- Intentional and unintentional
- Natural and man-made
- Host based and network based
- Technical and physical
- A technical control prevents unauthorized personnel from having physical access to a secure area or secure system.
- True
- False
- What allows an attacker to gain additional privileges on a system by sending unexpected code to the system?
- Buffer overflow
- MAC flood
- Input validation
- Spiders
- What is hardening a server?
- Securing it from the default configuration
- Ensuring it cannot be powered down
- Locking it in a room that is hard to access
- Enabling necessary protocols and services
- Which of the following steps could be taken to harden a server?
- Removing unnecessary services and protocols
- Keeping the server up to date
- Changing defaults
- Enabling local firewalls
- All of the above
- Which government agency includes the Information Technology Laboratory and publishes SP 800-30?
- NIST
- DHS
- NCCIC
- US-CERT
- Which of the following is a Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach?
- SP 800-34
- SP 800-35
- SP 800-37
- SP 800-84
- Which U.S. government agency regularly publishes alerts and bulletins related to security threats?
- NIST
- FBI
- US-CERT
- MITRE Corporation
- The CVE list is maintained by _______.
- What is the standard used to create information security vulnerability names?
- CVE
- MITRE
- DISA
- CSI