Test Bank & Solution Manual for Principles of Information Security 7th Edition

Test Bank for Principles of Information Security 7th Edition

Name:

Class:

Date:

Mod 1 Introduction to Information Security

True / False

1. During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.
   a. True
   b. False
ANSWER: True
POINTS: 1
DIFFICULTY: Easy
REFERENCES: p. 2 H1: Introduction to Information Security
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/2/2017 3:48 PM

2. Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 8 H1: What is Security?
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 12/4/2016 1:54 PM

3. When a computer is the subject of an attack, it is the entity being attacked.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 10 H1: What is Security? H2: Key Information Security Concepts
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

Copyright Cengage Learning. Powered by Cognero.

4. The value of information comes from the characteristics it possesses.
   a. True
   b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 11 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

5. E-mail spoofing involves sending an e-mail message with a harmful attachment.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 12/4/2016 2:02 PM

6. The possession of information is the quality or state of having value for some purpose or end.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

7. A breach of possession may not always result in a breach of confidentiality.
   a. True
   b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 14 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/8/2017 11:50 AM

8. Hardware is often the most valuable asset possessed by an organization, and it is the main target of intentional attacks.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 16 H1: Components of An Information System H2: Data
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/8/2017 11:50 AM

9. Information security can be an absolute.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 17 H1: Security and The Organization H2: Balancing Information Security and Access
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

10. To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats.
   a. True
   b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 17 H1: Security and The Organization H2: Balancing Information Security and Access
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/8/2017 5:20 PM

11. The bottom-up approach to information security has a higher probability of success than the top-down approach.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 18 H1: Security and The Organization H2: Approaches to Information Security Implementation
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

12. Using a methodology will usually have no effect on the probability of success.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 18 H1: Security and The Organization H2: Approaches to Information Security Implementation
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 12/4/2016 2:12 PM

13. A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements.
   a. True
   b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Security Professionals
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

14. A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.
   a. True
   b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Data Responsibilities
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

15. The roles of information security professionals focus on protecting the organization’s information systems and stored information from attacks.
   a. True
   b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Communities of Interest
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/8/2021 10:44 AM

Modified True / False

16. Every organization, whether public or private and regardless of size, has information it wants to protect. ______
ANSWER: True
POINTS: 1
REFERENCES: p. 2 H1: Introduction to Information Security
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security
DATE CREATED: 4/6/2021 8:48 AM
DATE MODIFIED: 4/8/2021 10:46 AM

17. The history of information security begins with the concept of communications security. ______
ANSWER: False - computer
POINTS: 1
REFERENCES: p. 3 H1: Introduction to Information Security
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 4/6/2021 8:50 AM
DATE MODIFIED: 4/8/2021 10:46 AM

18. RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. ______
ANSWER: True
POINTS: 1
REFERENCES: p. 5 H1: Introduction to Information Security H2: The 1970s and ’80s
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 4/6/2021 8:53 AM
DATE MODIFIED: 4/8/2021 10:46 AM

19. Much of the early research on computer security centered on a system called Management Information and Computing Service (MULTICS). _______
ANSWER: False - Multiplexed
POINTS: 1
REFERENCES: p. 6 H1: Introduction to Information Security H2: The 1970s and ’80s
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/8/2021 10:46 AM

20. According to the CNSS, networking is “the protection of information and its critical elements.” _______
ANSWER: False - information security
POINTS: 1
REFERENCES: p. 8 H1: What is Security?
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

21. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 9 H1: What is Security? H2: Key Information Security Concepts
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

22. When unauthorized individuals or systems can view information, confidentiality is breached. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 11 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

23. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 11 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

24. Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects. _______
ANSWER: False - accuracy
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM
25. Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 15 H1: Components of An Information System H2: Hardware
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

26. A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information. _______
ANSWER: False - information
POINTS: 1
REFERENCES: p. 15 H1: Components of An Information System
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

27. Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, often referred to as the bottom-up approach. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 18 H1: Security and The Organization H2: Approaches to Information Security Implementation
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM
28. The role of the project manager—typically an executive such as a chief information officer (CIO) or the vice president of information technology (VP-IT)—in this effort cannot be overstated. _______
ANSWER: False - champion
POINTS: 1
REFERENCES: p. 18 H1: Security and The Organization H2: Approaches to Information Security Implementation
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/8/2021 10:48 AM

29. Of the two approaches to information security implementation, the top-down approach has a higher probability of success. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 18 H1: Security and The Organization H2: Approaches to Information Security Implementation
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM

30. A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas. _______
ANSWER: True
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Security Professionals
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:36 PM
Multiple Choice

31. __________ is a network project that preceded the Internet.
   a. NIST
   b. ARPANET
   c. FIPS
   d. DES
ANSWER: b
POINTS: 1
REFERENCES: p. 3 H1: Introduction to Information Security H2: The 1960s
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

32. Which of the following was not an identified fundamental problem with ARPANET security?
   a. phone numbers for access were closely held and distributed on a need-to-know basis
   b. vulnerability of password structure and formats
   c. lack of safety procedures for dial-up connections
   d. nonexistent user identification and authorizations
ANSWER: a
POINTS: 1
REFERENCES: p. 4 H1: Introduction to Information Security H2: The 1970s and ’80s
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 4/6/2021 9:04 AM
DATE MODIFIED: 4/6/2021 9:07 AM

33. The famous study entitled “Protection Analysis: Final Report” focused on a project undertaken by ARPA to understand and detect __________ in operating systems security.
   a. bugs
   b. vulnerabilities
   c. malware
   d. maintenance hooks
ANSWER: b
POINTS: 1
REFERENCES: p. 5 H1: Introduction to Information Security H2: The 1970s and ’80s
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/8/2017 5:05 PM

34. __________ was the first operating system to integrate security as one of its core functions.
   a. UNIX
   b. DOS
   c. MULTICS
   d. ARPANET
ANSWER: c
POINTS: 1
REFERENCES: p. 6 H1: Introduction to Information Security H2: The 1970s and ’80s
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/8/2017 5:05 PM

35. In 1993, the first ______ conference was held in Las Vegas. Originally, it was established as a gathering for people interested in information security, including authors, lawyers, government employees, and law enforcement officials.
   a. DEFCON
   b. CyberCom
   c. Black Hat
   d. World Security
ANSWER: a
POINTS: 1
REFERENCES: p. 7 H1: Introduction to Information Security H2: The 1990s
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 4/6/2021 9:10 AM
DATE MODIFIED: 4/8/2021 10:49 AM

36. The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.
   a. communications security
   b. network security
   c. physical security
   d. information security
ANSWER: d
POINTS: 1
REFERENCES: p. 8 H1: What Is Security?
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security
DATE CREATED: 12/5/2016 7:15 PM
DATE MODIFIED: 12/5/2016 7:22 PM

37. A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.
   a. indirect
   b. direct
   c. software
   d. hardware
ANSWER: b
POINTS: 1
REFERENCES: p. 9 H1: What is Security? H2: Key Information Security Concepts
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 3/8/2017 5:07 PM

38. A subject or object’s ability to use, manipulate, modify, or affect another subject or object is known as ___________.
   a. access
   b. assets
   c. exploits
   d. risk
ANSWER: a
POINTS: 1
REFERENCES: p. 9 H1: What Is Security? H2: Key Information Security Concepts
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:18 PM
DATE MODIFIED: 3/8/2017 5:14 PM
39. An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________.
   a. access method
   b. asset
   c. exploit
   d. risk
ANSWER: b
POINTS: 1
REFERENCES: p. 9 H1: What Is Security? H2: Key Information Security Concepts
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:22 PM
DATE MODIFIED: 3/8/2017 5:16 PM

40. A computer is the __________ of an attack when it is used to conduct an attack against another computer.
   a. subject
   b. object
   c. target
   d. facilitator
ANSWER: a
POINTS: 1
REFERENCES: p. 10 H1: What is Security? H2: Key Information Security Concepts
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

41. A technique used to compromise a system is known as a(n) ___________.
   a. access method
   b. asset
   c. exploit
   d. risk
ANSWER: c
POINTS: 1
REFERENCES: p. 10 H1: What Is Security? H2: Key Information Security Concepts
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:22 PM
DATE MODIFIED: 3/8/2017 5:16 PM

42. In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single number called the __________ value.
   a. result
   b. smashing
   c. hash
   d. code
ANSWER: c
POINTS: 1
REFERENCES: p. 12 H1: What Is Security?
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 9/14/2016 10:30 AM

43. __________ of information is the quality or state of being genuine or original.
   a. Authenticity
   b. Spoofing
   c. Confidentiality
   d. Authorization
ANSWER: a
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

44. __________ has become a widely accepted evaluation standard for training and education related to the security of information systems and is hosted by CNSS.
   a. NIST SP 800-12
   b. NSTISSI No. 4011
   c. IEEE 802.11(g)
   d. ISO 17788
ANSWER: b
POINTS: 1
REFERENCES: p. 14 H1: What Is Security? H2: CNSS Security Model
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/8/2021 10:50 AM

45. __________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.
   a. Physical
   b. Personal
   c. Object
   d. Standard
ANSWER: a
POINTS: 1
REFERENCES: p. 15 H1: Components of An Information System H2: Hardware
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 12/5/2016 12:35 PM

46. An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization.
   a. software
   b. hardware
   c. data
   d. All of the above
ANSWER: d
POINTS: 1
REFERENCES: p. 15 H1: Components of An Information System H2: Software
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 3/8/2017 5:07 PM

47. The protection of tangible items, objects, or areas from unauthorized access and misuse is known as ___________.
   a. communications security
   b. network security
   c. physical security
   d. information security
ANSWER: c
POINTS: 1
REFERENCES: p. 15 H1: Components of An Information System H2: Hardware
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:16 PM
DATE MODIFIED: 12/5/2016 7:21 PM

48. The ______ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization.
   a. ISO
   b. CIO
   c. CISO
   d. CTO
ANSWER: c
POINTS: 1
REFERENCES: p. 19 H1: Security and The Organization H2: Security Professionals
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

49. Which of the following is a valid type of role when it comes to data ownership?
   a. Data owners
   b. Data custodians
   c. Data users
   d. All of the above
ANSWER: d
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Data Responsibilities
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 9/14/2016 10:30 AM
50. People with the primary responsibility for administering the systems that house the information used by the organization perform the role of ____.
   a. Security policy developers
   b. Security professionals
   c. System administrators
   d. End users
ANSWER: c
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Security Professionals
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 3/8/2017 5:14 PM

51. Individuals who control, and are therefore ultimately responsible for, the security and use of a particular set of information are known as data __________.
   a. owners
   b. custodians
   c. trustees
   d. users
ANSWER: a
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Data Responsibilities
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 4/6/2021 9:16 AM
DATE MODIFIED: 4/6/2021 9:18 AM

52. Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use are known as data __________.
   a. owners
   b. custodians
   c. trustees
   d. users
ANSWER: c
POINTS: 1
REFERENCES: p. 20 H1: Security and The Organization H2: Data Responsibilities
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 4/6/2021 9:20 AM
DATE MODIFIED: 4/6/2021 9:20 AM

53. The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines is called ______.
   a. Information Technology Management and Professionals
   b. Organizational Management and Professionals
   c. Information Security Management and Professionals
   d. Executive Management
ANSWER: a
POINTS: 1
REFERENCES: p. 21 H1: Security and The Organization H2: Communities of Interest
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry.
DATE CREATED: 4/6/2021 9:21 AM
DATE MODIFIED: 4/8/2021 10:51 AM

Completion

54. The history of information security begins with the concept of ________ security.
ANSWER: computer
POINTS: 1
REFERENCES: p. 3 H1: Introduction to Information Security
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

55. During the early years, information security was a straightforward process composed predominantly of ________ security and simple document classification schemes.
ANSWER: physical
POINTS: 1
REFERENCES: p. 3 H1: Introduction to Information Security
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

56. During the ________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks, so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers.
ANSWER: Cold
POINTS: 1
REFERENCES: p. 3 H1: Introduction to Information Security H2: The 1960s
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

57. The Internet brought ________ to virtually all computers that could reach a phone line or an Internet-connected local area network.
ANSWER: connectivity
POINTS: 1
REFERENCES: p. 3 H1: Introduction to Information Security H2: The 1990s
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.2 - Discuss the history of computer security and explain how it evolved into Information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

58. The CNSS model of information security evolved from a concept developed by the computer security industry known as the ________ triad.
ANSWER: CIA
        C.I.A.
        Confidentiality, Integrity, and Availability
POINTS: 1
REFERENCES: p. 8 H1: What is Security?
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

59. A computer is the ________ of an attack when it is the entity being targeted.
ANSWER: object
POINTS: 1
REFERENCES: p. 10 H1: What is Security? H2: Key Information Security Concepts
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

60. The probability of an unwanted occurrence, such as an adverse event or loss, is known as a(n) _________.
ANSWER: risk
POINTS: 1
REFERENCES: p. 10 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:29 PM
DATE MODIFIED: 4/5/2021 3:35 PM

61. Any event or circumstance that has the potential to adversely affect operations and assets is known as a(n) _________.
ANSWER: threat
POINTS: 1
REFERENCES: p. 10 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:29 PM
DATE MODIFIED: 12/5/2016 7:31 PM

62. In an organization, the value of ________ of information is especially high when it involves personal information about employees, customers, or patients.
ANSWER: confidentiality
POINTS: 1
REFERENCES: p. 11 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

63. A potential weakness in an asset or its defensive control system(s) is known as a(n) _________.
ANSWER: vulnerability
POINTS: 1
REFERENCES: p. 11 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 12/5/2016 7:28 PM
DATE MODIFIED: 12/5/2016 7:34 PM

64. Information has ________ when it is whole, complete, and uncorrupted.
ANSWER: integrity
POINTS: 1
REFERENCES: p. 12 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

65. ________ enables authorized users—people or computer systems—to access information without interference or obstruction and to receive it in the required format.
ANSWER: Availability
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

66. ________ of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
ANSWER: Authenticity
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security
DATE CREATED: 9/14/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:36 PM

67. The ________ of information is the quality or state of ownership or control of some object or item.
ANSWER: possession
POINTS: 1
REFERENCES: p. 13 H1: What is Security? H2: Critical Characteristics of Information
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic

Page 23


Name:

Class:

Date:

Mod 1 Introduction to Information Security LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 4/7/2021 6:36 PM 68. The ________ component of an information system comprises applications, operating systems, and assorted command utilities. software ANSWER: POINTS: 1 REFERENCES: p. 15 H1: Components of An Information System H2: Software QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 4/7/2021 6:36 PM 69. Software is often created under the constraints of ________ management, placing limits on time, cost, and manpower. project ANSWER: POINTS: 1 REFERENCES: p. 15 H1: Components of An Information System H2: Software QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 4/7/2021 6:36 PM 70. A frequently overlooked component of an information system, ________ are the written instructions for accomplishing a specific task. procedures ANSWER: POINTS: 1 REFERENCES: p. 16 H1: Components of An Information System H2: Procedures QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information Copyright Cengage Learning. Powered by Cognero.

Page 24


Name:

Class:

Date:

Mod 1 Introduction to Information Security

DATE CREATED: DATE MODIFIED:

security 9/14/2016 10:30 AM 4/7/2021 6:36 PM

71. The senior technology officer is typically the chief ________ officer. information ANSWER: POINTS: 1 REFERENCES: p. 19 H1: Security and The Organization H2: Security Professionals QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry. DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 4/7/2021 6:36 PM 72. A(n) ________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives. community of interest ANSWER: POINTS: 1 REFERENCES: p. 20 H1: Security and The Organization H2: Communities of Interest QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry. DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 4/7/2021 6:36 PM Essay 73. Describe the multiple types of security systems present in many organizations. A successful organization should have multiple layers of security in place to protect its ANSWER: operations, including physical, networks, and information: Physical security, to protect physical items, objects, or areas from unauthorized access and misuse Network security, to protect networking components, connections, and contents Information security, to protect the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology. Copyright Cengage Learning. Powered by Cognero.

Page 25


Name:

Class:

Date:

Mod 1 Introduction to Information Security POINTS: REFERENCES:

1 p. 8 H1: What is Security? QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.1 - Define information security DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 4/5/2021 3:40 PM 74. Outline types of data ownership and their respective responsibilities. Data owners: Those responsible for the security and use of a particular set of information. ANSWER: They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification associated with the data, as well as the changes to that classification required by organizational change. Data custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. Data users: End users who work with the information to perform their daily jobs supporting the mission of the organization. Data users are included as individuals with an information security role. POINTS: 1 REFERENCES: p. 20 H1: Security and The Organization H2: Data Responsibilities QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry. DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 9/14/2016 10:30 AM Subjective Short Answer 75. What is the difference between a threat agent and a threat source? A threat agent is the facilitator of an attack, whereas a threat source is a category of ANSWER: objects, people, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. 
Fire is a threat; however, a fire that has begun in a building is an attack. If an arsonist set the fire, then the arsonist is the threat agent. If an accidental electrical short started the fire, the short is the threat agent. POINTS:

1

Copyright Cengage Learning. Powered by Cognero.

Page 26


Name:

Class:

Date:

Mod 1 Introduction to Information Security REFERENCES:

p. 11 H1: What is Security? H2: Key Information Security Concepts QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security DATE CREATED: 4/6/2021 9:25 AM DATE MODIFIED: 4/6/2021 9:28 AM 76. Describe the need for balance between information security and access to information inherent in information systems. To achieve balance—that is, to operate an information system that satisfies the user and the ANSWER: security professional—the security level must allow reasonable access yet protect against threats. POINTS: 1 REFERENCES: p. 17 H1: Security and The Organization H2: Balancing Information Security and Access QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security DATE CREATED: 4/6/2021 9:32 AM DATE MODIFIED: 4/6/2021 9:32 AM 77. Should the overall approach to security be more managerial or technical? The approach to security should be more managerial than technical, although the technical ANSWER: ability of the resources who perform day-to-day activities is critical. The top-down approach to security implementation is by far the best. It has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture. POINTS: 1 REFERENCES: p. 18 H1: Security and The Organization H2: Approaches to Information Security Implementation QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.01.3 - Define key terms and critical concepts of information security DATE CREATED: 4/6/2021 9:35 AM DATE MODIFIED: 4/6/2021 9:36 AM 78. Describe the role of a data trustee. Copyright Cengage Learning. Powered by Cognero.

Page 27


Name:

Class:

Date:

Mod 1 Introduction to Information Security ANSWER:

Data trustees are individuals appointed by data owners to oversee the management of a particular set of information and to coordinate with data custodians for its storage, protection, and use. Because data owners are typically top-level executives and managers too busy to oversee the management of their data, they will typically appoint a senior subordinate as a data trustee to handle those responsibilities. POINTS: 1 REFERENCES: p. 20 H1: Security and The Organization H2: Data Responsibilities QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.01.4 - Name the individuals who had a great impact on the profession of dentistry. DATE CREATED: 4/6/2021 9:39 AM DATE MODIFIED: 4/6/2021 9:40 AM

Copyright Cengage Learning. Powered by Cognero.

Page 28


Name:

Class:

Date:

Mod 2 The Need for Information Security

True / False

1. Media are items of fact collected by an organization and include raw numbers, facts, and words.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 28 H1: Introduction
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security
DATE CREATED: 12/28/2016 9:32 AM
DATE MODIFIED: 3/8/2017 5:28 PM

2. Information security’s primary mission is to ensure that systems and their contents retain their confidentiality at any cost.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 28 H1: Introduction
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

3. Media as a subset of information assets are the systems and networks that store, process, and transmit information.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 28 H1: Introduction
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security
DATE CREATED: 12/28/2016 9:34 AM
DATE MODIFIED: 12/28/2016 9:35 AM

4. The information security function in an organization safeguards its technology assets.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 28 H1: Introduction
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:25 PM

5. As an organization grows, it must often use more robust technology to replace the security technologies it may have outgrown.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 28 H1: Introduction H2: Business Needs First
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:25 PM

6. Two watchdog organizations that investigate allegations of software abuse are the Software & Information Industry Association (SIIA) and National Security Agency (NSA).
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 35 H1: The 12 Categories of Threats H2: Compromises to Intellectual Property
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:26 PM

7. A number of technical mechanisms—digital watermarks and embedded code, copyright codes, and even the intentional placement of bad sectors on software media—have been used to deter or prevent the theft of software intellectual property.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 35 H1: The 12 Categories of Threats H2: Compromises to Intellectual Property
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

8. Expert hackers are extremely talented individuals who usually devote lots of time and energy to attempting to break into other people’s information systems.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 39 H1: The 12 Categories of Threats H2: Espionage or Trespass
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

9. Attacks conducted by scripts are usually unpredictable.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 42 H1: The 12 Categories of Threats H2: Espionage or Trespass
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

Mod 2 The Need for Information Security 10. With the removal of copyright protection mechanisms, software can be easily and illegally distributed

and installed.

a. True b. False ANSWER: POINTS: REFERENCES:

True 1 H1: The 12 Categories of Threats H2: Espionage or Trespass p. 45 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/26/2021 6:41 PM 11. Organizations can use dictionaries to regulate password selection during the reset process and thus guard against easyto-guess passwords. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 46 H1: The 12 Categories of Threats H2: Espionage or Trespass QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 12. Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with very little warning and are beyond the control of people. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 47 H1: The 12 Categories of Threats H2: Forces of Nature QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats Copyright Cengage Learning. Powered by Cognero.

Page 4


Name:

Class:

Date:

Mod 2 The Need for Information Security DATE CREATED: DATE MODIFIED:

9/14/2016 10:31 AM 3/8/2017 5:27 PM

13. Much human error or failure can be prevented with effective training and ongoing awareness activities. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 50 H1: The 12 Categories of Threats H2: Human Error or Failure QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 14. An advance-fee fraud attack involves the interception of cryptographic elements to determine keys and encryption algorithms. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 51 H1: The 12 Categories of Threats H2: Human Error or Failure QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 15. Compared to Web site defacement, vandalism within a network is less malicious in intent and more public. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 56 H1: The 12 Categories of Threats H2: Sabotage or Vandalism QUESTION TYPE: True / False HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

Page 5


Name:

Class:

Date:

Mod 2 The Need for Information Security LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 16. Suppose an act of theft performed by a hacker was accompanied by defacement actions to delay discovery. The first act is obviously in the category of “theft” but the second act is another category—in this case it is a “force of nature.” a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: The 12 Categories of Threats H2: Sabotage or Vandalism p. 56 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.2 - Explain why a successful information security program is the shared responsibility of the entire organization DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 3/8/2017 5:26 PM 17. A worm requires that another program is running before it can begin functioning. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: The 12 Categories of Threats H2: Software Attacks p. 60 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 18. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 62 H1: The 12 Categories of Threats H2: Software Attacks Copyright Cengage Learning. Powered by Cognero.

Page 6


Name:

Class:

Date:

Mod 2 The Need for Information Security QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 19. DoS attacks cannot be launched against routers. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 63 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 9/14/2016 10:31 AM 20. An e-mail bomb is a form of DoS attack. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 64 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/5/2021 7:35 PM 21. A sniffer program can reveal data transmitted on a network segment, including passwords, the embedded and attached files—such as word-processing documents—and sensitive data transmitted to or from applications. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 65 Copyright Cengage Learning. Powered by Cognero.

Page 7


Name:

Class:

Date:

Mod 2 The Need for Information Security H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 3/9/2017 9:40 AM 22. When electronic information is stolen, the crime is readily apparent. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 73 H1: The 12 Categories of Threats H2: Theft QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 3/8/2017 5:27 PM Modified True / False 23. Media assets are the focus of information security and are the information that has value to the organization, as well as the systems that store, process, and transmit the information. ______ ANSWER: False - Information POINTS: 1 REFERENCES: p. 28 H1: Introduction to Information Security QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security DATE CREATED: 12/28/2016 9:35 AM DATE MODIFIED: 4/26/2021 6:41 PM 24. Intellectual property is defined as “the creation, ownership, and control of ideas as well as the representation of those ideas.” ______ ANSWER: True POINTS: 1 REFERENCES: p. 34 H1: The 12 Categories of Threats Copyright Cengage Learning. Powered by Cognero.

Page 8


Name:

Class:

Date:

Mod 2 The Need for Information Security H2: Compromises to Intellectual Property QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 25. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. ______ ANSWER: False - spike POINTS: 1 REFERENCES: p. 39 H1: The 12 Categories of Threats H2: Deviations in Quality of Service QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 26. Hackers are “persons who access systems and information without authorization and often illegally.” ______ ANSWER: True POINTS: 1 REFERENCES: H1: The 12 Categories of Threats H2: Compromises to Intellectual Property p. 40 QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 27. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual’s shoulder or viewing the information from a distance. ______ False - surfing ANSWER: POINTS: 1 REFERENCES: p. 40 H1: The 12 Categories of Threats H2: Compromises to Intellectual Property Copyright Cengage Learning. Powered by Cognero.

Page 9


Name:

Class:

Date:

Mod 2 The Need for Information Security QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 28. Packet munchkins use automated exploits to engage in distributed denial-of-service attacks. ______ ANSWER: False - monkeys POINTS: 1 REFERENCES: p. 42 H1: The 12 Categories of Threats H2: Espionage or Trespass QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 29. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. ______ ANSWER: False - cracker POINTS: 1 REFERENCES: p. 45 H1: The 12 Categories of Threats H2: Espionage or Trespass QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 30. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. ______ False - brute force ANSWER: POINTS: 1 REFERENCES: p. 45 H1: The 12 Categories of Threats H2: Espionage or Trespass QUESTION TYPE: Modified True / False Copyright Cengage Learning. Powered by Cognero.

Page 10


Name:

Class:

Date:

Mod 2 The Need for Information Security HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 31. Cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways. ______ ANSWER: True POINTS: 1 REFERENCES: p. 57 H1: The 12 Categories of Threats H2: Sabotage or Vandalism QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 32. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. ______ ANSWER: True POINTS: 1 REFERENCES: p. 58 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 33. Software code known as a(n) cookie can allow an attacker to track a victim's activity on Web sites. ______ ANSWER: True POINTS: 1 REFERENCES: p. 59 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic Copyright Cengage Learning. Powered by Cognero.

Page 11


Name:

Class:

Date:

Mod 2 The Need for Information Security LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 34. The macro virus infects the key operating system files located in a computer’s start-up sector. ______ ANSWER: False - boot POINTS: 1 REFERENCES: p. 60 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 35. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures. ______ ANSWER: True POINTS: 1 REFERENCES: p. 62 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 36. Once a(n) back door has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. ______ ANSWER: False - virus False - worm POINTS: 1 REFERENCES: p. 63 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic Copyright Cengage Learning. Powered by Cognero.

Page 12


Name:

Class:

Date:

Mod 2 The Need for Information Security LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 37. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. ______ False - bomb ANSWER: POINTS: 1 REFERENCES: p. 64 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM 38. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. ______ False - packet ANSWER: POINTS: 1 REFERENCES: p. 65 H1: The 12 Categories of Threats H2: Software Attacks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats DATE CREATED: 9/14/2016 10:31 AM DATE MODIFIED: 4/7/2021 6:34 PM Multiple Choice 39. Which of the following functions does information security perform for an organization? a. Protecting the organization’s ability to function. b. Enabling the safe operation of applications implemented on the organization’s IT systems. c. Protecting the data the organization collects and uses. d. All of the above. ANSWER: d POINTS: 1 REFERENCES: p. 28 Copyright Cengage Learning. Powered by Cognero.

H1: Introduction to Information Security
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.1 - Discuss the need for information security
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

40. The process of maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as ______ security.
a. database
b. data
c. information
d. residual
ANSWER: a
POINTS: 1
REFERENCES: p. 29; H1: Introduction to Information Security; H2: Business Needs First
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.2 - Explain why a successful information security program is the shared responsibility of the entire organization
DATE CREATED: 12/28/2016 9:39 AM
DATE MODIFIED: 4/7/2021 6:34 PM

41. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
a. SSL
b. SLA
c. MSL
d. MIN
ANSWER: b
POINTS: 1
REFERENCES: p. 37; H1: The 12 Categories of Threats; H2: Deviations in Quality of Service
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

42. A short-term interruption in electrical power availability is known as a ____.
a. fault
b. brownout
c. blackout
d. lag
ANSWER: a

POINTS: 1
REFERENCES: p. 39; H1: The 12 Categories of Threats; H2: Deviations in Quality of Service
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

43. When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting ______.
a. industrial espionage
b. competitive intelligence
c. opposition research
d. hostile investigation
ANSWER: a
POINTS: 1
REFERENCES: p. 39; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/15/2016 12:27 PM
DATE MODIFIED: 4/7/2021 6:34 PM

44. A long-term interruption (outage) in electrical power availability is known as a(n) ______.
a. blackout
b. sag
c. brownout
d. fault
ANSWER: a
POINTS: 1
REFERENCES: p. 39; H1: The 12 Categories of Threats; H2: Deviations in Quality of Service
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 9:44 AM
DATE MODIFIED: 4/7/2021 6:34 PM

45. Hackers can be generalized into two skill groups: expert and ______.
a. novice
b. journeyman
c. packet monkey
d. professional
ANSWER: a
POINTS: 1
REFERENCES: p. 40; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

46. Acts of ______ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
a. bypass
b. theft
c. trespass
d. security
ANSWER: c
POINTS: 1
REFERENCES: p. 40; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

47. The ______ data file contains the hashed representation of the user’s password.
a. SLA
b. SNMP
c. FBI
d. SAM
ANSWER: d
POINTS: 1
REFERENCES: p. 46; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM

DATE MODIFIED: 4/7/2021 6:34 PM

48. A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file is known as a(n) ______.
a. rainbow table
b. dictionary
c. crib
d. crack file
ANSWER: a
POINTS: 1
REFERENCES: p. 46; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 10:21 AM
DATE MODIFIED: 4/7/2021 6:34 PM

49. Human error or failure often can be prevented with training, ongoing awareness activities, and ______.
a. threats
b. controls
c. hugs
d. paperwork
ANSWER: b
POINTS: 1
REFERENCES: p. 50; H1: The 12 Categories of Threats; H2: Human Error or Failure
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 7:05 PM

50. Advance-Fee fraud is an example of a ______ attack.
a. social engineering
b. virus
c. worm
d. spam
ANSWER: a
POINTS: 1
REFERENCES: p. 51; H1: The 12 Categories of Threats; H2: Human Error or Failure
QUESTION TYPE: Multiple Choice

HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/26/2021 6:42 PM

51. One form of online vandalism is ______ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist
b. phreak
c. hackcyber
d. cyberhack
ANSWER: a
POINTS: 1
REFERENCES: p. 56; H1: The 12 Categories of Threats; H2: Sabotage or Vandalism
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

52. ______ is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data that result in violence against noncombatant targets by subnational groups or clandestine agents.
a. infoterrorism
b. cyberterrorism
c. hacking
d. cracking
ANSWER: b
POINTS: 1
REFERENCES: p. 57; H1: The 12 Categories of Threats; H2: Sabotage or Vandalism
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

53. ____ is any technology that aids in gathering information about a person or organization without their knowledge.
a. A bot
b. Spyware
c. A Trojan
d. A worm
ANSWER: b
POINTS: 1
REFERENCES: p. 59; H1: The 12 Categories of Threats

H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:29 PM

54. ______ are malware programs that hide their true nature and reveal their designed behavior only when activated.
a. Viruses
b. Worms
c. Spam
d. Trojan horses
ANSWER: d
POINTS: 1
REFERENCES: p. 62; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

55. Which of the following is an example of a Trojan horse program?
a. Netsky
b. MyDoom
c. Klez
d. Happy99.exe
ANSWER: d
POINTS: 1
REFERENCES: p. 62; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 9/14/2016 10:31 AM

56. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ______.
a. false alarms
b. polymorphisms
c. hoaxes
d. urban legends
ANSWER: c
POINTS: 1
REFERENCES: p. 63

H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

57. In a ______ attack, the attacker sends a large number of connection or information requests to disrupt a target from a small number of sources.
a. denial-of-service
b. distributed denial-of-service
c. virus
d. spam
ANSWER: a
POINTS: 1
REFERENCES: p. 63; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

58. A ______ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
a. denial-of-service
b. distributed denial-of-service
c. virus
d. spam
ANSWER: b
POINTS: 1
REFERENCES: p. 63; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

59. ______ are compromised systems that are directed remotely (usually by a transmitted command) by the attacker to participate in an attack.
a. Drones
b. Helpers
c. Zombies
d. Servants

ANSWER: c
POINTS: 1
REFERENCES: p. 63; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

60. In the ______ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
a. zombie-in-the-middle
b. sniff-in-the-middle
c. server-in-the-middle
d. man-in-the-middle
ANSWER: d
POINTS: 1
REFERENCES: p. 66; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

61. The ______ hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network.
a. WWW
b. TCP
c. FTP
d. HTTP
ANSWER: b
POINTS: 1
REFERENCES: p. 66; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

62. The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information is known as ______.

a. pharming
b. phishing
c. sniffing
d. spoofing
ANSWER: a
POINTS: 1
REFERENCES: p. 66; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 10:24 AM
DATE MODIFIED: 4/7/2021 6:34 PM

63. The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures, is known as ______.
a. mean time between failure (MTBF)
b. mean time to diagnose (MTTD)
c. mean time to failure (MTTF)
d. mean time to repair (MTTR)
ANSWER: a
POINTS: 1
REFERENCES: p. 67; H1: The 12 Categories of Threats; H2: Technical Hardware Failures or Errors
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 10:27 AM
DATE MODIFIED: 4/7/2021 6:34 PM

64. The average amount of time until the next hardware failure is known as ______.
a. mean time between failure (MTBF)
b. mean time to diagnose (MTTD)
c. mean time to failure (MTTF)
d. mean time to repair (MTTR)
ANSWER: c
POINTS: 1
REFERENCES: p. 67; H1: The 12 Categories of Threats; H2: Technical Hardware Failures or Errors

QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 10:29 AM
DATE MODIFIED: 4/7/2021 6:34 PM

65. Microsoft acknowledged that if you type a res:// URL (a Microsoft-devised type of URL) longer than ______ characters in Internet Explorer 4.0, the browser will crash.
a. 64
b. 128
c. 256
d. 512
ANSWER: c
POINTS: 1
REFERENCES: p. 69; H1: The 12 Categories of Threats; H2: Technical Software Failures or Errors
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

Completion

66. A(n) ______ is a potential risk to an information asset.
ANSWER: threat
POINTS: 1
REFERENCES: p. 30; H1: Information Security Threats And Attacks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

67. A(n) ______ is an act against an asset that could result in a loss.
ANSWER: attack
POINTS: 1
REFERENCES: p. 30; H1: Information Security Threats And Attacks

QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

68. Duplication of software-based intellectual property is more commonly known as software ______.
ANSWER: piracy
POINTS: 1
REFERENCES: p. 34; H1: The 12 Categories of Threats; H2: Compromises to Intellectual Property
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

69. ______ is the percentage of time a particular service is available.
ANSWER: uptime / up-time / up time
POINTS: 1
REFERENCES: p. 38; H1: The 12 Categories of Threats; H2: Deviations in Quality of Service
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 9:42 AM
DATE MODIFIED: 4/7/2021 6:34 PM

70. A momentary low voltage is called a(n) ______.
ANSWER: sag
POINTS: 1
REFERENCES: p. 39; H1: The 12 Categories of Threats; H2: Compromises to Intellectual Property
QUESTION TYPE: Completion

HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/8/2021 11:39 AM

71. Some information gathering techniques are quite legal—for example, using a Web browser to perform market research. These legal techniques are called, collectively, competitive ______.
ANSWER: intelligence
POINTS: 1
REFERENCES: p. 39; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

72. When information gatherers employ techniques in a commercial setting that cross the threshold of what is legal or ethical, they are conducting industrial ______.
ANSWER: espionage
POINTS: 1
REFERENCES: p. 39; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

73. The expert hacker sometimes is called a(n) ______ hacker.
ANSWER: elite
POINTS: 1
REFERENCES: p. 40; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Completion
HAS VARIABLES: False

STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

74. Script ______ are hackers of limited skill who use expertly written software to attack a system.
ANSWER: kiddies
POINTS: 1
REFERENCES: p. 42; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

75. A(n) ______ hacks the public telephone network to make free calls or disrupt services.
ANSWER: phreaker
POINTS: 1
REFERENCES: p. 45; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

76. Attempting to reverse-calculate a password is called ______.
ANSWER: cracking
POINTS: 1
REFERENCES: p. 45; H1: The 12 Categories of Threats; H2: Espionage or Trespass
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats

DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

77. In the context of information security, ESD is the acronym for ______ discharge.
ANSWER: electrostatic
POINTS: 1
REFERENCES: p. 49; H1: The 12 Categories of Threats; H2: Forces of Nature
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/8/2021 11:46 AM

78. In the context of information security, ______ is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.
ANSWER: social engineering
POINTS: 1
REFERENCES: p. 50; H1: The 12 Categories of Threats; H2: Human Error or Failure
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/8/2021 11:46 AM

79. The ______ fraud is a social engineering attack that involves convincing the victim to participate in a seeming moneymaking venture while getting the victim to pay fees or bribes or to refund uncleared international payments.
ANSWER: advance-fee / advance fee
POINTS: 1
REFERENCES: p. 51; H1: The 12 Categories of Threats; H2: Human Error or Failure
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats

DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

80. A computer virus consists of segments of code that perform ______ actions.
ANSWER: malicious
POINTS: 1
REFERENCES: p. 59; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

81. A(n) ______ is a malicious program that replicates itself constantly without requiring another program environment.
ANSWER: worm
POINTS: 1
REFERENCES: p. 60; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

82. A virus or worm can have a payload that installs a(n) ______ door or trap door component in a system, which allows the attacker to access the system at will with special privileges.
ANSWER: back
POINTS: 1
REFERENCES: p. 63; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

83. ______ is unsolicited commercial e-mail.
ANSWER: Spam
POINTS: 1
REFERENCES: p. 64; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

84. ______ is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host.
ANSWER: Spoofing
POINTS: 1
REFERENCES: p. 65; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

85. ______ occurs when an application running on a Web server inserts commands into a user’s browser session and causes information to be sent to a hostile server.
ANSWER: cross-site scripting (XSS) / cross-site scripting / XSS / cross site scripting (XSS) / cross site scripting
POINTS: 1
REFERENCES: p. 68; H1: The 12 Categories of Threats; H2: Technical Software Failures or Errors
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic

LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 12/28/2016 10:30 AM
DATE MODIFIED: 4/7/2021 6:34 PM

86. A(n) ______ is an application error that occurs when more data is sent to a program than it is designed to handle.
ANSWER: buffer overrun / buffer overflow
POINTS: 1
REFERENCES: p. 69; H1: The 12 Categories of Threats; H2: Technical Software Failures or Errors
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 4/7/2021 6:34 PM

Essay

87. There are 12 general categories of threat to an organization's people, information, and systems. List at least six of the general categories of threat and identify at least one example of those listed.
ANSWER:
Compromises to intellectual property
Software attacks
Deviations in quality of service
Espionage or trespass
Forces of nature
Human error or failure
Information extortion
Sabotage or vandalism
Theft
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence
POINTS: 1
REFERENCES: p. 34; H1: The 12 Categories of Threats
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:38 PM

88. Describe viruses and worms.
ANSWER: A computer virus consists of segments of code that perform malicious actions. This code behaves very much like a virus pathogen attacking animals and plants, using the cell’s own replication machinery to propagate and attack. The code attaches itself to the existing program and takes control of that program’s access to the targeted computer. The virus-controlled target program then carries out the virus’s plan by replicating itself into additional targeted systems. A worm is a malicious program that replicates itself constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
POINTS: 1
REFERENCES: p. 59; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:38 PM

89. Describe the capabilities of a sniffer.
ANSWER: A sniffer is a program or device that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information from a network. Unauthorized sniffers can be extremely dangerous to a network’s security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker’s arsenal. Sniffers often work on TCP/IP networks, where they’re sometimes called packet sniffers. Sniffers add risk to the network because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files, and screens full of sensitive data from applications.
POINTS: 1
REFERENCES: p. 65; H1: The 12 Categories of Threats; H2: Software Attacks
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 9/14/2016 10:31 AM
DATE MODIFIED: 3/8/2017 5:39 PM

Subjective Short Answer

90. Why is information security a management problem? What can management do that technology cannot?
ANSWER: General management, IT management, and information security management are each responsible for implementing information security that protects the organization’s ability to function. Although many business and government managers shy away from addressing information security because they perceive it to be a technically complex task, implementing information security actually has more to do with management than technology. Just as managing payroll involves management more than mathematical wage computations, managing information security has more to do with policy and its enforcement than the technology of its implementation.
POINTS: 1
REFERENCES: p. 29; H1: Introduction To The Need For Information Security; H2: Business Needs First
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.2 - Explain why a successful information security program is the shared responsibility of the entire organization
DATE CREATED: 4/8/2021 12:11 PM
DATE MODIFIED: 4/8/2021 12:12 PM

91. What is information extortion? Describe how such an attack can cause losses.
ANSWER: When an attacker can control access to an asset, it can be held hostage to the attacker’s demands. For example, if attackers gain access to a database and then encrypt its data, they may extort money or other value from the owner by threatening to share the encryption key and the data with others.
POINTS: 1
REFERENCES: p. 54; H1: The 12 Categories of Threats; H2: Information Extortion
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.02.3 - List and describe the threats posed to information security and common attacks associated with those threats
DATE CREATED: 4/8/2021 12:17 PM
DATE MODIFIED: 4/8/2021 12:18 PM

92. What is a SQL Injection? SQL injection occurs when developers fail to properly validate user input before using it to ANSWER: query a relational database allowing an attacker to gain unauthorized access to data. POINTS: 1 REFERENCES: H1: The 12 Categories of Threats H2: Technical Software Failures or Errors Copyright Cengage Learning. Powered by Cognero.

Page 32


Name:

Class:

Date:

Mod 2 The Need for Information Security p. 68 QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.02.4 - List the common information security issues that result from poor software development efforts DATE CREATED: 4/8/2021 12:21 PM DATE MODIFIED: 4/8/2021 12:23 PM

Copyright Cengage Learning. Powered by Cognero.

Mod 3 Information Security Management

True / False

1. A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: H1: Information Security Policy, Standards, And Practices H2: Policy as the Foundation for Planning p. 88 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 3/8/2017 6:27 PM

2. Good security programs begin and end with policy. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 88 H1: Information Security Policy, Standards, And Practices QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 9/14/2016 10:37 AM

3. The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 91 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 12/28/2016 3:23 PM

4. You can create a single, comprehensive ISSP document covering all information security issues. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 92 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 3/8/2017 6:28 PM

5. Each policy should contain procedures and a timetable for periodic review. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 94 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 9/14/2016 10:37 AM

6. A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 94 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 4/27/2021 7:31 PM

7. A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 95 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:37 AM DATE MODIFIED: 9/14/2016 10:37 AM

8. ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 97 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

9. To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: H1: Information Security Policy, Standards, And Practices H2: Policy Management p. 103 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 3/8/2017 6:28 PM

10. The policy administrator is responsible for the creation, revision, distribution, and storage of the policy. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: H1: Information Security Policy, Standards, And Practices H2: Policy Management p. 103 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

11. Every member of the organization's InfoSec department must have a formal degree or certification in information security. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: H1: Security Education, Training, And Awareness Program H2: Security Education p. 105 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

12. Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: H1: Security Education, Training, And Awareness Program H2: Security Training p. 106 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

13. The security framework is a more detailed version of the security blueprint. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

14. The complete details of ISO/IEC 27002 are widely available to everyone. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks H2: The ISO 27000 Series QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 12/28/2016 3:52 PM

15. The ISO/IEC 27000 series is derived from an earlier standard, BS7799. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks H2: The ISO 27000 Series QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 12/28/2016 3:49 PM

16. The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 108 H1: Information Security Blueprint, Models, and Frameworks H2: The ISO 27000 Series QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

17. Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 110 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

18. NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 110 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 3/8/2017 6:28 PM

19. NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 111 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

20. In 2016, NIST published a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States, based on vendor-specific technologies. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 111 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 3/8/2017 6:29 PM

21. Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 3/8/2017 6:29 PM

22. To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

Modified True / False

23. The operational plan documents the organization’s intended long-term direction and efforts for the next several years. _____
ANSWER: False - strategic
POINTS: 1 REFERENCES: p. 84 H1: Information Security Planning And Governance QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

24. Guidelines are detailed statements of what must be done to comply with policy. _____
ANSWER: False - Standards
POINTS: 1 REFERENCES: p. 88 H1: Information Security Policy, Standards, And Practices H2: Policy as the Foundation for Planning QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

25. A(n) strategic information security policy is also known as a general security policy, and sets the strategic direction, scope, and tone for all security efforts. _____
ANSWER: False - enterprise
POINTS: 1 REFERENCES: p. 91 H1: Information Security Policy, Standards, And Practices H2: Enterprise Information Security Policy QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/27/2021 7:32 PM

26. Systems-specific security policies are organizational policies that provide detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies. _____
ANSWER: False - Issue
POINTS: 1 REFERENCES: p. 91 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

27. A security policy should begin with a clear statement of purpose. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 94 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

28. A(n) capability table specifies which subjects and objects users or groups can access. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 95 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

29. To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 103 H1: Information Security Policy, Standards, And Practices H2: Policy Management QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/27/2021 7:32 PM

30. Some policies may also need a(n) sunset clause indicating their expiration date. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 104 H1: Information Security Policy, Standards, And Practices H2: Policy Management QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

31. The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. _____
ANSWER: True
POINTS: 1 REFERENCES: H1: Security Education, Training, And Awareness Program H2: Security Training p. 106 QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/27/2021 7:33 PM

32. The security model is the basis for the design, selection, and implementation of all security program elements, including policy implementation and ongoing policy and program management. _____
ANSWER: False - blueprint
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

33. The stated purpose of ISO/IEC 27002 is to offer guidelines and voluntary directions for information security management. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks H2: The ISO 27000 Series QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

34. NIST responded to a mandate and created a voluntary Risk Management Framework that provides an effective approach to manage cybersecurity risks. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 111 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/27/2021 7:34 PM

35. Technical controls are the tactical and technical implementations of security in the organization. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

36. One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy. _____
ANSWER: False - depth
POINTS: 1 REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

37. Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _____
ANSWER: False - domains
POINTS: 1 REFERENCES: p. 116 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

38. The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. _____
ANSWER: False - proxy
POINTS: 1 REFERENCES: p. 116 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

Multiple Choice

39. Which of these is NOT a unique function of information security management?
a. hardware
b. planning
c. policy
d. programs
ANSWER: a
POINTS: 1 REFERENCES: H1: Introduction To The Management Of Information Security P. 82 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.1 - Describe the different management functions with respect to information security DATE CREATED: 4/21/2021 5:54 PM DATE MODIFIED: 4/27/2021 7:35 PM

40. Which of these is not one of the general categories of security policy?
a. Category-specific policy (CSP)
b. Enterprise information security policy (EISP)
c. Issue-specific security policy (ISSP)
d. Systems-specific policy (SysSP)
ANSWER: a
POINTS: 1 REFERENCES: p. 83 H1: Introduction To The Management Of Information Security H2: Policy QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.1 - Describe the different management functions with respect to information security DATE CREATED: 4/25/2021 1:14 PM DATE MODIFIED: 4/25/2021 1:17 PM

41. A(n) _____ plan is a plan for the organization’s intended efforts over the next several years (long-term).
a. standard
b. operational
c. tactical
d. strategic
ANSWER: d
POINTS: 1 REFERENCES: H1: Information Security Planning And Governance p. 84 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/27/2021 7:36 PM

42. Which of these best defines information security governance?
a. The application of the principles and practices of corporate governance to the information security function.
b. The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction.
c. Executive management’s responsibility to provide strategic direction, ensure the accomplishment of objectives.
d. The process of defining and specifying the long-term direction (strategy) to be taken by an organization.
ANSWER: a
POINTS: 1 REFERENCES: p. 84 H1: Information Security Planning And Governance H2: Information Security Leadership QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it DATE CREATED: 4/25/2021 1:20 PM DATE MODIFIED: 4/25/2021 1:22 PM

43. The goals of information security governance include all but which of the following?
a. Regulatory compliance by using information security knowledge and infrastructure to support minimum standards of due care
b. Strategic alignment of information security with business strategy to support organizational objectives
c. Risk management by executing appropriate measures to manage and mitigate threats to information resources
d. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
ANSWER: a
POINTS: 1 REFERENCES: p. 84 H1: Information Security Planning And Governance H2: Information Security Leadership QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM

44. The actions taken by management to specify the short-term goals and objectives of the organization are _____.
a. operational planning
b. tactical planning
c. strategic planning
d. contingency planning
ANSWER: a
POINTS: 1 REFERENCES: p. 87 H1: Information Security Planning And Governance H2: Planning Levels QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it DATE CREATED: 4/25/2021 1:28 PM DATE MODIFIED: 4/27/2021 7:37 PM

45. The actions taken by management to specify the intermediate goals and objectives of the organization are _____.
a. operational planning
b. tactical planning
c. strategic planning
d. contingency planning
ANSWER: b
POINTS: 1 REFERENCES: p. 87 H1: Information Security Planning And Governance H2: Planning Levels QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it DATE CREATED: 4/25/2021 1:25 PM DATE MODIFIED: 4/27/2021 7:37 PM

46. A detailed statement of what must be done to comply with management intent is known as a _____.
a. guideline
b. standard
c. procedure
d. practice
ANSWER: b
POINTS: 1 REFERENCES: p. 88 H1: Information Security Policy, Standards, And Practices H2: Policy as the Foundation for Planning QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 4/25/2021 1:34 PM DATE MODIFIED: 4/27/2021 7:37 PM

47. Standards may be published, scrutinized, and ratified by a group, as in formal or _____ standards.
a. de formale
b. de public
c. de jure
d. de facto
ANSWER: c
POINTS: 1 REFERENCES: p. 88 H1: Information Security Policy, Standards, And Practices H2: Policy as the Foundation for Planning QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:21 PM

48. Nonmandatory recommendations the employee may use as a reference is known as a _____.
a. guideline
b. standard
c. procedure
d. practice
ANSWER: a
POINTS: 1 REFERENCES: p. 88 H1: Information Security Policy, Standards, And Practices H2: Policy as the Foundation for Planning QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 4/25/2021 1:32 PM DATE MODIFIED: 4/27/2021 7:37 PM

49. The _____ is the high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts.
a. SysSP
b. EISP
c. GSP
d. ISSP
ANSWER: b
POINTS: 1 REFERENCES: p. 91 H1: Information Security Policy, Standards, And Practices H2: Enterprise Information Security Policy QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:21 PM

50. The EISP component of _____ provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets.
a. Need for Information Security
b. Information Security Responsibilities and Roles
c. Statement of Purpose
d. Information Security Elements
ANSWER: a
POINTS: 1 REFERENCES: p. 92 H1: Information Security Policy, Standards, And Practices H2: Enterprise Information Security Policy QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 4/25/2021 1:38 PM DATE MODIFIED: 4/25/2021 1:40 PM

51. _____ often function as standards or procedures to be used when configuring or maintaining systems.
a. ESSPs
b. EISPs
c. ISSPs
d. SysSPs
ANSWER: d
POINTS: 1 REFERENCES: p. 95 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:21 PM

52. The SETA program is a control measure designed to reduce the instances of _____ security breaches by employees.
a. intentional
b. external
c. accidental
d. physical
ANSWER: c
POINTS: 1 REFERENCES: H1: Security Education, Training, And Awareness Program p. 104 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM

53. An information security _____ is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education, and training.
a. plan
b. framework
c. model
d. policy
ANSWER: b
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:21 PM

54. The stated purpose of ISO/IEC 27002:2013 is to give guidelines for organizational information security standards and information security _____ practices.
a. implementation
b. certification
c. management
d. accreditation
ANSWER: c
POINTS: 1 REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks H2: The ISO 27000 Series QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/14/2021 7:14 PM

55. When ISO 17799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems?
a. The standard lacked the measurement precision associated with a technical standard.
b. It was not as complete as other frameworks.
c. The standard was hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.
d. The global information security community had already defined a justification for a code of practice, such as the one identified in ISO/IEC 17799.
ANSWER: d
POINTS: 1 REFERENCES: p. 108 H1: Information Security Blueprint, Models, and Frameworks H2: The ISO 27000 Series QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/27/2021 7:38 PM

56. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security _____.
a. plan
b. standard
c. policy
d. blueprint
ANSWER: d
POINTS: 1 REFERENCES: p. 110 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:21 PM

57. According to NIST SP 800-14's security principles, security should _____.
a. support the mission of the organization
b. require a comprehensive and integrated approach
c. be cost-effective
d. All of the above
ANSWER: d
POINTS: 1 REFERENCES: p. 110 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act. DATE CREATED: 9/14/2016 10:38 AM

Page 20


Name:

Class:

Date:

Mod 3 Information Security Management DATE MODIFIED:

4/17/2021 2:21 PM

58. In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework, which intends to allow organizations to _____.
a. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
b. assess progress toward a recommended target state
c. communicate among local, state, and national agencies about cybersecurity risk
d. None of these
ANSWER: a
POINTS: 1
REFERENCES: p. 111 H1: Information Security Blueprint, Models, and Frameworks H2: NIST Security Models
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

59. The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the _____ side of the organization.
a. technology
b. Internet
c. people
d. operational
ANSWER: c
POINTS: 1
REFERENCES: p. 113 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

60. _____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.
a. Managerial
b. Technical
c. Operational
d. Informational
ANSWER: a
POINTS: 1
REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:21 PM

61. _____ controls address personnel security, physical security, and the protection of production inputs and outputs.
a. Informational
b. Operational
c. Technical
d. Managerial
ANSWER: b
POINTS: 1
REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:21 PM

62. _____ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
a. Networking
b. Proxy
c. Defense in depth
d. Best-effort
ANSWER: c
POINTS: 1
REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

63. _____ is a strategy of using multiple types of controls that prevent the failure of one system from compromising the security of information.
a. Firewalling
b. Hosting
c. Redundancy
d. Domaining
ANSWER: c
POINTS: 1
REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/27/2021 7:39 PM

64. Redundancy can be implemented at a number of points throughout the security architecture, such as in _____.
a. firewalls
b. proxy servers
c. access controls
d. All of the above
ANSWER: d
POINTS: 1
REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:21 PM

65. Security _____ are the areas of trust within which users can freely communicate.
a. perimeters
b. domains
c. rectangles
d. layers
ANSWER: b
POINTS: 1
REFERENCES: p. 116 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

Completion

66. The _____ of an organization are the intermediate states obtained to achieve progress toward a goal or goals.
ANSWER: objectives
POINTS: 1
REFERENCES: p. 84 H1: Information Security Planning And Governance
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

67. The process of _____ planning is that of defining and specifying the long-term direction to be taken by an organization.
ANSWER: strategic
POINTS: 1
REFERENCES: p. 84 H1: Information Security Planning And Governance
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it
DATE CREATED: 4/25/2021 1:44 PM
DATE MODIFIED: 4/25/2021 1:45 PM

68. The process of _____ governance is the executive management team’s responsibility to provide strategic direction.
ANSWER: corporate
POINTS: 1
REFERENCES: p. 84 H1: Information Security Planning And Governance
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it
DATE CREATED: 4/25/2021 1:47 PM
DATE MODIFIED: 4/25/2021 1:48 PM

69. A(n) _____ plan is used to plan for the organization’s intended efforts on a day-to-day basis for the next several months.
ANSWER: operational
POINTS: 1
REFERENCES: p. 87 H1: Information Security Planning And Governance H2: Planning Levels
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.2 - Define information security governance and list the expectations of the organization’s senior management with respect to it
DATE CREATED: 4/25/2021 1:50 PM
DATE MODIFIED: 4/27/2021 7:39 PM

70. A(n) _____ directs members of an organization as to how issues should be addressed and how technologies should be used.
ANSWER: policy
POINTS: 1
REFERENCES: p. 88 H1: Information Security Policy, Standards, And Practices
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

71. _____-specific security policies often function as standards or procedures to be used when configuring or maintaining security technologies.
ANSWER: Systems
POINTS: 1
REFERENCES: p. 95 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/27/2021 7:40 PM

72. A(n) _____ control list is a specification of authorization that governs the rights and privileges of users to a particular information asset.
ANSWER: access
POINTS: 1
REFERENCES: p. 95 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 4/25/2021 1:54 PM
DATE MODIFIED: 4/25/2021 1:56 PM

73. _____ rules are the instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
ANSWER: configuration
POINTS: 1
REFERENCES: p. 97 H1: Information Security Policy, Standards, And Practices H2: System-Specific Security Policy
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 4/25/2021 1:58 PM
DATE MODIFIED: 4/25/2021 1:59 PM

74. Policy _____ means the employee must agree to the policy; that is, policies must be agreed to by act or affirmation.
ANSWER: compliance
POINTS: 1
REFERENCES: p. 100 H1: Information Security Policy, Standards, And Practices H2: Developing and Implementing Effective Security Policy
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 4/25/2021 2:00 PM
DATE MODIFIED: 4/25/2021 2:01 PM

75. It is good practice for the policy _____ to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when making revisions to security policies.
ANSWER: administrator
POINTS: 1
REFERENCES: p. 103 H1: Information Security Policy, Standards, And Practices H2: Policy Management
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

76. Some policies may need a(n) _____ indicating their expiration date.
ANSWER: sunset clause
POINTS: 1
REFERENCES: p. 104 H1: Information Security Policy, Standards, And Practices H2: Policy Management
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

77. The security _____ is an outline or structure of the organization’s overall information security strategy that is used as a road map for planned changes to its information security environment.
ANSWER: framework
POINTS: 1
REFERENCES: p. 107 H1: Information Security Blueprint, Models, and Frameworks
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

78. _____ controls are information security safeguards focusing on lower-level planning that deals with the functionality of the organization’s security. These safeguards include disaster recovery and incident response planning.
ANSWER: Operational
POINTS: 1
REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

79. Implementing multiple types of technology and thereby precluding that the failure of one system will compromise the security of information is referred to as _____.
ANSWER: redundancy; defense in depth
POINTS: 1
REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

80. _____ controls are information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets.
ANSWER: Technical
POINTS: 1
REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

81. _____ controls are security processes that are designed by strategic planners and implemented by the security administration of the organization.
ANSWER: Managerial
POINTS: 1
REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

82. A security _____ defines the boundary between the outer limit of an organization’s security and the beginning of the outside world.
ANSWER: perimeter
POINTS: 1
REFERENCES: p. 115 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

Essay

83. What three purposes does the ISSP serve?
ANSWER: The issue-specific security policy, or ISSP, 1) addresses specific areas of technology, 2) requires frequent updates, and 3) contains a statement about the organization’s position on a specific issue.
POINTS: 1
REFERENCES: p. 91 H1: Information Security Policy, Standards, And Practices H2: Issue-Specific Security Policy
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 3/8/2017 6:49 PM

84. What is the purpose of security education, training, and awareness (SETA)?
ANSWER: The purpose of SETA is to enhance security by:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
POINTS: 1
REFERENCES: p. 105 H1: Security Education, Training, And Awareness Program
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 9/14/2016 10:38 AM

Subjective Short Answer

85. List and briefly describe the general categories of information security policy.
ANSWER: In InfoSec, there are three general policy categories:
• Enterprise information security policy (EISP)—Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts the program policy, which is usually supported and signed by the CIO or the CEO.
• Issue-specific security policies (ISSPs)—These are sets of rules that define acceptable behavior within a specific organizational resource, such as email or Internet usage.
• Systems-specific policies (SysSPs)—A merger of technical and managerial intent, SysSPs include both the managerial guidance for the implementation of a technology as well as the technical specifications for its configuration.
POINTS: 1
REFERENCES: p. 90 H1: Information Security Policy, Standards, And Practices H2: Policy as the Foundation for Planning
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.3 - Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
DATE CREATED: 4/25/2021 2:06 PM
DATE MODIFIED: 4/27/2021 7:41 PM

86. What is the purpose of the SETA program?
ANSWER: The purpose of SETA is to enhance security by doing the following:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems
POINTS: 1
REFERENCES: p. 104 H1: Security Education, Training, And Awareness Program
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.03.4 - List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization
DATE CREATED: 4/25/2021 2:14 PM
DATE MODIFIED: 4/25/2021 2:15 PM

87. Briefly describe management, operational, and technical controls, and explain when each would be applied as part of a security framework.
ANSWER: Management controls cover security processes that are designed by strategic planners and implemented by an organization’s security administration. These designs include setting the direction and scope of the security processes and provide detailed instruction for their conduct. Operational controls deal with the functionality of security in the organization, including disaster recovery and incident response planning.
Technical controls address tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting appropriate technologies for protecting information.
POINTS: 1
REFERENCES: p. 114 H1: Information Security Blueprint, Models, and Frameworks H2: Design of the Security Architecture
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.03.5 - Discuss the Dental Practice Act.
DATE CREATED: 4/25/2021 2:11 PM
DATE MODIFIED: 4/25/2021 2:12 PM

Mod 4 Risk Management

True / False

1. The upper management of an organization must structure the IT and information security functions to defend the organization’s information assets.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 122 H1: Introduction to Risk Management
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

2. According to Sun Tzu, if you know yourself and know your enemy, you have an average chance to be successful in an engagement.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 122 H1: Introduction to Risk Management H2: Sun Tzu and the Art of Risk Management
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:17 PM

3. Knowing yourself means identifying, examining, and understanding the threats facing the organization's information assets.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 122 H1: Introduction to Risk Management H2: Sun Tzu and the Art of Risk Management
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 6:57 PM

4. Risk control, also known as risk treatment, is the application of controls that reduce the risks to an organization’s information assets to an acceptable level.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 123
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.2 - Explain the risk management framework and process model, including major components
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 6:58 PM

5. In addition to their other responsibilities, the three communities of interest are responsible for determining which control options are cost effective for the organization.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 125 H1: The Risk Management Framework H2: The Roles of the Communities of Interest
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.2 - Explain the risk management framework and process model, including major components
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:18 PM

6. Residual risk is the risk that organizations are willing to accept even after current controls have been applied.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 126 H1: The Risk Management Framework H2: Defining the Organization’s Risk Tolerance and Risk Appetite
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 6:59 PM

7. The organization should adopt naming standards that do not convey information to potential system attackers.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 132 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 6:59 PM

8. Identifying human resources, documentation, and data information assets of an organization is easier than identifying hardware and software assets.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 133 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 7:00 PM

9. A data classification scheme is a formal access control methodology used to assign a level of availability to an information asset and thus restrict which people can access it.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 134 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 7:01 PM

10. Within a data classification scheme, "comprehensive" means that an information asset should fit in only one category.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 135 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:19 PM

11. A security clearance is a component of a data classification scheme that assigns a status level to systems to designate the maximum level of classified data that may be stored on them.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 135 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:19 PM

12. When determining the relative importance of each asset, refer to the organization’s mission statement or statement of objectives to determine which elements are essential, which are supportive, and which are merely adjuncts.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 135 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

13. When it is necessary to calculate, estimate, or derive values for information assets, you might give consideration to the value incurred from the cost of protecting the information.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 162 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

14. The value of information to the organization's competition should influence the asset's valuation.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 162 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

15. You cannot use qualitative measures to rank information asset values.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 139 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

16. The threats-vulnerabilities-assets (TVA) worksheet is a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
a. True  b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 141 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

17. Risk mitigation is the risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards, but it is not the preferred approach to controlling risk.
a. True  b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: Risk Treatment/Risk Response p. 152
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.6 - Describe various options for a risk treatment strategy
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 7:02 PM

18. If the acceptance risk treatment strategy is used to handle every vulnerability in the organization, its managers may be unable to conduct proactive security activities and may portray an apathetic approach to security in general.
a. True  b. False
ANSWER: True
POINTS: 1
REFERENCES: H1: Risk Treatment/Risk Response H2: Risk Acceptance p. 154
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.6 - Describe various options for a risk treatment strategy
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 5/17/2021 7:03 PM

19. To determine if the risk to an information asset is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.
a. True  b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 157 H1: Managing Risk
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:21 PM

20. In a cost-benefit analysis, a single loss expectancy (SLE) is the calculated value associated with the most likely loss from an attack; the SLE is the product of the asset’s value and the annualized loss expectancy.
a. True  b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 163 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:22 PM

21. Some information security experts argue that it is virtually impossible to determine the true value of information and information-bearing assets.
a. True  b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 161 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 9/14/2016 10:42 AM

22. Cost-benefit analyses (CBAs) cannot be calculated after controls have been functioning for a time, as observation over time prevents precision in evaluating the benefits of the safeguard and determining whether it is functioning as intended.
a. True  b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 163 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:42 AM
DATE MODIFIED: 3/8/2017 9:22 PM

Modified True / False

23. When an organization depends on IT-based systems to remain viable, InfoSec and the discipline of asset management must become an integral part of the economic basis for making business decisions. _____
ANSWER: False - risk
POINTS: 1
REFERENCES: H2: Sun Tzu and the Art of Risk Management H1: Introduction to Risk Management p. 122
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 5/5/2021 6:07 PM
DATE MODIFIED: 5/5/2021 6:08 PM

24. Establishing a competitive business model, method, or technique enables an organization to provide a product or service that is superior and creates a(n) competitive advantage. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 122 H1: Introduction to Risk Management
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

25. "Know the enemy" means identifying, examining, and understanding the competition facing the organization. _____
ANSWER: False - threats
        False - threat
POINTS: 1
REFERENCES: H1: Introduction to Risk Management H2: Sun Tzu and the Art of Risk Management p. 123
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 5/5/2021 6:10 PM
DATE MODIFIED: 5/17/2021 7:06 PM

26. The identification, analysis, and evaluation of risk as initial parts of risk management is called risk assessment. _____
ANSWER: True
POINTS: 1
REFERENCES: H1: The Risk Management Framework p. 123
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 5/5/2021 6:13 PM
DATE MODIFIED: 5/5/2021 6:14 PM

27. The RM policy is a strategic document that formalizes much of the intent of the Infosec group. _____
ANSWER: False - governance
POINTS: 1
REFERENCES: H1: The Risk Management Framework p. 125 H2: The RM Policy
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 5/5/2021 6:17 PM
DATE MODIFIED: 5/17/2021 7:08 PM

28. Risk acceptance defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. _____
ANSWER: False - appetite
POINTS: 1
REFERENCES: H1: The Risk Management Framework H2: Defining the Organization’s Risk Tolerance and Risk Appetite p. 126
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

29. Pervasive risk is the amount of risk that remains to an information asset even after the organization has applied its desired level of controls. _____
ANSWER: False - Residual
POINTS: 1
REFERENCES: p. 126 H1: The Risk Management Framework H2: Defining the Organization’s Risk Tolerance and Risk Appetite
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

30. Risk perception is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically part of the risk appetite. _____
ANSWER: False - tolerance
POINTS: 1
REFERENCES: H1: The Risk Management Framework H2: Defining the Organization’s Risk Tolerance and Risk Appetite p. 127
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 5/5/2021 6:21 PM
DATE MODIFIED: 5/5/2021 6:22 PM

31. Risk analysis is the enumeration and documentation of risks to an organization's information assets. _____
ANSWER: False - identification
POINTS: 1
REFERENCES: p. 129 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:09 PM

32. Within data classification schemes, it is important that all categories used be unique and mutually exclusive. _____
ANSWER: False - comprehensive
POINTS: 1
REFERENCES: p. 135 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:10 PM

33. One way to determine which information assets are valuable is by evaluating which information asset(s) would expose the company to liability or embarrassment if revealed. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 135 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:11 PM

34. Each of the threats faced by an organization must be evaluated, including determining the threat's potential to endanger the organization, which is known as a threat prioritization. _____
ANSWER: False - assessment
POINTS: 1
REFERENCES: p. 136 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

35. Risk mitigation is the process of assigning a risk rating or score to each information asset. _____
ANSWER: False - assessment
POINTS: 1
REFERENCES: p. 136 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

36. Likelihood is the probability that a specific vulnerability within an organization will be the target of an attack. _____
ANSWER: True
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Analysis p. 144
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system.
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

37. The mitigation risk treatment strategy applies controls and safeguards that eliminate or reduce the remaining uncontrolled risk. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 152 H1: Risk Treatment/Risk Response
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.6 - Describe various options for a risk treatment strategy
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:12 PM

Page 12


Name:

Class:

Date:

Mod 4 Risk Management 38. The computed value of the ALE compares the costs and benefits of a particular control alternative to determine whether the control is worth its cost. _____ ANSWER: False - cost-benefit analysis (CBA) False - cost-benefit analysis False - CBA POINTS: 1 REFERENCES: p. 159 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:16 PM 39. Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. _____ ANSWER: False - avoidance POINTS: 1 REFERENCES: p. 160 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:16 PM 40. Exposure factor is the expected percentage of loss that would occur from a particular attack. _____ ANSWER: True POINTS: 1 REFERENCES: p. 163 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:16 PM Multiple Choice Copyright Cengage Learning. Powered by Cognero.

Page 13


Name:

Class:

Date:

Mod 4 Risk Management 41. The concept of competitive _____ refers to falling behind the competition. a. disadvantage b. drawback c. failure d. shortcoming ANSWER: a POINTS: 1 REFERENCES: p. 123 H1: Introduction To Risk Management QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:17 PM 42. Risk _____ is the application of security mechanisms to reduce the risks to an organization’s data and information systems. a. avoidance b. treatment c. identification d. assessment ANSWER: b POINTS: 1 REFERENCES: p. 123 H1: The Risk Management Framework QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.04.2 - Explain the risk management framework and process model, including major components DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 5/17/2021 7:16 PM 43. Risk _____ is the identification, analysis, and evaluation of risk as initial parts of risk management. a. management b. assessment c. identification d. control ANSWER: b POINTS: 1 REFERENCES: p. 123 H1: The Risk Management Framework QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.04.2 - Explain the risk management framework and process model, including major components DATE CREATED: 5/5/2021 6:26 PM DATE MODIFIED: 5/5/2021 6:27 PM 44. The risk management (RM) _____ is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts. Copyright Cengage Learning. Powered by Cognero.

Page 14


Name:

Class:

Date:

Mod 4 Risk Management a. assessment c. acceptance ANSWER: POINTS: REFERENCES:

b. framework d. treatment b 1 H1: The Risk Management Framework p. 123 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk DATE CREATED: 5/5/2021 6:30 PM DATE MODIFIED: 5/5/2021 6:32 PM 45. Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. a. benefit b. appetite c. acceptance d. residual ANSWER: b POINTS: 1 REFERENCES: p. 126 H1: The Risk Management Framework H2: Defining the Organization’s Risk Tolerance and Risk Appetite QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 5/17/2021 7:17 PM 46. Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization’s overall risk appetite. a. benefit b. baseline c. tolerance d. residual ANSWER: c POINTS: 1 REFERENCES: p. 126 H1: The Risk Management Framework H2: Defining the Organization’s Risk Tolerance and Risk Appetite QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk DATE CREATED: 5/5/2021 6:35 PM DATE MODIFIED: 5/5/2021 6:37 PM Copyright Cengage Learning. Powered by Cognero.

47. The first phase of the risk management process is _____.
a. risk identification  b. forming the risk management planning team  c. risk control  d. risk evaluation
ANSWER: a
POINTS: 1
REFERENCES: p. 129 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:21 PM

48. Understanding the _____ context means understanding the impact of elements such as the business environment, the legal/regulatory/compliance environment, as well as the threat environment.
a. external  b. design  c. internal  d. risk evaluation
ANSWER: a
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: RM Process Preparation—Establishing the Context p. 129
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 6:39 PM
DATE MODIFIED: 5/5/2021 6:45 PM

49. Understanding the _____ context means understanding elements that could impact or influence the RM process such as the organization’s governance structure (or lack thereof), the organization’s internal stakeholders, as well as the organization’s culture.
a. external  b. design  c. internal  d. risk evaluation
ANSWER: c
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: RM Process Preparation—Establishing the Context p. 129
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 6:42 PM
DATE MODIFIED: 5/5/2021 6:44 PM

50. Which of the following is NOT one of the categories recommended for categorizing information assets?
a. Firmware  b. Procedures  c. People  d. Hardware
ANSWER: a
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 131
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 6:49 PM
DATE MODIFIED: 5/17/2021 7:21 PM

51. _____ addresses are sometimes called electronic serial numbers or hardware addresses.
a. HTTP  b. IP  c. DHCP  d. MAC
ANSWER: d
POINTS: 1
REFERENCES: p. 132 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:17 PM

52. A(n) _____ is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
a. IP  b. FCO  c. CTO  d. HTTP
ANSWER: b
POINTS: 1
REFERENCES: p. 133 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:17 PM

53. A(n) _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
a. security clearance  b. data recovery  c. risk management  d. data classification
ANSWER: d
POINTS: 1
REFERENCES: p. 134 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/5/2021 6:53 PM

54. As each information asset is identified, categorized, and classified, a(n) _____ value must be assigned to it.
a. secondary  b. significant  c. positional  d. relative
ANSWER: d
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 135
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 6:54 PM
DATE MODIFIED: 5/5/2021 6:56 PM

55. A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
a. review  b. search  c. investigation  d. assessment
ANSWER: d
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 136
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 6:57 PM
DATE MODIFIED: 5/17/2021 7:22 PM

56. In a _____, assets or threats can be prioritized by identifying criteria with differing levels of importance, assigning a score for each of the criteria, and then summing and ranking those scores.
a. threat assessment  b. risk management program  c. weighted table analysis  d. data classification scheme
ANSWER: c
POINTS: 1
REFERENCES: p. 139 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:23 PM

57. Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.
a. threats  b. exploits  c. vulnerabilities  d. events
ANSWER: c
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 140
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 7:02 PM
DATE MODIFIED: 5/5/2021 7:04 PM

58. In the TVA worksheet, assets are placed into a matrix with threats and then the exposure of the assets to specific threats is explored by documenting _____.
a. variables  b. verifications  c. vulnerabilities  d. value
ANSWER: c
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 141
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/5/2021 7:09 PM
DATE MODIFIED: 5/17/2021 7:23 PM

59. Risk _____ is a determination of the extent to which an organization’s information assets are exposed to risk.
a. interpretation  b. analysis  c. exploration  d. declaration
ANSWER: b
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Analysis p. 142
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system.
DATE CREATED: 5/5/2021 7:13 PM
DATE MODIFIED: 5/5/2021 7:15 PM

60. The probability that a specific vulnerability within an organization will be attacked by a threat is known as _____.
a. determinism  b. likelihood  c. externality  d. potential
ANSWER: b
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Analysis p. 144
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system.
DATE CREATED: 5/5/2021 7:16 PM
DATE MODIFIED: 5/5/2021 7:18 PM

61. _____ equals the probability of a successful attack multiplied by the expected loss from a successful attack plus an element of uncertainty.
a. Loss magnitude  b. Risk  c. Loss frequency  d. Loss
ANSWER: b
POINTS: 1
REFERENCES: p. 147 H1: The Risk Management Process H2: Risk Assessment: Risk Analysis
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system.
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:17 PM

62. The _____ risk treatment strategy attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards.
a. termination  b. mitigation  c. transference  d. acceptance
ANSWER: b
POINTS: 1
REFERENCES: p. 152 H1: Risk Treatment/Risk Response H2: Risk Mitigation
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.6 - Describe various options for a risk treatment strategy
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:24 PM

63. The _____ risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations.
a. transference  b. defense  c. acceptance  d. mitigation
ANSWER: a
POINTS: 1
REFERENCES: p. 153 H1: Risk Treatment/Risk Response H2: Risk Transference
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.6 - Describe various options for a risk treatment strategy
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:26 PM

64. The _____ risk treatment strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
a. defense  b. transference  c. mitigation  d. acceptance
ANSWER: d
POINTS: 1
REFERENCES: p. 154 H1: Risk Treatment/Risk Response H2: Risk Acceptance
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.04.6 - Describe various options for a risk treatment strategy
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:27 PM

65. The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) _____.
a. ARO  b. CBA  c. ALE  d. SLE
ANSWER: b
POINTS: 1
REFERENCES: p. 160 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

66. _____ is simply how often you expect a specific type of attack to occur.
a. ARO  b. CBA  c. ALE  d. SLE
ANSWER: a
POINTS: 1
REFERENCES: p. 163 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system.
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

Completion

67. _____ is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.
ANSWER: Risk management
POINTS: 1
REFERENCES: p. 122 H1: Introduction To Risk Management H2: Sun Tzu and the Art of Risk Management
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

68. _____ include information and the systems that use, store, and transmit information.
ANSWER: Information assets
POINTS: 1
REFERENCES: p. 122 H1: Introduction To Risk Management H2: Sun Tzu and the Art of Risk Management
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

69. _____ involves four major undertakings: risk identification, risk analysis, risk evaluation, and risk treatment/control.
ANSWER: Risk management
POINTS: 1
REFERENCES: p. 123 H1: The Risk Management Framework
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.2 - Explain the risk management framework and process model, including major components
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:29 PM

70. You can determine the relative risk for each of the organization's information assets using a process called risk _____, which combines risk identification, risk analysis and risk evaluation.
ANSWER: assessment
POINTS: 1
REFERENCES: p. 123 H1: The Risk Management Framework
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.2 - Explain the risk management framework and process model, including major components
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/17/2021 7:30 PM

71. Risk _____ defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility.
ANSWER: appetite
POINTS: 1
REFERENCES: H1: The Risk Management Framework p. 126 H2: Defining the Organization’s Risk Tolerance and Risk Appetite
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 5/7/2021 3:40 PM
DATE MODIFIED: 5/7/2021 3:42 PM

72. Risk _____ is the assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization’s overall risk appetite.
ANSWER: tolerance
POINTS: 1
REFERENCES: H1: The Risk Management Framework p. 126 H2: Defining the Organization’s Risk Tolerance and Risk Appetite
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.3 - Define risk appetite and explain how it relates to residual risk
DATE CREATED: 5/7/2021 3:43 PM
DATE MODIFIED: 5/7/2021 3:44 PM

73. When deciding which information assets to track, consider the following asset attributes: people, _____, data, software, and hardware.
ANSWER: procedures
POINTS: 1
REFERENCES: p. 130 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

74. A data _____ scheme is a formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
ANSWER: classification
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 134
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/7/2021 3:46 PM
DATE MODIFIED: 5/17/2021 7:32 PM

75. A threat _____ is an evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
ANSWER: assessment
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Identification p. 136
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/7/2021 3:48 PM
DATE MODIFIED: 5/7/2021 3:49 PM

76. Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward process known as _____ analysis.
ANSWER: weighted factor
        weighted table
POINTS: 1
REFERENCES: p. 139 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

77. After identifying and performing the preliminary classification of an organization’s information assets, the analysis phase moves on to an examination of the _____ facing the organization.
ANSWER: threats
POINTS: 1
REFERENCES: p. 140 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 4/28/2021 7:16 PM

78. Flaws or weaknesses in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security are known as _____.
ANSWER: vulnerabilities
POINTS: 1
REFERENCES: p. 140 H1: The Risk Management Process H2: Risk Assessment: Risk Identification
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented
DATE CREATED: 5/7/2021 3:49 PM
DATE MODIFIED: 5/7/2021 3:50 PM

79. Risk _____ is a determination of the extent to which an organization’s information assets are exposed to risk.
ANSWER: analysis
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Analysis p. 142
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system.
DATE CREATED: 5/7/2021 4:02 PM
DATE MODIFIED: 5/7/2021 4:03 PM

80. _____ is the probability that a specific vulnerability within an organization's assets will be successfully attacked.
ANSWER: Likelihood
POINTS: 1
REFERENCES: H1: The Risk Management Process H2: Risk Assessment: Risk Analysis p. 144
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system.

Page 26


Name:

Class:

Date:

Mod 4 Risk Management DATE CREATED: DATE MODIFIED:

9/14/2016 10:43 AM 4/28/2021 7:16 PM

81. The _____ treatment strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. mitigation ANSWER: POINTS: 1 REFERENCES: p. 152 H1: Risk Treatment/Risk Response H2: Risk Mitigation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.5 - List the functions and structure of the endocrine system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 5/3/2021 8:30 PM 82. Cost _____ is the process of preventing the financial impact of an incident by implementing a control. avoidance ANSWER: POINTS: 1 REFERENCES: p. 160 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:16 PM 83. _____ is the process of assigning financial value or worth to each information asset. Asset valuation ANSWER: Information asset valuation POINTS: 1 REFERENCES: p. 161 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:16 PM 84. A single loss _____ is the calculation of the value associated with the most likely loss from an attack. Copyright Cengage Learning. Powered by Cognero.

Page 27


Name:

Class:

Date:

Mod 4 Risk Management ANSWER: POINTS: REFERENCES:

expectancy 1 p. 163 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 4/28/2021 7:16 PM Subjective Short Answer 85. According to Sun Tzu, what two things must be achieved to secure information assets successfully? ANSWER:

To reduce risk in an organization, the organization must know itself (including its assets and processes used to protect them) and know its enemy (the nature of the threats it faces). POINTS: 1 REFERENCES: p. 122 H1: Introduction to Risk Management H2: Sun Tzu and the Art of Risk Management QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.04.1 - Define risk management and describe its importance DATE CREATED: 5/7/2021 4:06 PM DATE MODIFIED: 5/7/2021 4:06 PM 86. Describe the TVA worksheet. What is it used for? ANSWER:

The TVA worksheet combines a prioritized list of assets and their vulnerabilities and a list that prioritizes threats facing the organization. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment.

POINTS: REFERENCES:

1 p. 141 H1: The Risk Management Process H2: Risk Assessment: Risk Identification QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented DATE CREATED: 5/7/2021 4:07 PM DATE MODIFIED: 5/7/2021 4:07 PM Copyright Cengage Learning. Powered by Cognero.

Page 28


Name:

Class:

Date:

Mod 4 Risk Management 87. Describe residual risk. ANSWER:

Residual risk is the “leftover” risk that is not completely removed, shifted, or included in planning; it is the risk that remains after current controls are implemented.

POINTS: REFERENCES:

1 p. 157 H1: Managing Risk QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 5/7/2021 4:08 PM DATE MODIFIED: 5/7/2021 4:08 PM 88. What is the difference between intrinsic value and acquired value? ANSWER:

Intrinsic value is the essential worth of the asset under consideration; acquired value is the value beyond intrinsic value that some information assets acquire over time. POINTS: 1 REFERENCES: p. 161 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 5/7/2021 4:08 PM DATE MODIFIED: 5/7/2021 4:09 PM 89. Why do some argue that it is virtually impossible to accurately determine the true value of information and information-bearing assets? ANSWER:

POINTS: REFERENCES:

Some costs are easily determined but other costs are almost impossible to determine, such as the dollar value of the loss in market share if information on a firm’s new product offerings is released prematurely and the company loses its competitive edge. A further complication is that over time, some information assets acquire value that is beyond their essential or intrinsic value. This higher acquired value is the more appropriate value in most cases. 1 p. 161 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis

Copyright Cengage Learning. Powered by Cognero.

Page 29


Name:

Class:

Date:

Mod 4 Risk Management QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 5/17/2021 7:33 PM DATE MODIFIED: 5/17/2021 7:37 PM Essay 90. One of the first components of risk identification is identification, inventory, and categorization of assets, including all elements, or attributes, of an organization’s information system. List and describe these asset attributes. People comprise employees and nonemployees. ANSWER: Procedures fall into two categories: IT and business standard procedures, and IT and business-sensitive procedures. Data components account for the management of information in all its states: transmission, processing, and storage. Software components are assigned to one of three categories: applications, operating systems, or security components. Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. Hardware components are separated into two categories: devices and peripherals, and networks. POINTS: 1 REFERENCES: p. 130 H1: The Risk Management Process H2: Risk Assessment: Risk Identification QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 3/8/2017 9:43 PM 91. When valuing information assets, what criteria could be considered in establishing or determining the value of the assets? Which information asset is most critical to the organization’s success? ANSWER: Which information asset generates the most revenue? Which of these assets plays the biggest role in generating revenue or delivering services? Which information asset would be the most expensive to replace? Which information asset would be the most expensive to protect? 
Which information asset would most expose the company to liability or embarrassment if revealed? POINTS:

1

Copyright Cengage Learning. Powered by Cognero.

Page 30


Name:

Class:

Date:

Mod 4 Risk Management REFERENCES:

p. 135 H1: The Risk Management Process H2: Risk Assessment: Risk Identification QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.04.4 - Describe how risk is identified and documented DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM 92. What is a cost-benefit analysis (CBA) and how can it be calculated? In its simplest definition, CBA (or economic feasibility) determines whether a particular ANSWER: control is worth its cost. CBAs may be calculated before a control or safeguard is implemented to determine if the control is worth implementing. While many techniques exist, the CBA is most easily calculated using the ALE from earlier assessments before implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, which is estimated based on the control being in place; this revised value is known as ALE(post). Complete the calculation by subtracting the annualized cost of a safeguard (ACS). CBA = ALE(prior) - ALE(post) - ACS where the annualized loss expectancy equals the single loss expectancy multiplied by the annualized rate of occurrence. ALE = SLE x ARO and the single loss expectancy equals the exposure factor multiplied by the asset value, SLE = EF x AV. POINTS: REFERENCES:

1 p. 160 H1: Managing Risk H2: Feasibility and Cost-Benefit Analysis QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.04.7 - List the functions and structure of the circulatory system. DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 3/8/2017 9:45 PM
Mod 5 Incident Response and Contingency Planning True / False 1. The business impact analysis is a preparatory activity common to both CP and risk management. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning p. 177 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 4:56 PM DATE MODIFIED: 6/14/2021 5:28 PM 2. An external event is an event with negative consequences that could threaten the organization’s information assets or operations; also referred to as an incident candidate. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 177 H1: Fundamentals Of Contingency Planning QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:03 PM DATE MODIFIED: 5/19/2021 5:05 PM 3. The continuity planning management team (CPMT) is the group of senior managers and project members organized to conduct and lead all contingency planning efforts. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 177 H1: Fundamentals Of Contingency Planning QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:06 PM Copyright Cengage Learning. Powered by Cognero.

Page 1


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning DATE MODIFIED:

5/19/2021 5:08 PM

4. The disaster recovery planning team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization’s preparation, response, and recovery from disasters. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning p. 179 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:09 PM DATE MODIFIED: 5/19/2021 5:10 PM 5. A business influence analysis (BIA) is an investigation and assessment of adverse events that can affect the organization. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning p. 180 H2: Business Impact Analysis QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:20 PM DATE MODIFIED: 5/19/2021 5:21 PM 6. A business process is a task performed by an organization or one of its units in support of the organization’s overall mission and operations. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 181 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, Copyright Cengage Learning. Powered by Cognero.

Page 2


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning

DATE CREATED: DATE MODIFIED:

disaster recovery, and business continuity 5/19/2021 5:22 PM 5/19/2021 5:23 PM

7. A business process is a task performed by an organization or one of its units in support of the organization’s overall mission and operations. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 181 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:24 PM DATE MODIFIED: 5/19/2021 5:24 PM 8. A recovery time objective (RTO) is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 182 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:30 PM DATE MODIFIED: 6/3/2021 3:34 PM 9. The work recovery time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 183 Copyright Cengage Learning. Powered by Cognero.

Page 3


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:33 PM DATE MODIFIED: 5/19/2021 5:34 PM 10. The total time needed to place the business function back in service must be longer than the maximum tolerable downtime. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 184 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:36 PM DATE MODIFIED: 5/19/2021 5:37 PM 11. Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Fundamentals Of Contingency Planning H2: Contingency Planning Policies p. 185 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 5:40 PM DATE MODIFIED: 5/19/2021 5:43 PM 12. The computer security incident response team is composed solely of technical IT professionals who are prepared to detect, react to, and recover from an incident. a. True b. False ANSWER: False POINTS: 1 Copyright Cengage Learning. Powered by Cognero.

Page 4


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning REFERENCES:

H1: Incident Response p. 186 H2: Getting Started QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:11 PM DATE MODIFIED: 6/3/2021 3:34 PM 13. An incident is an adverse event that could result in a loss of information assets and threatens the viability of the entire organization. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 186 H1: Incident Response QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:07 PM DATE MODIFIED: 5/19/2021 6:08 PM 14. Incident response is an organization’s set of planning and preparation efforts for detecting, reacting to, and recovering from an incident. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 186 H1: Incident Response QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:10 PM DATE MODIFIED: 5/19/2021 6:11 PM 15. Procedures are planned for each identified incident scenario with incident handling procedures established for before and during the incident. a. True b. False ANSWER: False Copyright Cengage Learning. Powered by Cognero.

Page 5


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning POINTS: REFERENCES:

1 H1: Incident Response H2: Incident Response Planning p. 188 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:21 PM DATE MODIFIED: 5/19/2021 6:24 PM 16. Database shadowing duplicates data in real-time data storage, but does not back up the databases at the remote site. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 189 H1: Incident Response H2: Incident Response Planning QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 3/8/2017 6:30 PM 17. Incident classification is the process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Incident Response H2: Detecting Incidents p. 191 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:26 PM DATE MODIFIED: 6/3/2021 3:35 PM 18. Use of dormant accounts is a probable indicator of an actual incident. a. True b. False Copyright Cengage Learning. Powered by Cognero.

Page 6


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning ANSWER: POINTS: REFERENCES:

False 1 H1: Incident Response H2: Detecting Incidents p. 191 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:30 PM DATE MODIFIED: 5/19/2021 6:32 PM 19. Changes to systems logs are a possible indicator of an actual incident. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Incident Response H2: Detecting Incidents p. 191 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:32 PM DATE MODIFIED: 5/19/2021 6:35 PM 20. Reported attacks are a probable indicator of an actual incident. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Incident Response H2: Detecting Incidents p. 192 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:35 PM DATE MODIFIED: 6/3/2021 3:35 PM 21. Two ways to activate an alert roster are simultaneously and in parallel. a. True Copyright Cengage Learning. Powered by Cognero.

Page 7


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning b. False ANSWER: POINTS: REFERENCES:

False 1 H1: Incident Response H2: Reacting to Incidents p. 193 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:38 PM DATE MODIFIED: 6/3/2021 3:36 PM 22. An alert message is a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Incident Response H2: Reacting to Incidents p. 194 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:41 PM DATE MODIFIED: 6/3/2021 3:37 PM 23. Incident damage assessment is used to determine the impact from a breach of confidentiality, integrity, and availability on information and information assets. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Incident Response H2: Recovering from Incidents p. 195 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:45 PM DATE MODIFIED: 5/19/2021 6:46 PM Copyright Cengage Learning. Powered by Cognero.

Page 8


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning 24. An after-action review is an opportunity for everyone who was involved in planning for an incident or disaster to sit down and discuss what will happen when the plan is implemented. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Incident Response H2: Recovering from Incidents p. 196 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:48 PM DATE MODIFIED: 6/3/2021 3:40 PM 25. The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: the two approaches are protect and forget, and apprehend and prosecute. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Incident Response H2: Recovering from Incidents p. 199 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 6:50 PM DATE MODIFIED: 6/3/2021 3:40 PM 26. Forensics can provide a determination of the source or origin of an event, problem, or issue like an incident. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Digital Forensics p. 200 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations DATE CREATED: 5/19/2021 6:53 PM Copyright Cengage Learning. Powered by Cognero.

Page 9


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning DATE MODIFIED:

6/3/2021 3:41 PM

27. An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 200 H1: Digital Forensics QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 9/14/2016 10:38 AM 28. Evidentiary material is any information that could potentially support an organization’s legal or policy-based case against a suspect. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 200 H1: Digital Forensics QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations DATE CREATED: 5/19/2021 6:55 PM DATE MODIFIED: 5/19/2021 6:55 PM 29. Root cause analysis is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 200 H1: Digital Forensics QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations Copyright Cengage Learning. Powered by Cognero.

Page 10


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning DATE CREATED: DATE MODIFIED:

5/19/2021 6:56 PM 6/3/2021 3:41 PM

30. An affidavit is permission to search for evidentiary material at a specified location or to seize items to return to an investigator’s lab for examination. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Digital Forensics p. 201 H2: Affidavits and Search Warrants QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations DATE CREATED: 5/19/2021 6:57 PM DATE MODIFIED: 6/3/2021 3:42 PM 31. An affidavit is a sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Digital Forensics p. 201 H2: Affidavits and Search Warrants QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations DATE CREATED: 5/19/2021 7:00 PM DATE MODIFIED: 6/3/2021 3:42 PM 32. The chain of evidence is the detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Digital Forensics H2: Digital Forensics Methodology p. 204 QUESTION TYPE: True / False Copyright Cengage Learning. Powered by Cognero.

Page 11


Name:

Class:

Date:

Mod 5 Incident Response and Contingency Planning HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations DATE CREATED: 5/19/2021 7:02 PM DATE MODIFIED: 5/19/2021 7:03 PM 33. A disaster recovery plan shows the organization’s intended efforts to establish operations at an alternate site in the aftermath of a disaster. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Disaster Recovery p. 206 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 6/3/2021 3:43 PM 34. Disaster classification is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Disaster Recovery p. 209 H2: Disaster Classification QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/19/2021 7:05 PM DATE MODIFIED: 5/19/2021 7:07 PM 35. A rapid-onset disaster is one that gradually degrades the capacity of an organization to withstand their effects. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Disaster Recovery p. 209 H2: Disaster Classification Copyright Cengage Learning. Powered by Cognero.

Page 12


Name:

Class:

Date:

QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:08 PM
DATE MODIFIED: 6/3/2021 3:44 PM

36. A cold site provides many of the same services and options of a hot site, but at a lower cost.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 9/14/2016 10:38 AM

37. Using a service bureau is a BC strategy in which an organization contracts with a service agency to provide a facility for a fee.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:09 PM
DATE MODIFIED: 5/19/2021 7:10 PM

38. Crisis response is an organization’s set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: Crisis Management p. 217
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.4 - Define the components of crisis management
DATE CREATED: 6/3/2021 5:25 PM
DATE MODIFIED: 6/3/2021 5:28 PM

Modified True / False

39. The business impact analysis is a preparatory activity common to both CP and risk management. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 177 H1: Fundamentals Of Contingency Planning
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:42 PM
DATE MODIFIED: 5/19/2021 7:43 PM

40. A(n) alarming event is an event with negative consequences that could threaten the organization’s information assets or operations. _____
ANSWER: False - adverse
POINTS: 1
REFERENCES: p. 177 H1: Fundamentals Of Contingency Planning
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:47 PM

41. The disaster recovery preparation team (DRPT) is the team responsible for designing and managing the DR plan by specifying the organization’s preparation, response, and recovery from disasters. _____
ANSWER: False - planning
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning p. 179
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:48 PM
DATE MODIFIED: 6/3/2021 3:45 PM

42. A business policy is a task performed by an organization or one of its units in support of the organization’s overall mission and operations. _____
ANSWER: False - process
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning p. 181 H2: Business Impact Analysis
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:51 PM
DATE MODIFIED: 5/19/2021 7:53 PM

43. The work response time (WRT) is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. _____
ANSWER: False - recovery
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning p. 181 H2: Business Impact Analysis
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:55 PM
DATE MODIFIED: 5/19/2021 7:56 PM

44. A(n) disaster is any adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. _____
ANSWER: False - incident
POINTS: 1
REFERENCES: p. 186 H1: Incident Response H2: Getting Started
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:46 PM

45. A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. _____
ANSWER: False - business continuity (BC)
False - business continuity
False - BC
POINTS: 1
REFERENCES: p. 212 H1: Business Continuity
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:46 PM

46. The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 182 H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:46 PM

47. Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the policy environment. _____
ANSWER: True
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning H2: Contingency Planning Policies p. 185
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:57 PM
DATE MODIFIED: 6/3/2021 3:46 PM

48. The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 191 H1: Incident Response H2: Detecting Incidents
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:46 PM

49. Reported attacks are a definite indicator of an actual incident. _____
ANSWER: False - probable
POINTS: 1
REFERENCES: H1: Incident Response H2: Detecting Incidents p. 192
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 8:00 PM
DATE MODIFIED: 5/19/2021 8:01 PM

50. A(n) sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. _____
ANSWER: False - hierarchical
POINTS: 1
REFERENCES: p. 193 H1: Incident Response H2: Reacting To Incidents
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:46 PM

51. Incident detail assessment is used to determine the impact from a breach of confidentiality, integrity, and availability on information and information assets. _____
ANSWER: False - damage
POINTS: 1
REFERENCES: H1: Incident Response H2: Recovering from Incidents p. 195
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 8:02 PM
DATE MODIFIED: 5/19/2021 8:04 PM

52. The organization must choose one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement: protect and forget or apprehend and prosecute. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 199 H1: Incident Response H2: Recovering from Incidents
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 6/3/2021 3:49 PM

53. A service bureau is an agency that provides a service for a fee. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 7:46 PM

54. A(n) disaster recovery plan includes the steps necessary to ensure the continuation of the organization when a disaster’s scope or scale exceeds the ability of the organization to restore operations, usually through relocation of critical business functions to an alternate location. _____
ANSWER: False - business continuity (BC)
False - business continuity
False - BC
POINTS: 1
REFERENCES: p. 212 H1: Business Continuity
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/19/2021 7:46 PM

55. An after-action re-assessment is an opportunity for everyone who was involved in an incident or disaster to sit down and discuss what happened. _____
ANSWER: False - review
POINTS: 1
REFERENCES: H1: Incident Response H2: Recovering from Incidents p. 196
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 8:05 PM
DATE MODIFIED: 5/19/2021 8:07 PM

56. A planning check is a testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster. _____
ANSWER: False - desk
POINTS: 1
REFERENCES: p. 217 H1: Crisis Management
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.4 - Define the components of crisis management
DATE CREATED: 6/3/2021 5:30 PM
DATE MODIFIED: 6/3/2021 5:31 PM

Multiple Choice

57. Which types of organizations should prepare for the unexpected?
a. Organizations of every size and purpose should also prepare for the unexpected.
b. Large organizations which have many assets at risk.
c. Small organizations that can easily recover.
d. Only those without good insurance.
ANSWER: a
POINTS: 1
REFERENCES: H1: Introduction To Incident Response And Contingency Planning p. 176
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.1 - Discuss the need for contingency planning
DATE CREATED: 5/20/2021 10:44 AM
DATE MODIFIED: 6/3/2021 3:50 PM

58. Ideally, the _____, systems administrators, the chief information security officer (CISO), and key IT and business managers should be actively involved during the creation and development of all CP components.
a. chief information officer (CIO)
b. chief executive officer (CEO)
c. chief financial officer (CFO)
d. senior auditor
ANSWER: a
POINTS: 1
REFERENCES: p. 177 H1: Fundamentals Of Contingency Planning
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 10:41 AM
DATE MODIFIED: 5/20/2021 10:43 AM

59. The CPMT should include a _____ who is a high-level manager to support, promote, and endorse the findings of the project and could be the COO or (ideally) the CEO/president.
a. champion
b. executive-in-charge
c. project manager
d. project instigator
ANSWER: a
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning p. 178
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 10:48 AM
DATE MODIFIED: 5/20/2021 10:51 AM

60. Which of these is the primary reason contingency response teams should not have overlapping membership, with one person on multiple teams?
a. To spread the work out among more people.
b. So individuals don't find themselves with different responsibilities in different locations at the same time.
c. To allow people to specialize in one area.
d. To avoid cross-division rivalries.
ANSWER: b
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning p. 179
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 10:53 AM
DATE MODIFIED: 6/3/2021 3:50 PM

61. The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?
a. Determine mission/business processes and recovery criticality
b. Identify recovery priorities for system resources
c. Identify resource requirements
d. All of these are BIA stages
ANSWER: d
POINTS: 1
REFERENCES: p. 181 H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/20/2021 10:38 AM

62. A fundamental difference between a BIA and risk management is that risk management focuses on identifying threats, vulnerabilities, and attacks to determine which controls can protect information, while the BIA assumes _____.
a. controls have been bypassed
b. controls have proven ineffective
c. controls have failed
d. All of the above
ANSWER: d
POINTS: 1
REFERENCES: p. 181 H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

63. The point in time before a disruption or system outage to which business process data can be recovered after an outage is ____.
a. recovery time objective (RTO)
b. recovery point objective (RPO)
c. work recovery time (WRT)
d. maximum tolerable downtime (MTD)
ANSWER: b
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 182
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 5:56 PM
DATE MODIFIED: 5/20/2021 5:57 PM

64. The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources is ____.
a. recovery time objective (RTO)
b. recovery point objective (RPO)
c. work recovery time (WRT)
d. maximum tolerable downtime (MTD)
ANSWER: a
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 182
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 5:58 PM
DATE MODIFIED: 5/20/2021 5:59 PM

65. The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption is _____.
a. recovery time objective (RTO)
b. recovery point objective (RPO)
c. work recovery time (WRT)
d. maximum tolerable downtime (MTD)
ANSWER: d
POINTS: 1
REFERENCES: H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis p. 183
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 5:53 PM
DATE MODIFIED: 5/20/2021 5:57 PM

66. The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____.
a. off-site storage
b. remote journaling
c. electronic vaulting
d. database shadowing
ANSWER: c
POINTS: 1
REFERENCES: p. 189 H1: Incident Response H2: Incident Response Planning
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 9/14/2016 10:38 AM

67. Most common data backup schemes involve ______.
a. RAID
b. disk-to-disk-to-cloud
c. neither RAID nor disk-to-disk-to-cloud
d. both RAID and disk-to-disk-to-cloud
ANSWER: d
POINTS: 1
REFERENCES: H1: Incident Response
H2: Incident Response Policy p. 189
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/3/2020 6:52 PM
DATE MODIFIED: 1/21/2023 4:35 PM

68. The transfer of transaction data in real time to an off-site facility is called ____.
a. off-site storage
b. remote journaling
c. electronic vaulting
d. database shadowing
ANSWER: b
POINTS: 1
REFERENCES: p. 189 H1: Incident Response H2: Incident Response Planning
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 1/2/2017 2:36 PM
DATE MODIFIED: 3/8/2017 6:39 PM

69. The storage of duplicate online transaction data, along with the duplication of the databases, at a remote site on a redundant server is called _____.
a. application recovery
b. electronic vaulting
c. remote journaling
d. database shadowing
ANSWER: d
POINTS: 1
REFERENCES: H1: Incident Response H2: Incident Response Planning p. 189
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/3/2020 7:13 PM
DATE MODIFIED: 5/20/2021 10:25 AM

70. An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor with a ____ backup strategy.
a. disk-to-disk-to-tape
b. differential
c. RAID
d. disk-to-disk-to-cloud
ANSWER: d
POINTS: 1
REFERENCES: H1: Incident Response H2: Incident Response Planning p. 189
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 5/20/2021 10:26 AM

71. ____ uses a number of hard drives to store information across multiple drive units.
a. Legacy backup
b. RAID
c. Continuous database protection
d. Virtualization
ANSWER: b
POINTS: 1
REFERENCES: H1: Incident Response H2: Incident Response Planning p. 189
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 5/20/2021 10:26 AM

72. The most common schedule for tape-based backup is a _____ backup, either incremental or differential, with a weekly off-site full backup.
a. daily on-site
b. hourly off-site
c. 12-hour on-site
d. daily off-site
ANSWER: a
POINTS: 1
REFERENCES: H1: Incident Response H2: Incident Response Planning p. 190
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/3/2020 7:04 PM
DATE MODIFIED: 5/20/2021 10:22 AM

73. A(n) _____ is a document containing contact information for the people to be notified in the event of an incident.
a. emergency notification system
b. alert roster
c. phone list
d. call registry
ANSWER: b
POINTS: 1
REFERENCES: p. 193 H1: Incident Response H2: Reacting To Incidents
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 6/3/2021 3:54 PM

74. _____ is the rapid determination of the scope of the breach in the confidentiality, integrity, and availability of information and information assets during or just following an incident.
a. Damage assessment
b. Containment development
c. Incident response
d. Disaster assessment
ANSWER: a
POINTS: 1
REFERENCES: p. 195 H1: Incident Response H2: Recovering from Incidents
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:21 PM

75. Data backup should be based on a(n) ____ policy that specifies how long log data should be maintained.
a. replication
b. business resumption
c. incident response
d. retention
ANSWER: d
POINTS: 1
REFERENCES: H1: Incident Response H2: Recovering from Incidents p. 197
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 5/20/2021 10:23 AM

76. A crime involving digital media, computer technology, or related components may best be called an act of _____.
a. computer theft
b. digital abuse
c. computer trespass
d. digital malfeasance
ANSWER: d
POINTS: 1
REFERENCES: p. 200 H1: Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 5/20/2021 6:05 PM
DATE MODIFIED: 6/14/2021 5:28 PM

77. The sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place is called a(n) _____.
a. writ of habeas corpus
b. search warrant
c. sworn warrant
d. affidavit
ANSWER: d
POINTS: 1
REFERENCES: H1: Digital Forensics p. 201 H2: Affidavits and Search Warrants
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 5/20/2021 6:08 PM
DATE MODIFIED: 5/20/2021 6:09 PM

78. Digital forensics involves the _____, identification, extraction, documentation, and interpretation of digital media.
a. investigation
b. determination
c. confiscation
d. preservation
ANSWER: d
POINTS: 1
REFERENCES: p. 200 H1: Digital Forensics
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 5/20/2021 6:03 PM
DATE MODIFIED: 6/3/2021 3:56 PM

79. The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition is called a(n) _____.
a. chain of evidence
b. search warrant
c. audit trail
d. evidence affidavit
ANSWER: a
POINTS: 1
REFERENCES: H1: Digital Forensics H2: Digital Forensics Methodology p. 204
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 5/20/2021 6:11 PM
DATE MODIFIED: 5/20/2021 6:12 PM

80. The process of examining an adverse event or incident and determining whether it constitutes an actual disaster is known as _____.
a. disaster indication
b. incident review
c. disaster classification
d. event escalation
ANSWER: c
POINTS: 1
REFERENCES: p. 209 H1: Disaster Recovery H2: Disaster Classification
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/20/2021 6:13 PM
DATE MODIFIED: 5/20/2021 6:15 PM

81. A ____ site provides only rudimentary services and facilities.
a. commercial
b. warm
c. hot
d. cold
ANSWER: d
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 9/14/2016 10:38 AM

82. A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment’s notice.
a. mobile site
b. cold site
c. service bureau
d. hot site
ANSWER: d
POINTS: 1
REFERENCES: p. 214 H1: Digital Forensics H2: Continuity Strategies
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 1/6/2021 3:00 PM

83. A potential disadvantage of a timeshare site-resumption strategy is:
a. more than one organization might need the facility
b. more expensive than other options
c. requires additional investment in time and technology to get up to speed in the event of a disaster
d. all of the above
ANSWER: a
POINTS: 1
REFERENCES: H1: Business Continuity H2: Continuity Strategies p. 214
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 6/3/2021 3:58 PM
84. A ____ is an agency that provides physical facilities in the event of a disaster for a fee.
a. time-share
b. service bureau
c. cold site
d. mobile site
ANSWER: b
POINTS: 1
REFERENCES: H1: Business Continuity H2: Continuity Strategies p. 214
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 5/20/2021 10:33 AM

85. A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor.
a. memorandum of understanding
b. mutual agreement
c. service agreement
d. time-share agreement
ANSWER: c
POINTS: 1
REFERENCES: H1: Business Continuity H2: Continuity Strategies p. 215
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 4/16/2020 9:59 AM
DATE MODIFIED: 5/20/2021 10:35 AM

86. Each of the following is a role for the crisis management response team EXCEPT:
a. Informing local emergency services to respond to the crisis
b. Keeping the public informed about the event
c. Communicating with major customers and other stakeholders
d. Supporting personnel and their loved ones during the crisis
ANSWER: a
POINTS: 1
REFERENCES: p. 217 H1: Crisis Management
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.05.4 - Define the components of crisis management
DATE CREATED: 6/3/2021 5:32 PM
DATE MODIFIED: 6/3/2021 5:35 PM

Completion

87. The business _____ analysis is a preparatory activity common to both CP and risk management.
ANSWER: impact
POINTS: 1
REFERENCES: p. 177 H1: Fundamentals Of Contingency Planning
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/25/2021 8:09 PM
DATE MODIFIED: 5/25/2021 8:10 PM

88. A business _____ is a task performed by an organization or one of its units in support of the organization’s overall mission and operations.
ANSWER: process
POINTS: 1
REFERENCES: p. 181 H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/25/2021 8:11 PM
DATE MODIFIED: 5/25/2021 8:12 PM

89. The _____ recovery time is the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered.
ANSWER: work
POINTS: 1
REFERENCES: p. 183 H1: Fundamentals Of Contingency Planning H2: Business Impact Analysis
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/25/2021 8:13 PM
Mod 5 Incident Response and Contingency Planning DATE MODIFIED:

6/3/2021 3:59 PM

90. Prior to the development of each of the types of contingency planning documents, the CP team should work to develop the corresponding _____ environment. policy ANSWER: POINTS: 1 REFERENCES: p. 185 H1: Fundamentals Of Contingency Planning H2: Contingency Planning Policies QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 5/25/2021 8:15 PM DATE MODIFIED: 5/25/2021 8:16 PM 91. A(n) _____ is an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization. incident ANSWER: POINTS: 1 REFERENCES: p. 186 H1: Incident Response QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM 92. Incident _____ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets. response ANSWER: POINTS: 1 REFERENCES: p. 186 H1: Incident Response QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity DATE CREATED: 9/14/2016 10:38 AM DATE MODIFIED: 4/17/2021 2:20 PM Copyright Cengage Learning. Powered by Cognero.
93. The transfer of live transactions in real time to an off-site facility is called _____.
ANSWER: remote journaling
POINTS: 1
REFERENCES: p. 189 H1: Incident Response H2: Incident Response Planning
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

94. Incident _____ is the process of examining a potential incident, or incident candidate, and determining whether the candidate constitutes an actual incident.
ANSWER: classification
POINTS: 1
REFERENCES: p. 191 H1: Incident Response H2: Detecting Incidents
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

95. As they are a definite indicator of an incident, many organizations have policies that prohibit the installation of _____ tools without the written permission of the CISO.
ANSWER: hacker; hacking
POINTS: 1
REFERENCES: p. 192 H1: Incident Response H2: Detecting Incidents
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 6/3/2021 4:00 PM
96. A(n) _____ is a scripted description of an incident—usually just enough information so that each individual knows what portion of the IRP to implement, and not enough to slow down the notification process.
ANSWER: alert message
POINTS: 1
REFERENCES: p. 194 H1: Incident Response H2: Reacting to Incidents
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

97. Incident _____ assessment is used to determine the impact from a breach of confidentiality, integrity, and availability on information and information assets.
ANSWER: damage
POINTS: 1
REFERENCES: p. 195 H1: Incident Response H2: Recovering from Incidents
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/25/2021 8:18 PM
DATE MODIFIED: 5/25/2021 8:18 PM

98. A(n) _____ is a detailed examination of the events that occurred during an incident or disaster, from first detection to final recovery.
ANSWER: AAR; after-action review; AAR (after-action review); after-action review (AAR)
POINTS: 1
REFERENCES: p. 196 H1: Incident Response H2: Recovering from Incidents
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 6/3/2021 4:01 PM
99. Digital _____ is the process of collecting, analyzing, and preserving computer-related evidence.
ANSWER: forensics
POINTS: 1
REFERENCES: p. 200 H1: Digital Forensics
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 5/19/2021 4:43 PM

100. Of the three types of mitigation plans, the _____ plan is the most strategic and long-term, as it focuses on the steps to ensure the continuation of the organization.
ANSWER: BC; business continuity; BC (business continuity); business continuity (BC)
POINTS: 1
REFERENCES: p. 212 H1: Business Continuity
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:43 AM
DATE MODIFIED: 5/19/2021 7:47 PM

101. A(n) _____ plan ensures that critical business functions continue if a catastrophic incident or disaster occurs.
ANSWER: business continuity; business continuity (BC); BC
POINTS: 1
REFERENCES: p. 212 H1: Business Continuity
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM
102. A(n) _____ site is a fully configured computer facility with all services, communications links, and physical plant operations provided, including heating and air conditioning.
ANSWER: hot
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

103. A(n) _____ is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster.
ANSWER: mutual agreement
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

104. _____ management is an organization’s set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
ANSWER: Crisis
POINTS: 1
REFERENCES: p. 217 H1: Crisis Management
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.4 - Define the components of crisis management
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 4/17/2021 2:20 PM

105. _____ material is any information that could potentially support an organization’s legal or policy-based case against a suspect.
ANSWER: Evidentiary
POINTS: 1
REFERENCES: p. 200 H1: Digital Forensics
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 5/25/2021 8:20 PM
DATE MODIFIED: 5/25/2021 8:21 PM

106. Disaster _____ is the process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
ANSWER: classification
POINTS: 1
REFERENCES: p. 209 H1: Disaster Recovery H2: Disaster Classification
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/25/2021 8:22 PM
DATE MODIFIED: 5/25/2021 8:22 PM

107. The CMPT should include individuals from all functional areas of the organization in order to _____ communications and cooperation.
ANSWER: facilitate
POINTS: 1
REFERENCES: p. 217 H1: Crisis Management
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.4 - Define the components of crisis management
DATE CREATED: 6/3/2021 5:36 PM
DATE MODIFIED: 6/3/2021 5:37 PM

Essay
108. Compare electronic vaulting and remote journaling.
ANSWER: The transfer of large batches of data to an off-site facility is called electronic vaulting. The transfer of live transactions to an off-site facility is called remote journaling. It differs from electronic vaulting in that 1) only transactions are transferred, not archived data, and 2) the transfer is in real time. Electronic vaulting is much like a traditional backup, with a dump of data to the off-site storage, but remote journaling involves activities on a systems level, much like server fault tolerance, with the data written to two locations simultaneously.
POINTS: 1
REFERENCES: p. 189 H1: Incident Response H2: Incident Response Planning
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 9/14/2016 10:38 AM
DATE MODIFIED: 3/8/2017 6:46 PM

109. Summarize the strategies that can be chosen by an organization when planning for business continuity.
ANSWER: The determining factor when selecting a strategy is usually cost. In general, organizations have three exclusive options: hot sites, warm sites, and cold sites. Options are also available for three shared functions: time-shares, service bureaus, and mutual agreements.
POINTS: 1
REFERENCES: p. 214 H1: Business Continuity H2: Continuity Strategies
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 1/2/2017 3:33 PM
DATE MODIFIED: 1/2/2017 3:35 PM

Subjective Short Answer

110. Which two communities of interest are usually associated with contingency planning? Which community must give authority to ensure broad support for the plans?
ANSWER: Most often, the information technology and information security communities are involved in contingency planning. The general business community must give authority to ensure broad support for the plans.
POINTS: 1
REFERENCES: p. 176 H1: Introduction To Incident Response And Contingency Planning
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.1 - Discuss the need for contingency planning
DATE CREATED: 5/19/2021 7:13 PM
DATE MODIFIED: 5/19/2021 7:15 PM

111. List and describe the criteria used to determine whether an actual incident is occurring.
ANSWER: An actual incident is occurring if information assets are the targets of attack, if there is a good chance that the attack will succeed, and if the attack threatens the confidentiality, integrity, or availability of information resources.
POINTS: 1
REFERENCES: p. 191 H1: Incident Response H2: Detecting Incidents
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.2 - Describe the major components of incident response, disaster recovery, and business continuity
DATE CREATED: 5/19/2021 7:17 PM
DATE MODIFIED: 5/19/2021 7:18 PM

112. When is digital forensics used in a business setting?
ANSWER: Digital forensics is used in a business setting to investigate policy or legal violations by an employee, contractor, or outsider, and to investigate attacks on a physical asset or information asset.
POINTS: 1
REFERENCES: p. 200 H1: Digital Forensics
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.05.3 - Identify the processes used in digital forensics investigations
DATE CREATED: 5/19/2021 7:22 PM
DATE MODIFIED: 5/19/2021 7:22 PM
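Questions 99, 105 and 112 above define digital forensics as collecting, analyzing and preserving evidentiary material. The following is an added example, not part of this test bank or the textbook it accompanies, that shows the preservation step in working code: hash the evidence item at collection, open a chain-of-custody record, log each hand-off, and re-verify the hash before analysis so that any alteration after collection is detected. The file name, analyst names, sample log lines and the dict-based custody record are constructed for illustration; SHA-256 is assumed as the integrity hash.

```python
"""Evidence preservation for a digital forensics investigation.

Added example, not from the test bank or the textbook. Assumptions (constructed
for illustration): the evidence is a file already acquired from the target host,
SHA-256 is the integrity hash, and the chain-of-custody record is a plain dict
stored separately from the evidence. The sample log content below is made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large disk image does not fill RAM

# Constructed sample evidence (not real log data)
SAMPLE_LOG = (
    b'10.0.0.5 - - [01/Jan/2021:00:00:01 +0000] "GET /admin HTTP/1.1" 403 0\n'
    b'10.0.0.5 - - [01/Jan/2021:00:00:02 +0000] "GET /admin/../etc/passwd HTTP/1.1" 400 0\n'
)


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory evidence item (e.g. a captured buffer)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(path: str, collector: str, description: str) -> dict:
    """Create the chain-of-custody record at collection time: who, what, when, and the hash."""
    return {
        "item": os.path.basename(path),
        "description": description,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "size": os.path.getsize(path),
        "sha256": hash_file(path),
        "custody": [],  # every later hand-off is appended here
    }


def transfer(record: dict, from_person: str, to_person: str) -> dict:
    """Log a hand-off so the chain of custody has no gaps."""
    record["custody"].append({
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return record


def verify(record: dict, path: str) -> bool:
    """True if the item still hashes to the value recorded at collection."""
    return hash_file(path) == record["sha256"]


def demo() -> tuple:
    """Collect the constructed evidence, verify it, tamper with it, verify again.

    Returns (verified_before_tamper, verified_after_tamper, custody_record).
    """
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "webserver_access.log")
        with open(evidence, "wb") as f:
            f.write(SAMPLE_LOG)
        rec = acquire(evidence, "analyst1", "Web server access log from host www1 (constructed)")
        transfer(rec, "analyst1", "evidence locker")
        intact = verify(rec, evidence)
        # Simulated post-collection alteration: one appended line breaks the hash
        with open(evidence, "ab") as f:
            f.write(b"edited after collection\n")
        return intact, verify(rec, evidence), rec


if __name__ == "__main__":
    before, after, record = demo()
    print(json.dumps(record, indent=2))
    print("verified before tampering:", before)
    print("verified after tampering:", after)
```

Run it directly to print the custody record and the two verification results. In practice the record is written to storage separate from the evidence itself, and the hash is compared again before analysis begins and before the material is relied on in a legal or policy proceeding.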
Mod 6 Legal, Ethical, and Professional Issues in Information Security

True / False

1. The key difference between laws and ethics is that ethics carry the authority of a governing body and laws do not.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 224 H1: Introduction To Law And Ethics In Information Security
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

2. A key difference between a policy and a law is that ignorance of a law is an acceptable defense.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 225 H1: Introduction To Law And Ethics In Information Security H2: Policy Versus Law
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 5:41 PM

3. For policy to become enforceable, it only needs to be distributed, read, understood, and agreed to.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 225 H1: Introduction To Law And Ethics In Information Security H2: Policy Versus Law
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:46 PM

4. Due care and due diligence require that an organization make a valid effort to protect others and continually maintain this level of effort, ensuring these actions are effective.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 225 H1: Introduction To Law And Ethics In Information Security H2: Organizational Liability and the Need for Counsel
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

5. Criminal laws address activities and conduct harmful to society and are categorized as public law.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 226 H1: Introduction To Law And Ethics In Information Security H2: Types of Law
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 5:42 PM

6. The Computer Security Act of 1987, the cornerstone of many computer-related federal laws and enforcement efforts, was originally written as an extension and clarification of the Comprehensive Crime Control Act of 1984.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 5:43 PM
7. In the context of information security, confidentiality is the right of individuals or groups to protect themselves and their information from unauthorized access.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 227 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:47 PM

8. The FTC recommends that people place an initial fraud alert (among other things) when they suspect they are victims of identity theft.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 236 H1: Relevant U.S. Laws H2: Identity Theft
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 12/28/2016 3:05 PM
DATE MODIFIED: 12/28/2016 3:06 PM

9. The Council of Europe Convention on Cybercrime has not been well received by advocates of intellectual property rights because it de-emphasizes prosecution for copyright infringement.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 241 H1: International Laws And Legal Bodies H2: Council of Europe Convention on Cybercrime
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information security; identify special security controls and privacy considerations for personnel management
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/10/2021 7:39 PM

10. The United States has implemented a version of the DMCA law called the Database Right, in order to comply with Directive 95/46/EC.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 242 H1: International Laws And Legal Bodies H2: Digital Millennium Copyright Act
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information security; identify special security controls and privacy considerations for personnel management
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

11. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 243 H1: Ethics And Information Security H2: Ethical Differences Across Cultures
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

12. Cultural differences can make it difficult to determine what is ethical and not ethical between cultures, except when it comes to the use of computers, where ethics are considered universal.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 243 H1: Ethics And Information Security H2: Ethical Differences Across Cultures
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:50 PM

13. Unethical and illegal behavior is generally caused by ignorance (of policy and/or the law), by accident, and by inadequate protection mechanisms.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 246 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

14. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 246 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

15. Laws, policies, and their associated penalties only provide deterrence if offenders fear the penalty, expect to be caught, and expect the penalty to be applied if they are caught.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 247 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:50 PM

16. Employees are not deterred by the potential loss of certification or professional accreditation resulting from a breach of a code of conduct, because this loss has no effect on employees' marketability and earning power.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 247 H1: Codes Of Ethics Of Professional Organizations
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:51 PM

17. The Department of Homeland Security is the only U.S. federal agency charged with the protection of American information resources and the investigation of threats to, or attacks on, those resources.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 249 H1: Key U.S. Federal Agencies
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:51 PM

18. The Department of Homeland Security works with academic campuses nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 249 H1: Key U.S. Federal Agencies H2: Department of Homeland Security
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:51 PM

19. The Secret Service is charged with safeguarding the nation’s financial infrastructure and payments systems to preserve the integrity of the economy.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 252 H1: Key U.S. Federal Agencies H2: U.S. Secret Service
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

20. Since it was established in January 2001, every FBI field office has started an InfraGard program to collaborate with public and private organizations and the academic community.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 255 H1: Key U.S. Federal Agencies H2: Federal Bureau of Investigation (FBI)
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:52 PM

21. The NSA is responsible for signal intelligence, information assurance products and services, and enabling computer network operations to gain a decision advantage for the United States and its allies.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 255 H1: Key U.S. Federal Agencies H2: National Security Agency (NSA)
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:06 PM

Modified True / False

22. Ethics are the moral attitudes or customs of a particular group. _____
ANSWER: False - Cultural mores; False - Mores
POINTS: 1
REFERENCES: p. 224 H1: Introduction To Law And Ethics In Information Security
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:07 PM

23. Civil law addresses activities and conduct harmful to society and is actively enforced by the state. _____
ANSWER: False - Criminal
POINTS: 1
REFERENCES: p. 226 H1: Introduction To Law And Ethics In Information Security H2: Types of Law
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

24. Privacy is the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 227 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

25. Information denigration refers to pieces of nonprivate data that, when combined, may create information that violates privacy. _____
ANSWER: False - aggregation
POINTS: 1
REFERENCES: p. 228 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 5/25/2021 8:33 PM
DATE MODIFIED: 5/25/2021 8:35 PM

26. The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 236 H1: Relevant U.S. Laws H2: Export and Espionage Laws
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

27. Intellectual privacy is recognized as a protected asset in the United States. _____
ANSWER: False - property
POINTS: 1
REFERENCES: p. 237 H1: Relevant U.S. Laws H2: U.S. Copyright Law
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

28. The Gramm-Leach-Bliley Act is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms. _____
ANSWER: False - Sarbanes-Oxley; False - Public Company Accounting Reform and Investor Protection; False - SOX
POINTS: 1
REFERENCES: p. 237 H1: Relevant U.S. Laws H2: Financial Reporting
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:07 PM

29. The Digital Millennium Copyright Act is the American law created in response to Directive 95/46/EC, adopted in 1995 by the European Union. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 241 H1: International Laws And Legal Bodies H2: Digital Millennium Copyright Act
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information security; identify special security controls and privacy considerations for personnel management
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

30. In a study on software license infringement, licenses from the United States were significantly more permissive than those from the Netherlands and other countries. _____
ANSWER: False - less
POINTS: 1
REFERENCES: p. 244 H1: Ethics And Information Security H2: Ethical Differences Across Cultures
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

31. Laws, policies, and their associated penalties only provide deterrence if, among other things, potential offenders fear the probability of a penalty being applied. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 247 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

32. The code of ethics put forth by (ISC)2 focuses on four mandatory canons: “Protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.” _____
ANSWER: True
POINTS: 1
REFERENCES: p. 248 H1: Codes Of Ethics Of Professional Organizations H2: Major IT and InfoSec Professional Organizations
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:08 PM

33. The Department of Homeland Security was created in 2003 by the 9/11 Memorial Act of 2002. _____
ANSWER: False - Homeland Security
POINTS: 1
REFERENCES: p. 249 H1: Key U.S. Federal Agencies H2: Department of Homeland Security

Page 11


Name:

Class:

Date:

Mod 6 Legal, Ethical, and Professional Issues in Information Security QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security DATE CREATED: 9/14/2016 10:35 AM DATE MODIFIED: 5/11/2021 6:50 PM 34. The U.S. Secret Service is currently within the Department of the Treasury. _____ ANSWER: False - Homeland Security POINTS: 1 REFERENCES: p. 252 H1: Key U.S. Federal Agencies H2: U.S. Secret Service QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security DATE CREATED: 9/14/2016 10:35 AM DATE MODIFIED: 5/11/2021 6:50 PM 35. The communications networks of the United States carry(ies) more funds than all of the armored cars in the world combined. _____ ANSWER: True POINTS: 1 REFERENCES: p. 252 H1: Key U.S. Federal Agencies H2: U.S. Secret Service QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security DATE CREATED: 9/14/2016 10:35 AM DATE MODIFIED: 5/11/2021 6:50 PM 36. The Federal Bureau of Investigation’s National InfraGard Program serves its members in four basic ways: Maintains an intrusion alert network using encrypted e-mail; maintains a secure Web site for communication about suspicious activity or intrusions; sponsors local chapter activities; and operates a help desk for questions. _____ ANSWER: True POINTS: 1 REFERENCES: p. 255 H1: Key U.S. Federal Agencies H2: Federal Bureau of Investigation (FBI) Copyright Cengage Learning. Powered by Cognero.

QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.5 - Explain the roles of some U.S. law enforcement agencies with an interest in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:50 PM

37. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy–Kassebaum Act, protects the confidentiality and security of healthcare data. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 229 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 5/25/2021 8:37 PM
DATE MODIFIED: 6/21/2021 6:09 PM

Multiple Choice

38. _____ law comprises a wide variety of laws pertaining to relationships among individuals and organizations.
a. Criminal
b. Civil
c. Statutory
d. Constitutional
ANSWER: b
POINTS: 1
REFERENCES: p. 226 H1: Introduction To Law And Ethics In Information Security H2: Types of Law
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:10 PM

39. _____ law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments.
a. Public
b. Private
c. Civil
d. Criminal
ANSWER: a

POINTS: 1
REFERENCES: p. 226 H1: Introduction To Law And Ethics In Information Security H2: Types of Law
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

40. The Computer _____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.
a. Violence
b. Fraud
c. Theft
d. Usage
ANSWER: b
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

41. According to the National Information Infrastructure Protection Act of 1996, the severity of the penalty for computer crimes depends on the value of the information obtained and whether the offense is judged to have been committed for each of the following except _____.
a. for purposes of commercial advantage
b. for private financial gain
c. to harass
d. in furtherance of a criminal act
ANSWER: c
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

42. The _____ defines stiffer penalties for prosecution of terrorism-related activities.

a. USA PATRIOT Act
b. Sarbanes-Oxley Act
c. Gramm-Leach-Bliley Act
d. Economic Espionage Act
ANSWER: a
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:11 PM

43. The National Information Infrastructure Protection Act of 1996 modified which act?
a. USA PATRIOT Act
b. USA PATRIOT Improvement and Reauthorization Act
c. Computer Security Act
d. Computer Fraud and Abuse Act
ANSWER: d
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:57 PM

44. Which of the following acts defines and formalizes laws to counter threats from computer-related acts and offenses?
a. Electronic Communications Privacy Act of 1986
b. Freedom of Information Act (FOIA) of 1966
c. Computer Fraud and Abuse Act of 1986
d. All of the other answers are correct
ANSWER: c
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional

organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:17 PM

45. In 2002, Congress passed the Federal Information Security Management Act (FISMA), which mandates that all federal agencies _____.
a. provide security awareness training
b. periodic assessment of risk
c. develop policies and procedures based on risk assessments
d. all of the other answers are correct
ANSWER: d
POINTS: 1
REFERENCES: p. 227 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 12/28/2016 2:59 PM
DATE MODIFIED: 6/21/2021 6:14 PM

46. What is the subject of the Computer Security Act of 1987?
a. Federal agency information security
b. Telecommunications common carriers
c. Cryptography software vendors
d. All of the other answers are correct
ANSWER: a
POINTS: 1
REFERENCES: p. 227 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:15 PM

47. The Privacy of Customer Information Section of the common carrier regulation states that any proprietary information shall be used explicitly for providing services, and not for any _____ purposes.
a. troubleshooting
b. billing
c. customer service
d. marketing
ANSWER: d

POINTS: 1
REFERENCES: p. 228 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

48. The Health Insurance Portability and Accountability Act of 1996, also known as the _____ Act, protects the confidentiality and security of health-care data by establishing and enforcing standards and by standardizing electronic data interchange.
a. Gramm-Leach-Bliley
b. Kennedy-Kassebaum
c. Privacy
d. HITECH
ANSWER: b
POINTS: 1
REFERENCES: p. 229 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

49. Which of the following acts is a collection of statutes that regulate the interception of wire, electronic, and oral communications?
a. Electronic Communications Privacy Act
b. Financial Services Modernization Act
c. Sarbanes-Oxley Act
d. Economic Espionage Act
ANSWER: a
POINTS: 1
REFERENCES: p. 229 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:58 PM

50. Which of the following acts is also widely known as the Gramm-Leach-Bliley Act?
a. Financial Services Modernization Act
b. Communications Act
c. Computer Security Act
d. Health Insurance Portability and Accountability Act
ANSWER: a
POINTS: 1
REFERENCES: p. 230 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 9/14/2016 10:35 AM

51. Information about a person’s history, background, and attributes that can be used to commit identity theft is known as _____ information.
a. virtually interpreted
b. privately held
c. personally identifiable
d. identity defined
ANSWER: c
POINTS: 1
REFERENCES: p. 234 H1: Relevant U.S. Laws H2: Identity Theft
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 5/25/2021 8:41 PM
DATE MODIFIED: 5/25/2021 8:43 PM

52. The unauthorized taking of personal information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes is known as _____.
a. non-criminal fraud
b. ransoming
c. identity theft
d. identity extortion
ANSWER: c

POINTS: 1
REFERENCES: p. 234 H1: Relevant U.S. Laws H2: Identity Theft
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 5/25/2021 8:45 PM
DATE MODIFIED: 5/25/2021 8:47 PM

53. The _____ attempts to prevent trade secrets from being illegally shared.
a. Electronic Communications Privacy Act
b. Sarbanes-Oxley Act
c. Financial Services Modernization Act
d. Economic Espionage Act
ANSWER: d
POINTS: 1
REFERENCES: p. 236 H1: Relevant U.S. Laws H2: Export and Espionage Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

54. The _____ of 1999 provides guidance on the use of encryption and provides protection from government intervention.
a. Prepper Act
b. Economic Espionage Act
c. USA PATRIOT Act
d. Security and Freedom through Encryption Act
ANSWER: d
POINTS: 1
REFERENCES: p. 236 H1: Relevant U.S. Laws H2: Export and Espionage Laws
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

55. _____ use allows copyrighted materials to be used to support news reporting, teaching, scholarship, and similar activities, if the use is for educational or library purposes, is not for profit, and is not excessive.
a. Justified
b. Fair
c. Personal
d. Limited
ANSWER: b
POINTS: 1
REFERENCES: p. 237 H1: Relevant U.S. Laws H2: U.S. Copyright Law
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 5/25/2021 8:49 PM
DATE MODIFIED: 6/21/2021 6:18 PM

56. What is the subject of the Sarbanes-Oxley Act?
a. Banking
b. Financial reporting
c. Privacy
d. Trade secrets
ANSWER: b
POINTS: 1
REFERENCES: p. 237 H1: Relevant U.S. Laws H2: Financial Reporting
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 3/8/2017 5:59 PM

57. Payment Card Industry _____ Standards are designed to enhance the security of customers’ payment card account data.
a. Data Safety
b. Data Security
c. Data Practices
d. Account Security
ANSWER: b
POINTS: 1
REFERENCES: p. 238 H1: Relevant U.S. Laws H2: Payment Card Industry Data Security Standards (PCI DSS)
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional

organizations of importance to information security
DATE CREATED: 5/25/2021 8:52 PM
DATE MODIFIED: 6/21/2021 6:18 PM

58. In 2001, the Council of Europe drafted the European Council Cybercrime Convention, which empowers an international task force to oversee a range of security functions associated with _____ activities.
a. online terrorist
b. electronic commerce
c. cyberactivist
d. Internet
ANSWER: d
POINTS: 1
REFERENCES: p. 240 H1: International Laws And Legal Bodies H2: Council of Europe Convention on Cybercrime
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information security; Identify special security controls and privacy considerations for personnel management
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:19 PM

59. The Digital _____ Copyright Act is the American contribution to an international effort by the World Intellectual Properties Organization (WIPO) to reduce the impact of copyright, trademark, and privacy infringement.
a. Management
b. Master
c. Information
d. Millennium
ANSWER: d
POINTS: 1
REFERENCES: p. 241 H1: International Laws And Legal Bodies H2: Digital Millennium Copyright Act
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information security; Identify special security controls and privacy considerations for personnel management
DATE CREATED: 5/25/2021 8:57 PM
DATE MODIFIED: 5/25/2021 8:58 PM

60. In the 1999 study of computer use-ethics, which of the following countries reported the least tolerant attitudes toward misuse of organizational computing resources?
a. Australia
b. United States
c. Singapore
d. Sweden
ANSWER: c
POINTS: 1
REFERENCES: p. 244

H1: Ethics And Information Security H2: Ethical Differences Across Cultures
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:20 PM

61. Individuals with authorization and privileges to manage information within the organization are most likely to cause harm or damage _____.
a. with intent
b. by accident and/or through unintentional negligence
c. with malice
d. none of the other answers are correct
ANSWER: b
POINTS: 1
REFERENCES: p. 246 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:21 PM

62. There are three general causes of unethical and illegal behavior: _____, Accident, and Intent.
a. Curiosity
b. Ignorance
c. Revenge
d. None of the other answers are correct
ANSWER: b
POINTS: 1
REFERENCES: p. 246 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 5/25/2021 9:00 PM
DATE MODIFIED: 6/21/2021 6:22 PM

63. Criminal or unethical _____ goes to the state of mind of the individual performing the act.
a. ignorance
b. intent
c. accident
d. all of the other answers are correct
ANSWER: b
POINTS: 1

REFERENCES: p. 246 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:23 PM

64. Laws, policies, and their associated penalties only provide deterrence if which of the following conditions is present?
a. Fear of penalty
b. Probability of being caught
c. Probability of penalty being administered
d. All of the other answers are correct
ANSWER: d
POINTS: 1
REFERENCES: p. 247 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:24 PM

65. _____ is a professional association that focuses on auditing, control, and security. The membership comprises both technical and managerial professionals.
a. ISACA
b. Information Systems Security Association (ISSA)
c. EC-Council
d. SANS
ANSWER: a
POINTS: 1
REFERENCES: p. 249 H1: Codes Of Ethics Of Professional Organizations H2: Major IT and InfoSec Professional Organizations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 5/25/2021 9:06 PM
DATE MODIFIED: 5/25/2021 9:09 PM

66. The _____ is a respected professional society that was established in 1947. Today it is “the world’s largest educational and scientific computing society.”
a. Association for Computing Machinery
b. Information Systems Security Association (ISSA)

c. International Information Systems Security Certification Consortium, Inc.
d. EC-Council
ANSWER: a
POINTS: 1
REFERENCES: p. 248 H1: Codes Of Ethics Of Professional Organizations H2: Major IT and InfoSec Professional Organizations
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 5/25/2021 9:03 PM
DATE MODIFIED: 5/25/2021 9:04 PM

Completion

67. _____ are rules that mandate or prohibit certain behavior and are enforced by the government.
ANSWER: Laws
POINTS: 1
REFERENCES: p. 224 H1: Introduction To Law And Ethics In Information Security
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

68. _____ are the fixed moral attitudes or customs of a particular group.
ANSWER: Cultural mores (also accepted: Mores)
POINTS: 1
REFERENCES: p. 224 H1: Introduction To Law And Ethics In Information Security
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:25 PM

69. _____ is the legal obligation of an entity that extends beyond criminal or contract law.
ANSWER: Liability
POINTS: 1
REFERENCES: p. 224

H1: Introduction To Law And Ethics In Information Security H2: Organizational Liability and the Need for Counsel
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

70. “Long arm _____” refers to the long arm of the law reaching across the country or around the world to draw an accused individual into its court systems whenever it can establish jurisdiction.
ANSWER: jurisdiction
POINTS: 1
REFERENCES: p. 225 H1: Introduction To Law And Ethics In Information Security H2: Organizational Liability and the Need for Counsel
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

71. Managerial statements that dictate certain behavior within an organization are known as _____.
ANSWER: policies
POINTS: 1
REFERENCES: p. 225 H1: Introduction To Law And Ethics In Information Security H2: Policy Versus Law
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:26 PM

72. Family law, commercial law, and labor law are all encompassed by _____ law.
ANSWER: private
POINTS: 1
REFERENCES: p. 226 H1: Introduction To Law And Ethics In Information Security H2: Types of Law

QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

73. The _____ Act of 2001 provides law enforcement agencies with broader latitude in order to combat terrorism-related activities.
ANSWER: U.S.A. PATRIOT (also accepted: USA PATRIOT)
POINTS: 1
REFERENCES: p. 226 H1: Relevant U.S. Laws H2: General Computer Crime Laws
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

74. _____ information is a form of collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group.
ANSWER: Aggregate
POINTS: 1
REFERENCES: p. 228 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:25 PM

75. The _____ Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications.
ANSWER: Electronic Communications Privacy
POINTS: 1
REFERENCES: H1: Relevant U.S. Laws H2: Privacy

p. 229
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

76. The _____ Act of 1999 contains a number of provisions focusing on facilitating affiliation among banks, securities firms, and insurance companies.
ANSWER: Financial Services Modernization (also accepted: Gramm-Leach-Bliley; GLB)
POINTS: 1
REFERENCES: p. 230 H1: Relevant U.S. Laws H2: Privacy
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

77. _____ theft is the unauthorized taking of personal information with the intent of committing fraud or another illegal or unethical purpose.
ANSWER: Identity (also accepted: ID)
POINTS: 1
REFERENCES: p. 234 H1: Relevant U.S. Laws H2: Identity Theft
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security
DATE CREATED: 12/28/2016 3:03 PM
DATE MODIFIED: 6/21/2021 6:27 PM

78. The _____ Act of 1996 attempts to prevent trade secrets from being illegally shared.
ANSWER: Economic Espionage
POINTS: 1

REFERENCES: p. 236 H1: Relevant U.S. Laws H2: Export and Espionage Laws
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

79. The _____ Act seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.
ANSWER: Sarbanes-Oxley (also accepted: Sarbanes Oxley; Corporate and Auditing Accountability and Responsibility; SOX)
POINTS: 1
REFERENCES: p. 237 H1: Relevant U.S. Laws H2: Financial Reporting
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:28 PM

80. The _____ of 1966 allows any person to request access to federal agency records or information not determined to be a matter of national security.
ANSWER: Freedom of Information Act (also accepted: FOIA)
POINTS: 1
REFERENCES: p. 238 H1: Relevant U.S. Laws H2: Freedom of Information Act of 1966
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:28 PM

81. The _____ Card Industry Data Security Standards are designed to enhance the security of customers’ account data.

ANSWER: Payment
POINTS: 1
REFERENCES: p. 238 H1: Relevant U.S. Laws H2: Payment Card Industry Data Security Standards (PCI DSS)
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 12/28/2016 3:08 PM
DATE MODIFIED: 6/21/2021 6:29 PM

82. The _____ is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially when accomplished via the removal of technological copyright protection measures.
ANSWER: Digital Millennium Copyright Act (DMCA) (also accepted: Digital Millennium Copyright Act; DMCA)
POINTS: 1
REFERENCES: p. 241 H1: International Laws And Legal Bodies H2: Digital Millennium Copyright Act
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information security; Identify special security controls and privacy considerations for personnel management
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

83. Software license infringement is also often called software _____.
ANSWER: piracy
POINTS: 1
REFERENCES: p. 244 H1: Ethics And Information Security H2: Ethical Differences Across Cultures
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

84. According to the 1999 international study of computer-use ethics, many people from many cultural backgrounds

indicated that unless an organization explicitly forbids _____ use of its computing resources, such use is acceptable.
ANSWER: personal
POINTS: 1
REFERENCES: p. 244 H1: Ethics And Information Security H2: Ethical Differences Across Cultures
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 6/21/2021 6:32 PM

85. Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is _____.
ANSWER: education
POINTS: 1
REFERENCES: p. 244 H1: Ethics And Information Security H2: Ethics and Education
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

86. The _____ is a respected professional society that was established in 1947 as “the world’s first educational and scientific computing society.”
ANSWER: Association of Computing Machinery (also accepted: ACM)
POINTS: 1
REFERENCES: p. 248 H1: Codes Of Ethics Of Professional Organizations H2: Major IT and InfoSec Professional Organizations
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

87. The _____ is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials.
ANSWER: International Information Systems Security Certification Consortium, Inc. (ISC)2 (also accepted: (ISC)2; ISC2)
POINTS: 1
REFERENCES: p. 248
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

88. The _____ is a professional association that focuses on auditing, control, and security and whose membership comprises both technical and managerial professionals.
ANSWER: Information Systems Audit and Control Association (ISACA) (also accepted: Information Systems Audit and Control Association; ISACA)
POINTS: 1
REFERENCES: p. 249 H1: Codes Of Ethics Of Professional Organizations H2: Major IT and InfoSec Professional Organizations
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security
DATE CREATED: 9/14/2016 10:35 AM
DATE MODIFIED: 5/11/2021 6:49 PM

Essay

89. What are the requirements for a policy to become enforceable?
ANSWER: For a policy to become enforceable, it must have:
Dissemination (distribution) - The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee.
Review (reading) - The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees.
Comprehension (understanding) - The organization must be able to demonstrate that the employee understood the requirements and content of the policy.
Compliance (agreement) - The organization must be able to demonstrate that the employee

Page 31


Name:

Class:

Date:

Mod 6 Legal, Ethical, and Professional Issues in Information Security agrees to comply with the policy, through act or affirmation. Uniform enforcement - The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment. POINTS: 1 REFERENCES: p. 225 H1: Introduction To Law And Ethics In Information Security H2: Policy Versus Law QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security DATE CREATED: 9/14/2016 10:35 AM DATE MODIFIED: 3/8/2017 6:05 PM 90. List the five fundamental principles of HIPAA. 1. Consumer control of medical information ANSWER: 2. Boundaries on the use of medical information 3. Accountability for the privacy of private information 4. Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual 5. Security of health information POINTS: 1 REFERENCES: p. 229 H1: Relevant U.S. Laws H2: Privacy QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security DATE CREATED: 9/14/2016 10:35 AM DATE MODIFIED: 9/14/2016 10:35 AM 91. What are the provisions of the Digital Millennium Copyright Act (DMCA)? The DMCA includes the following provisions: ANSWER: • • •

Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content Prohibits the manufacture of devices to circumvent protections and countermeasures that control access to protected content Bans trafficking in devices manufactured to circumvent protections and countermeasures that control access to protected content

Copyright Cengage Learning. Powered by Cognero.

Page 32


Name:

Class:

Date:

Mod 6 Legal, Ethical, and Professional Issues in Information Security • •

Prohibits the altering of information attached or embedded into copyrighted material Excludes Internet service providers from certain forms of contributory copyright infringement

POINTS: REFERENCES:

1 p. 242 H1: International Laws And Legal Bodies H2: Digital Millennium Copyright Act QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.3 - Identify major national and international laws that affect the practice of information Identify special security controls and privacy considerations for personnel management security DATE CREATED: 12/28/2016 3:10 PM DATE MODIFIED: 12/28/2016 3:11 PM 92. Laws, policies, and their associated penalties only provide deterrence if three conditions are present. List and describe them. Fear of penalty: Potential offenders must fear the penalty. ANSWER: Probability of being apprehended: Potential offenders must believe there is a strong possibility of being caught. Probability of penalty being applied: Potential offenders must believe that the penalty will be administered. POINTS: 1 REFERENCES: p. 247 H1: Ethics And Information Security H2: Deterring Unethical and Illegal Behavior QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics DATE CREATED: 9/14/2016 10:35 AM DATE MODIFIED: 9/14/2016 10:35 AM Subjective Short Answer 93. What is civil law, and what does it accomplish? ANSWER: Civil law represents a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizations and people. Civil law encompasses family law, commercial law, and labor law. POINTS: REFERENCES:

1 p. 226

Copyright Cengage Learning. Powered by Cognero.

Page 33


Name:

Class:

Date:

Mod 6 Legal, Ethical, and Professional Issues in Information Security H1: Introduction to Law And Ethics In Information Security H2: Types of Law QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.2 - Describe the relevant laws, regulations, and professional organizations of importance to information security DATE CREATED: 5/25/2021 9:16 PM DATE MODIFIED: 5/25/2021 9:16 PM 94. If you work for a financial services organization such as a bank or credit union, which 1999 law affects your use of customer data? What other effects does it have? ANSWER: The law that affects the use of customer data by financial institutions is the Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999. Specifically, this act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. It also requires due notice to customers so they can request that their information not be shared with third parties. In addition, the act ensures that an organization’s privacy policies are fully disclosed when a customer initiates a business relationship and then distributed at least annually for the duration of the professional association. POINTS: REFERENCES:

1 p. 230 H1: Relevant U.S. Laws H2: Privacy QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.4 - Discuss the role of privacy as it applies to law and ethics in information security DATE CREATED: 5/25/2021 9:19 PM DATE MODIFIED: 5/25/2021 9:19 PM 95. What is the difference between law and ethics? ANSWER: Laws are rules that mandate or prohibit certain behavior in society; they are drawn from ethics, which define socially acceptable behavior. The key difference between laws and ethics is that laws carry the sanctions of a governing authority and ethics do not. Ethics are based on cultural mores: the fixed moral attitudes or customs of a particular group. POINTS: REFERENCES: QUESTION TYPE: HAS VARIABLES:

1 p. 242 H1: Ethics and Information Security Subjective Short Answer False

Copyright Cengage Learning. Powered by Cognero.

Page 34


Name:

Class:

Date:

Mod 6 Legal, Ethical, and Professional Issues in Information Security STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.06.1 - Explain the differences between laws and ethics DATE CREATED: 5/25/2021 9:13 PM DATE MODIFIED: 5/25/2021 9:13 PM

Mod 7 Security and Personnel

True / False

1. The general management community of interest must work with information security professionals to integrate solid information security concepts into the personnel management practices of the organization.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 262 H1: Introduction To Security And Personnel
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 3/10/2017 9:58 AM

2. The information security function cannot be placed within physical security, as a peer of physical security or protective services.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 263 H1: Positioning The Security Function
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.1 - Describe where and how the information security function should be positioned within organizations
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:12 AM

3. In many organizations, information security teams lack established roles and responsibilities.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 266 H1: Staffing The Information Security Function H2: Qualifications and Requirements
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 3/10/2017 9:59 AM

4. In many cases, organizations look for a technically qualified information security generalist who has a solid understanding of how an organization operates.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 266 H1: Staffing The Information Security Function H2: Qualifications and Requirements
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:12 AM

5. The use of standardized job descriptions can increase the degree of professionalism in the information security field.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:23 AM

6. "Builders" in the field of information security provide day-to-day systems monitoring and are used to support an organization’s goals and objectives.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:24 AM

7. The security manager position is much more general than that of the CISO.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 271 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 3/10/2017 9:59 AM

8. Security administrators provide day-to-day systems monitoring to support an organization’s goals and objectives.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:24 AM

9. The position of security analyst can be an entry-level position.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 272 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:24 AM

10. Existing information security-related certifications are typically well understood by those responsible for hiring in organizations.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 273 H1: Credentials For Information Security Professionals
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 3/10/2017 9:59 AM

11. The (ISC)2 CISSP concentrations are available for currently certified CISSP professionals to demonstrate knowledge that is part of the CISSP common body of knowledge.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 273 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:27 AM

12. The (ISC)2 CISSP-ISSEP concentration focuses on the knowledge area including systems lifecycle management, threat intelligence, and incident management.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:28 AM

13. The SSCP examination is much more rigorous than the CISSP examination.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 3/10/2017 9:59 AM

14. CompTIA offers a vendor-specific certification program called the Security+ certification.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 280 H1: Credentials For Information Security Professionals H2: CompTIA Certifications
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 9/14/2016 10:49 AM

15. The advice "Know more than you say, and be more skillful than you let on" for information security professionals indicates that an information security professional should avoid speaking to users in technical jargon.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 283 H1: Credentials For Information Security Professionals H2: Advice for Information Security Professionals
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:29 AM

16. The process of integrating information security perspectives into the hiring process includes reviewing and updating all job descriptions.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 284 H1: Employment Policies And Practices H2: Job Descriptions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:29 AM

17. A background check must always be conducted to determine the level of trust the business can place in a candidate for an information security position.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 284 H1: Employment Policies And Practices H2: Background Check
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/15/2021 5:41 PM

18. An organization should integrate security awareness education into a new hire’s ongoing job orientation and make it a part of every employee’s on-the-job security training.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 285 H1: Employment Policies And Practices H2: On-the-Job Security Training
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 3/10/2017 10:01 AM

19. To maintain a secure facility, all contract employees should be escorted from room to room, as well as into and out of the facility.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 290 H1: Employment Policies And Practices H2: Security Considerations for Temporary Employees, Consultants, and Other Workers
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 9/14/2016 10:49 AM

20. Organizations are not required by law to protect employee information that is sensitive or personal.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 289 H1: Personnel Control Strategies H2: Privacy and the Security of Personnel Data
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 9/14/2016 10:49 AM

Modified True / False

21. The general management community of interest must plan for the proper staffing of the information security function. _____
ANSWER: False - information security
POINTS: 1
REFERENCES: p. 262 H1: Introduction To Security And Personnel
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

22. Upper management should learn more about the budgetary needs of the information security function and the positions within it. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 266 H1: Staffing The Information Security Function H2: Qualifications and Requirements
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:54 AM

23. Many hiring managers in information security prefer to recruit a security professional who already has proven HR skills and professional experience, since qualified candidates with information security experience are scarce. _____
ANSWER: False - IT
POINTS: 1
REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Entry into the Information Security Profession
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

24. "Administrators" provide the policies, guidelines, and standards in the Schwartz classification. _____
ANSWER: False - Definers
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:55 AM

25. Security managers accomplish objectives identified by the CISO and resolve issues identified by technicians. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 271 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

26. The most common credential for a CISO-level position is the Security+ certification. _____
ANSWER: False - CISM
False - Certified Information Security Manager
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Staffing The Information Security Function
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/15/2021 5:44 PM

27. ISSEP stands for Information Systems Security Experienced Professional. _____
ANSWER: False - Engineering
POINTS: 1
REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

28. ISSAP stands for Information Systems Security Architecture Professional. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

29. ISSMP stands for Information Systems Security Monitoring Professional. _____
ANSWER: False - Management
POINTS: 1
REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

30. The CISA credential is geared toward experienced information security managers and others who may have similar management responsibilities. _____
ANSWER: False - CISM
POINTS: 1
REFERENCES: p. 276 H1: Credentials For Information Security Professionals H2: ISACA Certifications
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 5/26/2021 10:42 AM

31. ISACA promotes the CISA certification as being appropriate for accounting, networking, and security professionals. _____
ANSWER: False - auditing
POINTS: 1
REFERENCES: p. 276 H1: Credentials For Information Security Professionals H2: ISACA Certifications
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:49 AM
DATE MODIFIED: 6/23/2021 11:56 AM

32. GIAC stands for Global Information Architecture Certification. _____
ANSWER: False - Assurance
POINTS: 1
REFERENCES: p. 277 H1: Credentials For Information Security Professionals H2: SANS Certifications
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 5/26/2021 10:42 AM

33. Friendly departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting. _____
ANSWER: False - Hostile
POINTS: 1
REFERENCES: p. 286 H1: Employment Policies And Practices H2: Termination
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 5/26/2021 10:42 AM

34. Mandatory training provides the organization with the ability to audit the work of an individual. _____
ANSWER: False - vacation
POINTS: 1
REFERENCES: p. 288 H1: Personnel Control Strategies
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 11:57 AM

35. In many organizations, information security teams lack established _____ and responsibilities. _____
ANSWER: False - roles
POINTS: 1
REFERENCES: p. 266 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:30 PM
DATE MODIFIED: 5/26/2021 2:31 PM

36. Security administrators are accountable to provide day-to-day systems monitoring to support an organization’s goals and objectives.
ANSWER: True
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:34 PM
DATE MODIFIED: 5/26/2021 2:34 PM

Multiple Choice

37. To assess the effect that changes will have on the organization’s personnel management practices, the organization should conduct a behavioral feasibility study before the program is _____.
a. considered
b. planned
c. budgeted
d. implemented
ANSWER: d
POINTS: 1
REFERENCES: p. 262 H1: Introduction To Security And Personnel
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:37 PM
DATE MODIFIED: 6/23/2021 11:57 AM

38. The model commonly used by large organizations places the information security department within the _____ department.
a. management
b. information technology
c. physical security
d. production
ANSWER: b
POINTS: 1
REFERENCES: p. 263 H1: Positioning The Security Function
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 11:58 AM

39. The latest forecasts for information security-related positions expect _____ openings than in many previous years.
a. the same number of
b. more
c. many fewer
d. fewer
ANSWER: b
POINTS: 1
REFERENCES: p. 264 H1: Staffing The Information Security Function
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:42 PM
DATE MODIFIED: 6/23/2021 11:59 AM

40. Many who move to business-oriented information security were formerly _____ who were often involved in national security or cybersecurity.
a. marketing managers
b. military personnel
c. business analysts
d. lawyers
ANSWER: b
POINTS: 1
REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Entry into the Information Security Profession
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 12:00 PM

41. The information security function can be placed within the _____.
a. insurance and risk management function
b. administrative services function
c. legal department
d. All of the other answers are correct
ANSWER: d
POINTS: 1
REFERENCES: p. 263 H1: Positioning The Security Function
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 12:01 PM

42. In most cases, organizations look for a technically qualified information security _____ who has a solid understanding of how an organization operates.
a. generalist
b. specialist
c. internist
d. expert
ANSWER: a
POINTS: 1
REFERENCES: p. 266 H1: Staffing The Information Security Function H2: Qualifications and Requirements
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:45 PM
DATE MODIFIED: 5/26/2021 2:46 PM

43. Many who enter the field of information security are technical professionals such as _____ who find themselves working on information security applications and processes more often than traditional IT assignments.
a. networking experts or systems administrators
b. database administrators
c. programmers
d. All of the other answers are correct
ANSWER: d
POINTS: 1
REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Entry into the Information Security Profession
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 12:02 PM

44. Which of the following is not one of the categories of positions defined by Schwartz?
a. Definer
b. User
c. Builder
d. Administrator
ANSWER: b
POINTS: 1
REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 12:02 PM

45. _____ are the technically qualified individuals tasked to configure firewalls, deploy IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization’s security technology is properly implemented.
a. CSOs
b. CISOs
c. Security managers
d. Security analysts
ANSWER: d
POINTS: 1
REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 12:03 PM

46. According to Schwartz, "_____" are the real techies who create and install security solutions.
a. Builders
b. Administrators
c. Engineers
d. Definers
ANSWER: a
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM
DATE MODIFIED: 6/23/2021 12:03 PM

47. The _____ is the title most commonly associated with the top information security officer in the organization.
a. CISO
b. CFO
c. CTO
d. CEO
ANSWER: a
POINTS: 1
REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM

Page 16


Name:

Class:

Date:

Mod 7 Security and Personnel DATE MODIFIED:

6/23/2021 12:26 PM

48. In some organizations, the CISO’s position may be combined with physical security responsibilities or may even report to a security manager who is responsible for both logical (information) security and physical security, and such a position is generally referred to as a _____.
a. CSO b. CPSO c. CTO d. CNSO
ANSWER: a
POINTS: 1 REFERENCES: p. 270 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:50 PM DATE MODIFIED: 5/26/2021 2:51 PM

49. Security managers accomplish _____ identified by the CISO and resolve issues identified by technicians.
a. strategies b. tactics c. objectives d. tasks
ANSWER: c
POINTS: 1 REFERENCES: p. 271 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 5/26/2021 2:55 PM DATE MODIFIED: 5/26/2021 2:58 PM

50. The breadth and depth covered in each of the domains makes the _____ one of the most difficult-to-attain certifications on the market.
a. Security+ b. CISA c. CISSP d. ISEP
ANSWER: c
POINTS: 1 REFERENCES: p. 273 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:27 PM

51. The (ISC)2 _____ certification program has added a number of concentrations that can demonstrate advanced knowledge beyond the basic certification's common body of knowledge.
a. CISA b. C|CISO c. CISM d. CISSP
ANSWER: d
POINTS: 1 REFERENCES: p. 273 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:29 PM

52. The ISSEP concentration allows CISSP certificate holders to demonstrate expert knowledge of all of the following except _____.
a. systems security engineering b. technical management c. international laws d. certification and accreditation/risk management framework
ANSWER: c
POINTS: 1 REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:30 PM

53. The ISSMP concentration examination is designed to provide CISSPs with a mechanism to demonstrate competence in _____.
a. enterprise security management practices b. security management practices c. business continuity planning and disaster recovery planning d. All of these answers are correct
ANSWER: d
POINTS: 1 REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:31 PM

54. Like the CISSP, the SSCP certification is more applicable to the security _____ than to the security _____.
a. technician, manager b. manager, engineer c. manager, technician d. technician, executive
ANSWER: c
POINTS: 1 REFERENCES: p. 274 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

55. The CISA credential is promoted by ISACA as the certification that is appropriate for all but which type of professionals?
a. accounting b. security c. networking d. auditing
ANSWER: a
POINTS: 1 REFERENCES: p. 276 H1: Credentials For Information Security Professionals H2: ISACA Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:31 PM

56. The former System Administration, Networking, and Security Organization is now better known as _____.
a. SANO b. SAN c. SANS d. SANSO
ANSWER: c
POINTS: 1 REFERENCES: p. 277 H1: Credentials For Information Security Professionals H2: SANS Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

57. The Cybersecurity Analyst+ certification from _____ is an intermediate certification with both knowledge-based and performance-based assessment.
a. SANS b. ISACA c. CompTIA d. ACM
ANSWER: c
POINTS: 1 REFERENCES: p. 280 H1: Credentials For Information Security Professionals H2: CompTIA Certifications
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 5/26/2021 3:01 PM DATE MODIFIED: 5/26/2021 3:03 PM

58. Many organizations use a(n) _____ interview to remind the employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization.
a. hostile b. departure c. exit d. termination
ANSWER: c
POINTS: 1 REFERENCES: p. 286 H1: Employment Policies And Practices H2: Termination
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

59. _____ are hired by the organization to serve in a temporary position or to supplement the existing workforce.
a. Temporary employees b. Consultants c. Contractors d. Self-employees
ANSWER: a
POINTS: 1 REFERENCES: p. 289 H1: Personnel Control Strategies H2: Security Considerations for Temporary Employees, Consultants, and Other Workers
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

60. _____ is a cornerstone in the protection of information assets and in the prevention of financial loss.
a. Fire suppression b. Business separation c. Separation of duties d. Collusion
ANSWER: c
POINTS: 1 REFERENCES: p. 287 H1: Personnel Control Strategies
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

61. _____ is the requirement that every employee be able to perform the work of another employee.
a. Two-man control b. Collusion c. Duty exchange d. Task rotation
ANSWER: d
POINTS: 1 REFERENCES: p. 288 H1: Personnel Control Strategies
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

Completion

62. To assess the effect that changes will have on the organization’s personnel management practices, the organization should conduct a _____ feasibility study before the program is implemented.
ANSWER: behavioral
POINTS: 1 REFERENCES: p. 262 H1: Introduction To Security And Personnel
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:32 PM

63. It is important to gather employee _____ early about the information security program and respond to it quickly.
ANSWER: feedback
POINTS: 1 REFERENCES: p. 262 H1: Introduction To Security And Personnel
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

64. Because the goals and objectives of _____ and CISOs tend to contradict each other, InformationWeek recommends: “The people who do and the people who watch shouldn't report to a common manager.”
ANSWER: CIOs
POINTS: 1 REFERENCES: p. 263 H2: Information Security Positions
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:33 PM

65. The _____ acts as the spokesperson for the information security team.
ANSWER: CSO; Chief Security Officer; Chief Security Officer (CSO); CISO; Chief Information Security Officer; Chief Information Security Officer (CISO); CISO or CSO; CSO or CISO
POINTS: 1 REFERENCES: p. 267 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:35 PM

66. Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and _____ areas.
ANSWER: policy
POINTS: 1 REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

67. Security _____ are accountable for the day-to-day operation of the information security program.
ANSWER: managers
POINTS: 1 REFERENCES: p. 271 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

68. The CISSP certification requires both the successful completion of the examination and a(n) _____ by a qualified third party, typically another similarly certified professional, the candidate’s employer, or a licensed, certified, or commissioned professional.
ANSWER: endorsement
POINTS: 1 REFERENCES: p. 273 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:36 PM

69. The Associate of (ISC)2 program is geared toward those who want to take the CISSP or SSCP exam before obtaining the requisite _____ for certification.
ANSWER: experience
POINTS: 1 REFERENCES: p. 276 H1: Credentials For Information Security Professionals H2: (ISC)-2 Certifications
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:37 PM

70. ISACA offers the CGEIT as well as the CISA and _____ certifications.
ANSWER: CISM
POINTS: 1 REFERENCES: p. 276 H1: Credentials For Information Security Professionals H2: ISACA Certifications
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

71. SANS developed a series of technical security certifications in 1999 that are known as the Global Information _____ Certification or GIAC family of certifications.
ANSWER: Assurance
POINTS: 1 REFERENCES: p. 277 H1: Credentials For Information Security Professionals H2: SANS Certifications
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

72. _____ are designed to recognize experts in their respective fields.
ANSWER: Certifications
POINTS: 1 REFERENCES: p. 281 H1: Credentials For Information Security Professionals H2: Certification Costs
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.3 - List and describe the credentials that information security professionals can earn to gain recognition in the field
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:37 PM

73. Once a candidate has accepted a job offer, the employment _____ becomes an important security instrument.
ANSWER: contract
POINTS: 1 REFERENCES: p. 285 H1: Employment Policies And Practices H2: Employee Contracts
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

74. When new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing as part of their employee _____.
ANSWER: orientation
POINTS: 1 REFERENCES: p. 285 H1: Employment Policies And Practices H2: New Hire Orientation
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

75. _____ departures include resignation, retirement, promotion, or relocation.
ANSWER: Friendly
POINTS: 1 REFERENCES: p. 286 H1: Employment Policies And Practices H2: Termination
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:41 AM

76. Separation of _____ is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information.
ANSWER: duties
POINTS: 1 REFERENCES: p. 287 H1: Personnel Control Strategies
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

77. Related to the concept of separation of duties is that of _____, the requirement that two individuals review and approve each other’s work before the task is categorized as finished.
ANSWER: two-person control; two person control
POINTS: 1 REFERENCES: p. 287 H1: Personnel Control Strategies
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 1:54 PM

78. Job _____ can greatly increase the chance that an employee’s misuse of the system or abuse of information will be detected by another employee.
ANSWER: rotation
POINTS: 1 REFERENCES: p. 288 H1: Personnel Control Strategies
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

79. A(n) _____ agency provides specifically qualified individuals at the paid request of another company.
ANSWER: temp; temporary
POINTS: 1 REFERENCES: p. 289 H1: Personnel Control Strategies H2: Security Considerations for Temporary Employees, Consultants, and Other Workers
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

80. The process of ensuring that no unnecessary access to data exists and that employees are able to perform only the minimum operations necessary on a set of data is referred to as the principle of _____.
ANSWER: least privilege
POINTS: 1 REFERENCES: p. 289 H1: Personnel Control Strategies
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 5/26/2021 10:42 AM

81. _____ are contracted workers hired for a specific one-time purpose, commonly to provide expertise the organization does not have internally.
ANSWER: consultants
POINTS: 1 REFERENCES: p. 290 H1: Personnel Control Strategies H2: Security Considerations for Temporary Employees, Consultants, and Other Workers
QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 6/23/2021 12:38 PM

Essay

82. What functions does the CISO perform?
ANSWER: The CISO performs the following functions:
- Manages the overall information security program for the organization
- Drafts or approves information security policies
- Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
- Develops information security budgets based on available funding
- Sets priorities for the purchase and implementation of information security projects and technology
- Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
- Acts as the spokesperson for the information security team
POINTS: 1 REFERENCES: p. 268 H1: Staffing The Information Security Function H2: Information Security Positions
QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.2 - Explain the issues and concerns related to staffing the information security function
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 9/14/2016 10:50 AM

83. What tasks must be performed when an employee prepares to leave an organization?
ANSWER: When an employee prepares to leave an organization, the following tasks must be performed:
- Access to the organization’s systems must be disabled.
- Removable media must be returned.
- Hard drives must be secured.
- File cabinet locks must be changed.
- The office door lock must be changed.
- Keycard access must be revoked.
- Personal effects must be removed from the organization’s premises.
POINTS: 1 REFERENCES: p. 286 H1: Employment Policies And Practices H2: Termination
QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 3/10/2017 10:08 AM

84. Describe the concept of separation of duties.
ANSWER: Among several internal control strategies, separation of duties is a cornerstone in the protection of information assets and in the prevention of financial loss. Separation of duties is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information. The control stipulates that the completion of a significant task that involves sensitive information should require at least two people. The idea behind this separation is that if only one person has the authorization to access a particular set of information, there may be nothing the organization can do to prevent this individual from copying the information and removing it from the premises. Separation of duties is especially important, and thus commonly implemented, when the information in question is financial.
POINTS: 1 REFERENCES: p. 287 H1: Personnel Control Strategies
QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.07.5 - Discuss the role of the pharyngeal arches in the development of the structures of the face.
DATE CREATED: 9/14/2016 10:50 AM DATE MODIFIED: 3/10/2017 10:08 AM

Subjective Short Answer

85. Why is it important to use specific and clearly defined job descriptions for hiring information security professionals?
ANSWER: Using standard job descriptions is important because they can increase the degree of professionalism in the information security field and improve the consistency of roles and responsibilities among organizations.
POINTS: 1 REFERENCES: p. 267 H1: Employment Policies and Practices H2: Job Descriptions
QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 5/26/2021 3:10 PM DATE MODIFIED: 5/26/2021 3:10 PM

86. Why shouldn’t an organization give a job candidate a tour of secure areas during an interview?
ANSWER: Candidates who are shown around can retain enough information about operations or information security functions to represent a potential threat.
POINTS: 1 REFERENCES: p. 284 H1: Employment Policies and Practices H2: Interviews
QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 5/26/2021 3:15 PM DATE MODIFIED: 5/26/2021 3:16 PM

87. How do security considerations for temporary or contract employees differ from those for regular full-time employees?
ANSWER: Temporary employees typically provide secretarial or administrative support and may be exposed to a wide range of information. From a security standpoint, temporary employees should have only as much information access as they need to perform their duties. Although organizations often want temporary employees to sign nondisclosure agreements and fair use policies to avoid security breaches, this procedure can create a situation that is awkward and potentially dangerous. Therefore, the temporary employee’s supervisor should restrict the information to which the temp has access and ensure adherence to good security practices, especially clean desk policies and those for the security of classified data. Typical contract employees include groundskeepers, maintenance workers, electrical contractors, mechanical service contractors, and other service and repair workers. Although some contract employees may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources. Contract workers may need access to various facilities, but such access should not be allowed automatically.
POINTS: 1 REFERENCES: p. 285 H1: Employment Policies and Practices H2: Termination
QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.07.4 - Discuss how an organization’s employment policies and practices can support the information security effort
DATE CREATED: 5/26/2021 3:07 PM DATE MODIFIED: 5/26/2021 3:07 PM

Mod 8 Security Technology: Access Controls, Firewalls, and VPNs

True / False

1. Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 296 H1: Introduction to Access Controls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 3/8/2017 9:46 PM

2. Lattice-based access control is a form of access control in which users are assigned a matrix of authorizations for particular areas of access. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 296 H1: Introduction to Access Controls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 12/2/2017 1:50 PM

3. Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 297 H1: Introduction to Access Controls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM

4. Authentication is the process of validating and verifying an unauthenticated entity’s purported identity. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 298 H1: Introduction to Access Controls H2: Access Control Mechanisms QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.2 - Define authentication and explain the three commonly used authentication factors DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 3/8/2017 4:57 PM

5. Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 301 H1: Introduction to Access Controls H2: Access Control Mechanisms QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM

6. Firewalls fall into several major categories of processing modes: packet-filtering firewalls, application layer proxy firewalls, media access control layer firewalls, and hybrids. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 308 H1: Firewall Technologies QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 6/24/2021 9:31 AM

7. A firewall cannot be deployed as a separate network containing a number of supporting devices. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 308 H1: Firewall Technologies QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM

8. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall’s database or violations of those rules. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 309 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM

9. The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM

10. The application layer proxy firewall is capable of functioning both as a firewall and an application layer proxy server. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 3/8/2017 9:47 PM

11. Using an application layer firewall means the associated Web server must be exposed to a higher level of risk by placing it in the DMZ. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 6/24/2021 9:32 AM

12. All organizations with a router at the boundary between the organization’s internal networks and the external service provider will experience improved network performance due to the complexity of the ACLs used to filter the packets. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 314

H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:43 AM DATE MODIFIED: 9/14/2016 10:43 AM

13. The DMZ can be a dedicated port on the firewall device linking a single bastion host. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 316 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

14. The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 317 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 9:50 PM

15. An extranet is a segment of the DMZ where no authentication and authorization controls are put into place. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 317 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 9:50 PM

16. Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

17. Syntax errors in firewall policies are usually difficult to identify. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 9:50 PM

18. When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. a. True b. False

ANSWER: True POINTS: 1 REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

19. Good firewall rules include denying all data that is not verifiably authentic. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 319 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 9:51 PM

20. Firewalls can only filter packets by port number. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 319 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 9:32 AM

21. It is important that e-mail traffic reach your e-mail server and only your e-mail server. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 321 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

22. Though not used as much in Windows environments, terminal emulation is still useful to systems administrators on Unix/Linux systems. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 321 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 9:52 PM

23. A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to internal content from external users. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 324 H1: Firewall Technologies H2: Content Filters QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 9:34 AM

24. A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations. a. True b. False
ANSWER: True

POINTS: 1 REFERENCES: p. 324 H1: Firewall Technologies H2: Content Filters QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

25. Internet connections via dial-up lines are regaining popularity due to recent technological developments. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 325 H1: Protecting Remote Connections H2: Remote Access QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

26. A RADIUS system decentralizes the responsibility for authenticating each user by validating the user's credentials on the network access server. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 326 H1: Protecting Remote Connections H2: Remote Access QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 9:34 AM

27. Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

28. A VPN, used properly, allows communication across the Internet as if it were a private network. a. True b. False
ANSWER: True POINTS: 1 REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs) QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 9:36 AM

29. Most current operating systems require specialized software to connect to VPN servers, as support for VPN services is no longer built into the clients. a. True b. False
ANSWER: False POINTS: 1 REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs) QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

Modified True / False

30. Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization, whether systems or physical locations. _____
ANSWER: True POINTS: 1 REFERENCES: p. 296

H1: Introduction to Access Controls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:01 AM

31. Authentication is a mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system. _____
ANSWER: False - Identification POINTS: 1 REFERENCES: p. 298 H1: Introduction to Access Controls H2: Access Control Mechanisms QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.2 - Define authentication and explain the three commonly used authentication factors DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

32. The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device. _____
ANSWER: True POINTS: 1 REFERENCES: p. 302 H1: Introduction to Access Controls H2: Biometrics QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.2 - Define authentication and explain the three commonly used authentication factors DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

33. One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels. _____
ANSWER: False - covert POINTS: 1 REFERENCES: p. 305 H1: Introduction to Access Controls

H2: Access Control Architecture Models QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

34. In static filtering, configuration rules must be manually created, sequenced, and modified within the firewall. _____
ANSWER: True POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

35. A routing table tracks the state and context of each packet in a conversation by recording which station sent which packet and when. _____
ANSWER: False - state POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:02 AM

36. The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table. _____
ANSWER: True POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes

QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

37. The static packet filtering firewall can react to an emergent event and update or create rules to deal with that event. _____
ANSWER: False - dynamic POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

38. Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses on a one-to-one basis. _____
ANSWER: False - Network POINTS: 1 REFERENCES: p. 314 H1: Firewall Technologies H2: Firewall Architectures QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:03 AM

39. When a bastion host approach is used, the host contains two CPUs, forcing all traffic to go through the device. _____
ANSWER: False - NICs / False - Network Interface Cards / False - Network-Interface-Cards / False - Network Cards / False - Network Interfaces POINTS: 1

REFERENCES: p. 314 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:04 AM

40. A common DMZ arrangement is a subnet firewall that consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network. _____
ANSWER: True POINTS: 1 REFERENCES: p. 316 H1: Firewall Technologies H2: Firewall Architectures QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

41. Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. _____
ANSWER: True POINTS: 1 REFERENCES: p. 319 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:05 AM

42. A(n) intranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public. _____
ANSWER: False - extranet POINTS: 1 REFERENCES: p. 317

H1: Firewall Technologies H2: Firewall Architectures QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

43. When Web services are offered outside the firewall, SMTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. _____
ANSWER: False - HTTP / False - Hypertext Transfer Protocol / False - Hypertext Transfer Protocol (HTTP) POINTS: 1 REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:05 AM

44. Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped. _____
ANSWER: True POINTS: 1 REFERENCES: p. 319 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

45. Best practices in firewall rule set configuration state that the firewall device never allows administrative access directly from the public network. _____
ANSWER: True POINTS: 1 REFERENCES: p. 318

H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:06 AM

46. Traceroute, formally known as an ICMP Echo request, is used by internal systems administrators to ensure that clients and servers can communicate. _____
ANSWER: False - Pings / False - Ping POINTS: 1 REFERENCES: p. 321 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

47. The presence of external requests for Telnet services can indicate a potential attack. _____
ANSWER: True POINTS: 1 REFERENCES: p. 321 H1: Firewall Technologies H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

48. In order to keep the Web server inside the internal network, direct all HTTP requests to the internal filtering firewall and configure the internal filtering router/firewall to allow only that device to access the internal Web server. _____
ANSWER: False - proxy server / False - proxy POINTS: 1 REFERENCES: p. 322 H1: Firewall Technologies

H2: Configuring and Managing Firewalls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

49. A content filter, also known as a proxy server, is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations. _____
ANSWER: False - reverse firewall POINTS: 1 REFERENCES: p. 324 H1: Firewall Technologies H2: Content Filters QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:07 AM

50. An attacker who suspects that an organization has dial-up lines can use a device called a(n) war dialer to locate the connection points. _____
ANSWER: True POINTS: 1 REFERENCES: p. 326 H1: Protecting Remote Connections H2: Remote Access QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

51. Kerberos uses asymmetric key encryption to validate an individual user to various network resources. _____
ANSWER: False - symmetric POINTS: 1 REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access QUESTION TYPE: Modified True / False HAS VARIABLES: False

STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

52. RADIUS, as described in RFC 4120, keeps a database containing the private keys of clients and servers—in the case of a client, this key is simply the client’s encrypted password. _____
ANSWER: False - Kerberos POINTS: 1 REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:08 AM

53. Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. _____
ANSWER: True POINTS: 1 REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs) QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds. DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:58 PM

54. A popular use for tunnel mode VPNs is the end-to-end transport of encrypted data. _____
ANSWER: False - transport POINTS: 1 REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs) QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds. DATE CREATED: 9/14/2016 10:44 AM

DATE MODIFIED: 6/24/2021 10:08 AM

Multiple Choice

55. _____ access control is a form of _____ access control in which users are assigned a matrix of authorizations for particular areas of access. a. task-based, discretionary b. role-based, nondiscretionary c. mandatory, discretionary d. lattice-based, nondiscretionary
ANSWER: d POINTS: 1 REFERENCES: p. 296 H1: Introduction to Access Controls QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:10 AM

56. Which of the following is not a major processing mode category for firewalls? a. Packet-filtering b. Application Layer Proxy c. Media Access Control Layer d. Router Passthrough
ANSWER: d POINTS: 1 REFERENCES: p. 309 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/15/2021 5:38 PM

57. _____ firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information. a. Packet-filtering b. Application gateway c. Circuit gateway d. MAC layer
ANSWER: a POINTS: 1 REFERENCES: p. 309 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice

HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:57 PM

58. The restrictions most commonly implemented in packet-filtering firewalls are based on _____. a. IP source and destination address b. Direction (inbound or outbound) c. TCP or UDP source and destination port requests d. All of these answers are correct
ANSWER: d POINTS: 1 REFERENCES: p. 309 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:10 AM

59. _____ filtering requires that the firewall's filtering rules for allowing and denying packets are manually developed and installed with the firewall. a. Dynamic b. Static c. Stateful d. Stateless
ANSWER: b POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:11 AM

60. A _____ filtering firewall can react to an emergent event and update or create rules to deal with the event. a. dynamic b. static c. stateful d. stateless
ANSWER: a POINTS: 1

REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:57 PM

61. _____ inspection firewalls keep track of each network connection between internal and external systems. a. Static b. Dynamic c. Stateful d. Stateless
ANSWER: c POINTS: 1 REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 5/27/2021 3:57 PM

62. The application layer proxy firewall is also known as a(n) _____. a. application firewall b. client firewall c. proxy firewall d. All of these are correct
ANSWER: a POINTS: 1 REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 10:12 AM

63. The proxy server is often placed in an unsecured area of the network or is placed in the _____ zone. a. fully trusted b. hot c. demilitarized d. cold
ANSWER: c

POINTS: 1
REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

64. The _____ is an intermediate area between a trusted network and an untrusted network.
a. perimeter
b. DMZ
c. domain
d. firewall
ANSWER: b
POINTS: 1
REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

65. _____ make filtering decisions based on the specific host computer’s identity, as represented by its network interface card (NIC) address, and operate at the data link layer of the OSI model or the subnet layer of the TCP/IP model.
a. Media Access Control Layer
b. Circuit gateway
c. Application gateway
d. Packet-filtering
ANSWER: a
POINTS: 1
REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:12 AM

66. Because the _____ host stands as a sole defender on the network perimeter, it is commonly referred to as the sacrificial host.
a. trusted
b. domain

c. DMZ
d. bastion
ANSWER: d
POINTS: 1
REFERENCES: p. 314 H1: Firewall Technologies H2: Firewall Architectures
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:13 AM

67. The dominant architecture used to secure network access today is the _____ firewall.
a. static
b. bastion
c. unlimited
d. screened subnet
ANSWER: d
POINTS: 1
REFERENCES: p. 316 H1: Firewall Technologies H2: Firewall Architectures
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

68. Configuring firewall _____ is viewed as much an art as it is a science.
a. policies
b. subnets
c. VPNs
d. protocols
ANSWER: a
POINTS: 1
REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:15 AM

69. Telnet protocol packets usually go to TCP port _____, whereas SMTP packets go to port _____.
a. 23, 52
b. 80, 52

c. 80, 25
d. 23, 25
ANSWER: d
POINTS: 1
REFERENCES: p. 319 H1: Firewall Technologies H2: Configuring and Managing Firewalls
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

70. Known as the ping service, _____ is a common method for hacker reconnaissance and should be turned off to prevent snooping.
a. RADIUS
b. ICMP
c. telnet
d. DNS
ANSWER: b
POINTS: 1
REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:16 AM

71. In most common implementation models, the content filter has two components: _____.
a. allow and deny
b. filtering and encoding
c. rating and decryption
d. rating and filtering
ANSWER: d
POINTS: 1
REFERENCES: p. 324 H1: Firewall Technologies H2: Content Filters
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:17 AM

72. _____ and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection.
a. RADIUS
b. RADIAL

c. TUNMAN
d. IPSEC
ANSWER: a
POINTS: 1
REFERENCES: p. 326 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

73. Which of the following versions of TACACS is still in use?
a. TACACS v2
b. Extended TACACS
c. TACACS+
d. All of these are correct
ANSWER: c
POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:17 AM

74. The service within Kerberos that generates and issues session keys is known as _____.
a. VPN
b. KDC
c. AS
d. TGS
ANSWER: b
POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

75. Kerberos _____ provides tickets to clients who request services.
a. KDS
b. TGS
c. AS
d. VPN
ANSWER: b

POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

76. In SESAME, the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server as proof of identity to gain a(n) _____.
a. VPN
b. ECMA
c. ticket
d. PAC
ANSWER: d
POINTS: 1
REFERENCES: p. 328 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

77. A(n) _____ is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
a. SVPN
b. VPN
c. SESAME
d. KERBES
ANSWER: b
POINTS: 1
REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

78. In _____ mode, the data within an IP packet is encrypted, but the header information is not.
a. tunnel
b. transport
c. public
d. symmetric
ANSWER: b

POINTS: 1
REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:57 PM

79. The primary benefit of a VPN that uses _____ is that an intercepted packet reveals nothing about the true destination system.
a. intermediate mode
b. tunnel mode
c. reversion mode
d. transport mode
ANSWER: b
POINTS: 1
REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

Completion

80. A(n) _____ contains a computer chip that can verify and validate several pieces of information instead of just a PIN.
ANSWER: smart card
POINTS: 1
REFERENCES: p. 300 H1: Introduction to Access Controls H2: Access Control Mechanisms
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

81. The _____ describes the number of legitimate users who are denied access because of a failure in the biometric device. This failure is known as a Type I error.
ANSWER: false reject rate
POINTS: 1

REFERENCES: p. 302 H1: Introduction to Access Controls H2: Biometrics
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.2 - Define authentication and explain the three commonly used authentication factors
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 8:15 PM

82. A(n) _____ is a combination of hardware and software that filters or prevents specific information from moving between the outside world and the inside world.
ANSWER: firewall
POINTS: 1
REFERENCES: p. 308 H1: Firewall Technologies
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

83. A packet-_____ firewall installed on a TCP/IP-based network typically functions at the IP level and determines whether to drop a packet (deny) or forward it to the next network connection (allow) based on the rules programmed into the firewall.
ANSWER: filtering
POINTS: 1
REFERENCES: p. 309 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

84. _____ is a firewall type that keeps track of each network connection between internal and external systems using a table and that expedites the processing of those communications.
ANSWER: Stateful packet inspection (SPI)
Stateful packet inspection

SPI
Stateful inspection firewall
POINTS: 1
REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

85. The _____ packet-filtering firewall can react to an emergent event and update or create rules to deal with that event.
ANSWER: dynamic
POINTS: 1
REFERENCES: p. 311 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

86. The application firewall is also known as a(n) application layer _____ server.
ANSWER: proxy
POINTS: 1
REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:19 AM

87. _____ firewalls combine the elements of other types of firewalls—that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
ANSWER: Hybrid

POINTS: 1
REFERENCES: p. 312 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

88. Because the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as a(n) _____ host.
ANSWER: sacrificial
POINTS: 1
REFERENCES: p. 314 H1: Firewall Technologies H2: Firewall Architectures
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:20 AM

89. The architecture of a(n) _____ firewall protects a DMZ.
ANSWER: screened subnet
POINTS: 1
REFERENCES: p. 316 H1: Firewall Technologies H2: Firewall Architectures
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/15/2021 5:39 PM

90. Both _____ and Next Generation Firewalls (NGFW) are hybrid firewalls categorized by their ability to perform the work of an SPI firewall, network IDPS, content filter, spam filter, and malware scanner and filter.
ANSWER: UTM
Unified Threat Management

Unified Threat Management (UTM)
POINTS: 1
REFERENCES: p. 313 H1: Firewall Technologies H2: Firewall Processing Modes
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:21 AM

91. At the very least, _____ access to the organization’s Domain Name System (DNS) server should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organization’s entire network.
ANSWER: telnet
terminal emulation
terminal
remote desktop
POINTS: 1
REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:22 AM

92. A firewall device must never be accessible directly from the _____ network.
ANSWER: public
untrusted
unprotected
POINTS: 1
REFERENCES: p. 319 H1: Firewall Technologies H2: Configuring and Managing Firewalls
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:23 AM

93. A(n) _____ filter is a software filter—technically not a firewall—that allows administrators to restrict access to content from within a network.
ANSWER: content
POINTS: 1
REFERENCES: p. 324 H1: Firewall Technologies H2: Content Filters
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

94. Content filters are often called _____ firewalls.
ANSWER: reverse
POINTS: 1
REFERENCES: p. 324 H1: Firewall Technologies H2: Content Filters
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

95. A(n) _____ dialer is an automatic phone-dialing program that dials every number in a configured range and checks to see if a person, answering machine, or modem picks up.
ANSWER: war
POINTS: 1
REFERENCES: p. 326 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

96. The Remote _____ Dial-In User Service system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server.
ANSWER: Authentication
POINTS: 1

REFERENCES: p. 326 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

97. The _____ Access Controller Access Control System contains a centralized database, and it validates the user’s credentials at the TACACS server.
ANSWER: Terminal
POINTS: 1
REFERENCES: p. 326 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

98. The _____ authentication system is named after the three-headed dog of Greek mythology that guards the gates to the underworld.
ANSWER: Kerberos
POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

99. In Kerberos, a(n) _____ is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services.
ANSWER: ticket
POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections

H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

100. Kerberos is based on the principle that the _____ knows the secret keys of all clients and servers on the network.
ANSWER: Key Distribution Center (KDC)
Key Distribution Center
KDC
POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

101. SESAME uses _____ key encryption to distribute secret keys.
ANSWER: public
POINTS: 1
REFERENCES: p. 328 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

102. A(n) _____ private network is a secure network connection between systems that uses the data communication capability of an unsecured and public network.
ANSWER: virtual
POINTS: 1
REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Completion

HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 5/27/2021 3:58 PM

103. A trusted _____ uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
ANSWER: VPN
POINTS: 1
REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:24 AM

104. A _____ mode VPN establishes two perimeter servers to encrypt all traffic that will traverse an unsecured network. The entire client packet is encrypted and added as the data portion of a packet addressed from one perimeter server to another.
ANSWER: tunnel
POINTS: 1
REFERENCES: p. 330 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 10:25 AM

Essay

105. Briefly describe the best practice rules for firewall use.
ANSWER:
1. All traffic from the trusted network is allowed out.
2. The firewall device is never directly accessible from the public network for configuration or management purposes.
3. Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but it should all be routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
4. All Internet Control Message Protocol (ICMP) data should be denied.
5. Telnet (terminal emulation) access to all internal servers from the public networks

should be blocked.
6. When Web services are offered outside the firewall, HTTP traffic should be denied from reaching your internal networks through the use of some form of proxy access or DMZ architecture.
7. All data that is not verifiably authentic should be denied.
POINTS: 1
REFERENCES: p. 318 H1: Firewall Technologies H2: Configuring and Managing Firewalls
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.4 - Explain the various approaches to firewall implementation
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:15 PM

106. List and describe the interacting services of the Kerberos system.
ANSWER: Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues session keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services.
In Kerberos a ticket is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services. The ticket consists of the client’s name and network address, a ticket validation starting and ending time, and the session key, all encrypted in the private key of the server from which the client is requesting services.
POINTS: 1
REFERENCES: p. 327 H1: Protecting Remote Connections H2: Remote Access
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.5 - Locate the surfaces of each tooth.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 1/30/2017 2:50 PM

107. What must a VPN accomplish to offer a secure and reliable capability while relying on public networks?
ANSWER:
- Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network as well as be usable by the server network environment.
- Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network but usable by the client and server computers and/or the local networks on both ends of the VPN connection.
- Authentication of the remote computer and, perhaps, the remote user as well.

Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.
POINTS: 1
REFERENCES: p. 329 H1: Protecting Remote Connections H2: Virtual Private Networks (VPNs)
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: DENT.SING.22.08.6 - Identify line angles, point angles, and divisions into thirds.
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:16 PM

Subjective Short Answer

108. What is the typical relationship among the untrusted network, the firewall, and the trusted network?
ANSWER: The untrusted network is usually the Internet or another segment of a public access network, while the trusted network is typically a privately owned network. The firewall serves as a mechanism to filter traffic from the untrusted network into the trusted network and foster assurance that the traffic is legitimate.
POINTS: 1
REFERENCES: p. 308 H1: Firewall Technologies
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.3 - Describe firewall technologies and the various categories of firewalls
DATE CREATED: 5/27/2021 8:37 PM
DATE MODIFIED: 5/27/2021 8:38 PM

109. What is biometric access control? What are the four truly unique human characteristics used in biometrics?
ANSWER: Biometric access control is the use of physiological characteristics to provide authentication for a provided identification.
The human characteristics usually considered truly unique for use in biometrics are:
• Fingerprints
• Retina of the eye (blood vessel pattern)
• Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations, vasculature, coronas, and crypts)
• DNA
POINTS: 1
REFERENCES: p. 301 H1: Introduction to Access Controls H2: Biometrics

QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.2 - Define authentication and explain the three commonly used authentication factors
DATE CREATED: 5/27/2021 8:41 PM
DATE MODIFIED: 5/27/2021 8:43 PM

110. What is deperimeterization?
ANSWER: Deperimeterization is the recognition that there is no clear information security boundary between an organization and the outside world, meaning that the organization must be prepared to protect its information both inside and outside its digital walls.
POINTS: 1
REFERENCES: p. 331 H1: Final Thoughts On Remote Access And Access Controls H2: Deperimeterization
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.08.1 - Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems
DATE CREATED: 5/27/2021 8:45 PM
DATE MODIFIED: 5/27/2021 8:47 PM

Mod 9 Sec Tech: Intrusion Detec & Prevention Sys and Other Sec Tools

True / False

1. Intrusion detection consists of procedures and systems that identify system intrusions and take steps to limit the intrusion and return operations to a normal state when an intrusion is detected.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 339 H1: Introduction To Intrusion Detection And Prevention Systems
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 4:30 PM

2. An IDPS can be configured to call a phone number or perform another type of signal or message.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 339 H1: Introduction To Intrusion Detection And Prevention Systems
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 6/24/2021 4:31 PM

3. A false positive is the failure of an IDPS system to react to an actual attack event.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems
DATE CREATED: 9/14/2016 10:44 AM

DATE MODIFIED: 9/14/2016 10:44 AM

4. The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS is known as a false attack stimulus.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

5. In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information and corrupt the servers’ answers to routine DNS queries from other systems on the network.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 345 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:25 PM

6. NIDPSs can reliably ascertain whether an attack was successful.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 345 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of

intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 10:25 PM

7. HIDPSs are also known as system integrity verifiers. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

8. An HIDPS can monitor system logs for predefined events. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 10:25 PM

9. An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: True / False HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 10:26 PM

10. An HIDPS is optimized to detect multihost scanning, and it is able to detect the scanning of non-host network devices, such as routers or switches. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 10:26 PM

11. The anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 350 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Detection Methods QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

12. IDPS responses can be classified as active or passive. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 354 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Response Behavior QUESTION TYPE: True / False

HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

13. A passive IDPS response is a definitive action automatically initiated when certain types of alerts are triggered. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 354 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Response Behavior QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

14. The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 355 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Response Behavior QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

15. In order to determine which IDPS best meets an organization’s needs, it is necessary to consider the system environment, security goals and objectives, and the existing security policy. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 358 H1: Introduction To Intrusion Detection And Prevention Systems

H2: Selecting IDPS Approaches and Products QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:32 PM

16. Your organization’s operational goals, constraints, and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 357 H1: Introduction To Intrusion Detection And Prevention Systems H2: Selecting IDPS Approaches and Products QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

17. Among the considerations in evaluating an IDPS are the product's scalability, testing, support provisions, and ability to provide information on the source of attacks. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 359 H1: Introduction To Intrusion Detection And Prevention Systems H2: Selecting IDPS Approaches and Products QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:32 PM

18. Intrusion detection and prevention systems perform monitoring and analysis of system events and user behaviors. a. True b. False ANSWER: True

POINTS: 1 REFERENCES: p. 360 H1: Introduction To Intrusion Detection And Prevention Systems H2: Strengths and Limitations of IDPSs QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

19. Intrusion detection and prevention systems can deal effectively with newly published attacks or variants of existing attacks. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 360 H1: Introduction To Intrusion Detection And Prevention Systems H2: Strengths and Limitations of IDPSs QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:32 PM

20. A fully distributed IDPS control strategy is an IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 362 H1: Introduction To Intrusion Detection And Prevention Systems H2: Deployment and Implementation of an IDPS QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 2/6/2017 9:26 PM

21. Security tools that provide decoy systems designed to lure potential attackers away from critical systems include honeypots, honeynets, and padded cell systems.

a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:33 PM

22. An IDS helps to secure networks by identifying where the network needs securing. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 370 H1: Scanning And Analysis Tools QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:36 PM

23. To assist in footprint intelligence collection, attackers may use an enhanced Web scanner that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 371 H1: Scanning And Analysis Tools QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 3/8/2017 10:28 PM

24. TCP/IP services can run only on their commonly used port number as specified in their original Internet standard. a. True

b. False ANSWER: False POINTS: 1 REFERENCES: p. 372 H1: Scanning And Analysis Tools H2: Port Scanners QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:37 PM

25. Administrators should encourage users to experiment with hackerware tools as they assist the organization in detecting potential vulnerabilities in the systems. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 373 H1: Scanning And Analysis Tools H2: Firewall Analysis Tools QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:38 PM

26. Once the OS is known, the vulnerabilities to which a system is susceptible can more easily be determined. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 373 H1: Scanning And Analysis Tools H2: Operating System Detection Tools QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:38 PM

27. The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to

automate the custom exploitation of vulnerable systems. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 375 H1: Scanning And Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 9/14/2016 10:44 AM

28. A passive vulnerability scanner is one that initiates traffic on the network in order to determine security holes. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 376 H1: Scanning And Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 1/30/2017 6:33 PM

29. Passive scanners are advantageous in that they can find client-side vulnerabilities that are typically not found by active scanners. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 376 H1: Scanning And Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM

DATE MODIFIED: 6/24/2021 4:40 PM
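Added worked example for the port scanner and OS/service detection items (24, 26, and the later port scanner items 52 and 53); it is not part of the test bank or the textbook. It runs a plain TCP connect scan with banner grabbing against a throwaway service that the script itself starts on 127.0.0.1, so it works offline. The service, its banner text and the banner-prefix table are constructed for the example, and the ports are whatever the OS assigns, which is the point of item 24: the scanner identifies the service from what it says, not from the port number it happens to use.

```python
"""TCP connect scan with banner grabbing against a throwaway local listener.

Added illustration, not from the textbook or any scanner's source. The fake
service, its banner and the banner-prefix table are constructed for the
example; the scan itself is a plain connect() scan, the simplest kind."""
import socket
import threading

# Constructed banner prefix -> service guess. Real fingerprinting tools carry
# far larger tables and also probe, rather than only listening for a greeting.
BANNER_HINTS = {
    b"SSH-": "ssh",
    b"220 ": "smtp-or-ftp",
    b"HTTP/": "http",
}


def start_fake_service(banner: bytes):
    """Listen on 127.0.0.1 at an OS-chosen port and greet each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free, non-standard port
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener shut down by stop_fake_service
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_fake_service(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the accept() blocked in the thread
    except OSError:
        pass
    srv.close()


def reserve_closed_port() -> int:
    """Bind and immediately release an ephemeral port so a probe of it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """Connect scan: 'open' if the three-way handshake completes; then read the
    banner and guess the service from its text rather than from the port number."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128)
            except OSError:              # includes a timeout: a silent service
                banner = b""
    except OSError:                      # refused, unreachable or timed out
        return {"port": port, "state": "closed", "banner": b"", "service": None}
    service = next((name for prefix, name in BANNER_HINTS.items()
                    if banner.startswith(prefix)), "unknown")
    return {"port": port, "state": "open", "banner": banner, "service": service}


def scan(host: str, ports) -> list:
    return [scan_port(host, p) for p in ports]


def demo() -> list:
    """Scan one open port (fake SSH on a random port) and one closed loopback port."""
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    try:
        return scan("127.0.0.1", [open_port, reserve_closed_port()])
    finally:
        stop_fake_service(srv)


if __name__ == "__main__":
    for r in demo():
        print(r["port"], r["state"], r["service"], r["banner"])
```

A connect scan completes the handshake, so the target's own logs will show it; SYN or other half-open scans need raw sockets and privileges and are deliberately not shown here. Note that the scan reports "ssh" for a port that is not 22, which is exactly why a defender's inventory should be built from banners and behaviour rather than from the well-known port list.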

30. To use a packet sniffer legally, the administrator only needs to be on a network that the organization owns, and have authorization of the network’s owners. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 378 H1: Scanning And Analysis Tools H2: Packet Sniffer QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:40 PM

Modified True / False

31. Alarm filtering and compaction is the process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. _____ ANSWER: False - clustering POINTS: 1 REFERENCES: p. 339 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:41 PM

32. A(n) event is an indication that a system has just been attacked or is under attack. _____ ANSWER: False - alert (or alarm) POINTS: 1 REFERENCES: p. 339 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/3/2021 6:44 PM

33. Alarm events that are accurate and noteworthy but do not pose significant threats to information security are called noise. _____ ANSWER: True POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/3/2021 6:44 PM

34. Avoidance is the process by which an attacker changes the format and/or timing of activities to avoid being detected by an IDPS. _____ ANSWER: False - evasion POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:42 PM

35. The integrity value, which is based upon fuzzy logic, helps an administrator determine how likely it is that an IDPS alert or alarm indicates an actual attack in progress. _____ ANSWER: False - confidence POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic

LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/3/2021 6:44 PM

36. A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss. _____ ANSWER: True POINTS: 1 REFERENCES: p. 341 H1: Introduction To Intrusion Detection And Prevention Systems H2: Why Use an IDPS? QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/3/2021 6:44 PM

37. The activities that gather public information about the organization and its network activities and assets are called fingerprinting. _____ ANSWER: False - footprinting POINTS: 1 REFERENCES: p. 341 H1: Introduction To Intrusion Detection And Prevention Systems H2: Why Use an IDPS? QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/3/2021 6:44 PM

38. In the process of protocol application verification, the NIDPSs look for invalid data packets. _____ ANSWER: False - stack POINTS: 1 REFERENCES: p. 344 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of

intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/3/2021 6:44 PM
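Added worked example for the IDPS terminology items (3, 4 and 31 to 35); it is not part of the test bank or the textbook. It takes a constructed stream of IDPS alerts and applies the three operations the items name: alarm clustering and compaction (near-identical alerts close together in time collapse into one higher-level alarm), alarm filtering (routing each compacted alarm by its confidence value, so low-confidence noise is not paged out), and a comparison against ground truth that counts false positives and false negatives. The alert records, signature names, the 5-second window, the confidence thresholds and the ground-truth set are all assumptions made for the illustration, not vendor defaults.

```python
"""Alarm clustering, compaction and filtering over a constructed alert stream.

Added illustration, not from the textbook or any IDPS product. Every record,
name, window and threshold below is constructed for the example."""
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float           # seconds (constructed clock)
    src: str            # source address the IDPS attributed the event to
    signature: str      # what the IDPS matched
    confidence: float   # 0.0-1.0, the IDPS's own estimate that this is real


@dataclass
class ClusteredAlarm:
    signature: str
    src: str
    first_ts: float
    last_ts: float
    count: int
    confidence: float   # highest confidence among the member alerts


# Constructed stream: a port-scan burst, one noisy ICMP alert, the same scanner
# returning much later, and one high-confidence exploit attempt.
SAMPLE_ALERTS = [
    Alert(1000.0, "10.0.0.5", "PORTSCAN tcp", 0.55),
    Alert(1000.4, "10.0.0.5", "PORTSCAN tcp", 0.60),
    Alert(1001.1, "10.0.0.5", "PORTSCAN tcp", 0.58),
    Alert(1003.0, "10.0.0.9", "ICMP echo request", 0.15),
    Alert(1030.0, "10.0.0.5", "PORTSCAN tcp", 0.52),   # outside the window: new cluster
    Alert(1031.0, "10.0.0.7", "SHELLCODE x86 NOP sled", 0.92),
]

# Constructed ground truth for scoring: what really was an attack in that interval.
# The SQLi attempt never produced an alert, so it will show up as a false negative.
ACTUAL_ATTACKS = frozenset({
    ("PORTSCAN tcp", "10.0.0.5"),
    ("SHELLCODE x86 NOP sled", "10.0.0.7"),
    ("SQLI union select", "10.0.0.11"),
})


def cluster_alarms(alerts, window: float = 5.0) -> list:
    """Alarm clustering and compaction: alerts with the same signature and source
    that arrive within `window` seconds of the previous one collapse into one alarm."""
    clusters, open_by_key = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.src)
        cur = open_by_key.get(key)
        if cur is not None and a.ts - cur.last_ts <= window:
            cur.last_ts = a.ts
            cur.count += 1
            cur.confidence = max(cur.confidence, a.confidence)
        else:
            cur = ClusteredAlarm(a.signature, a.src, a.ts, a.ts, 1, a.confidence)
            clusters.append(cur)
            open_by_key[key] = cur
    return clusters


def filter_alarms(clusters, noise_below: float = 0.3, page_above: float = 0.8) -> dict:
    """Alarm filtering: classify each compacted alarm so it can be routed.
    Below `noise_below` it is logged as noise; at or above `page_above` it pages
    the on-call analyst; everything else goes to the review queue."""
    buckets = {"noise": [], "review": [], "page": []}
    for c in clusters:
        if c.confidence < noise_below:
            buckets["noise"].append(c)
        elif c.confidence >= page_above:
            buckets["page"].append(c)
        else:
            buckets["review"].append(c)
    return buckets


def score_against_truth(clusters, actual_attacks) -> dict:
    """A false positive is an alarm with no attack behind it; a false negative is
    an attack that raised no alarm at all."""
    raised = {(c.signature, c.src) for c in clusters}
    return {
        "true_positive": len(raised & actual_attacks),
        "false_positive": len(raised - actual_attacks),
        "false_negative": len(actual_attacks - raised),
    }


if __name__ == "__main__":
    clusters = cluster_alarms(SAMPLE_ALERTS)
    for c in clusters:
        print(f"{c.signature:24} {c.src:10} x{c.count} conf={c.confidence:.2f}")
    print({k: len(v) for k, v in filter_alarms(clusters).items()})
    print(score_against_truth(clusters, ACTUAL_ATTACKS))
```

With the constructed stream, the three port-scan alerts at t=1000 to 1001 compact into one alarm of count 3 and the same scanner's return at t=1030 starts a fresh cluster, so the analyst sees two scan alarms instead of four; the ICMP alert lands in the noise bucket; and the scoring shows one false positive (the ICMP alarm) and one false negative (the SQLi attempt that no signature caught), which is the distinction item 3 tests.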

39. A HIDPS is also known as a system validity verifier. _____ ANSWER: False - integrity POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:44 AM DATE MODIFIED: 6/24/2021 4:43 PM

40. A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. _____ ANSWER: False - HIDPS POINTS: 1 REFERENCES: p. 349 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

41. Preconfigured, predetermined attack patterns are called signatures. _____ ANSWER: True POINTS: 1 REFERENCES: p. 350 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Detection Methods QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 6/3/2021 6:44 PM
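Added worked example for the detection-method items (11, 34, 38 and 41); it is not part of the test bank or the textbook. It runs three NIDPS detection methods over constructed packet records: signature matching against preconfigured patterns, protocol stack verification that flags TCP header combinations no conforming stack emits, and an anomaly-based check that builds a statistical summary from traffic assumed to be normal and flags sources that depart from it. It also shows the evasion point from item 34: the same SQL injection string URL-encoded slips past a raw pattern match and is caught only after the payload is normalised. The packet records, the two signatures, the flag rules, the baseline numbers, the decode-twice normalisation and the z-score threshold are all this example's own assumptions.

```python
"""Signature, protocol-stack and anomaly checks over constructed packet records.

Added illustration, not the textbook's or any vendor's engine. Records,
signatures, flag rules, baseline counts and thresholds are constructed."""
import re
import statistics
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: frozenset      # TCP flags present in the header
    payload: str          # application data, if any


# Signature-based: preconfigured, predetermined patterns (item 41).
SIGNATURES = {
    "SQLI union select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "Directory traversal": re.compile(r"(?:\.\./){2,}"),
}


def normalize_payload(payload: str) -> str:
    """Undo cheap evasion: URL-decode twice (catches double encoding) and collapse
    whitespace so 'UNION%20%20SELECT' and 'union select' compare equal."""
    decoded = unquote(unquote(payload))
    return re.sub(r"\s+", " ", decoded)


def signature_matches(payload: str, normalize: bool = True) -> list:
    text = normalize_payload(payload) if normalize else payload
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def stack_violations(flags) -> list:
    """Protocol stack verification (item 38): flag combinations a conforming TCP
    stack never sends, which scanners use to fingerprint or slip past filters."""
    flags = set(flags)
    bad = []
    if not flags:
        bad.append("NULL scan (no flags)")
    if {"SYN", "FIN"} <= flags:
        bad.append("SYN+FIN")
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        bad.append("XMAS scan")
    return bad


def build_baseline(normal_counts):
    """Anomaly-based (item 11): statistical summary of a metric taken from traffic
    known to be normal; here, new connections per source per minute."""
    return statistics.mean(normal_counts), statistics.pstdev(normal_counts)


def is_anomalous(count, baseline, z_threshold: float = 3.0) -> bool:
    mean, sd = baseline
    if sd == 0:
        return count != mean
    return (count - mean) / sd > z_threshold


# Constructed known-normal observation: connections/minute from eight ordinary clients.
NORMAL_CONNECTION_RATES = [12, 15, 11, 14, 13, 12, 16, 14]

# Constructed packets: an encoded SQLi attempt, a SYN+FIN probe, an ordinary GET.
SAMPLE_PACKETS = [
    Packet("198.51.100.23", 80, frozenset({"PSH", "ACK"}),
           "GET /item?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1"),
    Packet("203.0.113.9", 22, frozenset({"SYN", "FIN"}), ""),
    Packet("192.0.2.4", 80, frozenset({"PSH", "ACK"}), "GET /index.html HTTP/1.1"),
]


def inspect_traffic(packets, baseline, rates_per_src) -> list:
    """Run all three methods; return (src, method, detail) alerts in detection order."""
    alerts = []
    for p in packets:
        for name in signature_matches(p.payload):
            alerts.append((p.src, "signature", name))
        for v in stack_violations(p.flags):
            alerts.append((p.src, "stack", v))
    for src, count in rates_per_src.items():
        if is_anomalous(count, baseline):
            alerts.append((src, "anomaly", f"{count} conn/min"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(NORMAL_CONNECTION_RATES)
    for a in inspect_traffic(SAMPLE_PACKETS, base, {"203.0.113.9": 60, "192.0.2.4": 14}):
        print(a)
```

The raw-versus-normalised comparison is the practical lesson: a signature that is only ever tested against clean text will miss the same attack once it is percent-encoded, fragmented or padded with whitespace, so an engine's decoders and reassembly matter as much as its signature count. The anomaly check is deliberately crude (one metric, one z-score); its weakness, as item 19 notes for IDPSs generally, is that an attacker who stays inside the learned baseline is invisible to it.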

42. A(n) log file monitor is similar to an NIDPS. _____ ANSWER: True PO CHECK POINTS: 1 REFERENCES: p. 351 H1: Introduction To Intrusion Detection And Prevention Systems H2: Log File Monitors QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

43. The centralized IDPS implementation approach occurs when all detection functions are managed in a central location. _____ ANSWER: False - control POINTS: 1 REFERENCES: p. 361 H1: Introduction To Intrusion Detection And Prevention Systems H2: Deployment and Implementation of an IDPS QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:45 PM

44. A(n) partially distributed IDPS control strategy combines the best of other IDPS strategies. _____ ANSWER: True POINTS: 1 REFERENCES: p. 362 H1: Introduction To Intrusion Detection And Prevention Systems H2: Deployment and Implementation of an IDPS QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

45. When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) honeynet. _____ ANSWER: True
POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

46. A hardened honeypot is also known as a protected cell system. _____ ANSWER: False - padded POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:46 PM

47. The disadvantages of using the honeypot or padded cell approach include the fact that the technical implications of using such devices are not well understood. _____ ANSWER: False - legal POINTS: 1 REFERENCES: p. 368 H1: Honeypots, Honeynets, And Padded Cell Systems H2: Trap-and-Trace Systems QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

48. When using trap-and-trace, the trap usually consists of a honeypot or padded cell and a(n) packet sniffer. _____ ANSWER: False - alarm (or alert) POINTS: 1 REFERENCES: p. 368 H1: Honeypots, Honeynets, And Padded Cell Systems

H2: Trap-and-Trace Systems QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:48 PM

49. Enticement is the illegal and unethical action of luring an individual into committing a crime to get a conviction. _____ ANSWER: False - Entrapment POINTS: 1 REFERENCES: p. 368 H1: Honeypots, Honeynets, And Padded Cell Systems H2: Trap-and-Trace Systems QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:49 PM

50. Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization. _____ ANSWER: False - Footprinting POINTS: 1 REFERENCES: p. 370 H1: Scanning And Analysis Tools QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

51. For Linux or BSD systems, a tool called “Sam Spade” allows a remote individual to “mirror” entire Web sites. _____ ANSWER: False - wget POINTS: 1 REFERENCES: p. 371 H1: Scanning And Analysis Tools QUESTION TYPE: Modified True / False HAS VARIABLES: False

STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:49 PM

52. Port scanners are tools used both by attackers and defenders to identify (or footprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. _____ ANSWER: False - fingerprint POINTS: 1 REFERENCES: p. 372 H1: Scanning And Analysis Tools H2: Port Scanners QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:50 PM

53. A(n) port is the equivalent of a network channel or connection point in a data communications system. _____ ANSWER: True POINTS: 1 REFERENCES: p. 372 H1: Scanning And Analysis Tools H2: Port Scanners QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

54. A(n) monitoring vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. _____ ANSWER: False - passive POINTS: 1 REFERENCES: p. 376 H1: Scanning And Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: Modified True / False HAS VARIABLES: False

STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

55. For 802.11 wireless networks, a wireless security toolkit should include the ability to sniff wireless traffic, and scan wireless hosts. _____ ANSWER: True POINTS: 1 REFERENCES: p. 379 H1: Scanning And Analysis Tools H2: Wireless Security Tools QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:52 PM

Multiple Choice

56. A(n) _____ works like a burglar alarm in that it detects a violation (some system activities analogous to an opened or broken window) and activates an alarm. a. IDPS b. WiFi c. UDP d. DoS ANSWER: a POINTS: 1 REFERENCES: p. 339 H1: Introduction To Intrusion Detection And Prevention Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

57. Intrusion _____ activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again. a. prevention b. reaction c. detection d. correction ANSWER: d POINTS: 1 REFERENCES: p. 339

H1: Introduction To Intrusion Detection And Prevention Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

58. A(n) _____ is an event that triggers an alarm when no actual attack is in progress. a. false neutral b. false attack stimulus c. false negative d. noise ANSWER: b POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

59. _____ is the process of classifying IDPS alerts so that they can be more effectively managed. a. Alarm filtering b. Alarm clustering c. Alarm compaction d. Alarm attenuation ANSWER: a POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

60. Activities that scan networks for active systems and then identify the network services offered by the host systems are known as _____. a. port knocking b. doorknob rattling c. footprinting d. fingerprinting ANSWER: d POINTS: 1

REFERENCES: p. 341 H1: Introduction To Intrusion Detection And Prevention Systems H2: Why Use an IDPS? QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:53 PM

61. A(n) _____ IDPS is focused on protecting network information assets. a. network-based b. host-based c. application-based d. server-based ANSWER: a POINTS: 1 REFERENCES: p. 343 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

62. _____ are usually passive devices, but cannot analyze encrypted packets, making some traffic invisible to the process. a. NIDPSs b. HIDPSs c. AppIDPSs d. SIDPSs ANSWER: a POINTS: 1 REFERENCES: p. 343 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:54 PM

63. A(n) _____ port, also known as a monitoring port, is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device. a. NIDPS b. SPAN c. DPS d. IDSE ANSWER: b

POINTS: 1 REFERENCES: p. 344 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 64. To determine whether an attack has occurred or is underway, NIDPSs compare measured activity to known _____ in their knowledge base. a. vulnerabilities b. fingerprints c. signatures d. footprints ANSWER: c POINTS: 1 REFERENCES: p. 344 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 65. Most network behavior analysis system sensors can be deployed in _____ mode only, using the same connection methods as network-based IDPSs. a. passive b. active c. reactive d. dynamic ANSWER: a POINTS: 1 REFERENCES: p. 347 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 66. Network behavior analysis system _____ sensors are typically intended for network perimeter use, so they are deployed in close proximity to the perimeter firewalls, often between the firewall and the Internet border router to limit incoming attacks that could overwhelm the firewall. a. inline b. offline c. passive d. bypass ANSWER: a POINTS: 1 REFERENCES: p. 347 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 67. _____ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files. a. NIDPSs b. HIDPSs c. AppIDPSs d. SIDPSs ANSWER: b POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Log File Monitors QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 68. A(n) _____ reviews the log files generated by servers, network devices, and even other IDPSs looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred. a. LFM b. stat IDPS c. AppIDPS d. HIDPS ANSWER: a POINTS: 1 REFERENCES: p. 351 H1: Introduction To Intrusion Detection And Prevention Systems H2: Log File Monitors QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM

DATE MODIFIED: 6/24/2021 4:55 PM

69. Which of the following is NOT a described IDPS control strategy? a. centralized b. fully distributed c. partially distributed d. decentralized ANSWER: d POINTS: 1 REFERENCES: p. 361 H1: Introduction To Intrusion Detection And Prevention Systems H2: Deployment and Implementation of an IDPS QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 4:58 PM 70. _____ are decoy systems designed to lure potential attackers away from critical systems. a. Honeypots b. Bastion hosts c. Wasp nests d. Designated targets ANSWER: a POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 71. _____ applications use a combination of techniques to detect an intrusion and then follow it back to its source. a. Honeynet b. Trap-and-trace c. HIDPS d. Packet sniffer ANSWER: b POINTS: 1 REFERENCES: p. 368 H1: Honeypots, Honeynets, And Padded Cell Systems H2: Trap-and-Trace Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM Copyright Cengage Learning. Powered by Cognero.

DATE MODIFIED: 6/24/2021 4:58 PM

72. _____ is the action of luring an individual into committing a crime to get a conviction. a. Entrapment b. Enticement c. Intrusion d. Padding ANSWER: a POINTS: 1 REFERENCES: p. 369 H1: Honeypots, Honeynets, And Padded Cell Systems H2: Trap-and-Trace Systems QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 73. In TCP/IP networking, port _____ is not used. a. 0 b. 1 c. 13 d. 1023 ANSWER: a POINTS: 1 REFERENCES: p. 372 H1: Scanning and Analysis Tools H2: Port Scanners QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 74. Which of the following ports is commonly used for the HTTP protocol? a. 20 b. 25 c. 53 d. 80 ANSWER: d POINTS: 1 REFERENCES: p. 372 H1: Scanning and Analysis Tools H2: Port Scanners QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category Copyright Cengage Learning. Powered by Cognero.

DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 9/14/2016 10:45 AM

75. The ability to detect a target computer’s _____ is very valuable to an attacker. a. manufacturer b. operating system c. peripherals d. BIOS ANSWER: b POINTS: 1 REFERENCES: p. 373 H1: Scanning and Analysis Tools H2: Operating System Detection Tools QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 76. _____ testing is a straightforward testing technique that looks for vulnerabilities in a program or protocol by feeding random input to the program or a network running the protocol. a. Buzz b. Fuzz c. Spike d. Black ANSWER: b POINTS: 1 REFERENCES: p. 374 H1: Scanning and Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 77. Some vulnerability scanners feature a class of attacks called _____, that are so dangerous they should only be used in a lab environment. a. aggressive b. divisive c. destructive d. disruptive ANSWER: c POINTS: 1 REFERENCES: p. 375 H1: Scanning and Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: Multiple Choice HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:43 PM 78. A _____ vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software. a. passive b. aggressive c. active d. secret ANSWER: a POINTS: 1 REFERENCES: p. 376 H1: Scanning and Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 79. A(n) _____ is a software program or hardware appliance that can intercept, copy, and interpret network traffic. a. port scanner b. packet sniffer c. honeypot d. honey packet ANSWER: b POINTS: 1 REFERENCES: p. 377 H1: Scanning and Analysis Tools H2: Packet Sniffer QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:00 PM 80. To use a packet sniffer legally, the administrator must _____. a. be on a network that the organization owns b. be under direct authorization of the network’s owners c. have knowledge and consent of the content’s creators d. All of these are correct ANSWER: d POINTS: 1 REFERENCES: p. 378 H1: Scanning and Analysis Tools

H2: Packet Sniffer QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:01 PM Completion 81. A(n) _____ occurs when an attacker attempts to gain entry or disrupt the normal operations of an information system, almost always with the intent to do harm. ANSWER: intrusion POINTS: 1 REFERENCES: p. 338 H1: Introduction To Intrusion Detection And Prevention Systems QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 82. Alarm _____ and compaction is a consolidation of almost identical alarms that happen at close to the same time into a single higher-level alarm. ANSWER: clustering POINTS: 1 REFERENCES: p. 339 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 83. The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called _____. ANSWER: noise POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems

H2: IDPS Terminology QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 84. Site _____ awareness is an IDPS’s ability to dynamically modify its configuration in response to environmental activity. ANSWER: policy POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Terminology QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:02 PM 85. IDPSs can also help administrators detect the preambles to attacks; this is known as attack _____. ANSWER: reconnaissance POINTS: 1 REFERENCES: p. 341 H1: Introduction To Intrusion Detection And Prevention Systems H2: Why Use an IDPS? QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:03 PM 86. The _____ port is also known as a switched port analysis (SPAN) port or mirror port. ANSWER: monitoring POINTS: 1 REFERENCES: p. 344 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Completion

HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 87. In _____ protocol verification, the higher-order protocols are examined for unexpected packet behavior or improper use. ANSWER: application POINTS: 1 REFERENCES: p. 344 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 88. HIDPSs are also known as system _____ verifiers. ANSWER: integrity POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 89. A(n) _____-based IDPS resides on a particular computer or server and monitors activity only on that system. ANSWER: host POINTS: 1 REFERENCES: p. 348 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic

LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 90. Three methods dominate IDPS detection methods: the _____-based approach (sometimes called knowledge-based detection or misuse detection), the statistical anomaly-based approach, and the stateful packet inspection approach. ANSWER: signature POINTS: 1 REFERENCES: p. 350 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Detection Methods QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:09 PM 91. A signature-based IDPS is sometimes called a(n) _____-based IDPS or misuse detection. ANSWER: knowledge POINTS: 1 REFERENCES: p. 350 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Detection Methods QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:09 PM 92. When the measured activity is outside the baseline parameters, it is said to exceed the _____ level. ANSWER: clipping POINTS: 1 REFERENCES: p. 350 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Detection Methods QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems

DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

93. The IDPS __________ includes the management software, which collects information from the remote sensors, analyzes the systems or networks, and determines whether the current situation has deviated from the preconfigured baseline. ANSWER: console POINTS: 1 REFERENCES: p. 361 H1: Introduction To Intrusion Detection And Prevention Systems H2: Deployment and Implementation of an IDPS QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:10 PM 94. A(n) _____ system contains pseudo-services that emulate well-known services, but is configured in ways that make it look vulnerable to attacks, in order to lure potential attackers away from critical systems. ANSWER: honeypot POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:11 PM 95. When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) _____. ANSWER: honeynet POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM

96. A(n) _____ is a honeypot that has been protected so that it cannot be easily compromised. ANSWER: padded cell POINTS: 1 REFERENCES: p. 367 H1: Honeypots, Honeynets, And Padded Cell Systems QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 97. __________ are applications that record information about outbound communications and are similar to trap-and-trace systems. ANSWER: Pen registers POINTS: 1 REFERENCES: p. 369 H1: Honeypots, Honeynets, And Padded Cell Systems H2: Trap-and-Trace Systems QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:11 PM 98. _____ is the process of attracting attention to a system by placing tantalizing bits of information in key locations. ANSWER: Enticement POINTS: 1 REFERENCES: p. 369 H1: Honeypots, Honeynets, And Padded Cell Systems H2: Trap-and-Trace Systems QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.3 - Define and describe honeypots, honeynets, and padded cell systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 99. The _____ is a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network. ANSWER: attack protocol POINTS: 1 REFERENCES: p. 370 H1: Scanning and Analysis Tools QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:12 PM 100. _____ is a systematic survey of all of the target organization’s Internet addresses to identify the network services offered by the hosts in that range. ANSWER: Fingerprinting POINTS: 1 REFERENCES: p. 371 H1: Scanning and Analysis Tools QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/24/2021 5:13 PM 101. _____ scanning will allow an Nmap user to bounce a scan across a firewall by using one of the idle DMZ hosts as the initiator of the scan. ANSWER: Idle POINTS: 1 REFERENCES: p. 373 H1: Scanning and Analysis Tools H2: Firewall Analysis Tools QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 102. A(n) _____ vulnerability scanner is one that initiates traffic on the network in order to determine security holes. ANSWER: active POINTS: 1

REFERENCES: p. 374 H1: Scanning and Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 103. A(n) _____ vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software. ANSWER: passive POINTS: 1 REFERENCES: p. 376 H1: Scanning and Analysis Tools H2: Vulnerability Scanners QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/6/2021 3:43 PM 104. A packet _____ is a software program or hardware appliance that can intercept, copy, and interpret network traffic. ANSWER: sniffer POINTS: 1 REFERENCES: p. 377 H1: Scanning and Analysis Tools H2: Packet Sniffers QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM 105. To secure data in transit across any network, organizations must use _____ to be assured of content privacy. ANSWER: encryption POINTS: 1 REFERENCES: p. 378 H1: Scanning and Analysis Tools

H2: Packet Sniffers QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 6/3/2021 6:44 PM Essay 106. List and describe at least four reasons to acquire and use an IDPS. ANSWER: 1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system 2. To detect attacks and other security violations that are not prevented by other security measures 3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other "doorknob rattling" activities) 4. To document the existing threat to an organization 5. To act as quality control for security design and administration, especially of large and complex enterprises 6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors POINTS: 1 REFERENCES: p. 340 H1: Introduction To Intrusion Detection And Prevention Systems H2: Why Use an IDPS? QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 3/8/2017 10:46 PM 107. List and describe the three advantages of NIDPSs. ANSWER: 1. Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network. 2. NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations. 3. NIDPSs are not usually susceptible to direct attack and may not be detectable by attackers. POINTS: 1 REFERENCES: p. 345 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Essay

HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 3/8/2017 10:46 PM 108. List and describe the four advantages of HIDPSs. ANSWER: 1. An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDS. 2. An HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. 3. The use of switched network protocols does not affect an HIDPS. 4. An HIDPS can detect inconsistencies in how applications and systems programs were used by examining the records stored in audit logs. This can enable it to detect some types of attacks, including Trojan horse programs. POINTS: 1 REFERENCES: p. 349 H1: Introduction To Intrusion Detection And Prevention Systems H2: Types of IDPSs QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.1 - Identify and describe the categories and models of intrusion detection and prevention systems DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 3/8/2017 10:47 PM Subjective Short Answer 109. How does a signature-based IDPS differ from a behavior-based IDPS? ANSWER: A signature-based system looks for patterns of behavior that match a library of known behaviors. A behavior-based system watches for activities that suggest an alert-level activity is occurring, based on sequences of actions or the timing between otherwise unrelated events. POINTS: 1 REFERENCES: p. 350 H1: Introduction To Intrusion Detection And Prevention Systems H2: IDPS Detection Methods QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 6/7/2021 1:54 PM

DATE MODIFIED: 6/7/2021 1:57 PM
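Worked example for questions 82, 90 to 92 and 109 (added here; it is not code from the textbook or from this test bank). It runs the detection ideas from those questions over a small set of constructed web-server events: a signature (knowledge-based, misuse) matcher with a two-entry signature library, a statistical anomaly detector whose clipping level is derived from constructed baseline counts, and an alarm clustering/compaction pass that folds near-identical alarms into one higher-level alarm. The event lines, the signature patterns, the baseline numbers and the 10-second windows are all constructed for illustration and are not the book's figures.

```python
"""IDPS detection methods over constructed events: signature matching,
statistical anomaly detection with a clipping level, and alarm clustering.
Added example; all data below is constructed, not taken from the textbook."""
import re
import statistics
from collections import Counter

# Constructed web-server events: (timestamp in seconds, source IP, request line).
EVENTS = [
    (0, "10.0.0.5", "GET /index.html 200"),
    (1, "10.0.0.5", "GET /about.html 200"),
    (2, "10.0.0.9", "GET /cgi-bin/../../../../etc/passwd 404"),
    (3, "10.0.0.9", "GET /cgi-bin/../../../../etc/shadow 404"),
    (4, "10.0.0.9", "GET /cgi-bin/../../../../etc/group 404"),
    (5, "10.0.0.7", "GET /login?user=admin' OR 1=1-- 200"),
    (30, "10.0.0.9", "GET /../../boot.ini 404"),
]
# A burst of 25 ordinary-looking requests from one source inside ten seconds.
EVENTS += [(40 + i // 3, "10.0.0.12", f"GET /search?q={i} 200") for i in range(25)]

# Signature-based (knowledge-based, misuse) detection: a library of known-bad patterns.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def signature_detect(events):
    """One alert per (event, matching signature): (timestamp, source, signature name)."""
    alerts = []
    for ts, src, msg in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append((ts, src, name))
    return alerts


# Statistical anomaly-based detection: learn a baseline, derive a clipping level.
# Constructed training data: requests per source per 10-second window on a normal day.
TRAINING_COUNTS = [2, 3, 2, 4, 3, 2, 3, 3, 2, 4]


def learn_baseline(counts):
    """Baseline parameters: mean and population standard deviation of normal activity."""
    return statistics.mean(counts), statistics.pstdev(counts)


def clipping_level(mean, stdev, k=3.0):
    """Activity above mean + k*stdev is outside the baseline parameters."""
    return mean + k * stdev


def anomaly_detect(events, window, level):
    """Count requests per (window, source) and flag counts that exceed the clipping level."""
    counts = Counter()
    for ts, src, _ in events:
        counts[(ts // window, src)] += 1
    return [(w * window, src, "rate-anomaly", n)
            for (w, src), n in sorted(counts.items()) if n > level]


def cluster_alarms(alerts, window=10):
    """Alarm clustering and compaction: alarms with the same source and signature
    that occur within `window` seconds of each other become one higher-level alarm."""
    clusters = []
    open_cluster = {}  # (source, signature) -> index of its current cluster
    for ts, src, name in sorted(alerts):
        key = (src, name)
        i = open_cluster.get(key)
        if i is not None and ts - clusters[i]["last"] <= window:
            clusters[i]["count"] += 1
            clusters[i]["last"] = ts
        else:
            clusters.append({"src": src, "signature": name, "first": ts, "last": ts, "count": 1})
            open_cluster[key] = len(clusters) - 1
    return clusters


if __name__ == "__main__":
    mean, sd = learn_baseline(TRAINING_COUNTS)
    level = clipping_level(mean, sd)
    print("clipping level:", round(level, 2))
    for c in cluster_alarms(signature_detect(EVENTS)):
        print("signature alarm:", c)
    for a in anomaly_detect(EVENTS, 10, level):
        print("anomaly alarm:", a)
```

Note what each method sees: the signature matcher never raises on the burst from 10.0.0.12 because nothing in those requests is in its library, while the anomaly detector never raises on the single SQL-injection attempt because one request is well inside the baseline. Clustering is what keeps the three traversal attempts from 10.0.0.9 from arriving as three separate alarms; the later attempt at 30 seconds falls outside the window and is reported on its own.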

110. What is a SIEM and what is its primary purpose? ANSWER: A security information and event management (SIEM) system is an information management system specifically tasked to collect and correlate events and other log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, reporting, and acting on the resulting information. A SIEM system supports threat detection and informs many aspects of threat intelligence. It is also instrumental in managing aspects of compliance vulnerability management. It often plays a pivotal role in an organization’s security incident management through data collection and analysis by enabling near real-time and historical analysis of security events. It integrates data from multiple sources, including local events and contextual data sources. POINTS: 1 REFERENCES: p. 352 H1: Introduction To Intrusion Detection And Prevention Systems H2: Security Information and Event Management (SIEM) QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.2 - Describe the detection approaches employed by modern intrusion detection and prevention systems DATE CREATED: 6/7/2021 1:54 PM DATE MODIFIED: 6/7/2021 3:12 PM 111. What is network footprinting and how is it related to network fingerprinting? ANSWER: Footprinting is organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches that identify the network addresses of the organization. This research is augmented by browsing the organization’s Web pages. Web pages usually contain information about internal systems, the people who develop the Web pages, and other tidbits that can be used for social engineering attacks. The fingerprinting phase uses the TCP/IP address ranges that were collected during the footprinting phase to identify the network services offered by the hosts in that range. POINTS: 1 REFERENCES: p. 371 H1: Scanning and Analysis Tools QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.09.4 - List and define the major categories of scanning and analysis tools and describe the specific tools used within each category DATE CREATED: 6/7/2021 1:54 PM DATE MODIFIED: 6/27/2021 11:52 AM
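Worked example for questions 60, 73 and 100 and the answer to question 111 (added here; it is not the textbook's code and it is not Nmap). It performs the fingerprinting step that follows footprinting: a plain TCP connect probe of a list of ports on one host, skipping port 0 because it is not a usable port, and a guess at the service behind each open port from the banner it sends. The target is a constructed loopback listener so the scan runs offline; the banners and the banner-to-service table are constructed as well. A real scan runs against the address ranges gathered during footprinting, and only with the network owner's authorization.

```python
"""Fingerprinting: TCP connect probe of a host's ports plus banner-based
service identification. Added example; the scan target is a constructed
loopback listener, not a real host."""
import socket
import threading


def start_fake_service(banner: bytes):
    """Constructed scan target: a loopback listener that greets every client
    with `banner`. Returns (server socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0 here asks the OS for any free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # server socket was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_port(host, port, timeout=2.0):
    """TCP connect probe. Returns (is_open, banner). A refused or timed-out
    connection is reported as closed; an open port that stays silent
    is reported open with an empty banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(256)
            except socket.timeout:
                return True, b""
    except OSError:
        return False, b""


def guess_service(banner: bytes) -> str:
    """Constructed banner-to-service table covering a few common greetings."""
    b = banner.upper()
    if b.startswith(b"SSH-"):
        return "ssh"
    if b.startswith(b"220 ") and b"SMTP" in b:
        return "smtp"
    if b.startswith(b"220 ") and b"FTP" in b:
        return "ftp"
    if b.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def fingerprint(host, ports):
    """Probe each port on `host`; map open ports to a guessed service.
    Port 0 is skipped: it is not a usable TCP/IP port."""
    found = {}
    for port in ports:
        if port == 0:
            continue
        is_open, banner = probe_port(host, port)
        if is_open:
            found[port] = guess_service(banner)
    return found


def free_port():
    """Constructed helper: a loopback port that is currently closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    smtp_srv, smtp_port = start_fake_service(b"220 mail.example.test ESMTP\r\n")
    print(fingerprint("127.0.0.1", [0, ssh_port, smtp_port, free_port()]))
    ssh_srv.close()
    smtp_srv.close()
```

A connect probe completes the TCP handshake, so it is the noisiest form of scan and the easiest for a NIDPS or log file monitor to record; question 101's idle scan exists precisely to avoid the scanning host appearing as the initiator.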

Mod 10 Cryptography True / False 1. In 1953, Giovan Batista Bellaso introduced the idea of the passphrase (password) as a key for encryption. a. True b. False ANSWER: False POINTS: 1 REFERENCES: H1: Introduction To Cryptography H2: The History of Cryptology P. 385 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 9/14/2016 10:45 AM 2. In 1917, Gilbert S. Vernam, an AT&T employee, invented a polyalphabetic cipher machine that used a non-repeating random key. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 385 H1: Introduction To Cryptography H2: The History of Cryptology QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology DATE CREATED: 9/14/2016 10:45 AM DATE MODIFIED: 3/9/2017 11:11 PM 3. Sequence encryption is a series of encryptions and decryptions between a number of systems, wherein each system in a network decrypts the message sent to it and then reencrypts it using different keys and sends it to the next neighbor. This process continues until the message reaches the final destination. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms QUESTION TYPE: True / False HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.


LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/9/2017 11:12 PM

4. The permutation cipher simply rearranges the values within a block to create the ciphertext.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: H1: Encryption Methods H2: Transposition Cipher p. 390
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

5. In addition to being credited with inventing a substitution cipher, Julius Caesar was associated with an early version of the transposition cipher.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 391 H1: Encryption Methods H2: Transposition Cipher
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

6. You cannot combine the XOR operation with a block cipher operation.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 391 H1: Encryption Methods H2: Exclusive OR
QUESTION TYPE: True / False
HAS VARIABLES: False


LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

7. To perform the Caesar cipher encryption operation, the pad values are added to numeric values that represent the plaintext that needs to be encrypted.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 392 H1: Encryption Methods H2: Vernam Cipher
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

8. One encryption method made popular by spy movies is the book cipher, which involves using the text in a book to encrypt and decrypt messages.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 393 H1: Encryption Methods H2: Book-Based Ciphers
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 6/27/2021 11:56 AM

9. Hashing functions require the use of keys.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: True / False
HAS VARIABLES: False


LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

10. A cryptovariable is a value representing the application of a hash algorithm on a message.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 398 H1: Cryptographic Algorithms H2: Encryption Key Size
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

11. A brute force function is a mathematical algorithm that generates a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/9/2017 11:14 PM

12. Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: H1: Cryptographic Tools H2: Hybrid Cryptography Systems p. 403
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular


cryptographic tools
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

13. Adopted by NIST in 1976 as a federal standard, DES uses a 64-bit block size and key.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 396 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

14. 3DES was created to offer the same strength as the DES algorithm but ran three times as fast, thus saving time.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 396 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

15. The AES algorithm was the first public-key encryption algorithm to use a 256-bit key length.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 398 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM


DATE MODIFIED: 3/9/2017 11:15 PM

16. When an asymmetric cryptographic process uses the sender’s private key to encrypt a message, the sender’s public key must be used to decrypt the message.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 397 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

17. Asymmetric encryption systems use a single key to both encrypt and decrypt a message.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 397 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:15 PM

18. Usually, as the length of a cryptovariable increases, the number of random guesses that have to be made in order to break the code is reduced.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 399 H1: Cryptographic Algorithms H2: Encryption Key Size
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM


DATE MODIFIED: 3/9/2017 11:16 PM

19. PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 401 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:21 PM

20. The registration authority (RA) is a third party that issues, manages, authenticates, signs, and revokes users’ digital certificates.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 401 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 11:56 AM

21. Nonrepudiation means that customers or partners can be held accountable for transactions, such as online purchases, which they cannot later deny.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 400 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular


cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

22. The most common hybrid system is based on the Diffie-Hellman key exchange, which is a method for exchanging private keys using public-key encryption.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 403 H1: Cryptographic Tools H2: Hybrid Cryptography Systems
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:17 PM

23. Steganography is a data hiding method that involves embedding information within other files, such as digital pictures or other images.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 404 H1: Cryptographic Tools H2: Steganography
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

24. Standard HTTP (S-HTTP) is an extended version of the Hypertext Transfer Protocol that provides for the encryption of individual messages transmitted via the Internet between a client and server using AES over HTTP.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: Protocols For Secure Communications H2: Securing Internet Communication with HTTPS and SSL p. 405


QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 11:57 AM

25. SSL builds on the encoding format of the digital encryption standard (DES) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 407 H1: Protocols For Secure Communications H2: Securing E-Mail with S/MIME, PEM, and PGP
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:03 PM

26. Bluetooth is a de facto industry standard for short-range wireless communications between devices.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 409 H1: Protocols For Secure Communications H2: Securing Wireless Networks with WPA and RSN
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

27. Secure Electronic Transactions was developed by MasterCard and Visa in 1997 to protect against electronic payment fraud.
a. True b. False
ANSWER: True
POINTS: 1


REFERENCES: p. 409 H1: Protocols For Secure Communications H2: Securing Web Transactions with SET, SSL, and HTTPS
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:26 PM

28. The encapsulating security payload protocol provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
a. True b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

29. The HTTPS security solution provides six services: authentication by digital signatures, message encryption, compression, e-mail compatibility, segmentation, and key management.
a. True b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 412 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/14/2021 7:27 PM

30. Internet Protocol Security (IPSec) is an open-source protocol framework for security development within the TCP/IP family of protocols.
a. True


b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:27 PM

Modified True / False

31. Encryption is the process of converting the ciphertext message back into plaintext so that it can be readily understood. _____
ANSWER: False - Decryption
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

32. A(n) key is the set of steps used to convert an unencrypted message into an encrypted sequence of bits that represent the message; it sometimes refers to the programs that enable the cryptographic processes. _____
ANSWER: False - algorithm
POINTS: 1
REFERENCES: p. 385 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM


33. To encipher means to decrypt, decode, or convert ciphertext into the equivalent plaintext. _____
ANSWER: False - decipher
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

34. Ciphertext or a cryptogram is an encoded message, or a message that has been successfully encrypted. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

35. In a book cipher, the key consists of a list of codes representing the page number, line number, and word number of the plaintext word. _____
ANSWER: False - ciphertext
False - cryptogram
False - encrypted text
POINTS: 1
REFERENCES: p. 393 H1: Encryption Methods H2: Book-Based Ciphers
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:04 PM

36. Hash algorithms are mathematical functions that create a message digest by converting variable-length messages into


a single fixed-length value. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Book-Based Ciphers
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:05 PM

37. A multipart authentication code (MAC) is a key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest. _____
ANSWER: False - message
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Book-Based Ciphers
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

38. Encryption methodologies that require the same secret key to encipher and decipher the message are using public-key encryption. _____
ANSWER: False - private
POINTS: 1
REFERENCES: p. 396 H1: Cryptography Algorithms H2: Symmetric Encryption
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:06 PM

39. PKI is the federal information processing standard that specifies a cryptographic algorithm developed to replace both DES and 3DES. _____
ANSWER: False - AES
False - Advanced Encryption Standard


False - Advanced Encryption Standard (AES)
POINTS: 1
REFERENCES: p. 396 H1: Cryptography Algorithms H2: Symmetric Encryption
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:07 PM

40. AES implements a block cipher called the Rijndael Block Cipher with a variable block length and a key length of 128, 192 or 256 bits. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 397 H1: Cryptography Algorithms H2: Symmetric Encryption
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:08 PM

41. Symmetric encryption uses two different but related keys, and either key can be used to encrypt or decrypt the message. _____
ANSWER: False - Asymmetric
POINTS: 1
REFERENCES: p. 396 H1: Cryptography Algorithms H2: Asymmetric Encryption
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

42. Within a PKI, a(n) registration authority issues, manages, authenticates, signs, and revokes users’ digital certificates, which typically contain the user name, public key, and other identifying information. _____
ANSWER: False - certificate
POINTS: 1


REFERENCES: p. 401 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

43. The Digital Signature Standard established by NIST is used for electronic document authentication by federal information systems. It is based on a variant of the ElGamal algorithm. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 402 H1: Cryptographic Tools H2: Digital Signatures
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

44. A(n) distinguished name uniquely identifies a certificate entity to a user’s public key. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 403 H1: Cryptographic Tools H2: Digital Certificates
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

45. Diffie-Hellman key exchange uses asymmetric encryption to exchange session keys, limited-use symmetric keys for temporary communications. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 403


H1: Cryptographic Tools H2: Hybrid Cryptography Systems
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:09 PM

46. The number of horizontal and vertical pixels captured and recorded is known as an image’s contrast. _____
ANSWER: False - resolution
POINTS: 1
REFERENCES: p. 403 H1: Cryptographic Tools H2: Steganography
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:09 PM

47. The most popular modern version of steganography involves hiding information within files that contain digital pictures or other images. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 403 H1: Cryptographic Tools H2: Steganography
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

48. HTTPS is an extended version of Hypertext Transfer Protocol that provides for the encryption of protected e-mail transmitted via the Internet between a client and server. _____
ANSWER: False - Web pages
POINTS: 1
REFERENCES: p. 406 H1: Protocols For Secure Communications


H2: Securing Internet Communication with HTTPS and SSL
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/14/2021 7:43 PM

49. Privacy Enhanced Mail was proposed by the Internet Engineering Task Force and is a standard that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 407 H1: Protocols For Secure Communications H2: Securing E-Mail with S/MIME, PEM, and PGP
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

50. Secure Multipurpose Internet Mail Extensions builds on the encoding format of the MIME protocol and uses digital signatures based on public-key cryptosystems to secure e-mail. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 407 H1: Protocols For Secure Communications H2: Securing E-Mail with S/MIME, PEM, and PGP
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

51. PGP is a de facto industry standard for short-range wireless communications between devices. _____
ANSWER: False - Bluetooth
POINTS: 1
REFERENCES: p. 409 H1: Protocols For Secure Communications H2: Securing Wireless Networks with WPA and RSN


QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:10 PM

52. Internet Protocol Security is designed to protect data integrity, user confidentiality, and authenticity at the IP packet level. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

53. In transport mode IPSec the entire IP packet is encrypted and is then placed as the content portion of another IP packet. _____
ANSWER: False - tunnel
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:11 PM

54. The authentication header (AH) protocol provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification. _____
ANSWER: False - encapsulating security payload (ESP)
False - encapsulating security payload
False - ESP
POINTS: 1
REFERENCES: p. 410


H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:12 PM

55. Pretty Good Privacy (PGP) uses the freeware ZIP algorithm to compress the message after it has been digitally signed but before it is encrypted. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 412 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:00 PM

Multiple Choice

56. _____ is the process of converting an original message into a form that is unreadable to unauthorized individuals.
a. Encryption b. Decryption c. Cryptology d. Cryptography
ANSWER: a
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

57. _____ is the entire range of values that can possibly be used to construct an individual key.
a. Code b. Keyspace c. An algorithm d. A cryptogram


ANSWER: b
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

58. _____ is the amount of effort (usually in hours) required to perform cryptanalysis to decode an encrypted message when the key or algorithm (or both) are unknown.
a. Cryptology b. Decryption c. Cryptography d. Work factor
ANSWER: d
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:13 PM

59. A _____ is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext.
a. password b. cipher c. key d. passphrase
ANSWER: c
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

60. Bit stream methods commonly use algorithm functions like the _____ OR operation.


a. exclusive b. extreme c. extensive d. enhanced
ANSWER: a
POINTS: 1
REFERENCES: p. 386 H1: Encryption Methods
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:15 PM

61. More advanced substitution ciphers use two or more alphabets, and are referred to as _____ substitutions.
a. polysyllabic b. monoalphabetic c. polyalphabetic d. polynomic
ANSWER: c
POINTS: 1
REFERENCES: p. 387 H1: Encryption Methods H2: Substitution Cipher
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:15 PM

62. _____ functions are mathematical algorithms that generate a message summary or digest to confirm the identity of a specific message and to confirm that there have not been any changes to the content.
a. Hash b. MAC c. Key d. Encryption
ANSWER: a
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:16 PM

63. A _____ is a key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest.
a. signature b. MAC


c. fingerprint d. digest
ANSWER: b
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

64. SHA-1 produces a(n) _____-bit message digest, which can then be used as an input to a digital signature algorithm.
a. 48 b. 56 c. 160 d. 256
ANSWER: c
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:02 PM

65. Using a database of precomputed hashes from sequentially calculated passwords called a(n) _____, an attacker can simply look up a hashed password and read out the text version.
a. hash matrix b. smurf list c. rainbow table d. hashapedia
ANSWER: c
POINTS: 1
REFERENCES: p. 395 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:17 PM

66. A method of encryption that requires the same secret key to encipher and decipher the message is known as _____ encryption.
a. asymmetric b. symmetric

c. public
d. hash
ANSWER: b
POINTS: 1
REFERENCES: p. 396 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:18 PM

67. _____ is the current federal information processing standard that specifies a cryptographic algorithm used within the U.S. government to protect information in federal agencies that are not a part of the national defense infrastructure.
a. DES
b. 2DES
c. AES
d. 3DES
ANSWER: c
POINTS: 1
REFERENCES: p. 397 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

68. DES uses a(n) _____-bit block size.
a. 32
b. 64
c. 128
d. 256
ANSWER: b
POINTS: 1
REFERENCES: p. 396 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:02 PM

69. The _____ algorithm, developed in 1977, was the first public-key encryption algorithm published for commercial use.
a. DES
b. RSA
c. MAC
d. AES

ANSWER: b
POINTS: 1
REFERENCES: p. 398 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

70. _____ is an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely.
a. MAC
b. PKI
c. DES
d. AES
ANSWER: b
POINTS: 1
REFERENCES: p. 400 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

71. In PKI, the CA periodically distributes a(n) _____ to all users that identifies all revoked certificates.
a. CRL
b. RA
c. MAC
d. RDL
ANSWER: a
POINTS: 1
REFERENCES: p. 401 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

72. _____ are encrypted message components that can be mathematically proven to be authentic.
a. Digital signatures
b. MACs

c. Message certificates
d. Message digests
ANSWER: a
POINTS: 1
REFERENCES: p. 402 H1: Cryptographic Tools H2: Digital Signatures
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

73. Digital signatures should be created using processes and products that are based on the _____.
a. DSS
b. NIST
c. SSL
d. HTTPS
ANSWER: a
POINTS: 1
REFERENCES: p. 402 H1: Cryptographic Tools H2: Digital Signatures
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

74. An X.509 v3 certificate binds a _____, which uniquely identifies a certificate entity, to a user’s public key.
a. message digest
b. fingerprint
c. distinguished name
d. digital signature
ANSWER: c
POINTS: 1
REFERENCES: p. 403 H1: Cryptographic Tools H2: Digital Certificates
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:02 PM

75. The _____ is responsible for the fragmentation, compression, encryption, and attachment of an SSL header to the cleartext prior to transmission.

a. Standard HTTP
b. SFTP
c. HTTPS
d. SSL Record Protocol
ANSWER: d
POINTS: 1
REFERENCES: p. 406 H1: Protocols For Secure Communications H2: Securing Internet Communication with HTTPS and SSL
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/14/2021 8:04 PM

76. At the World Championships in Athletics in Helsinki in August 2005, a virus called Cabir infected dozens of _____, the first time this occurred in a public setting.
a. iPad tablets
b. Bluetooth mobile phones
c. WiFi routers
d. hearing aids
ANSWER: b
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing Wireless Networks with WPA and RSN
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:18 PM

77. _____ is an open-source protocol framework that can be used to secure communications across any IP-based network such as LANs, WANs, and the Internet.
a. PEM
b. SSH-2
c. IPSec
d. SET
ANSWER: c
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM

DATE MODIFIED: 6/27/2021 12:19 PM

78. The _____ protocol provides system-to-system authentication and data integrity verification, but does not provide secrecy for the content of a network communication.
a. ESP
b. AH
c. HA
d. SEP
ANSWER: b
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

79. _____ was developed by Phil Zimmermann and uses the IDEA cipher for message encoding.
a. PEM
b. PGP
c. S/MIME
d. SSL
ANSWER: b
POINTS: 1
REFERENCES: p. 407 H1: Protocols For Secure Communications H2: Securing E-Mail with S/MIME, PEM, and PGP
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

80. _____ is a hybrid cryptosystem that combines some of the best available cryptographic algorithms and has become the open-source de facto standard for encryption and authentication of e-mail and file storage applications.
a. PGP
b. DES
c. AH
d. ESP
ANSWER: a
POINTS: 1
REFERENCES: p. 412 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

Completion

81. The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption is called _____.
ANSWER: cryptanalysis
POINTS: 1
REFERENCES: p. 384 H1: Introduction To Cryptography
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 2/1/2017 6:50 PM
DATE MODIFIED: 6/6/2021 4:02 PM

82. The science of encryption is known as _____.
ANSWER: cryptology
POINTS: 1
REFERENCES: p. 384 H1: Introduction To Cryptography
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

83. _____ is the process of making and using codes to secure the transmission of information.
ANSWER: Cryptography
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM

DATE MODIFIED: 6/6/2021 4:01 PM

84. A(n) _____ or cryptosystem is an encryption method or process encompassing the algorithm, key(s) or cryptovariable(s), and procedures used to perform encryption and decryption.
ANSWER: cipher
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

85. To _____ means to encrypt, encode, or convert plaintext into the equivalent ciphertext.
ANSWER: encipher
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

86. The process of hiding messages within the digital encoding of a picture or graphic is called _____.
ANSWER: steganography
POINTS: 1
REFERENCES: p. 386 H1: Introduction To Cryptography H2: Key Cryptology Terms
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

87. In a(n) _____ cipher, you replace one value with another.
ANSWER: substitution
POINTS: 1
REFERENCES: p. 387 H1: Encryption Methods H2: Substitution Cipher
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:20 PM

88. A(n) _____ substitution uses one alphabet.
ANSWER: monoalphabetic
POINTS: 1
REFERENCES: p. 387 H1: Encryption Methods H2: Substitution Cipher
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

89. The _____ cipher simply rearranges the values within a block to create the ciphertext.
ANSWER: transposition
permutation
POINTS: 1
REFERENCES: p. 390 H1: Encryption Methods H2: Transposition Cipher
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

90. The _____ operation is a function of Boolean algebra in which two bits are compared, and if the two bits are identical, the result is a binary 0.
ANSWER: exclusive OR
XOR
exclusive OR (XOR)

POINTS: 1
REFERENCES: p. 391 H1: Encryption Methods H2: Exclusive OR
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:21 PM

91. Also known as the one-time pad, the _____ cipher, which was developed at AT&T, uses a set of characters only one time for each encryption process.
ANSWER: Vernam
POINTS: 1
REFERENCES: p. 392 H1: Encryption Methods H2: Vernam Cipher
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

92. A message _____ is a fingerprint of the author’s message that is compared with the recipient’s locally calculated hash of the same message.
ANSWER: digest
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

93. Hashing functions do not require the use of keys, but it is possible to attach a message _____ code to allow only specified recipients to access the message digest.
ANSWER: authentication
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:22 PM

94. The Secure _____ Standard issued by the National Institute of Standards and Technology specifies secure algorithms, such as SHA-1, for computing a condensed representation of a message or data file.
ANSWER: Hash
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

95. One of the most widely known cryptographic algorithms is the _____, which was developed by IBM and is based on the company’s Lucifer algorithm.
ANSWER: DES
Data Encryption Standard
POINTS: 1
REFERENCES: p. 396 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

96. The successor to 3DES is the _____ Encryption Standard.
ANSWER: Advanced
POINTS: 1
REFERENCES: p. 397 H1: Cryptographic Algorithms H2: Symmetric Encryption
QUESTION TYPE: Completion

HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

97. The more common name for asymmetric encryption is _____-key encryption.
ANSWER: public
POINTS: 1
REFERENCES: p. 397 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

98. A mathematical _____ is a secret mechanism that enables you to easily accomplish the reverse function in a one-way function.
ANSWER: trapdoor
POINTS: 1
REFERENCES: p. 398 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

99. In the context of a PKI, a(n) _____ authority operates under the trusted collaboration of the certificate authority and can be delegated day-to-day certification functions, such as verifying registration information about new registrants, generating end-user keys, revoking certificates, and validating that users possess a valid certificate.
ANSWER: registration
POINTS: 1
REFERENCES: p. 401 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic

LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

100. Digital _____ are public-key container files that allow computer programs to validate the key and identify to whom it belongs.
ANSWER: certificates
POINTS: 1
REFERENCES: p. 400 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

101. Digital _____ are encrypted messages that can be mathematically proven to be authentic.
ANSWER: signatures
POINTS: 1
REFERENCES: p. 402 H1: Cryptographic Tools
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

102. A digital _____ is an electronic document or container file that contains a key value and identifying information about the entity that controls the key.
ANSWER: certificate
POINTS: 1
REFERENCES: p. 402 H1: Cryptographic Tools H2: Digital Certificates
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

103. Netscape developed the _____ Layer protocol to use public-key encryption to secure a channel over the Internet, thus enabling secure communications.
ANSWER: Secure Socket
Secure Sockets
POINTS: 1
REFERENCES: p. 405 H1: Protocols For Secure Communications H2: Securing Internet Communication with HTTPS and SSL
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

104. In IPSec _____ mode, only the IP data is encrypted, not the IP headers.
ANSWER: transport
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

105. The encapsulating security _____ protocol provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
ANSWER: payload
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/6/2021 4:01 PM

106. Originally released as freeware, _____ is a hybrid cryptosystem that combines some of the best available cryptographic algorithms as an open-source de facto standard for encryption and authentication of e-mail and file storage.
ANSWER: Pretty Good Privacy
PGP
Pretty Good Privacy (PGP)
POINTS: 1
REFERENCES: p. 412 H1: Protocols For Secure Communications
QUESTION TYPE: Completion
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 6/27/2021 12:23 PM

Essay

107. Describe how hash functions work and what they are used for.
ANSWER: Hash functions are mathematical algorithms that generate a message summary or digest to confirm the identity of a specific message and to confirm that there have not been any changes to the content. While they do not create ciphertext, hash functions confirm message identity and integrity, both of which are critical functions in e-commerce. Hashing functions do not require the use of keys, but it is possible to attach a message authentication code (MAC)—a key-dependent, one-way hash function—that allows only specific recipients (symmetric key holders) to access the message digest.
POINTS: 1
REFERENCES: p. 394 H1: Encryption Methods H2: Hash Functions
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:41 PM

108. Describe symmetric and asymmetric encryption.
ANSWER: Symmetric Encryption. Encryption methodologies that require the same secret key to encipher and decipher the message use what is called private-key encryption or symmetric

encryption. Symmetric encryption methods use mathematical operations that can be programmed into extremely fast computing algorithms so that the encryption and decryption processes are executed quickly, even by small computers. The primary challenge of symmetric key encryption is getting the key to the receiver, a process that must be conducted out of band (meaning through a channel or band other than the one carrying the ciphertext) to avoid interception.

Asymmetric Encryption. Another category of encryption techniques is asymmetric encryption. While symmetric encryption systems use a single key both to encrypt and decrypt a message, asymmetric encryption uses two different but related keys, and either key can be used to encrypt or decrypt the message. Asymmetric encryption can be used to provide elegant solutions to problems of secrecy and verification. This technique has its highest value when one key is used as a private key, which means that it is kept secret (much like the key of symmetric encryption), known only to the owner of the key pair, and the other key serves as a public key, which means that it is stored in a public location where anyone can use it.
POINTS: 1
REFERENCES: p. 397 H1: Cryptographic Algorithms H2: Asymmetric Encryption
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.2 - Explain the basic principles of cryptography
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 3/9/2017 11:42 PM

109. Describe digital certificates.
ANSWER: Digital certificates are public-key container files that allow computer programs to validate the key and identify to whom it belongs. The certificate is often issued and certified by a third party, usually a certificate authority. A digital signature attached to the certificate’s container file certifies the file’s origin and integrity. A certificate authority (CA) issues, manages, authenticates, signs, and revokes users’ digital certificates, which typically contain the user name, public key, and other identifying information.
POINTS: 1
REFERENCES: p. 402 H1: Cryptographic Tools H2: Digital Certificates
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 9/14/2016 10:46 AM
DATE MODIFIED: 9/14/2016 10:46 AM

Subjective Short Answer

110. What are cryptography and cryptanalysis?
ANSWER: The science of encryption, known as cryptology, encompasses cryptography and cryptanalysis. Cryptography is the process of making and using codes to secure information. Cryptanalysis is the process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.
POINTS: 1
REFERENCES: p. 384 H1: Introduction To Cryptography
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.1 - Chronicle the most significant events and discoveries in the history of cryptology
DATE CREATED: 6/15/2021 5:16 PM
DATE MODIFIED: 6/27/2021 12:23 PM

111. What are the components and benefits of PKI?
ANSWER: Public key infrastructure (PKI) systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs). Digital certificates allow the PKI components and their users to validate keys and identify key owners. In PKI, certificate authorities are third parties that manage users’ digital certificates. PKI allows the implementation of several key characteristics of information security, including authentication, integrity, privacy, authorization, and nonrepudiation.
POINTS: 1
REFERENCES: p. 400 H1: Cryptographic Tools H2: Public Key Infrastructure (PKI)
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.3 - Describe the operating principles of the most popular cryptographic tools
DATE CREATED: 6/15/2021 5:18 PM
DATE MODIFIED: 6/27/2021 12:25 PM

112. What is IPSec and what are its two operating modes?
ANSWER: IP Security (IPSec) is an open-source protocol framework for security development within the TCP/IP family of protocol standards.

It is used to secure communications across IP-based networks such as LANs, WANs, and the Internet. IPSec operates in two modes: transport and tunnel. In transport mode, only the IP data is encrypted, not the IP headers. This allows intermediate nodes to read the source and destination addresses. In tunnel mode, the entire IP packet is encrypted and then placed into the content portion of another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets. These systems then transmit the decrypted packets to their true destinations.
POINTS: 1
REFERENCES: p. 410 H1: Protocols For Secure Communications H2: Securing TCP/IP with IPSec and PGP
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.10.4 - List and explain the major protocols used for secure communications
DATE CREATED: 6/15/2021 5:19 PM
DATE MODIFIED: 6/27/2021 12:26 PM

Mod 11 Implementing Information Security

True / False

1. The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC).
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 421 H1: The Systems Development Life Cycle H2: Traditional Development Methods
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 9/14/2016 10:29 AM

2. The investigation phase of the SDLC involves specification of the objectives, constraints, and scope of the project.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan
DATE CREATED: 9/14/2016 10:29 AM
DATE MODIFIED: 6/27/2021 5:54 PM

3. The physical design is the blueprint for the desired solution.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan
DATE CREATED: 9/14/2016 10:29 AM

Page 1


Name:

Class:

Date:

Mod 11 Implementing Information Security DATE MODIFIED:

9/14/2016 10:29 AM

4. In the physical design phase, specific technologies are selected. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:29 AM DATE MODIFIED: 12/4/2016 2:19 PM 5. The water-ski model is a type of SDLC in which each phase of the process flows from the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 419 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:29 AM DATE MODIFIED: 12/4/2016 2:23 PM 6. The project plan as a whole must describe how to acquire and implement the needed security controls and create a setting in which those controls achieve the desired outcomes. a. True b. False ANSWER: True POINTS: 1 REFERENCES: H1: Information Security Project Management H2: Developing the Project Plan p. 429 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the Copyright Cengage Learning. Powered by Cognero.

Page 2


Name:

Class:

Date:

Mod 11 Implementing Information Security

DATE CREATED: DATE MODIFIED:

success of an information security project 9/14/2016 10:48 AM 9/14/2016 10:48 AM

7. In general, the design phase is accomplished by changing the configuration and operation of the organization’s information systems to make them more secure. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 428 H1: Information Security Project Management QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

8. Planning for the implementation phase of a security project requires the creation of a detailed project plan. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

9. Each organization has to determine its own project management methodology for IT and information security projects. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

10. The first step in the work breakdown structure (WBS) is to break down the project plan into its action steps. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:21 PM

11. The work breakdown structure (WBS) can only be prepared with a complex, specialized desktop PC application. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management H2: Developing the Project Plan LO: 11.2 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 3/10/2017 8:20 AM

12. Planners need to estimate the effort required to complete each task, subtask, or action step in the project plan. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 431 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 3/10/2017 8:20 AM

13. To justify the amount budgeted for a security project, it may be useful for the organization to adopt the budgets of larger, more successful organizations. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 433 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:22 PM

14. The budgets of public organizations are usually the product of legislation or public meetings. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

15. The need for qualified, trained, and available personnel constrains the project plan. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 433 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

16. The size of the organization and the normal conduct of business may preclude a large training program on new security procedures or technologies. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 434 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

17. All organizations should designate a champion from the general management community of interest to supervise the implementation of an information security project plan. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 434 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

18. When an estimate is flawed, as when the number of effort-hours required is underestimated, the plan should be corrected and downstream tasks updated to reflect the change. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 435 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

19. The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system’s bugs are worked out. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 437 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

20. The networks layer of the bull’s eye is the outermost ring of the bull’s eye. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 3/10/2017 8:21 AM

21. The bull’s-eye model can be used to evaluate the sequence of steps taken to integrate parts of the information security blueprint into a project plan. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 439 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 3/10/2017 8:21 AM

22. As dictated by the bull’s-eye model, until sound and usable IT and information security policies are developed, communicated, and enforced, no additional resources should be spent on other controls. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:23 PM

23. Every organization needs to develop an information security department or program of its own. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 439 H1: Technical Aspects Of Implementation H2: To Outsource or Not QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

24. "Unfreezing" in the Lewin change model involves thawing hard-and-fast habits and established procedures. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 442 H1: Nontechnical Aspects Of Implementation H2: The Culture of Change Management QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 3/10/2017 8:22 AM

25. Weak management support, with overly delegated responsibility and no champion, sentences a project to almost certain failure. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: p. 443 H1: Nontechnical Aspects Of Implementation H2: Considerations for Organizational Change QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

Modified True / False

26. The Security Development Life Cycle (SDLC) is a general methodology for the design and implementation of an information system. _____
ANSWER: False - Systems
POINTS: 1 REFERENCES: p. 419 H1: The Systems Development Life Cycle QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:29 AM DATE MODIFIED: 6/6/2021 4:07 PM

27. The Analysis phase of the SDLC examines the event or plan that initiates the process and specifies the objectives, constraints, and scope of the project. _____
ANSWER: False - Investigation
POINTS: 1 REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:29 AM DATE MODIFIED: 6/6/2021 4:07 PM

28. SecOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles. _____
ANSWER: False - DevOps
POINTS: 1 REFERENCES: p. 419 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:29 AM DATE MODIFIED: 6/27/2021 6:23 PM

29. Performance management is the process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal. _____
ANSWER: False - Project
POINTS: 1 REFERENCES: p. 428 H1: Information Security Project Management QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

30. Planning for the implementation phase requires the creation of a detailed request for proposal, which is often assigned either to a project manager or the project champion. _____
ANSWER: False - project plan
POINTS: 1 REFERENCES: p. 431 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

31. In project planning, the tasks or action steps that come before the specific task at hand are commonly referred to as milestones. _____
ANSWER: False - predecessors
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:24 PM

32. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

33. In the early stages of planning, the project planner should attempt to specify completion dates only for major action steps within the project. _____
ANSWER: False - milestones
POINTS: 1 REFERENCES: p. 431 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:24 PM

34. The RFP determines the impact that a specific technology or approach can have on the organization’s information assets and what it may cost. _____
ANSWER: False - cost-benefit analysis; False - CBA; False - cost-benefit analysis (CBA); False - cost benefit analysis; False - cost benefit analysis (CBA); False - (CBA) cost-benefit analysis; False - (CBA) cost benefit analysis
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

35. The optimal time frame for training is usually one to three weeks before the new policies and technologies come online. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 434 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:25 PM

36. Most information security projects require a trained project developer - CISO or a skilled IT manager who is trained in project management techniques. _____
ANSWER: False - manager
POINTS: 1 REFERENCES: p. 434 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:26 PM

37. Once a project is underway, it is managed using a process known as gap analysis, which ensures that progress is measured periodically. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 435 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

38. Corrective action decisions are usually expressed in terms of trade-offs. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 435 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

39. A direct changeover is also known as going “fast turnkey.” _____
ANSWER: False - cold turkey
POINTS: 1 REFERENCES: p. 437 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

40. The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system’s bugs are worked out. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 437 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:27 PM

41. The parallel operations strategy works well when an isolated group can serve as a test area, which prevents any problems with the new system dramatically interfering with the performance of the organization as a whole. _____
ANSWER: False - pilot implementation
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

42. A proven method for prioritizing a program of complex change is the bull’s-eye method. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:07 PM

43. An ideal organization fosters resilience to change, meaning that the organization understands that change is a necessary part of the culture and that embracing change is more productive than fighting it. _____
ANSWER: True
POINTS: 1 REFERENCES: p. 443 H1: Nontechnical Aspects Of Implementation H2: Considerations for Organizational Change QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:27 PM

Multiple Choice

44. A methodology and formal development strategy for the design and implementation of an information system is referred to as a _____. a. systems design b. development life project c. systems development life cycle d. systems schema
ANSWER: c
POINTS: 1 REFERENCES: p. 418 H1: Introduction To Information Security Implementation QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/6/2021 4:06 PM

45. An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as _____. a. SecSDLC b. DevOps c. JAD/RAD d. SecOps
ANSWER: b
POINTS: 1 REFERENCES: p. 419 H1: Introduction To Information Security Implementation QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/27/2021 6:28 PM

46. A type of SDLC in which each phase has results that flow into the next phase is called the _____ model. a. agile b. SA&D c. waterfall d. Method 7
ANSWER: c
POINTS: 1 REFERENCES: p. 419 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/27/2021 6:28 PM

47. During the _____ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases. a. investigation b. implementation c. analysis d. physical design
ANSWER: d
POINTS: 1 REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/6/2021 4:06 PM

48. Which of the following phases is often considered the longest and most expensive phase of the systems development life cycle? a. investigation b. logical design c. implementation d. maintenance and change
ANSWER: d
POINTS: 1 REFERENCES: p. 421 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 9/14/2016 10:30 AM

49. Organizations are moving toward more _____-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product. a. security b. reliability c. accessibility d. availability
ANSWER: a
POINTS: 1 REFERENCES: p. 428 H1: The Systems Development Life Cycle H2: The NIST Approach to Securing the SDLC QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/6/2021 4:06 PM

50. The _____ design phase of an SDLC methodology is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. a. conceptual b. logical c. integral d. physical
ANSWER: b
POINTS: 1 REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/6/2021 4:06 PM

51. Effective planning for information security involves: a. collecting information about an organization's objectives. b. collecting information about an organization's information security environment. c. collecting information about an organization's technical architecture. d. All of these answers are correct
ANSWER: d
POINTS: 1 REFERENCES: p. 428 H1: Information Security Project Management QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:29 PM

52. Tasks or action steps that come after the task at hand are called _____. a. predecessors b. successors c. derivatives d. parents
ANSWER: b
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:29 PM

53. A(n) _____ is a simple project management planning tool used to break the project plan into smaller and smaller steps. a. RFP b. WBS c. ISO 17799 d. SDLC
ANSWER: b
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:35 PM

54. If the task is to write firewall specifications for the preparation of a(n) _____, the planner would note that the deliverable is a specification document suitable for distribution to vendors. a. WBS b. CBA c. SDLC d. RFP
ANSWER: d
POINTS: 1 REFERENCES: p. 430 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

55. The date for sending the final RFP to vendors is considered a milestone because it signals that __________. a. the budget is approved b. all approvals have been obtained c. all RFP preparation work is complete d. the bid by date has passed
ANSWER: c
POINTS: 1 REFERENCES: p. 431 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:38 PM

56. A(n) _____ determines the impact that a specific technology or approach can have on the organization’s information assets and what it may cost. a. RFP b. WBS c. SDLC d. CBA
ANSWER: d
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:40 PM

57. Many public organizations must spend all budgeted funds within the fiscal year—otherwise, the subsequent year’s budget is _____. a. increased by the unspent amount b. not affected unless the deficit is repeated c. automatically audited for questionable expenditures d. reduced by the unspent amount
ANSWER: d
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

58. In a _____ when significant deviation occurs, corrective action is taken to bring the deviating task back into compliance with the project plan; otherwise, the project is revised in light of the new information. a. gap analysis b. wrap-up c. direct changeover d. turnover
ANSWER: a
POINTS: 1 REFERENCES: p. 435 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 6:54 PM

59. The goal of the _____ is to resolve any pending project-related issues, critique the overall effort of the project, and draw conclusions about how to improve the project management process for the future. a. direct changeover b. project wrap-up c. phased implementation d. pilot implementation
ANSWER: b
POINTS: 1 REFERENCES: p. 436 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:04 PM

60. Some cases of _____ are simple, such as requiring employees to begin using a new password on an announced date. a. phased implementation b. direct changeover c. pilot implementation d. wrap-up
ANSWER: b
POINTS: 1 REFERENCES: p. 437 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

61. A _____ is usually the best approach to security project implementation. a. direct changeover b. phased implementation c. pilot implementation d. parallel operation
ANSWER: b
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

62. In a _____ implementation, the entire security system is put in place in a single office, department, or division before expanding to the rest of the organization. a. loop b. direct c. parallel d. pilot
ANSWER: d
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

63. The _____ methodology has been used by many organizations and requires that issues be addressed from the general to the specific, and that the focus be on systematic solutions instead of individual problems. a. parallel b. direct changeover c. bull’s-eye d. wrap-up
ANSWER: c
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/16/2021 2:06 PM

64. The _____ level of the bull’s-eye model establishes the ground rules for the use of all systems and describes what is appropriate and what is inappropriate; it enables all other information security components to function correctly. a. Policies b. Networks c. Systems d. Applications
ANSWER: a
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: Multiple Choice HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

65. The _____ layer of the bull's-eye model includes computers used as servers, desktop computers, and systems used for process control and manufacturing. a. Policies b. Networks c. Systems d. Applications
ANSWER: c
POINTS: 1 REFERENCES: p. 439 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

66. The _____ layer of the bull's-eye model receives attention last. a. Policies b. Networks c. Systems d. Applications
ANSWER: d
POINTS: 1 REFERENCES: p. 439 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

67. Technology _____ guides how frequently technical systems are updated and how technical updates are approved and funded, and also facilitates communication about technical advances and issues across the organization. a. wrap-up b. governance c. turnover d. changeover
ANSWER: b
POINTS: 1 REFERENCES: p. 440 H1: Technical Aspects Of Implementation H2: Technology Governance and Change Control
QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:05 PM

68. By managing the _____, the organization can reduce unintended consequences by having a process to resolve the potential conflict and disruption that uncoordinated change can introduce. a. conversion process b. wrap-up c. process of change d. governance
ANSWER: c
POINTS: 1 REFERENCES: p. 440 H1: Technical Aspects Of Implementation H2: Technology Governance and Change Control QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

69. The Lewin change model includes _____. a. unfreezing b. moving c. refreezing d. All of these are correct
ANSWER: d
POINTS: 1 REFERENCES: p. 442 H1: Nontechnical Aspects Of Implementation H2: The Culture of Change Management QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:06 PM

70. Project managers can reduce resistance to change by involving employees in the project plan. In the systems development parts of a project, this is referred to as _____. a. DMZ b. SDLC c. WBS d. JAD
ANSWER: d
POINTS: 1 REFERENCES: p. 442 H1: Nontechnical Aspects Of Implementation H2: Considerations for Organizational Change QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:06 PM

Completion

71. A(n) _____ is a formal approach to solving a problem by means of a structured sequence of procedures.
ANSWER: methodology
POINTS: 1 REFERENCES: p. 419 H1: The Systems Development Life Cycle QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/6/2021 4:05 PM

72. The _____ phase of the SDLC consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
ANSWER: analysis
POINTS: 1 REFERENCES: p. 420 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/27/2021 7:06 PM

73. During the _____ phase of the SDLC, the process begins by examining the event or plan that initiated the process. During this phase, the objectives, constraints, and scope of the project are specified.
ANSWER: investigation
POINTS: 1 REFERENCES: p. 420
H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/27/2021 7:07 PM

74. During the implementation phase of the SDLC, the organization translates its blueprint for information security into a project _____.
ANSWER: plan
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:07 PM

75. The _____ of any given project plan should be carefully reviewed and kept as small as possible, given the project’s objectives.
ANSWER: scope
POINTS: 1 REFERENCES: p. 434 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:09 PM

76. A(n) _____ is a completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.
ANSWER: deliverable
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management
H2: Developing the Project Plan QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

77. _____ is a phenomenon in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work.
ANSWER: Projectitis
POINTS: 1 REFERENCES: p. 430 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

78. A(n) _____ is a specific point in the project plan when a task that has a noticeable impact on the plan's progress is complete.
ANSWER: milestone
POINTS: 1 REFERENCES: p. 431 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

79. The tasks or action steps that come before the specific task at hand are called _____.
ANSWER: predecessors
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management
H2: Developing the Project Plan QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

80. Tasks or action steps that come after the task at hand are called _____.
ANSWER: successors
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

81. In the early stages of planning, the project planner should attempt to specify completion dates only for major project _____.
ANSWER: milestones
POINTS: 1 REFERENCES: p. 431 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:10 PM

82. Regardless of an organization’s information security needs, the amount of effort that can be expended depends on the available funds; therefore, a _____ is typically prepared in the analysis phase of the SecSDLC and must be reviewed and verified prior to the development of the project plan.
ANSWER: CBA; cost-benefit analysis; cost benefit analysis; cost-benefit analysis (CBA)
cost benefit analysis (CBA); CBA (cost-benefit analysis); CBA (cost benefit analysis)
POINTS: 1 REFERENCES: p. 432 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

83. Project _____ is a description of a project’s features, capabilities, functions, and quality level, and is used as the basis of a project plan.
ANSWER: scope
POINTS: 1 REFERENCES: p. 434 H1: Information Security Project Management H2: Project Planning Considerations QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

84. Once a project is underway, it is managed to completion using a process known as _____ analysis.
ANSWER: gap
POINTS: 1 REFERENCES: p. 435 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:11 PM

85. A direct _____ involves stopping the old system and starting the new one without any overlap.
ANSWER: changeover
POINTS: 1 REFERENCES: p. 437 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

86. A(n) _____ implementation is the most common conversion strategy and involves a measured rollout of the planned system with a part of the system being brought out and disseminated across an organization before the next piece is implemented.
ANSWER: phased
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

87. The _____ operations strategy involves running the new system concurrently with the old system.
ANSWER: parallel
POINTS: 1 REFERENCES: p. 438 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

88. At the center of the bull's-eye model are the _____ used by the organization to accomplish its work.
ANSWER: applications
POINTS: 1 REFERENCES: p. 439 H1: Technical Aspects Of Implementation H2: The Bull’s-Eye Model QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

89. Technology _____ is a complex process that organizations use to manage the impact and costs of technology implementation, innovation, and obsolescence.
ANSWER: governance
POINTS: 1 REFERENCES: p. 440 H1: Technical Aspects Of Implementation H2: Technology Governance and Change Control QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

90. Medium- and large-sized organizations deal with the impact of technical change on the organization's operation through a(n) _____ control process.
ANSWER: change
POINTS: 1 REFERENCES: p. 440 H1: Technical Aspects Of Implementation H2: Technology Governance and Change Control QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

91. One of the oldest models of change is the Lewin change model, which consists of three stages: unfreezing, _____, and refreezing.
ANSWER: moving
POINTS: 1 REFERENCES: p. 442 H1: Nontechnical Aspects Of Implementation H2: The Culture of Change Management QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/6/2021 4:05 PM

92. The level of _____ to change impacts the ease with which an organization is able to implement procedural and managerial changes.
ANSWER: resistance
POINTS: 1 REFERENCES: p. 442 H1: Nontechnical Aspects Of Implementation H2: Considerations for Organizational Change QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: DENT.SING.22.11.6 - Compare and contrast among the types of gloves used in dentistry. DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:12 PM

93. In systems development, _____ means getting key representatives of user groups to serve as members of the development process.
ANSWER: joint application development; JAD; joint application development (JAD)
POINTS: 1 REFERENCES: p. 419 H1: Introduction To Information Security Implementation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 6/27/2021 7:14 PM

Essay
94. List and describe the phases of the traditional systems development life cycle.
ANSWER:
Investigation: The first phase, investigation, is the most important. What problem is the system being developed to solve? The investigation phase begins by examining the event or plan that initiates the process. During this phase, the objectives, constraints, and scope of the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits and their appropriate levels of cost. At the conclusion of this phase and at every phase afterward, a process will be undertaken to assess economic, technical, and behavioral feasibilities and ensure that implementation is worth the organization’s time and effort.
Analysis: The analysis phase begins with the information gained during the investigation phase. This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems. Analysts begin by determining what the new system is expected to do and how it will interact with existing systems. This phase ends with documentation of the findings and an update of the feasibility analysis.
Logical Design: In the logical design phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. In any systems solution, the first and driving factor must be the business need. Based on the business need, applications are selected to provide needed services, and then the team chooses data support and structures capable of providing the needed inputs. Finally, based on all of this, specific technologies are delineated to implement the physical solution. The logical design, therefore, is the blueprint for the desired solution. The logical design is implementation-independent, meaning that it contains no reference to specific technologies, vendors, or products. Instead, it addresses how the proposed system will solve the problem at hand. In this stage, analysts generate estimates of costs and benefits to allow for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.
Physical Design: During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision—the option to develop components in-house or purchase them from a vendor. Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the organization’s management for approval.
Implementation: In the implementation phase, any needed software is created. Components are ordered, received, and tested. Afterward, users are trained and supporting documentation created. Once all components are tested individually, they are installed and tested as a system. A feasibility analysis is again prepared, and the sponsors are then presented with the system for a performance review and acceptance test.
Maintenance and Change: The maintenance and change phase is the longest and most expensive of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until the team determines that the process should begin again from the investigation phase. At periodic points, the system is tested for compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and patches are managed. As the needs of the organization change, the systems that support the organization must also change. When a current system can no longer support
the evolving mission of the organization, the system is retired from use and ongoing maintenance stops. If the services provided by the retired system are still needed, a new project is planned and implemented.
POINTS: 1 REFERENCES: p. 419 H1: The Systems Development Life Cycle H2: Traditional Development Methods QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.1 - Explain how an organization’s information security blueprint becomes a project plan DATE CREATED: 9/14/2016 10:30 AM DATE MODIFIED: 6/27/2021 7:14 PM

95. What are the major steps in executing the project plan?
ANSWER: The major steps in executing the project plan are:
- Planning the project
- Supervising tasks and action steps
- Wrapping up
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:48 AM DATE MODIFIED: 9/14/2016 10:48 AM

96. What minimum attributes for project tasks does the WBS document?
ANSWER:
- Work to be accomplished (activities and deliverables)
- Individuals (or skill set) assigned to perform the task
- Start and end dates for the task (when known)
- Amount of effort required for completion in hours or work days
- Estimated capital expenses for the task
- Estimated noncapital expenses for the task
- Identification of dependencies between and among tasks
POINTS: 1 REFERENCES: p. 429 H1: Information Security Project Management H2: Developing the Project Plan QUESTION TYPE: Essay HAS VARIABLES: False
STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.2 - Explain the significance of the project manager’s role in the success of an information security project DATE CREATED: 9/14/2016 10:49 AM DATE MODIFIED: 9/14/2016 10:49 AM

97. What can the organization do by managing the process of change through a change control process?
ANSWER: By managing the process of change, the organization can do the following:
- Improve communication about change across the organization
- Enhance coordination between groups within the organization as change is scheduled and completed
- Reduce unintended consequences by having a process to resolve the conflict and disruption that change can introduce
- Improve quality of service as potential failures are eliminated and groups work together
- Assure management that all groups are complying with the organization’s policies regarding technology governance, procurement, accounting, and information security
POINTS: 1 REFERENCES: p. 440 H1: Technical Aspects Of Implementation H2: Technology Governance and Change Control QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 9/14/2016 10:49 AM DATE MODIFIED: 6/27/2021 7:16 PM

Subjective Short Answer

98. What is a milestone, and why is it significant to project planning?
ANSWER: A milestone is a specific point in the project plan when a task and its action steps are complete and have a noticeable impact on the progress of the project plan as a whole. For example, the date for sending the final RFP to vendors is considered a milestone because it signals all RFP preparation is complete.
POINTS: 1 REFERENCES: p. 431 H2: Developing the Project Plan H1: The Systems Development Life Cycle QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.3 - Discuss the many organizational considerations that a project plan must address DATE CREATED: 6/19/2021 9:39 AM
DATE MODIFIED: 6/19/2021 9:41 AM

99. What is gap analysis? How is it used to keep a project in control?
ANSWER: Once a project is under way, it is managed using a process known as gap analysis (also known as a negative feedback loop or cybernetic loop), which ensures that progress is measured periodically. When significant deviation occurs, corrective action is taken to bring the deviating task back into compliance with the project plan; otherwise, the project is revised in light of the new information.
POINTS: 1 REFERENCES: p. 435 H1: Information Security Project Management H2: The Need for Project Management QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.4 - Describe the need for professional project management for complex projects DATE CREATED: 6/19/2021 9:39 AM DATE MODIFIED: 6/27/2021 7:17 PM

100. List and describe the four basic conversion strategies that are used when converting to a new system. Under which circumstances is each strategy the best approach?
ANSWER:
Direct changeover—Also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new one. This could be as simple as having employees follow the existing procedure one week and then use a new procedure the next. Some cases of direct changeover are simple, such as a change requiring employees to use a new password that has a stronger degree of authentication, beginning on an announced date. Some cases may be more complex, such as requiring the entire company to change procedures when the network team disables an old firewall and activates a new one. The primary drawback to a direct changeover is that if the new system fails or needs modification, users may be without services while the system’s bugs are worked out. Complete testing of the new system in advance of the direct changeover helps to reduce the probability of such problems.
Phased implementation—A phased implementation is the most common conversion strategy; it involves rolling out a piece of the system across the entire organization. This could mean that the security group implements only a small portion of the new security profile, giving users a chance to get used to it and resolving small issues as they arise. This is usually the best approach to security project implementation. For example, if the organization plans to introduce a new VPN solution that employees can use to connect to the organization’s network while they’re traveling, one department per week might be added to the group allowed to use the new VPN. This process would continue until all departments are using the new approach.
Pilot implementation—This strategy involves implementing all security improvements in a single office, department, or division and resolving issues within that group before expanding to the rest of the organization. The pilot implementation works well when an isolated group can serve as the “guinea pig,” which keeps the implementation from dramatically affecting the organization’s performance as a whole. The operation of a research and development group, for example, may not affect the organization’s real-time operations and could assist security in resolving issues that emerge.
Parallel operations—The parallel operations strategy involves running the new methods alongside the old methods. In general, this means running two systems concurrently. In terms of information systems, it might involve running two firewalls concurrently, for example. Although this approach is usually complex, it can reinforce an organization’s information security by allowing the old system(s) to serve as a backup for the new systems if they fail or are compromised. Drawbacks usually include the need to deal with both systems and maintain both sets of procedures.
POINTS: 1 REFERENCES: p. 437 H1: Technical Aspects Of Implementation H2: Conversion Strategies QUESTION TYPE: Subjective Short Answer HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.11.5 - Discuss technical strategies and models for implementing a project plan DATE CREATED: 6/19/2021 9:39 AM DATE MODIFIED: 6/19/2021 9:43 AM

Mod 12 Information Security Maintenance

True / False

1. If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: H1: Introduction To Information Security Maintenance p. 448 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.1 - Discuss the need for ongoing maintenance of the information security program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 3/29/2018 7:10 PM

2. Over time, policies and procedures may become inadequate due to changes in the organization's mission and operational requirements, threats, or the environment. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” p. 449 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 9/14/2016 10:51 AM

3. An effective information security governance program requires no ongoing review once it is well established. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 449 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 2/4/2017 7:25 PM

4. There are several key ongoing activities that can assist in monitoring and improving an organization’s information governance activities, including plans of action and milestones, measurement and metrics, continuous assessment, and configuration management. a. True b. False
ANSWER: True
POINTS: 1 REFERENCES: H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” p. 450 QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:12 PM

5. Documentation procedures are not required for configuration and change management processes. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 469 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 9/14/2016 10:51 AM

6. While management models such as the ISO 27000 series and NIST SP 800 series deal with methods to manage and operate systems, a maintenance model is designed to focus the organization’s effort on securing systems. a. True b. False
ANSWER: False
POINTS: 1 REFERENCES: p. 470 H1: The Security Maintenance Model QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:13 PM

7. External monitoring entails forming intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: H1: The Security Maintenance Model H2: Monitoring the External Environment p. 470
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 3/2/2018 7:14 PM

8. Carnegie Mellon University's CC-CERT is generally viewed as the definitive authority for computer emergency response teams.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 471 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:13 PM

9. Intelligence for external monitoring can come from a number of sources: vendors, CERT organizations, public network sources, and membership sites.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 471 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 3/10/2017 5:51 PM

10. Over time, external monitoring processes should capture information about the external environment in a format that can be referenced across the organization as threats emerge and for historical use.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 3/10/2017 5:51 PM

11. The internal monitoring domain is the component of the maintenance model that focuses on identifying, assessing, and managing the physical security of assets in an organization.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 9/14/2016 10:51 AM

12. Organizations should maintain a carefully planned and fully populated inventory of all their computing devices, including hardware and software (both operating systems and applications). The process of collecting this information is often referred to as characterization.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:18 PM

13. The target selection step of Internet vulnerability assessment involves using the external monitoring intelligence to configure a test engine (such as Nessus) for the tests to be performed.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation p. 485
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 9/14/2016 10:51 AM

14. Internet vulnerability assessment is an assessment approach designed to find and document vulnerabilities that may be present in the organization’s internal networks.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation p. 485
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:18 PM

15. As the platform security validation (PSV) is designed to find and document vulnerabilities in misconfigured systems used in the organization, all systems that are mission critical should be enrolled in PSV measurement.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 487 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:20 PM

16. Wireless vulnerability assessment begins with the planning, scheduling, and notification of all Internet connections, and is usually performed on the organization's networks using every possible approach to penetration testing.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: p. 487 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:21 PM

17. Remediation of vulnerabilities can be accomplished by accepting or transferring the risk, removing the threat, or repairing the vulnerability, but the best solution in most cases is to repair the vulnerability, often by applying patch software or implementing a permanent alternative work practice.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 489 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:22 PM

Mod 12 Information Security Maintenance 18. The vulnerability database is an essential part of effective remediation because it helps organizations keep track of specific vulnerabilities as they are reported and remediated. a. True b. False ANSWER: True POINTS: 1 REFERENCES: p. 488 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:22 PM 19. Remediation is the processes of removing or repairing flaws in information assets that cause a vulnerability or reducing or removing the risk associated with the vulnerability. a. True b. False ANSWER: POINTS: REFERENCES:

True 1 p. 488 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:23 PM 20. The most common vulnerability repair is the disabling of an application's associated port; this usually allows the system function in the expected fashion and removes the vulnerability. a. True b. False ANSWER: False POINTS: 1 REFERENCES: p. 489 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: True / False HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability Copyright Cengage Learning. Powered by Cognero.

Page 7


Name:

Class:

Date:

Mod 12 Information Security Maintenance

DATE CREATED: DATE MODIFIED:

assessment, and remediation tie into information security maintenance 9/14/2016 10:51 AM 6/28/2021 8:40 PM

21. Policy needs to be reviewed and refreshed from time to time to ensure that it’s providing a current foundation for the information security program.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: H1: The Security Maintenance Model H2: Readiness and Review p. 489
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 9/14/2016 10:51 AM

22. Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 489 H1: The Security Maintenance Model H2: Readiness and Review
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 9/14/2016 10:51 AM

23. Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: p. 490 H1: The Security Maintenance Model H2: Readiness and Review
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 9/14/2016 10:51 AM

24. Physical security is not as important as logical or computer security to an information security program.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: Physical Security p. 490
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls
DATE CREATED: 6/23/2021 9:54 AM
DATE MODIFIED: 6/28/2021 8:41 PM

25. A secure facility uses a different defense-in-depth strategy from logical network security.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: H1: Physical Security H2: Physical Access Controls p. 491
QUESTION TYPE: True / False
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls
DATE CREATED: 6/23/2021 9:55 AM
DATE MODIFIED: 6/23/2021 9:57 AM

Modified True / False

26. An effective information security governance program requires constant change. _____
ANSWER: False - review
POINTS: 1
REFERENCES: p. 449 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

27. NIST Special Publication (SP) 800-100, “Information Security Handbook: A Guide for Managers,” provides managerial guidance for the establishment and implementation of an information security program; in particular, it addresses the ongoing tasks expected of an information security manager once the program is working and day-to-day operations are established. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 449 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:43 PM

28. The security development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep approach—from initiation to maintenance and eventually disposal. _____
ANSWER: False - systems
POINTS: 1
REFERENCES: p. 450 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:46 PM

29. For configuration management and control, it is important to document the proposed or actual changes in the system security plan. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 450 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

30. Configuration change management is an approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems security and supporting documentation. _____
ANSWER: False - inventory
POINTS: 1
REFERENCES: p. 453 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:47 PM

31. A significant number of help-desk trouble tickets are the result of user access issues involving hackers and other mechanisms of authentication, authorization, and accountability, which can be reduced but not eliminated by proper user training and ongoing awareness campaigns. _____
ANSWER: False - passwords
POINTS: 1
REFERENCES: p. 466 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:48 PM

32. In some organizations, status management is the identification, inventory, and documentation of the current information system's status—hardware, software, and networking configurations. _____
ANSWER: False - configuration
POINTS: 1
REFERENCES: p. 466 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:48 PM

33. CCM assists in streamlining change management processes and prevents changes that could detrimentally affect the security posture of a system before they happen. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 467 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers”
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:49 PM

34. CERT stands for "computer emergency recovery team." _____
ANSWER: False - response
POINTS: 1
REFERENCES: p. 471 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

35. TechTarget is a set of moderated mailing lists full of detailed, full-disclosure discussions and announcements about computer security vulnerabilities and is sponsored in part by SecurityFocus. _____
ANSWER: False - Bugtraq
POINTS: 1
REFERENCES: p. 473 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:50 PM

36. Specific warning plans are issued when developing threats and specific attacks pose a measurable risk to the organization. _____
ANSWER: False - bulletins
POINTS: 1
REFERENCES: p. 473 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:51 PM

37. The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 473 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

38. The primary goal of the external monitoring domain is to maintain an informed awareness of the state of all the organization’s networks, information systems, and information security defenses. _____
ANSWER: False - internal
POINTS: 1
REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

39. Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

40. A traffic analysis is a procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services). _____
ANSWER: False - difference
POINTS: 1
REFERENCES: p. 475 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:53 PM

41. An example of the type of vulnerability exposed via traffic analysis occurs when an organization is trying to determine if all its device signatures have been adequately masked. _____
ANSWER: True
POINTS: 1
REFERENCES: p. 475 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

42. The process of identifying and documenting specific and provable flaws in the organization’s information asset environment is called vulnerability assessment (VA). _____
ANSWER: True
POINTS: 1
REFERENCES: p. 481 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

43. The internal vulnerability assessment is usually performed against every device that is exposed to the Internet, using every possible penetration testing approach. _____
ANSWER: False - Internet
POINTS: 1
REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

44. A vulnerability analyst screens test results for possible vulnerabilities logged during scanning by performing three tasks: classify the test level, validate its existence and document the results. _____
ANSWER: False - risk
POINTS: 1
REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 8:54 PM

Mod 12 Information Security Maintenance 45. WAP driving is the use of mobile scanning techniques to identify open wireless access points. _____ False - War ANSWER: POINTS: 1 REFERENCES: p. 488 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:55 PM 46. The final function in the vulnerability assessment and remediation domain is the maintenance phase. _____ ANSWER: False - remediation POINTS: 1 REFERENCES: p. 488 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:55 PM 47. The best method of remediation in most cases is to repair a vulnerability often by applying patch software or implementing a permanent alternative work practice. _____ ANSWER: True POINTS: 1 REFERENCES: p. 489 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:56 PM 48. When possible, major incident response plan elements should be rehearsed, which adds value by providing the Copyright Cengage Learning. Powered by Cognero.

Page 16


Name:

Class:

Date:

Mod 12 Information Security Maintenance opportunity to improve the security plan before it is needed. _____ ANSWER: True POINTS: 1 REFERENCES: p. 489 H1: The Security Maintenance Model H2: Readiness and Review QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:57 PM 49. Because early CMM approaches were intended to improve the software development process, their use in assessing and improving security management systems was somewhat limited. _____ ANSWER: True POINTS: 1 REFERENCES: p. 490 H1: The Security Maintenance Model H2: Readiness and Review QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:58 PM 50. A type of rehearsal known as a war game, or simulation exercise, puts a subset of plans in place to create a realistic test environment. _____ ANSWER: True POINTS: 1 REFERENCES: p. 490 H1: The Security Maintenance Model H2: Readiness and Review QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:58 PM 51. A(n) data center is a small room or enclosure with separate entry and exit points, designed to restrain a person who Copyright Cengage Learning. Powered by Cognero.

Page 17


Name:

Class:

Date:

Mod 12 Information Security Maintenance fails an access authorization attempt. _____ ANSWER: False - mantrap POINTS: 1 REFERENCES: p. 493 H1: Physical Security H2: Physical Access Controls QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 6/23/2021 9:59 AM DATE MODIFIED: 6/28/2021 8:59 PM 52. Fire suppression systems typically work by denying an environment one of the three requirements for a fire to burn: temperature (an ignition source), fuel, and oxygen. ANSWER: True POINTS: 1 REFERENCES: p. 494 H1: Physical Security H2: Fire Security and Safety QUESTION TYPE: Modified True / False HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 6/23/2021 10:02 AM DATE MODIFIED: 6/23/2021 10:02 AM Multiple Choice 53. _____ are a component of the "security triple." a. Threats b. Assets c. Vulnerabilities d. All of these are correct ANSWER: d POINTS: 1 REFERENCES: p. 448 H1: Introduction To Information Security Maintenance QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.1 - Discuss the need for ongoing maintenance of the information security program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 8:59 PM 54. A primary mailing list for new vulnerabilities, called simply _____, provides time-sensitive coverage of emerging vulnerabilities, documenting how they are exploited and reporting on how to remediate them. Individuals can register for Copyright Cengage Learning. Powered by Cognero.

Page 18


Name:

Class:

Date:

Mod 12 Information Security Maintenance the flagship mailing list or any one of the entire family of its mailing lists. a. Bugs b. Bugfix c. Buglist d. Bugtraq ANSWER: d POINTS: 1 REFERENCES: p. 473 H1: The Security Maintenance Model H2: Monitoring the External Environment QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 55. U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) coordinates CERT services at ________. a. US-CERT b. Bugtraq c. CM-CERT d. CERT/CC ANSWER: a POINTS: 1 REFERENCES: p. 472 H1: The Security Maintenance Model H2: Monitoring the External Environment QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 9:00 PM 56. The _____ Web site is home to several security tools including the leading free network exploration tool, Nmap. a. insecure.org b. Packet Storm c. Security Focus d. Snort-sigs ANSWER: a POINTS: 1 REFERENCES: p. 472 H1: The Security Maintenance Model H2: Monitoring the External Environment QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM Copyright Cengage Learning. Powered by Cognero.

Page 19


Name:

Class:

Date:

Mod 12 Information Security Maintenance DATE MODIFIED:

6/28/2021 9:01 PM

57. The _____ commercial site focuses on current security tool resources.
a. Nmap-hackerz
b. Packet Storm
c. Security Laser
d. Snort-SIGs
ANSWER: b
POINTS: 1
REFERENCES: p. 472 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

58. The monitoring process has three primary deliverables. Which of the following is NOT one of them?
a. Specific warning bulletins issued when developing threats and specific attacks pose a measurable risk to the organization
b. Periodic summaries of external information
c. Detailed intelligence on the highest-risk warnings
d. All of these are correct
ANSWER: d
POINTS: 1
REFERENCES: p. 473 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 9:03 PM

59. Detailed intelligence on the highest risk warnings can include identifying which _____ apply to which vulnerabilities as well as which types of defenses have been found to work against the specific vulnerabilities reported.
a. risks
b. vendor updates
c. threats
d. assets
ANSWER: b
POINTS: 1
REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the External Environment
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 9:04 PM

60. A process called _____ examines the data packets that flow through a system and its associated devices to identify the most frequently used devices.
a. difference analysis
b. traffic analysis
c. schema analysis
d. data flow assessment
ANSWER: b
POINTS: 1
REFERENCES: p. 475 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 9:05 PM

61. One approach that can improve the situational awareness of the information security function is to use a process known as _____ to quickly identify changes to the internal environment.
a. baselining
b. difference analysis
c. differentials
d. revision
ANSWER: b
POINTS: 1
REFERENCES: p. 475 H1: The Security Maintenance Model H2: Monitoring the Internal Environment
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

62. The _____ process is designed to find and document vulnerabilities that may be present because there are misconfigured systems in use within the organization.
a. ASP
b. ISP
c. SVP
d. PSV
ANSWER: d
POINTS: 1
REFERENCES: p. 487 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/6/2021 4:13 PM

63. _____, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious external source like a hacker.
a. Penetration testing
b. Penetration simulation
c. Attack simulation
d. Attack testing
ANSWER: a
POINTS: 1
REFERENCES: p. 482 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 9:06 PM

64. Common vulnerability assessment processes include:
a. Internet VA
b. wireless VA
c. intranet VA
d. all of these are correct answers
ANSWER: d
POINTS: 1
REFERENCES: p. 481 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 9/14/2016 10:51 AM
DATE MODIFIED: 6/28/2021 9:07 PM

65. _____ penetration testing, also known as disclosure testing, is usually used when a specific system or network segment is suspect and the organization wants the pen tester to focus on a particular aspect of the target.
a. White box
b. Black box
c. Gray box
d. Green box
ANSWER: a
POINTS: 1

Page 22


Name:

Class:

Date:

Mod 12 Information Security Maintenance REFERENCES:

p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 9:07 PM 66. A step commonly used for Internet vulnerability assessment includes _____, which occurs when the penetration test engine is unleashed at the scheduled time using the planned target list and test selection. a. scanning b. subrogation c. delegation d. targeting ANSWER: a POINTS: 1 REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 67. The _____ vulnerability assessment is a process designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network. a. intranet b. Internet c. LAN d. WAN ANSWER: a POINTS: 1 REFERENCES: p. 486 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 68. The _____ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization’s wireless local area networks. a. wireless b. phone-in Copyright Cengage Learning. Powered by Cognero.

Page 23


Name:

Class:

Date:

Mod 12 Information Security Maintenance c. battle-dialing ANSWER: POINTS: REFERENCES:

d. network a 1 p. 487 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 69. _____ allows for major security control components to be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate. a. System review b. Vulnerability assessment c. Program review d. Application review ANSWER: c POINTS: 1 REFERENCES: p. 489 H1: The Security Maintenance Model H2: Readiness and Review QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 9:07 PM 70. Most guards have clear __________ that help them to act decisively in unfamiliar situations. a. MACs b. SOPs c. POSs d. OPSs ANSWER: b POINTS: 1 REFERENCES: H1: Physical Security p. 492 H2: Physical Security Controls QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 9/14/2016 10:47 AM DATE MODIFIED: 9/14/2016 10:47 AM 71. __________ occurs when an authorized person opens a door, and other people, who may or may not be authorized, also enter. Copyright Cengage Learning. Powered by Cognero.

Page 24


Name:

Class:

Date:

Mod 12 Information Security Maintenance a. Crowdsurfing c. Shoulder surfing ANSWER: POINTS: REFERENCES:

b. Tailgating d. Hitchhiking b 1 p. 492 H1: Physical Security H2: Physical Access Controls QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 9/14/2016 10:47 AM DATE MODIFIED: 6/28/2021 9:08 PM 72. Which of the following are NOT technologies commonly deployed in biometric locks? a. retina scanners b. palm readers c. voice readers d. breathalyzer ANSWER: d POINTS: 1 REFERENCES: p. 493 H1: Physical Security H2: Physical Security Controls QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 9/14/2016 10:47 AM DATE MODIFIED: 6/28/2021 9:10 PM 73. One of the leading causes of damage to sensitive circuitry is __________. a. CPU b. EPA c. ESD d. HVAC ANSWER: c POINTS: 1 REFERENCES: p. 495 H1: Physical Security H2: Heating, Ventilation, and Air Conditioning QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 9/14/2016 10:47 AM DATE MODIFIED: 9/14/2016 10:47 AM 74. A device that assures the delivery of electric power without interruption is a(n) __________. a. GFCI b. HVAC c. GPS d. UPS Copyright Cengage Learning. Powered by Cognero.

Page 25


Name:

Class:

Date:

Mod 12 Information Security Maintenance ANSWER: POINTS: REFERENCES:

d 1 p. 495 H1: Physical Security H2: Power Management and Conditioning QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 9/14/2016 10:47 AM DATE MODIFIED: 9/14/2016 10:47 AM 75. Computing and other electrical equipment used in areas where water can accumulate must be uniquely grounded using __________ equipment. a. UPS b. HVAC c. GFCI d. ESD ANSWER: c POINTS: 1 REFERENCES: p. 495 H1: Physical Security H2: Power Management and Conditioning QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls DATE CREATED: 9/14/2016 10:47 AM DATE MODIFIED: 3/10/2017 12:15 AM 76. Data or the trends in data that may indicate the effectiveness of security countermeasures or technical and managerial controls implemented in the organization are known as performance _____. a. indices b. monitors c. measurements d. evaluators ANSWER: c POINTS: 1 REFERENCES: p. 455 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 6/23/2021 10:41 AM DATE MODIFIED: 6/23/2021 10:43 AM 77. The InfoSec measurement development process recommended by NIST is divided into major activities that include all Copyright Cengage Learning. Powered by Cognero.

Page 26


Name:

Class:

Date:

Mod 12 Information Security Maintenance of the following EXCEPT _____. a. Identification and definition of the current InfoSec program. b. Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls. c. Usage of the selected metrics. d. All other answers here are included in the NIST development process recommendation. ANSWER: c POINTS: 1 REFERENCES: H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” p. 457 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 6/23/2021 10:44 AM DATE MODIFIED: 6/23/2021 10:49 AM 78. _____ is one of the most crucial ongoing responsibilities in security management with strategic, tactical, and operating elements that must align with and support organizational and IT objectives. a. Organizing b. Controlling c. Supervision d. Planning ANSWER: d POINTS: 1 REFERENCES: H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” p. 460 QUESTION TYPE: Multiple Choice HAS VARIABLES: False LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 6/23/2021 10:44 AM DATE MODIFIED: 6/23/2021 10:55 AM Completion 79. Almost all aspects of a company’s environment are dynamic, meaning _____ that were originally assessed in the early stages of the project’s systems development life cycle have probably changed and new priorities have emerged. threats ANSWER: assets POINTS: 1 REFERENCES: p. 448 H1: Introduction To Information Security Maintenance QUESTION TYPE: Completion HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

Page 27


Name:

Class:

Date:

Mod 12 Information Security Maintenance STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.1 - Discuss the need for ongoing maintenance of the information security program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 9:12 PM 80. An automated tool known as a log _____ can consolidate system logs, perform comparative analysis, and detect common occurrences or behavior of interest. analyzer ANSWER: POINTS: 1 REFERENCES: p. 461 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 9:13 PM 81. It is critical that any effort performed within the security program follows a _____ improvement approach involving periodic review and assessment of any implemented change. continuous ANSWER: POINTS: 1 REFERENCES: p. 449 H1: Security Management Maintenance Models QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/28/2021 9:13 PM 82. A _____ configuration is a current record of the configuration of the information system for use in comparisons to future states. baseline ANSWER: POINTS: 1 REFERENCES: p. 453 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program Copyright Cengage Learning. Powered by Cognero.

Page 28


Name:

Class:

Date:

Mod 12 Information Security Maintenance DATE CREATED: DATE MODIFIED:

9/14/2016 10:51 AM 6/6/2021 4:13 PM

83. One key advantage to having formal help-desk software is the ability to create and develop a _____ of common problems and solutions, which can be searched when a user problem comes up. knowledge base ANSWER: database POINTS: 1 REFERENCES: p. 466 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:11 PM 84. The objective of the _____ monitoring domain within the maintenance model is to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense. external ANSWER: POINTS: 1 REFERENCES: p. 470 H1: The Security Maintenance Model H2: Monitoring the External Environment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:24 PM 85. When an organization uses specific hardware and software products as part of its information security program, the _____ often provides either direct support or indirect tools that allow user communities to support each other. vendors ANSWER: vendor POINTS: 1 REFERENCES: p. 471 H1: The Security Maintenance Model H2: Monitoring the External Environment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic Copyright Cengage Learning. Powered by Cognero.

Page 29


Name:

Class:

Date:

Mod 12 Information Security Maintenance LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/19/2021 11:03 PM 86. The primary goal of the _____ monitoring domain is an informed awareness of the state of all the organization’s networks, information systems, and information security defenses. internal ANSWER: POINTS: 1 REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 87. The process of collecting detailed information about devices in a network that may not be owned by the organization but are essential to its continued partnership with another company, is often referred to as _____. characterization ANSWER: POINTS: 1 REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:24 PM 88. Partner _____ are the network devices, communications channels, and applications that may not be owned by the organization but are essential to the organization’s cooperation with another company. interconnections ANSWER: POINTS: 1 REFERENCES: p. 474 H1: The Security Maintenance Model H2: Monitoring the Internal Environment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic Copyright Cengage Learning. Powered by Cognero.

Page 30


Name:

Class:

Date:

Mod 12 Information Security Maintenance LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:25 PM 89. A(n) _____ analysis is a procedure that compares the current state of a network segment (the systems and services it offers) against a known previous state of that same network segment (the baseline of systems and services). difference ANSWER: POINTS: 1 REFERENCES: p. 475 H1: The Security Maintenance Model H2: Monitoring the Internal Environment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.4 - Identify the key factors involved in monitoring the external and internal environment DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 90. The primary objective of the planning and _____ domain is to keep a lookout over the entire information security program in part by identifying and planning ongoing information security activities that further reduce risk. risk assessment ANSWER: POINTS: 1 REFERENCES: p. 476 H1: The Security Maintenance Model H2: Planning and Risk Assessment QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:26 PM 91. A recommended approach to the information security program planning and review function is to take advantage of the fact that most larger organizations have annual _____ budget planning cycles to develop an annual list of project ideas. capital ANSWER: POINTS: 1 REFERENCES: p. 477 H1: The Security Maintenance Model H2: Planning and Risk Assessment QUESTION TYPE: Completion HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

Page 31


Name:

Class:

Date:

Mod 12 Information Security Maintenance STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:27 PM 92. The primary goal of the vulnerability assessment and _____ domain is to identify specific, documented vulnerabilities and remediate them in a timely fashion. remediation ANSWER: POINTS: 1 REFERENCES: p. 481 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 93. The _____ tester’s ultimate responsibility is to identify weaknesses in the security of the organization’s systems and networks and then present findings to the system owners in a detailed report. pen ANSWER: penetration POINTS: 1 REFERENCES: p. 482 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 94. The _____ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's public network. Internet ANSWER: POINTS: 1 REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion Copyright Cengage Learning. Powered by Cognero.

Page 32


Name:

Class:

Date:

Mod 12 Information Security Maintenance HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 95. The _____ step of an Internet vulnerability assessment occurs when a knowledgeable and experienced vulnerability analyst screens test results for candidate vulnerabilities logged during scanning. analysis ANSWER: POINTS: 1 REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:28 PM 96. A(n) _____ risk is one that is higher than the risk appetite of the organization. significant ANSWER: POINTS: 1 REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 97. As part of the analysis step of Internet Vulnerability Assessment is to _____ the existence of the vulnerability when appropriate. validate ANSWER: POINTS: 1 REFERENCES: p. 485 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

Page 33


Name:

Class:

Date:

Mod 12 Information Security Maintenance STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:30 PM 98. The _____ step in the intranet vulnerability assessment is identical to the one followed in Internet vulnerability analysisand involves documenting the details of the vulnerability in a database. record-keeping ANSWER: POINTS: 1 REFERENCES: p. 486 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:31 PM 99. The _____ vulnerability assessment is designed to find and document vulnerabilities that may be present in the organization's wireless local area networks. wireless ANSWER: POINTS: 1 REFERENCES: p. 487 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 100. In wireless vulnerability assessment's _____ selection, all areas of the organization’s premises should be scanned with a portable wireless network scanner. target ANSWER: POINTS: 1 REFERENCES: p. 488 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False Copyright Cengage Learning. Powered by Cognero.

Page 34


Name:

Class:

Date:

Mod 12 Information Security Maintenance STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:32 PM 101. An attacker's use of a laptop while driving around looking for open wireless connections is often called _____ driving. war ANSWER: POINTS: 1 REFERENCES: p. 487 H1: The Security Maintenance Model H2: Vulnerability Assessment and Remediation QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/29/2021 6:32 PM 102. The primary goal of the readiness and _____ domain is to keep the information security program functioning as designed and improve it continuously over time. review ANSWER: POINTS: 1 REFERENCES: p. 489 H1: The Security Maintenance Model H2: Readiness and Review QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM 103. Rehearsals that use plans as realistically as possible are called _____ games. war ANSWER: POINTS: 1 REFERENCES: p. 490 H1: The Security Maintenance Model H2: Readiness and Review QUESTION TYPE: Completion HAS VARIABLES: False STUDENT ENTRY MODE: Basic Copyright Cengage Learning. Powered by Cognero.

Page 35


Name:

Class:

Date:

Mod 12 Information Security Maintenance LEARNING OBJECTIVES: POIS.WHMA.22.12.6 - Explain how to build readiness and review procedures into information security maintenance DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/6/2021 4:13 PM Essay 104. List the five steps to developing a CCM plan. Identify Change ANSWER: Evaluate Change Request Implementation Decision Implement Approved Change Request Continuous Monitoring POINTS: 1 REFERENCES: p. 468 H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.3 - Define a model for a full maintenance program DATE CREATED: 9/14/2016 10:51 AM DATE MODIFIED: 6/19/2021 11:17 PM 105. What is configuration and change management (CCM) and why is it important? For configuration and change management (CCM), also known as configuration ANSWER: management (CM), it is important to document proposed or actual changes in the system security plan. Information systems are typically in a constant state of evolution, with upgrades to hardware, software, and firmware and possible modifications to the system’s surrounding environment. Documenting information system changes and assessing their potential impact on system security is an essential part of continuous monitoring and key to avoiding a lapse in system security accreditation. Monitoring security controls helps to identify potential security problems in the information system that are not identified during the security impact analysis. This analysis is conducted as part of the CM and control process. POINTS: REFERENCES:

1 H1: Introduction to Information Security Maintenance H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” p. 452 QUESTION TYPE: Essay HAS VARIABLES: False STUDENT ENTRY MODE: Basic LEARNING OBJECTIVES: POIS.WHMA.22.12.1 - Discuss the need for ongoing maintenance of the information security program DATE CREATED: 6/23/2021 9:47 AM Copyright Cengage Learning. Powered by Cognero.

Page 36


Name:

Class:

Date:

Mod 12 Information Security Maintenance DATE MODIFIED:

6/29/2021 6:34 PM

106. What is a security facility? Provide an description of a secure facility from the employee's perspective, from with the parking lot to their office. A secure facility is A physical location with access barriers and controls in place to ANSWER: minimize the risk of attacks from physical threats. A secure facility includes the same defense-in-depth strategy as logical network security. Any intrusion attempt, whether natural or human-made, should be confronted with multiple layers of defense, including those for the facility’s location, the drive to and onto the facility grounds, and multiple layers of physical access controls needed to gain access to information. This could start with a facility guard at the employee parking lot, continue through a keycard mantrap, and end in the lock-and-key process necessary to access employees’ individual offices. POINTS: REFERENCES:

1 p. 491 H1: Physical Security H2: Physical Access Controls
QUESTION TYPE: Essay
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.7 - Discuss physical security controls
DATE CREATED: 9/14/2016 10:47 AM
DATE MODIFIED: 6/29/2021 6:37 PM

Subjective Short Answer

107. What is a management maintenance model? What does it accomplish?
ANSWER: A management model deals with methods to manage and operate a particular business operation. It is designed to provide clear guidelines for accomplishing the outlined goals of the organization.
POINTS: 1
REFERENCES: H1: Security Management Maintenance Models p. 449
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.2 - Describe recommended security management models
DATE CREATED: 6/23/2021 9:47 AM
DATE MODIFIED: 6/23/2021 11:01 AM

108. What is the difference between vulnerability assessment and penetration testing?
ANSWER: The primary goal of the vulnerability assessment is to identify specific, documented vulnerabilities using the inventory of environment characteristics stored in the risk, threat, and attack database. These vulnerabilities are stored, tracked, and reported in the vulnerability database until they are remediated. Penetration testing, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious hacker. A penetration test, or pen test, is usually performed periodically as part of a full security audit. In most security tests, such as vulnerability assessments, great care is taken not to disrupt normal business operations, but in pen testing the analyst tries to get as far as possible by simulating the actions of an attacker.
POINTS: 1
REFERENCES: p. 482 H2: Vulnerability Assessment and Remediation H1: The Security Maintenance Model
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.5 - Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance
DATE CREATED: 6/23/2021 9:47 AM
DATE MODIFIED: 6/23/2021 11:04 AM

109. What is InfoSec performance management and what is it used for?
ANSWER: InfoSec performance management is the process of designing, implementing, and managing the use of collected data elements (called measurements or metrics) to determine the effectiveness of the overall security program. Performance measurements (or performance measures) are the data points or trends computed from such measurements that may indicate the effectiveness of security countermeasures or technical and managerial controls implemented in the organization. Some countermeasures are technical, while others are managerial. Both types require some method of assessing the results of their use. Control approaches that are not effective should be modified or replaced, and those that are effective should be supported and continued. Measurement supports managerial decision making, increased accountability, and improved effectiveness of the InfoSec function. Also, by enabling the collection, analysis, and reporting of critical performance data, measurements help organizations align InfoSec performance and objectives with the organization’s overall mission.
POINTS: 1
REFERENCES: H1: Security Management Maintenance Models H2: NIST SP 800-100, “Information Security Handbook: A Guide for Managers” p. 455
QUESTION TYPE: Subjective Short Answer
HAS VARIABLES: False
STUDENT ENTRY MODE: Basic
LEARNING OBJECTIVES: POIS.WHMA.22.12.2 - Describe recommended security management models
DATE CREATED: 6/23/2021 9:47 AM
DATE MODIFIED: 6/29/2021 6:40 PM



Instructor Solution Manual for Principles of Information Security 7th Edition



Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 1: Introduction to Information Security


Table of Contents
Purpose and Perspective of the Module ..... 2
Cengage Supplements ..... 2
Module Objectives ..... 2
Complete List of Module Activities and Assessments ..... 2
Key Terms ..... 3
What's New in This Module ..... 5
Module Outline ..... 5
Discussion Questions ..... 18
Suggested Usage for Lab Activities ..... 19
Additional Activities and Assignments ..... 21
Additional Resources ..... 21
  Cengage Video Resources ..... 21
  Internet Resources ..... 21
Appendix ..... 22
  Grading Rubrics ..... 22

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


Purpose and Perspective of the Module
The first module of the course in information security gives learners the foundational knowledge to become well versed in the protection that systems of any size need within an organization today. The module begins with fundamental knowledge of what information security is and how computer security evolved into what we now know as information security. Additionally, learners will gain knowledge of how information security can be viewed either as an art or a science and why that is the case.

Cengage Supplements
The following product-level supplements are available in the Instructor Resource Center and provide additional information that may help you in preparing your course:
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives
The following objectives are addressed in this module:
1.1 Define information security.
1.2 Discuss the history of computer security and explain how it evolved into information security.
1.3 Define key terms and critical concepts of information security.
1.4 Describe the information security roles of professionals within an organization.

Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment              | Duration
-----------------|-----------|----------------------------------|-----------------------------------------------
1.1–1.2          | 2         | Icebreaker: Interview Simulation | 10 minutes
1.3              | 19–20     | Knowledge Check Activity 1       | 2 minutes
1.4              | 34–35     | Knowledge Check Activity 2       | 2 minutes
1.1–1.4          | 39–40     | Knowledge Check Activity 3       | 2 minutes
                 | MindTap   | Module 01 Review Questions       | 30–40 minutes
1.1–1.4          | MindTap   | Module 01 Case Exercises         | 30 minutes
1.1–1.4          | MindTap   | Module 01 Exercises              | 10–30 minutes per question; 1+ hour per module
1.1–1.4          | MindTap   | Module 01 Security for Life      | 1+ hour
1.1–1.4          | MindTap   | Module 01 Quiz                   | 10–15 minutes


Key Terms
In order of use:
computer security: In the early days of computers, this term specified the protection of the physical location and assets associated with computer technology from outside threats, but it later came to represent all actions taken to protect computer systems from losses.
security: A state of being secure and free from danger or harm as well as the actions taken to make someone or something secure.
information security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
network security: A subset of communications security; the protection of voice and data networking components, connections, and content.
C.I.A. triad: The industry standard for computer security since the development of the mainframe; the standard is based on three characteristics that describe the attributes of information that are important to protect: confidentiality, integrity, and availability.
confidentiality: An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
personally identifiable information (PII): Information about a person’s history, background, and attributes that can be used to commit identity theft; it typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.
integrity: An attribute of information that describes how data is whole, complete, and uncorrupted.
availability: An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
accuracy: An attribute of information that describes how data is free of errors and has the value that the user expects.


authenticity: An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
utility: An attribute of information that describes how data has value or usefulness for an end purpose.
possession: An attribute of information that describes how the data’s ownership or control is legitimate or authorized.
McCumber Cube: A graphical representation of the architectural approach used in computer and information security that is commonly shown as a cube composed of 3×3×3 cells, similar to a Rubik’s Cube.
information system: The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
physical security: The protection of material items, objects, or areas from unauthorized access and misuse.
bottom-up approach: A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
top-down approach: A methodology of establishing security policies and/or practices that is initiated by upper management.
chief information officer (CIO): An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information.
chief information security officer (CISO): The title typically assigned to the top information security manager in an organization.
data owners: Individuals who control and are therefore ultimately responsible for the security and use of a particular set of information.
data custodians: Individuals who are responsible for the storage, maintenance, and protection of information.
data stewards: See data custodians.
data trustees: Individuals who are assigned the task of managing a particular set of information and coordinating its protection, storage, and use.
data users: Internal and external stakeholders (customers, suppliers, and employees) who interact with information in support of their organization’s planning and operations.
community of interest: A group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.



What's New in This Module
The following elements are improvements in this module from the previous edition:
• This Module was Chapter 1 in the 6th edition.
• The content that covered Systems Development was moved to Module 11: Implementation.
• The Module was given a general update and given more current examples.


Module Outline

Introduction to Information Security (1.1, 1.2, PPT Slides 4–17)
I. Recognize that organizations, regardless of their size or purpose, have information they must protect and store internally and externally.
II. Analyze why an organization must be responsible for the information it collects, stores, and uses.
III. Review the concept of computer security and when the need for it initially arose.
IV. Discuss how badges, keys, and facial recognition of authorized personnel are required to access military locations deemed sensitive.
V. Describe the primary threats to security: physical theft of equipment, product espionage, and sabotage.
VI. Examine information security practices in the World War II era and compare them with modern-day needs.

The 1960s
I. Explain the purpose of the Department of Defense’s Advanced Research Procurement Agency (ARPA) and its need to create redundant networked communications systems so that the military can exchange information.
II. Identify Dr. Larry Roberts as the creator of the ARPANET project, which became the modern-day Internet.

The 1970s and ’80s
I. Critique the use of ARPANET and how it became more widely used and consequently misused.


II. Recognize that Robert M. Metcalfe expressed concerns about ARPANET and how it could be easily hacked into due to password structure vulnerabilities, lack of safety protocols, and widely distributed phone numbers for system access.
III. Conclude that a lack of controls in place provided users limited safeguards to protect themselves from unauthorized remote users.
IV. Discuss how dial-up connections lacked safety protocols when connecting to ARPANET.
V. Recall that authorizations into the system and a lack of user identification were significant security risks for ARPANET during this time.
VI. Evaluate the movement toward stronger security protocols thanks to the implementation of conclusions from the Rand Report R-609.
VII. Relate how the need for physical security protocols grew to include computer security protocols as part of a holistic information security plan.

MULTICS
I. Define the purpose of the Multiplexed Information and Computing Service (MULTICS) and its importance to information security.
II. Relate that the restructuring of the MULTICS project created the UNIX operating system in 1969.
III. Contrast the facts that the MULTICS system had multiple security levels planned, whereas the new UNIX system did not have them included.
IV. Examine the decentralization of data processing and why it is important to modern-day information security protocols.
V. Distinguish that in the late 1970s microprocessors transformed computing capabilities but also established new security threats.
VI. Recall that the Defense Advanced Research Projects Agency (DARPA) created the Computer Emergency Response Team (CERT) in 1988.
VII. Conclude that until the mid-1980s, computer security was a non-issue for federal information systems.

The 1990s
I. Understand that as computers and their networks became more common, the need to connect networks rose in tandem during this time. Hence, the Internet was born out of the need to have a global network of networks.
II. Analyze the consequences of how the exponential growth of the Internet early on resulted in security being a low priority compared with other core components.


III. Identify that networked computers were the most common style of computing during this time. However, a result of this was a lessened ability to secure a physical computer, and stored data became more exposed to security threats internally and externally.
IV. Recognize that toward the turn of the new millennium, numerous large corporations demonstrated the need for and integration of security into their internal systems. Antivirus products grew in popularity, and information security grew into its own discipline because of these proactive initiatives.

2000 to Present
I. Recall the fact that millions of unsecured computer networks and billions of computing devices are communicating with each other.
II. Recognize and apply the fact that cyberattacks are increasing and have caused governments and corporations to resign themselves to stronger information security protocols.
III. Examine the exponential rise in mobile computing and how these devices bring their own set of vulnerabilities with respect to information security.
IV. Apply the fact that one’s ability to secure the information stored in a device is influenced by the security protocols on the other devices it is connected to.
V. Establish that wireless networks and their associated risks often have minimal security protocols in place and can be a catalyst for anonymous attacks.

What Is Security? (1.3, PPT Slides 18 and 21–26)
I. Define the term security and why it is important to have multiple layers of it to protect people, operations, infrastructure, functions, communications, and information.
II. Emphasize the role of the Committee on National Security Systems (CNSS) in defining information security. This includes the protection of critical elements such as the systems and hardware that store, transmit, and use information.
III. Recognize the importance of the C.I.A. triad, which is no longer an adequate model to apply to modern information security needs.

Key Information Security Concepts
I. Comprehend and define the following security terms and concepts:
• Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.


• Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, software information, or data, or an asset can be physical, such as a person, computer system, hardware, or other tangible object. Assets, particularly information assets, are the focus of what security efforts are attempting to protect.
• Attack: An intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. Someone who casually reads sensitive information not intended for his or her use is committing a passive attack. A hacker attempting to break into an information system is an intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker compromising a system and using it to attack other systems—for example, as part of a botnet (slang for robot network). This group of compromised computers, running software of the attacker’s choosing, can operate autonomously or under the attacker’s direct control to attack systems and steal user information or conduct distributed denial-of-service attacks. Direct attacks originate from the threat itself. Indirect attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.
• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The various levels and types of controls are discussed more fully in the following modules.
• Exploit: A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain, or an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.
• Exposure: A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker.
• Loss: A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization’s information is stolen, it has suffered a loss.
• Protection profile or security posture: The entire set of controls and safeguards—including policy, education, training and awareness, and technology—that the organization implements to protect the asset. The terms are sometimes used interchangeably with the term security program, although a security program often comprises managerial aspects of security, including planning, personnel, and subordinate programs.

• Risk: The probability of an unwanted occurrence, such as an adverse event or loss. Organizations must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to accept.
• Subjects and objects of attack: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack: the target entity. See Figure 1-8. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
• Threat: Any event or circumstance that has the potential to adversely affect operations and assets. The term threat source is commonly used interchangeably with the more generic term threat. The two terms are technically distinct, but to simplify discussion, the text will continue to use the term threat to describe threat sources.
• Threat agent: The specific instance or a component of a threat. For example, the threat source of “trespass or espionage” is a category of potential danger to information assets, while “external professional hacker” (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat source known as “acts of God/acts of nature.”
• Threat event: An occurrence of an event caused by a threat agent. An example of a threat event might be damage caused by a storm. This term is commonly used interchangeably with the term attack.
• Threat source: A category of objects, people, or other entities that represents the origin of danger to an asset—in other words, a category of threat agents. Threat sources are always present and can be purposeful or undirected. For example, threat agent “hackers,” as part of the threat source “acts of trespass or espionage,” purposely threaten unprotected information systems, while threat agent “severe storms,” as part of the threat source “acts of God/acts of nature,” incidentally threaten buildings and their contents.
• Vulnerability: A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door. Some well-known vulnerabilities have been examined, documented, and published; others remain latent (or undiscovered).


Critical Characteristics of Information
I. Recognize that when a characteristic of information changes, the value of that information may increase, but more often it decreases.
II. Comprehend and define the following security terms and concepts: confidentiality, personally identifiable information (PII), integrity, availability, accuracy, authenticity, utility, and possession.

Confidentiality
I. Define the purpose of confidentiality and the measures that must be in place to protect information.
• Information classification
• Securely storing documents
• Applying general security policies and protocols
• Educating information custodians and end users
II. Analyze common reasons confidentiality breaches occur.
III. Review the concept of personally identifiable information (PII) and its application to confidentiality.

Integrity
I. Examine the concept of integrity and its application to information security principles.
II. Justify that file corruption is not strictly the result of hackers or other external forces but can include internal forces such as noise, low-voltage circuits, and retransmissions.

Availability
I. Define the concept of availability and how it allows users to access information without restriction in their required formats.

Accuracy
I. Understand that the accuracy of transmitted data is important: it must be free of mistakes or errors and align with the end user’s expectations.

Authenticity
I. Identify the fact that information is authentic when it is given to a user in the same state in which it was created, placed, stored, or transferred.
II. Evaluate the example of e-mail spoofing and how messages sent look authentic on the surface but are, in fact, not.


Utility
I. Examine the usefulness of information and how it can be applied for an end purpose.

Possession
I. Recall this attribute as one where the ownership or control of information has legitimacy or authorization.
II. Assess the scenario where a breach of possession does not always equate to a breach of confidentiality.

CNSS Security Model
I. Discuss the concept of the McCumber Cube and its application to computer and information security protocols.
• Quantify via Figure 1-9 (page 14) within the text that there are a total of 27 areas (3 x 3 x 3) that must be properly addressed during a security process.
• Understand the fact that as policy, education, and technology increase, so too do the needs for confidentiality, integrity, availability, storage, processing, and transmission.
II. Conclude that a common exclusion in this model is the need for guidelines and policies that provide direction for implementing technologies and the practices of doing so.

Components of an Information System (1.3, PPT Slide 27)
I. Gain an understanding that to fully appreciate the importance of an information system, one must be aware of everything that is included within it.
II. Review the six most common elements of an information system.
• Software
• Hardware
• Data
• People
• Procedures
• Networks

Software


I. Compare and contrast the different types of software that are used to digitally operate an information system. These include applications or programs, operating systems, and assorted command utilities.
II. Justify that the core reason software is used is to carry information through an organization.

Hardware
I. Classify this part of an information system as the physical technologies that house and execute software, store and transport data, and provide an interface for the entry and removal of information.
II. Acquire an understanding of the concept of physical security and its importance to an information system.

Data
I. Recall that data that is stored, processed, and/or transmitted must be protected, as it is the most valuable asset an organization possesses.
II. Gain awareness that the protection of physical information is just as important as the protection of electronic information.

People
I. Establish that people are often the weakest link of an information system since they provide direction, design, develop, and ultimately use and game them to operate in the business world.

Procedures
I. Recall that procedures are written instructions that are created to accomplish a specific task or action. Note that they may or may not use the technology of an information system.
II. Recognize that they provide the foundation for technical controls and security systems, which must be designed so they can be implemented.

Networks
I. Acknowledge the fact that modern information processing systems are highly complex and rely on numerous internal and external connections.
II. Conclude that networks are the highway on which information systems pass data and users complete their tasks on a daily basis.
III. Justify that proper network controls in an organization are vital to managing information flows and the security of data transmitted internally and externally.

Quick Quiz 1


1. True or False: Network security addresses the issues needed to protect items, objects, or areas.
Answer: False

2. Which type of security addresses the protection of all communications media, technology, and content?
a. information
b. network
c. physical
d. communication
Answer: d

3. Which type of security encompasses the protection of voice and data networking components, connections, and content?
a. information
b. network
c. physical
d. communications
Answer: b

4. What term is used to describe the quality or state of ownership or control of information?
a. confidentiality
b. possession
c. authenticity
d. integrity
Answer: b

5. True or False: If information has a state of being genuine or original and is not a fabrication, it has the characteristic of authenticity.
Answer: True

Security and the Organization (1.4, PPT Slides 28–33, 36–38, and 41)
I. Analyze components that make up security as a program and the professionals who are tasked with maintaining it within an organization.

Balancing Information Security and Access


I. Recall that not everyone has carte blanche access to all data that is transmitted, processed, or stored within or outside an organization.
II. Comprehend that security is never an absolute, as it is a process and not a goal.
III. Interpret that security is a delicate balance between protection and availability.

Approaches to Information Security Implementation
I. Compare and contrast the two most commonly used approaches to information security implementation: bottom-up and top-down.
• Bottom-up approaches implement security policies and/or practices from the ground up, where system administrators are responsible for improving the security of the system. A top-down approach is quite the opposite, where upper management determines security policies for an organization. This is usually the Chief Information Officer (CIO) or the Vice President of Information Technology (VP-IT).
II. Conclude that a bottom-up approach rarely works, and a top-down approach has the most effectiveness in an organization.

Security Professionals I.

Compare and contrast the different positions that are part of an implementation for an information security program. •

The Chief Information Officer (CIO) is the senior technology officer of an organization and provides guidance to the owner or CEO strategic planning that affects information management in an organization.

The Chief Security Officer (CISO) assesses, manages, and implements information security in an organization.

Senior Management

I. Examine that the Chief Information Officer (CIO) is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization.
II. In contrast to the CIO, the Chief Information Security Officer (CISO) is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title.

Information Security Project Team

I. Review the core team members of an information security project team and their specific role:
   • Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
   • Team leader: A project manager, who may be a departmental line manager or staff unit manager and who understands project management, personnel management, and information security technical requirements.
   • Security policy developers: Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.
   • Risk assessment specialists: Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
   • Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
   • Systems administrators: Individuals whose primary responsibility is administering the systems that house the information used by the organization.
   • End users: Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

I. Compare and contrast persons who own and safeguard data within an organization.
   • Data Owners: Those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change.
   • Data Custodians: Those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.
   • Data Trustees: Individuals appointed by data owners who oversee the management of an information set and its use. Though these are often executives, they appoint someone else to handle these responsibilities.
   • Data Users: End users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
II. Recall that data stewards are also known as data custodians.

Communities of Interest

I. Establish an understanding that each organization develops and maintains its own unique culture and values.
II. Recall that a community of interest is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
III. Disseminate the fact that there can be many different communities of interest in an organization, which aid in information security practices.

Information Security Management and Professionals

I. Apply knowledge that these professionals are aligned with the information security community of interest.
II. Review the fact that their goal is to protect an organization's information systems and stored information from internal and external attacks.

Information Technology Management and Professionals

I. Recognize that these individuals are often a team of IT managers and skilled professionals in a number of areas: systems design, programming, and networks at a minimum.
II. Establish an understanding that their goals do not always align with those of the information security community, depending on an organization's structure. Conflict may result if there are inconsistencies between them.

Organization Management and Professionals

I. Analyze that this group of persons in an organization are often other managers and professionals who are consumers of the information being secured.

Information Security: Is It an Art or a Science? (PPT Slides 42–43)

I. Gain an understanding that the implementation of information security has often been described as a combination of art and science due to the complex nature of information systems.
II. Discuss the concept of a "security artisan" and explain how it is based on the way individuals see technologists as computers became more commonplace in the workplace.


Security as Art

I. Recognize that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions.
II. Conclude that there is no one user's manual that can solve all security issues that a system may encounter. As an organization becomes more complex, so do the controls and technology needed to keep it together.

Security as a Science

I. Establish an understanding that the technologies that are developed are enacted by highly trained computer scientists and engineers who are required to operate at rigorous levels of performance.
II. Conclude that specific scientific conditions often cause virtually all actions that occur in a computer system. Nearly everything that negatively occurs in a system is a result of an interaction between software and hardware.
III. Justify that with enough time and resources, developers could eliminate the faults that occur.

Security as a Social Science

I. Understand that a combination of both components, art and science, makes security a social science.
II. Identify a social science as the examination of people's behavior and their interactions with (information) systems.
III. Conclude that end users, whom information security personnel must protect, are often the weakest links in the security chain.

Quick Quiz 2

1. When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow which approach?
   a. executive-led
   b. trickle down
   c. top-down
   d. bottom-up
   Answer: c

2. ________ ensures that only users with the rights, privileges, and need to access information are able to do so.
   a. confidentiality
   b. enhanced credentials
   c. software engineers
   d. awareness
   Answer: a

3. True or False: The person responsible for the storage, maintenance, and protection of the information is the data custodian.
   Answer: True

4. Which critical characteristic of information focuses on whether information that is stored, transferred, created, or placed remains in the same state as when it was received?
   a. utility
   b. possession
   c. accuracy
   d. authenticity
   Answer: d

5. Which of the following examines the behavior of individuals as they interact with systems, whether societal systems or information systems?
   a. community science
   b. social science
   c. societal science
   d. interaction management
   Answer: b

[return to top]

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:

1. What are the defining differences between computer security and information security? (1.2, PPT Slides 5, 7–9, and 13) Duration 15 minutes.
2. When reviewing the critical characteristics of information, which one is the most important? Why is that the case, and should all receive equal attention? (1.3, PPT Slides 18 and 25–26) Duration 15 minutes.
3. Do information security professionals have superiority over one another outside of their ranking in an organization? Why or why not? (1.4, PPT Slides 29–33) Duration 15 minutes.

[return to top]

Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and are available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments

Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include the following:

1. Using the Internet, find a recent feature article about a CISO or other IT professional with CISO job functions. Write a short summary of that individual and how he or she came to hold that position. The publications ComputerWorld and Information Week often have these kinds of features. Have students list the hardware assets found in a computing lab and then list the attributes of those assets. They should provide as many facts about each asset as possible.
2. Using a library with current periodicals, find a recent news article about a topic related to information security. Write a one- to two-page review of the article and how it is related to the principles of information security introduced in the textbook.

[return to top]

Additional Resources

Cengage Video Resources
• MindTap Video: What is Information Security

Internet Resources
• Internet Society—Histories of the Internet
• CNSS National Information Assurance Glossary
• Microsoft Security Development Lifecycle
• The Role of a Chief Security Officer

[return to top]


Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

Score 3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

Score 2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

Score 1: Needs Improvement
• Student's response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student's response is poorly developed or incomplete.

Score 0: Inadequate
• Student's response is missing or incomplete.
• Student's response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]

Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security

Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 2: The Need for Information Security

Table of Contents

Purpose and Perspective of the Module (page 2)
Cengage Supplements (page 2)
Module Objectives (page 2)
Complete List of Module Activities and Assessments (page 2)
Key Terms (page 3)
What's New in This Module (page 9)
Module Outline (page 10)
Discussion Questions (page 35)
Suggested Usage for Lab Activities (page 35)
Additional Activities and Assignments (page 37)
Additional Resources (page 37)
   Cengage Video Resources (page 37)
   Internet Resources (page 37)
Appendix (page 39)
   Grading Rubrics (page 39)


Purpose and Perspective of the Module

Protecting information is one of the most important tasks an organization must monitor around the clock, regardless of where personnel are located. In this module, students will gain knowledge of the purpose of information security and the need for it that is present in organizations. Next, they will gain an understanding of why a successful information security program is the shared responsibility of the entire organization and not just the departments that focus on technology. In the second half of the module, emphasis is placed on the threats that drive information security solutions and the common attacks associated with those threats. The final part of the module lists common information security issues that result from poor software development efforts.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor's manual

Module Objectives

The following objectives are addressed in this module:

2.1 Discuss the need for information security.
2.2 Explain why a successful information security program is the shared responsibility of the entire organization.
2.3 List and describe the threats posed to information security and common attacks associated with those threats.
2.4 List the common information security issues that result from poor software development efforts.

Complete List of Module Activities and Assessments

For additional guidance, refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
2.1, 2.2, and 2.3 | 11–12 | Knowledge Check Activity 1 | 2 minutes
2.3 and 2.4 | 31–32 | Knowledge Check Activity 2 | 2 minutes
2.4 | 64–65 | Knowledge Check Activity 3 | 2 minutes
2.1–2.4 | 77 | Self-Assessment | 5 minutes
2.1–2.4 | MindTap | Module 02 Review Questions | 30–40 minutes
2.1–2.4 | MindTap | Module 02 Case Exercises | 30 minutes
2.1–2.4 | MindTap | Module 02 Exercises | 10–30 minutes per question; 1+ hour per module
2.1–2.4 | MindTap | Module 02 Security for Life | 1+ hour
2.1–2.4 | MindTap | Module 02 Quiz | 10–15 minutes

[return to top]

Key Terms

In order of use:

information asset: The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
database: A collection of related data stored in a structured form and usually managed by specialized systems.
database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories.
exploit: A technique used to compromise a system; may also describe the tool, program, or script used in the compromise.
intellectual property (IP): Original ideas and inventions created, owned, and controlled by a particular person or organization; IP includes the representation of original ideas.
software piracy: The unauthorized duplication, installation, or distribution of copyrighted computer software, which is a violation of intellectual property.
availability disruption: An interruption or disruption in service, usually from a service provider, which causes an adverse event within an organization.

service level agreement (SLA): A document or part of a document that specifies the expected level of service from a service provider, including provisions for minimum acceptable availability and penalties or remediation procedures for downtime.
uptime: The percentage of time a particular service is available.
downtime: The percentage of time a particular service is not available.
blackout: A long-term interruption (outage) in electrical power availability.
brownout: A long-term decrease in quality of electrical power availability.
fault: A short-term interruption in electrical power availability.
noise: The presence of additional and disruptive signals in network communications or electrical power delivery.
sag: A short-term decrease in electrical power availability.
spike: A short-term increase in electrical power availability, also known as a swell.
surge: A long-term increase in electrical power availability.
competitive intelligence: The collection and analysis of information about an organization's business competitors through legal and ethical means to gain business intelligence and competitive advantage.
industrial espionage: The collection and analysis of information about an organization's business competitors, often through illegal or unethical means, to gain an unfair competitive advantage; also known as corporate spying.
shoulder surfing: The direct, covert observation of individual information or system use.
trespass: Unauthorized entry into the real or virtual property of another party.
hacker: A person who accesses systems and information without authorization and often illegally.
expert hacker: A hacker who uses extensive knowledge of the inner workings of computer hardware and software to gain unauthorized access to systems and information, and who often creates automated exploits, scripts, and tools used by other hackers; also known as an elite hacker.
novice hacker: A relatively unskilled hacker who uses the work of expert hackers to perform attacks; also known as a neophyte, n00b, newbie, script kiddie, or packet monkey.
professional hacker: A hacker who conducts attacks for personal financial benefit or for a crime organization or foreign government; not to be confused with a penetration tester.
penetration tester: An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems; also known as a pen tester.

pen tester: See penetration tester.
script kiddies: Novice hackers who use expertly written software to attack a system; also known as skids, skiddies, or script bunnies.
packet monkey: A novice hacker who uses automated exploits to engage in denial-of-service attacks.
privilege escalation: The unauthorized modification of an authorized or unauthorized system user account to gain advanced access and control over system resources.
jailbreaking: Escalating privileges to gain administrator-level or root access control over a smartphone operating system; typically associated with Apple iOS smartphones. See also rooting.
rooting: Escalating privileges to gain administrator-level control over a computer system (including smartphones); typically associated with Android OS smartphones. See also jailbreaking.
cracker: A hacker who intentionally removes or bypasses software copyright protection designed to prevent unauthorized duplication or use.
phreaker: A hacker who manipulates the public telephone system to make free calls or disrupt services.
cracking: Attempting to reverse-engineer, remove, or bypass a password or other access control protection, such as the copyright protection on software (see cracker).
brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
10.4 password rule: An industry recommendation for password structure and strength that specifies passwords should be at least 10 characters long and contain at least one of the following four elements: an uppercase letter, one lowercase letter, one number, and one special character.
dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target's personal information.
rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file.
social engineering: The process of using interpersonal skills to convince people to reveal access credentials or other valuable information to an attacker.
business e-mail compromise (BEC): A social engineering attack involving the compromise of an organization's e-mail system followed by a series of forged e-mail messages directing employees to transfer funds to a specified account, or to purchase gift cards and send them to an individual outside the organization.
advance-fee fraud (AFF): A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only to send a small advance fee or personal banking information to facilitate the transfer.
phishing: A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.
spear phishing: A highly targeted phishing attack.
pretexting: A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target's identity, but the real object is to trick the target into revealing confidential information; commonly performed by telephone.
information extortion: The act of an attacker or trusted insider who steals or interrupts access to information from a computer system and demands compensation for its return or for an agreement not to disclose the information.
cyberextortion: See information extortion.
ransomware: Computer software specifically designed to identify and encrypt valuable information in a victim's system in order to extort payment for the key needed to unlock the encryption.
hacktivist: A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
cyberactivist: See hacktivist.
doxing: A practice of using online resources to find and then disseminate compromising information, perhaps without lawful authority, with the intent to embarrass or harm the reputation of an individual or organization. The term originates from dox, an abbreviation of documents.
cyberterrorism: The conduct of terrorist activities via networks or Internet pathways.
cyberterrorist: A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
cyberwarfare: Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state; sometimes called information warfare.

malware: Computer software specifically designed to perform malicious or unwanted actions.
malicious software: See malware.
zero-day attack: An attack that makes use of malware that is not yet known by the antimalware software companies.
adware: Malware intended to provide undesired marketing and advertising, including popups and banners on a user's screens.
spyware: Any technology that aids in gathering information about people or organizations without their knowledge.
virus: A type of malware that is attached to other executable programs and, when activated, replicates and propagates itself to multiple systems, spreading by multiple communications vectors.
macro virus: A type of virus written in a specific language to target applications that use the language and activated when the application's product is opened; typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
boot virus: Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system's hard drive or removable storage media.
memory-resident virus: A virus that is capable of installing itself in a computer's operating system, starting when the computer is activated, and residing in the system's memory even after the host application is terminated; also known as a resident virus.
non-memory-resident virus: A virus that terminates after it has been activated, infected its host system, and replicated itself; does not reside in an operating system or memory after executing and is also known as a non-resident virus.
worm: A type of malware that is capable of activation and replication without being attached to an existing program.
Trojan horse: A malware program that hides its true nature and reveals its designed behavior only when activated.
polymorphic threat: Malware that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
malware hoax: A message that reports the presence of nonexistent malware and wastes valuable time as employees share the message.
back door: A malware payload that provides access to a system by bypassing normal access controls, or an intentional access control bypass left by a system designer to facilitate development.


trap door: See back door.
maintenance hook: See back door.
denial-of-service (DoS) attack: An attack that attempts to overwhelm a computer target’s ability to handle incoming communications, prohibiting legitimate users from accessing those systems.
distributed denial-of-service (DDoS) attack: A form of attack in which a coordinated stream of requests is launched against a target from multiple locations at the same time using bots or zombies.
bot: An abbreviation of robot, an automated software program that executes certain commands when it receives a specific input; also known as a zombie.
zombie: See bot.
spam: Undesired e-mail, typically commercial advertising transmitted in bulk.
mail bomb: An attack designed to overwhelm the receiver with excessive quantities of e-mail.
packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.
sniffer: See packet sniffer.
spoofing: The use of a communications identifier, such as a phone number, network address, or e-mail address, that is not accurately assigned to the source.
IP spoofing: A technique for gaining unauthorized access to computers using a forged or modified source IP address to give the perception that messages are coming from a trusted host.
pharming: The redirection of legitimate user Web traffic to illegitimate Web sites with the intent to collect personal information.
Domain Name System (DNS) cache poisoning: The intentional hacking and modification of a DNS database to redirect legitimate traffic to illegitimate Internet locations; also known as DNS spoofing.
man-in-the-middle: A group of attacks whereby a person intercepts a communications stream and inserts himself in the conversation to convince each of the legitimate parties that he is the other communications partner; some of these attacks involve encryption functions.
TCP hijacking: A form of man-in-the-middle attack whereby the attacker inserts himself into TCP/IP-based communications.
session hijacking: See TCP hijacking.


mean time between failure (MTBF): The average amount of time between hardware failures, calculated as the total amount of operation time for a specified number of units divided by the total number of failures.
mean time to failure (MTTF): The average amount of time until the next hardware failure.
mean time to diagnose (MTTD): The average amount of time a computer repair technician needs to determine the cause of a failure.
mean time to repair (MTTR): The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
annualized failure rate (AFR): The probability of a failure of hardware based on the manufacturer’s data of failures per year.
cross-site scripting (XSS): A Web application fault that occurs when an application running on a Web server inserts commands into a user’s browser session and causes information to be sent to a hostile server.
buffer overrun: An application error that occurs when more data is sent to a program buffer than it is designed to handle.
integer bug: A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers.
command injection: An application error that occurs when user input is passed directly to a compiler or interpreter without screening for content that may disrupt or compromise the intended function.
theft: The illegal taking of another’s property, which can be physical, electronic, or intellectual.

[return to top]

What's New in This Module

The following elements are improvements in this module from the previous edition:
• This module was Chapter 2 in the 6th edition.
• The sections on the threats and attacks were updated to reflect the latest trends, and examples were updated.
• The entire module was refreshed with a general update and given more current examples.

[return to top]


Module Outline

Introduction to the Need for Information Security (2.1, 2.2, PPT Slides 3–9)

I. Discuss the view that information security is unlike any other aspect of information technology. The primary mission is to ensure things stay the way they are. Point out that if there were no threats to information and systems, we could focus on improving systems that support the information.

II. Explain that organizations must understand the environment in which information systems operate so that their information security programs can address actual and potential problems.

III. Emphasize to students the four important functions for an organization with respect to information security:
• Protecting the organization’s ability to function
• Protecting the data and information the organization collects and uses
• Enabling the safe operation of applications running on the organization’s IT systems
• Safeguarding the organization’s technology assets

Business Needs First

I. Explain that without the underlying business to generate revenue and use information, the information is likely to lose value, and the need for it would drop to zero.

II. Stress that decisions about information security and the assets it protects should be made carefully and holistically.

III. Emphasize that protecting information within an organization is everyone’s responsibility. Regardless of title, rank in the firm, or position, everyone must proactively protect the data the organization stores and uses.

Protecting Functionality

I. Discuss the fact that general management, IT management, and information security management are responsible for implementing information security to protect the ability of the organization to function.

II. Relate to students that information security is a management issue in addition to a technical issue; it is a people issue in addition to a technical issue.

III. Explain that to assist management in addressing the need for information security, communities of interest must communicate in terms of business impact and the cost of business interruption, and they must avoid arguments expressed only in technical terms.

Protecting Data That Organizations Collect and Use

I. Stress to students that many organizations realize that one of their most valuable assets is their data. Without data, an organization loses its record of transactions and/or its ability to deliver value to its customers.

II. Explain the concept of data security. This concept is about protecting data in motion and data at rest, a critical aspect of information security. An effective information security program is essential to the protection of the integrity and value of the organization’s data.

III. Detail how information is stored. It is often stored in databases, and database security is important because it applies a broad range of control mechanisms to numerous areas of information security.

Enabling the Safe Operation of Applications

I. Establish that a modern organization needs to create an environment that protects and safeguards applications, specifically those that are important elements of the firm’s infrastructure: operating systems, platforms, operational applications, e-mail, instant messaging applications, and text messaging platforms.

Safeguarding Technology Assets in Organizations

I. Relate to students that as an organization grows, so does its need for more robust technologies and commercial-grade solutions.

II. Explain the example that is provided in the textbook that lists core components of security technologies (a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities).

III. Establish that although cloud services provide another way to solve business information management challenges, they bring their own set of risks and concerns that must be defended against.

Information Security Threats and Attacks (2.3, PPT Slides 10 and 13–23)

I. Remind students that to make sound decisions about information security as well as to create and enforce policies, management must be informed of the various kinds of threats facing the organization and its applications, data, and information systems.

II. Explain that a threat is an object, person, or other entity that represents a constant danger to an asset. Point out that an attack represents an ongoing act against the asset that could result in a loss. Also mention that threat agents use exploits to take advantage of vulnerabilities where controls are not present or are no longer effective.

4.8 Billion Potential Hackers

I. State that about 62 percent of the world’s population (about 4.8 billion) have some form of internet access, which is significantly up from 2015, when 49.2 percent of the population had access.

II. Discuss the general agreement that the threat from external sources increases when an organization connects to the Internet.

III. Guide students to briefly review the world Internet usage spread in Table 2-1.

Other Studies of Threats

I. Point out to students that according to a recent study and survey, 67.1 percent of responding organizations suffered malware infections. Also, more than 98 percent of responding organizations identified malware as the second-highest threat source behind electronic phishing/spoofing.

II. Discuss Tables 2-2, 2-3, and 2-4, which outline threats from internal and external stakeholders as well as general threats to information assets.

Common Attack Pattern Enumeration and Classification (CAPEC)

I. Introduce students to the CAPEC Web site, which can be used by security professionals to understand attacks.

II. Explain that this resource is a good tool for information security professionals to use to gain additional insight on how attacks occur procedurally.

The 12 Categories of Threats (2.3, 2.4, PPT Slides 24–72)

I. Apply the use of Table 2-5 to explain the 12 categories of threats that represent a clear and present danger to an organization’s people, information, and systems. In summary, they are the following:
• Compromises to intellectual property
• Deviations in quality of service
• Espionage or trespass
• Forces of nature
• Human error or failure
• Information extortion
• Sabotage or vandalism
• Software attacks
• Technical hardware failures or errors
• Technical software failures or errors
• Technological obsolescence
• Theft

II. Recognize that a threat to an organization may include more than one of these categories, depending on the severity of the attack.

Compromises to Intellectual Property

I. Explain that many organizations create or support the development of intellectual property (IP) as part of their business operations. Intellectual property is defined as “the ownership of ideas and control over the tangible or virtual representation of those ideas.”

II. Recall that intellectual property for an organization includes trade secrets, copyrights, trademarks, and patents. Once intellectual property has been defined and properly identified, breaches to IP constitute a threat to the security of this information. Most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.

Software Piracy

I. Emphasize to students that the most common IP breaches involve the unlawful use or duplication of software-based intellectual property, known as software piracy.

II. Outline that in addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software and Information Industry Association (SIIA), formerly the Software Publishers Association, and the Business Software Alliance (BSA).

III. Quantify the severity of software piracy with the following statistics mentioned in the text:
• The BSA estimates that 37 percent of software installed on personal computers globally was not properly licensed in 2018.
• Some countries indicate unlicensed rates of more than 50 percent.

IV. Recall that malware attacks significantly increase with the use of unlicensed software.

Copyright Protection and User Registration

I. Discuss that enforcement of copyright laws has been attempted through several technical security mechanisms, such as digital watermarks, embedded code, and copyright codes.

II. Identify that online registrations combat piracy because users must register their software to complete the installation process. Caution students that key generators can be used to override and outsmart online registration tools and still result in intellectual property losses.

Deviations in Quality of Service

I. Summarize that concerns in this category represent situations in which a product or service is not delivered to the organization as expected.

II. Explain that the organization’s information system depends on the successful operation of many interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.

Internet Service Issues

I. Explain that Internet service, communications, and power irregularities are three sets of service issues that dramatically affect the availability of information and systems, regardless of whether a person is at the office or connecting through a virtual private network (VPN) connection.

II. Justify that the U.S. government’s Federal Communications Commission (FCC) maintains a Network Outage Reporting System (NORS), which, under FCC regulation 47 C.F.R. Part 4, requires communications providers to report outages that disrupt communications at certain facilities, like emergency services and airports.

III. Report that when an Internet service provider fails to meet the terms of a service level agreement (SLA), it is often fined to cover client losses, although the lost business exceeds anything recovered. This is true even though vendors promote high availability (high uptime, or low downtime).

IV. Apply the example of Amazon, for which a 30- to 40-minute outage cost a significant amount of money ($3-4 million) in just that short amount of time.

V. Identify the most common causes of downtime and the financial impact of those incidents from the data provided in Figure 2-4.

Communication and Other Service Provider Issues

I. Describe communications and other service provider issues: other utility services can impact organizations as well. Among these are telephone, water, wastewater, trash pickup, cable television, natural or propane gas, and custodial services. The loss of these services can impair the ability of an organization to function properly.

Power Irregularities

I. Describe power irregularities: irregularities from power utilities are common and can lead to fluctuations, such as power excesses, power shortages, and power losses. In the United States, we are “fed” 120-volt, 60-cycle power usually through 15-amp and 20-amp circuits.

II. Explain that voltage levels are subject to a spike (momentary increase), surge (prolonged increase), sag (momentary decrease), brownout (prolonged drop in voltage), fault (momentary complete loss of power) or blackout (a lengthier loss of power).

III. Emphasize that organizations with dedicated power needs must think of backup solutions such as generators to provide power in the event an outage were to occur. This is especially the case for information technology and security-related systems.

IV. Predict that because sensitive electronic equipment—especially networking equipment, computers, and computer-based systems—is susceptible to fluctuations, controls should be applied to manage power quality.

Espionage or Trespass

I. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.

II. Establish that when an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass.

III. Contrast the thoughts that some people assume that information-gathering techniques are illegal when, in fact, they are not. When they are done properly, this is referred to as competitive intelligence. However, if a legal or ethical threshold is crossed, persons doing this are conducting industrial espionage.

IV. Describe the concept of shoulder surfing. Emphasize that it commonly occurs at computer terminals, desks, ATMs, smartphones, or other places where a person is accessing confidential information.

V. Justify the notion that users should be constantly aware of the presence of others whenever they are accessing sensitive data.

Hackers

I. Present the fact that trespassing often leads to unauthorized, real, or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

II. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems.

III. Remind students that there are generally two skill levels among hackers. The first is the expert hacker, who develops software scripts and program exploits used by the second category, the novice, or unskilled hacker.

IV. Explain that the expert hacker is usually a master of several programming languages, networking protocols, and operating systems and exhibits a mastery of the technical environment of the chosen targeted system.

V. Demonstrate that expert hackers who have become bored with directly attacking systems have turned to writing software. The software they write consists of automated exploits that allow novice hackers to become script kiddies (or packet monkeys): hackers of limited skill who use expertly written software to exploit a system, but do not fully understand or appreciate the systems they hack.

VI. Compare and contrast professional hackers and penetration (pen) testers. Although both test information and network defenses, professional hackers do so illegally, whereas pen testers conduct their tests ethically and professionally.

Escalation of Privileges

I. Discuss the term privilege escalation. Explain that a common example of privilege escalation is called jailbreaking or rooting.

II. Justify that according to the U.S. Copyright Office, the practice of jailbreaking smartphones was considered legal as a special exemption under the Digital Millennium Copyright Act, but jailbreaking a tablet (such as the iPad) was not and often voids any manufacturer warranty.

Hacker Variants

I. Describe the other terms for system rule breakers mentioned in the text:
• Crackers are now commonly associated with an individual who “cracks” or removes software protection that is designed to prevent unauthorized duplication.
• Phreakers hack the public telephone network to make free calls, disrupt services, and generally wreak havoc. Although more common in the 1970s, they can still do a number on phone systems.


Password Attacks

I. Emphasize that password attacks fall under the category of espionage and are a serious offense.

II. Outline the four approaches to password cracking:
• brute force password attack: An attempt to guess a password by attempting every possible combination of characters and numbers in it.
• dictionary password attack: A variation of the brute force password attack that attempts to narrow the range of possible passwords guessed by using a list of common passwords and possibly including attempts based on the target’s personal information.
• rainbow table: A table of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system’s encrypted password file.
• social engineering: An attempt to gain access by contacting low-level employees and offering to help with their computer issues.

III. Evaluate the purpose and composition of the 10.4 password rule and how it provides a method for users to generate a stronger password that is less likely to be cracked.

IV. Recommend that students review Table 2-6 to see how the odds against guessing a password increase with each additional character, and how long an exhaustive search would take on a 2020-era computer system.
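As an added illustration of the 10.4 rule and of why the numbers in Table 2-6 grow so quickly with length and character classes, the following Python (not code from the textbook) checks a password against the rule and sizes the search space a brute-force or dictionary attack would have to cover. The guess rates and sample passwords are constructed assumptions for the illustration, not figures from the text.

```python
"""Password-policy strength estimator (added example; assumptions noted inline)."""
import string

# The four character classes behind the 10.4 rule: at least 10 characters,
# drawn from all four classes.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26 symbols
    "upper": string.ascii_uppercase,   # 26 symbols
    "digit": string.digits,            # 10 symbols
    "symbol": string.punctuation,      # 32 symbols
}

# Assumed guess rates (guesses per second); constructed for illustration only.
ASSUMED_RATES = {
    "online login with lockout/rate limiting": 10.0,
    "offline, fast unsalted hash": 1e11,
    "offline, deliberately slow hash (bcrypt-class)": 1e5,
}


def classes_used(password):
    """Return the set of character-class names present in the password."""
    return {name for name, alphabet in CHARACTER_CLASSES.items()
            if any(ch in alphabet for ch in password)}


def satisfies_10_4(password):
    """True when the password has at least 10 characters and uses all four classes."""
    return len(password) >= 10 and len(classes_used(password)) == 4


def alphabet_size(classes):
    """Number of distinct symbols available across the given classes."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes)


def keyspace(length, classes):
    """Number of distinct passwords of exactly this length over these classes."""
    return alphabet_size(classes) ** length


def seconds_to_exhaust(length, classes, guesses_per_second):
    """Worst-case time for a brute-force search; on average half of it is needed."""
    return keyspace(length, classes) / guesses_per_second


def dictionary_fraction(wordlist_size, mangling_rules, length, classes):
    """Fraction of the brute-force keyspace a dictionary attack tries instead:
    it narrows the search to wordlist_size * mangling_rules candidates."""
    return (wordlist_size * mangling_rules) / keyspace(length, classes)


def human_duration(seconds):
    """Render seconds as the largest convenient unit."""
    for unit, size in (("year", 365 * 86400), ("day", 86400),
                       ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}s"
    return f"{seconds:,.2f} seconds"


def policy_report(guesses_per_second):
    """Rows of (length, classes, keyspace, worst-case duration) for a few policies,
    the last two of which satisfy the 10.4 rule."""
    policies = [
        (8, ("lower",)),
        (8, ("lower", "upper", "digit")),
        (10, ("lower", "upper", "digit", "symbol")),
        (12, ("lower", "upper", "digit", "symbol")),
    ]
    return [(length, classes, keyspace(length, classes),
             human_duration(seconds_to_exhaust(length, classes, guesses_per_second)))
            for length, classes in policies]


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("password", "Spr1ng#Rain2024", "Ab1!"):
        print(f"{pw!r:20} 10.4 rule: {satisfies_10_4(pw)!s:5} classes: {sorted(classes_used(pw))}")
    for scenario, rate in ASSUMED_RATES.items():
        print(f"\n{scenario} ({rate:g} guesses/s)")
        for length, classes, space, worst in policy_report(rate):
            print(f"  length {length:2d}, {len(classes)} classes: {space:.3e} candidates, worst case {worst}")
    # A 100k-word list with 100 mangling rules covers only a tiny slice of even
    # an 8-character lowercase keyspace, which is why users' choices matter.
    print(f"\ndictionary share of 8-char lowercase keyspace: "
          f"{dictionary_fraction(100_000, 100, 8, ('lower',)):.2e}")
```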

Social Engineering Password Attacks

I. Stress that hackers posing as friendly help-desk associates or repair technicians have an easy inroad into servers and systems, even if they actually resolve the user’s issue.

II. Critique the scenario in which hackers work inside an organization, even at a help desk, and use this method to gain access to systems they would otherwise be denied. This is true even if their background check comes up clean.

III. Point out that attempts to gain access like this are often subtle and go unnoticed until it is too late.

Forces of Nature

I. Discuss how forces of nature, force majeure, or acts of God pose some of the most dangerous threats, because they are unexpected and can occur with little warning.

II. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a force of nature even though most things remained operational.

III. Explain that these threats can disrupt not only the lives of individuals but also the storage, transmission, and use of information. Since it is not possible to avoid many of these threats, management must implement controls to limit damage and prepare contingency plans for continued operations.

IV. Outline the 11 forces of nature that are listed in the text. They are the following:
• Fires
• Floods
• Earthquakes
• Lightning
• Landslides or mudslides
• Tornados or severe windstorms
• Hurricanes, typhoons, and tropical depressions
• Tsunamis
• Electrostatic discharge (ESD)
• Dust contamination
• Solar activity

Fire

I. Outline ways a fire can cause damage to computing equipment up to the point of compromising all or part of a system. This includes the fire itself, suppression systems such as sprinklers, or water from firefighting hoses.

II. Demonstrate that this threat often can be mitigated with fire casualty insurance or business interruption insurance policies.

Floods

I. Detail the net effects a flood can have on a facility and computing equipment. On top of damaging the systems, building access may also be compromised.

II. Explain that this specific threat often may be mitigated with flood insurance or business interruption insurance. This is especially important if the business is in a potential flood zone as deemed by FEMA.

Earthquakes

I. Present that an earthquake can cause direct damage to information system equipment and/or the facilities that house the equipment.

II. Stress that not only physical structures are at risk. Give the example in the text of a large earthquake off the coast of Taiwan that severed underwater communications cables.

III. Explain that this specific threat can sometimes be mitigated with casualty or business interruption insurance. Often, as mentioned, it is covered under its own policy.

Lightning

I. Illustrate what a lightning strike is. It is an abrupt, discontinuous natural electric discharge in the atmosphere.

II. Recognize that lightning strikes not only can damage all or part of an information system but also cause building damage, fires, or other damage.

III. Emphasize proactive measures that can be taken by installing specialized lightning rods placed strategically on and around the organization’s facilities and by installing special circuit protectors in the organization’s electrical service.

IV. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance.

Landslides, Mudslides, and Avalanches

I. Relate that these are downward slides of masses of earth, rock, or snow; they are sometimes sudden, or come with only minimal notice in which evacuations can take place.

II. Direct students to understand the impacts here to buildings that house the systems. Depending on the severity of the incident, they may be destroyed or temporarily buried.

III. Classify that this type of natural cause can sometimes be mitigated with multipurpose casualty or business interruption insurance.

Tornados and Severe Windstorms

I. Contrast the differences between a tornado and wind shear events.

II. Denote that a tornado can directly damage all or part of the facility housing the information systems, depending on the strength of the funnel cloud and wind speed.

III. Explain that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance.

Hurricanes, Typhoons, and Tropical Depressions

I. Compare the difference between a typhoon and a hurricane. Note that it is virtually the same thing with the exception of its location in the world.

II. Stress that excessive rainfall and high winds from these storms can directly damage all or part of the information system or, more likely, the building that houses it. Organizations in coastal or low-lying areas may suffer flooding as well, which would restrict access to the buildings that house information systems.

III. Guide students to understand that this brief but impactful type of natural disaster may be mitigated with casualty or business interruption insurance.

Tsunamis

I. Describe the impact of a tsunami and the severity of impact that just one event may cause.

II. Use the tsunami that occurred in 2011 as an example of a threat that affected the world directly and indirectly.

III. Explain that in most cases this threat can be mitigated with casualty insurance or business interruption insurance.

Electrostatic Discharge

I. Illustrate what an electrostatic discharge (ESD) is and the impact it can have on flammable mixtures or electronic components.

II. Stress that as little as 10 volts can cause catastrophic damage to information systems equipment, and humans cannot detect static electricity until it reaches about 1,500 volts. Discharges from walking across dry carpet can exceed 12,000 volts.

III. Emphasize that the financial repercussions of static discharge could result in millions of dollars of damage and significant loss of production time in information processing. Although ESD can disrupt information systems, it is not usually an insurable loss unless covered by business interruption insurance.

Dust Contamination

I. Relate that dust particle buildups and debris inside systems can dramatically reduce the effectiveness and efficiency of the equipment. This often leads to unexpected shutdowns and overheating.

II. Stress that this can often shorten the life of information systems and disrupt normal operations.

Solar Activity

I. Recognize that solar flares or extremes in radiation can affect power grids and power lines, blow out transformers, and shut down power stations.

II. Emphasize that businesses that rely on satellites should have alternate options available should communications from them be disrupted.


Human Error or Failure

I. Describe this category and comment to students that it includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization.

II. Discuss the fact that employees constitute one of the greatest threats to information security, as they are the individuals closest to the organizational data. Employee mistakes can easily lead to the following: revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information.

III. Note that many threats can be prevented with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party.

IV. Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information.

Social Engineering

I. Define, within the context of information security, social engineering as the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.

II. Explain that people are the weakest link. You can have the best technology—firewalls, intrusion-detection systems, biometric devices—and somebody can call an unsuspecting employee and obtain a wealth of information.

Business E-Mail Compromise (BEC)

I. Stress that this is one of the newest forms of social engineering attack being deployed against organizations today.

II. Detail the process: an attacker gains access to the system either through another social engineering attack or a technical exploit and then proceeds to request that employees within the organization, usually administrative assistants to high-level executives, transfer funds to an outside account or purchase gift cards and send them to someone outside the organization.

III. Emphasize that in 2019 alone, there were 24,000 BEC complaints and projected losses of more than $1.7 billion.

Advance-Fee Fraud

I. Compare and contrast one of the most common social engineering attacks, known as advance-fee fraud (AFF), with phishing.


II. Stress that AFF is also known as 4-1-9 fraud because it is named after the relevant section of the Nigerian Penal Code, not an area code in northern Ohio.

III. Examine a sample letter, as illustrated in Figure 2-9, which illustrates this scheme in practice.

IV. Outline to students that this scam is one for stealing funds from credulous people, first by requiring them to participate in a proposed money-making venture by sending money up front, and then by soliciting an endless series of fees. In the most serious cases, kidnapping, extortion, or murder can result.

V. Quantify that most recently, in 2020, up to $100 billion has been swindled using this method.

Phishing

I. Distinguish phishing as an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity.

II. Emphasize that a variant is spear phishing, a label that applies to any highly targeted phishing attack. While normal phishing attacks target as many recipients as possible, a spear phisher sends a message that appears to be from an employer, a colleague, or other legitimate correspondent to a small group, or even one specific person.

III. Discuss that phishing attacks use two primary techniques, often used in combination with one another: URL manipulation and Web site forgery.

Pretexting

I. Point out that another form of social engineering is called pretexting, which is sometimes referred to as phone phishing.

II. Emphasize that VoIP phone services have made it easy to spoof caller IDs and hence hide the identity of someone who may be on the other end of the line.

Information Extortion

I. Illustrate how information extortion involves the possibility of an attacker or trusted insider stealing information from a computer system and demanding compensation for its return or for an agreement not to disclose the information. Extortion is common in credit card number theft.

II. Give the examples provided in the textbook of different information extortion incidents and the impacts on their respective businesses. Convey to students that regardless of a company’s size or function, it is susceptible to extortion.

Ransomware

I. Explain that the latest type of attack in this category is known as ransomware, which is a malware attack on the host system that denies access to the user and then offers to provide a key to allow access back to the user’s system and data for a fee.

II. Compare and contrast the two different types of ransomware: lockscreen and encryption.

• Lockscreen ransomware denies access to the system by disabling access to the desktop and preventing the user from bypassing the ransom screen that demands payment for access.

• Encryption ransomware is more severe, as it requires payment up front to access one’s hard drive after the information on it has been encrypted.

III. Illustrate the three examples of ransomware activities highlighted in the text and stress to students that these types of attacks occur daily, and an information security team must be on guard to overcome and nullify them.

Sabotage or Vandalism

I. Summarize that this type of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage the image of an organization.

II. Emphasize that these threats can range from petty vandalism by employees to organized sabotage against an organization.

III. Identify that organizations frequently rely on image to support the generation of revenue, and vandalism to a Web site can erode consumer confidence, thus reducing the organization’s sales and net worth. Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.

Online Activism

I. Explain that security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations. A more extreme version is referred to as cyberterrorism (which is explained next).

II. Stress that the concept of doxing is where a hacker would use online resources to find and disseminate compromising information for the purpose of harming or harassing an individual, group, or government entity. Apply Figure 2-14 as an example of this in action.

Cyberterrorism and Cyberwarfare

I. Detail the purpose of cyberterrorism and what the United States and other government bodies are doing to combat this.


II. Differentiate between the three examples provided in the text with respect to supposed cyberterrorism attacks and why it is important to be on guard.

III. Relate that some government entities express concern that cyberattacks aimed at disrupting their entities are likely to be seen as cyberwarfare. Note that their purpose is to take down critical infrastructure.

IV. Apply one of the most recent attacks on critical infrastructure in the United States—the Colonial Pipeline shutdown that wreaked havoc in the eastern part of the country—as an example of a cyberterrorism threat in the eyes of the federal government.

Positive Online Activism

I. Compare cyberterrorism to more positive online activism, such as using Facebook, Twitter, and so on to perform fundraising and raise awareness of social issues.

II. Stress that positive online activism is a legal right, provided it does not cross the moral threshold into illegal activities.

Quick Quiz 1

1. True or False: The three communities of interest are general management, operations management, and information security management.
Answer: False

2. Hackers of limited skill who use expertly written software to attack a system are known as which of the following?
a. cyberterrorists
b. script kiddies
c. jailbreakers
d. social engineers
Answer: b

3. Which of the following occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it?
a. information extortion
b. technological extortion
c. insider trading
d. information hoarding
Answer: a


4. Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?
a. cyberattackers
b. electronic terrorists
c. cyberterrorists
d. electronic hackers
Answer: c

5. True or False: Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo.
Answer: True

6. True or False: When looking at forces of nature that could cause destruction or damage to information systems, electrostatic discharge (ESD) is not considered to be one of them.
Answer: False

Software Attacks

I. Emphasize that an attack is a deliberate act that exploits a vulnerability to compromise a controlled system. This attack can consist of specially crafted software that attackers trick users into installing on their systems.

II. State that the most common forms of software attack are malware, viruses, worms, back doors, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, e-mail attacks, and communication interception attacks.

Malware

I. Describe malware as malicious code or malicious software. Point out that other attacks that use software, such as redirect attacks and denial-of-service attacks, also fall under this threat. Note that the malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.

II. Explain that the polymorphic, or multivector, worm is a state-of-the-art attack system. Point out that these attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

III. Emphasize to students that when an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.

IV. Summarize other forms of malware, including covert software applications—bots, spyware, and adware—that are designed to work out of sight of users, or via an apparently innocuous user action. Use Table 2-7 to review some of the most dangerous malware attacks to date.

Viruses

I. State that a computer virus consists of code segments that perform malicious actions. Point out to students that one of the most common methods of virus transmission is via e-mail attachments.

II. Mention that viruses can be classified by how they spread themselves. Discuss the most common types of information system viruses, which are the macro virus and the boot virus.

III. Explain the classification known as memory-resident and non-memory-resident viruses. Note that resident viruses are capable of reactivating when the computer is booted and continuing their actions until the system is shut down.

IV. Differentiate between the different types of attack replication vectors illustrated in Table 2-8 within the text and stress that regardless of which one is used, the impact can still be crippling to an organization.

Worms

I. Explain that worms are viruses that replicate themselves like bunnies until all available resources have been exhausted.

II. Relate the speed at which worms can spread by applying the examples of the Nimda outbreak in 2001 and the Klez worm that infiltrated computers in much the same way.

III. Examine the consequences of a perpetrator creating and distributing a virus. Use the example of Jeffrey Lee Parson, an 18-year-old high school student who committed such an act.

IV. Compare and contrast the definitions of a worm and a Trojan horse. Note that a Trojan horse looks legitimate on the surface, but once opened, it installs a virus on the devices it infects. Recommend students review Figure 2-15 for an illustration of this in practice.

V. Illustrate that a more modern version of a Trojan horse attack is known as SMiShing, in which the victim is tricked into downloading malware onto a mobile phone via a text message. SMiShing is an abbreviation for SMS phishing.

VI. Evaluate the ever-changing nature of a polymorphic threat and how it changes its size and other characteristics to stay one step ahead of antivirus software programs.

VII. Also point out that malware hoaxes, or messages sent that warn of dangerous viruses when no credible threat exists, result in significant resources and time wasted. Point out the author’s comment that there are Web sites that can be checked to determine the validity and credibility of a supposed threat.

Back Doors

I. Discuss how, by using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Point out that these doors are often referred to as maintenance hooks.

II. Stress that a back door, or trap door, access process is difficult to detect because the person or program that places it often makes the access exempt from the system’s usual audit logging features and makes every attempt to keep the back door hidden from the system’s legitimate owners.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

I. Explain that a denial-of-service attack begins when an attacker sends many connections or information requests to a target. So many requests are made that the target system cannot handle them successfully along with other legitimate requests for service. This may result in the system crashing or simply becoming unable to perform ordinary functions.

II. Define a distributed denial-of-service attack as one in which a coordinated stream of requests is launched against a target from many locations at the same time.

III. Relate how compromised machines are turned into bots or zombies that can be directed remotely by the attacker to participate in the attack. Apply Figure 2-16 as part of providing this point to students.

IV. Emphasize that in most cases, the attacks are short-lived, but their impacts are significant and can last well beyond the time it took to initiate the act.

E-Mail Attacks

I. Recall that spam is unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks.

II. Explain that mail bombing is another form of e-mail attack that is also a denial of service (DoS), in which an attacker routes large quantities of e-mail to the target.

III. Comment that phishing attacks may occur via e-mail, but they are aligned with social engineering designed to trick users into performing an action, which may then make them the target of a larger DoS e-mail attack.

Communications Interception Attacks

I. Explain that common software-based communications attacks include several subcategories designed to intercept and collect information in transit. Point out to students that the emergence of the Internet of Things (IoT) increases the possibility of these types of attacks.

II. Describe a packet sniffer as a software program or hardware appliance that can intercept, copy, and interpret network traffic. Stress that these can be extremely dangerous because they are virtually impossible to detect.

III. Establish that Internet Protocol spoofing (or IP spoofing) is another technique, in which hackers take trusted IP addresses, modify packet headers, and insert fake addresses. Apply the sequence shown in Figure 2-17 to demonstrate how the process occurs. Emphasize, however, that most modern routers can offer some level of protection from this.

IV. Describe the term pharming and that it is “the redirection of legitimate Web traffic to an illegitimate site for the purpose of obtaining private information.” Note that pharming may also exploit the Domain Name System (DNS) by causing it to transform the legitimate host name into the invalid site’s IP address. This form of pharming is also known as DNS cache poisoning.

V. Outline that an attacker sniffs packets from the network, modifies them, and inserts them back into the network. Point out that in a TCP hijacking attack, the attacker uses address spoofing to impersonate other legitimate entities on the network. Mention that this is also known as session hijacking or a man-in-the-middle scenario.

Technical Hardware Failures or Errors

I. Emphasize that technical hardware failures or errors occur when a manufacturer distributes a user’s equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable or unavailable service.

II. Discuss that some errors are terminal in that they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only periodically manifest themselves, resulting in faults that are not easily repeated.

III. Stress that, applying Murphy’s Law, it is more a matter of when and not if computing equipment will break down.

The Intel Pentium CPU Failure

I. Illustrate that one of the best-known hardware failures was the Intel Pentium II chip.

II. Because a simple quotient problem caused systems to crash, the Pentium floating-point division bug (FDIV) led to a public-relations disaster for Intel that resulted in its first-ever chip recall and a loss of more than $475 million. A few months later, disclosure of another bug, known as the Dan-0411 flag erratum, further eroded the chip manufacturer’s public image.

Mean Time Between Failures

I. Explain that in hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). Point out that MTBF and MTTF are sometimes used interchangeably.

II. Compare and contrast the differences between mean time between failure (MTBF) and mean time to failure (MTTF).

• Also note that the mean time to diagnose (MTTD) is the average amount of time a technician needs to determine the cause of a failure, and the mean time to repair (MTTR) is the average time it will take to rectify the issue.

• Calculate the MTBF as the sum of MTTF, MTTD, and MTTR.

Technical Software Failures or Errors

I. Explain that this category involves threats that come from purchasing software with unknown, hidden faults. Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved.

II. Discuss how combinations of certain software and hardware can reveal new bugs. Sometimes these items are not errors, but rather are purposeful shortcuts left by programmers for benign or malign reasons.

The OWASP Top 10

I. List the top 10 Web application security risks, as outlined by the Open Web Application Security Project (OWASP):

• Injection
• Broken authentication
• Sensitive data exposure
• XML external entities (XXE)
• Broken access control
• Security misconfiguration
• Cross-site scripting (XSS)
• Insecure deserialization
• Insufficient logging & monitoring
• Insecure direct object references

II. Emphasize that these have rarely changed since 2010, but the threat is just as big as it was then, if not bigger.

The Deadly Sins in Software Security

I. Explain that some software development problems result in software that is difficult or impossible to deploy in a secure fashion. There are at least two dozen problem areas or categories in software development (which is also called software engineering) that should be summarized for students.

II. Describe SQL injection as occurring when developers fail to properly validate user input before using it to query a relational database. The possible effects of the ability to “inject” SQL of the attacker’s choosing into the program are not limited to improper access to information; they could potentially allow an attacker to drop tables or even shut down the database.

III. Mention to students that the same cross-site scripting attacks that can infect a client system can also be used to attack Web servers. Cross-site request forgery (XSRF or CSRF) attacks and scripting cause users to attack servers they access legitimately.

IV. Discuss the Web client-related vulnerability known as cross-site scripting (XSS). Client-side cross-site scripting errors can cause problems that allow an attacker to send malicious code to the user’s computer by inserting the script into a normal Web site.

V. Describe the use of magic URLs and hidden forms.

• Because HTTP is a stateless protocol and computer programs on either end of the communication channel cannot rely on guaranteed delivery of any message, it is difficult for software developers to track a user’s exchanges with a Web site over multiple interactions.

• Too often, sensitive state information is simply included in a “magic” URL (e.g., the authentication ID is passed as a parameter in the URL for the exchanges that will follow) or included in hidden form fields on the HTML page.

• If this information is stored as plain text, an attacker can harvest the information from a magic URL as it travels across the network or use scripts on the client to modify information in hidden form fields.
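The magic URL and hidden form item above, as an added example (not from the text): non-secret hidden fields carry an HMAC so client-side edits are detected, while the authentication ID stays server-side behind an opaque token. The signing key, field names, and the forge helper that simulates the tampering are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a per-deployment secret loaded from protected storage; this
# constructed value exists only so the example runs offline.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def sign_hidden_fields(fields: dict) -> dict:
    """Emit hidden-form values plus a MAC over them. Everything here reaches the
    browser, so `fields` must hold only non-secret state (item, quantity, price)."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return {"state": base64.urlsafe_b64encode(payload).decode(), "sig": _mac(payload)}


def verify_hidden_fields(form: dict) -> Optional[dict]:
    """Authenticate before parsing: recompute the MAC over what came back and
    reject on mismatch, so a client-side edit of a hidden field is caught."""
    try:
        payload = base64.urlsafe_b64decode(form["state"].encode())
    except (KeyError, ValueError, AttributeError):
        return None
    if not hmac.compare_digest(_mac(payload), str(form.get("sig", ""))):
        return None
    return json.loads(payload)


def forge_price(form: dict, price_cents: int) -> dict:
    """Constructed stand-in for the tampering the text describes: a script on
    the client edits the hidden price while reusing the original signature."""
    fields = json.loads(base64.urlsafe_b64decode(form["state"].encode()))
    fields["price_cents"] = price_cents
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return {"state": base64.urlsafe_b64encode(payload).decode(), "sig": form["sig"]}


class ServerSideSession:
    """Where secrets such as the authentication ID belong: on the server, keyed
    by an opaque, unguessable token. The URL or cookie carries only the token."""

    def __init__(self) -> None:
        self._store: dict = {}

    def create(self, data: dict) -> str:
        token = secrets.token_urlsafe(32)
        self._store[token] = dict(data)
        return token

    def lookup(self, token: str) -> Optional[dict]:
        return self._store.get(token)
```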

VI. Detail what buffer overruns are and how they occur. Buffers are used when there is a mismatch in the processing rates between two entities involved in a communication process. A buffer overrun (or buffer overflow) is an application error that occurs when more data is sent to a program buffer than it is designed to handle. During a buffer overrun, an attacker can make the target system execute instructions, or the attacker can take advantage of some other unintended consequence of the failure.


VII. Illustrate format string problems and the reason that they occur. Computer languages are often equipped with built-in capabilities to reformat data while they are outputting it. The formatting instructions are usually written as a “format string.” An attacker may embed characters meaningful as formatting directives into malicious input. If this input is then interpreted by the program as formatting directives, the attacker may be able to access information or overwrite very targeted portions of the program’s stack with data of the attacker’s choosing.

VIII. Discuss integer bugs (overflows/underflows). Although paper and pencil can deal with arbitrary numbers of digits, the binary representations used by computers are of a particular fixed length. “Integer bugs fall into four broad classes: overflows, underflows, truncations, and signedness errors. Integer bugs are usually exploited indirectly—that is, triggering an integer bug enables an attacker to corrupt other areas of memory, gaining control of an application.”
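The buffer overrun item (VI) and the integer bug item (VIII) above, as one added example (not code from the text): fixed-width 32-bit arithmetic is simulated in Python to show how an overflowed, truncated, or sign-confused length slips past a naive bounds check, beside the check that cannot wrap and the guarded write that refuses the overrun. The buffer sizes and lengths are constructed values.

```python
MASK32 = 0xFFFFFFFF


def wrap_u32(x: int) -> int:
    """What a 32-bit unsigned register holds after the operation (overflow wraps)."""
    return x & MASK32


def to_s32(x: int) -> int:
    """Reinterpret a 32-bit pattern as a signed value (signedness error)."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def to_u16(x: int) -> int:
    """Store into a 16-bit field: the high bits are silently dropped (truncation)."""
    return x & 0xFFFF


def bounds_check_wrapping(buf_size: int, offset: int, length: int) -> bool:
    """How `offset + length <= buf_size` behaves in uint32 arithmetic: the sum
    wraps, so a huge length can satisfy the check (overflow)."""
    return wrap_u32(offset + length) <= buf_size


def bounds_check_signed(buf_size: int, length_bits: int) -> bool:
    """Comparing a length as a signed int: a negative value passes `length <= size`,
    then becomes enormous when handed to a size_t copy routine."""
    return to_s32(length_bits) <= buf_size


def bounds_check_correct(buf_size: int, offset: int, length: int) -> bool:
    """The check that cannot wrap: reject anything outside the unsigned range up
    front, then compare against the remaining room instead of adding."""
    for value in (buf_size, offset, length):
        if not 0 <= value <= MASK32:
            return False
    return offset <= buf_size and length <= buf_size - offset


def copy_into_buffer(buf: bytearray, offset: int, data: bytes) -> int:
    """A write guarded by the correct check: the classic buffer overrun is
    refused instead of spilling past the end of `buf`. Returns bytes written."""
    if not bounds_check_correct(len(buf), offset, len(data)):
        raise ValueError("write would exceed buffer")
    buf[offset:offset + len(data)] = data
    return len(data)


if __name__ == "__main__":
    # 1000 + 0xFFFFFF00 wraps to 744 in uint32, so the naive check passes.
    print(bounds_check_wrapping(1024, 1000, 0xFFFFFF00), bounds_check_correct(1024, 1000, 0xFFFFFF00))
```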

IX. Summarize the occurrence of C++ catastrophes. Note that this programming language has been around for nearly 40 years, and due to its age, security concerns have arisen. Since operating system APIs use pointers to control code execution, they are susceptible to having program flow diverted, which opens the door for a hacker to take them over.

X. Explain that effective software can catch and resolve exceptions, which are unusual situations that require special processing.

XI. Define command injection and explain that command injection problems occur when user input is passed directly to a compiler or interpreter. The underlying issue is the developer’s failure to ensure that command input is validated before it is used in the program.

XII. Comprehend that failure to handle errors can cause a variety of unexpected system behaviors. Programmers are expected to anticipate problems and prepare their application code to handle them.

XIII. Analyze that information leakage is one of the most common methods of obtaining inside and classified information, directly or indirectly, from an individual, usually an employee. By warning employees against disclosing information, organizations can protect the secrecy of their operations.

XIV. Justify that a race condition is the failure of a program that occurs when an unexpected ordering of events in the execution of the program results in a conflict over access to the same system resource.

XV. Stress that employees prefer to do things “the easy way” when the official way is too difficult or cumbersome to complete. They must be reminded that there is only one way to do things—the secure way! If users choose the easier way, they are likely to experience loss of some kind very quickly.


XVI. Relate that the complexity of updating applications and/or systems increases over time, and without catching the errors, they become harder to find. As a result, hackers can sneak in through those vulnerabilities and create an urgent security risk.

XVII. Recall that when computers have more privileges than they need, this sets up numerous critical security issues. One of the greatest concerns in this area occurs when individuals download and run code from public sources, like Web sites.

XVIII. Distinguish the fact that mobile code is an application, applet, macro, or script that may be embedded in another application or document and thus downloaded and executed without the user even knowing, and especially without consenting. This also creates a potential security risk.

XIX. Discuss, in the context of cryptography, how weak passwords are an open door for hackers and viruses to work their way into systems. As one of many safeguards to protect access, administrators should limit the number of times an incorrect password can be entered.

XX. Discuss the failure to use cryptographically strong random numbers. Many computer systems use random number generators. These “random” number generators use a mathematical algorithm, based on a seed value and another system component (such as the computer clock), to simulate a random number. Those who understand the workings of such a “random” number generator can predict values at particular times.
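The random number item above, as an added example (not code from the text): a token built from a clock-seeded algorithmic generator is reproducible by anyone who knows the seed, beside one drawn from the operating system's CSPRNG, applied to the password-reset tokens where the difference matters. The token format and the reset store are constructed assumptions.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import Optional


def weak_token(seed: Optional[int] = None) -> str:
    """The pattern the text warns about: an algorithmic generator seeded from the
    clock. Anyone who can reproduce the seed reproduces every value it emits."""
    rng = random.Random(int(time.time()) if seed is None else seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(16))


def strong_token() -> str:
    """Drawn from the operating system's CSPRNG through the secrets module;
    no seed exists for anyone to reproduce."""
    return secrets.token_hex(16)


class ResetTokenStore:
    """Password-reset tokens: issue strong tokens, keep only their hashes on the
    server (a leaked table is then useless), and compare in constant time."""

    def __init__(self) -> None:
        self._hashes: dict = {}

    def issue(self, user: str) -> str:
        token = strong_token()
        self._hashes[user] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def redeem(self, user: str, presented: str) -> bool:
        stored = self._hashes.get(user)
        if stored is None:
            return False
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(stored, candidate):
            return False
        del self._hashes[user]  # single use: a redeemed token cannot be replayed
        return True


if __name__ == "__main__":
    # Same seed, same "random" token: the predictability the text describes.
    print(weak_token(1234) == weak_token(1234), strong_token() == strong_token())
```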

XXI. Emphasize that cryptography is a powerful tool to protect information, especially information that may travel outside the organization’s protective networks and systems. Using untested or undertested cryptographic algorithms and programs can cause issues. Using weak crypto keys or reusing the same crypto keys can cause issues, as can sending crypto keys through the same medium as the encrypted messages.

XXII. Describe the failure to protect network traffic and explain that with the growing popularity of wireless networking comes a corresponding increase in the risk that wirelessly transmitted data will be intercepted. Most wireless networks are installed and operated with little or no protection for the information that is broadcast between the client and the network wireless access point. Without appropriate encryption (such as that afforded by WPA), attackers can intercept and view your data. Traffic on a wired network is also vulnerable to interception in some situations.

XXIII. Discuss the improper use of SSL. Programmers use Secure Sockets Layer (SSL) to transfer sensitive data such as credit card numbers and other personal information between a client and server. SSL and its successor, Transport Layer Security (TLS), both need certificate validation to be utterly secure. Failure to use secure HTTP, to validate the certificate authority and then validate the certificate itself, or to validate the information against a certificate revocation list (CRL), can compromise the security of SSL traffic.

XXIV. Explain that the DNS is a core function of the Internet and World Wide Web and that it is subject to cache poisoning. In other words, when the DNS is compromised, the valid IP address associated with a domain name is changed to one the attacker chooses, usually a fake Web site designed to obtain personal information or one that accrues a benefit to the attacker—for example, redirecting shoppers from a competitor’s site. This may include additional attacks on other primary and secondary DNS servers linked to a specific domain.
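The improper-use-of-SSL item (XXIII) above, as an added example (not code from the text): a client TLS configuration that skips the validation steps the text lists, beside the hardened one, with an audit function that reports each missing step. Uses only Python's standard ssl module; the `cafile` argument is an assumed path to a CA bundle.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The misuse the text describes: the channel is encrypted, but the peer's
    certificate is never validated, so an interceptor's certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile=None) -> ssl.SSLContext:
    """The validation chain from the text: trusted CA, then the certificate itself
    and the hostname, then revocation. `cafile` (assumed) overrides the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # certificate must chain to a trusted CA
    ctx.check_hostname = True            # certificate must name the host we dialled
    # CRL checking of the leaf certificate; OpenSSL then fails closed unless a CRL
    # for the issuer has been loaded through ctx.load_verify_locations().
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Report each missing validation step, the way a code review would."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions accepted")
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append("no revocation (CRL) check")
    return findings


def is_hardened(ctx: ssl.SSLContext) -> bool:
    return not audit_context(ctx)


if __name__ == "__main__":
    print(audit_context(insecure_context()))  # lists the skipped steps
    print(audit_context(secure_context()))    # []
```

Handing the hardened context to http.client or urllib (rather than leaving verification off) is what turns "secure HTTP" from a nominal into an actual guarantee.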

XXV. Stress the issue of neglecting change control. Developers use a process known as change control to ensure that the working system delivered to users represents the intent of the developers. Change control processes ensure that developers do not work at cross purposes by altering the same programs or parts of programs at the same time. They also ensure that only authorized changes are introduced and that all changes are adequately tested before being released.

Technological Obsolescence

I.

Discuss how antiquated or outdated infrastructure leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks.

II.

Explain that proper planning by management should prevent technology from becoming obsolete. However, when obsolescence is identified, management must take immediate action.

III.

Illustrate examples of obsolete technologies as provided in Figure 2-20 within the text. If available, provide additional examples of items virtually or in person.

Theft

I.

Define theft as the illegal taking of another’s property. Within an organization, that property can be physical, electronic, or intellectual.

II.

Summarize how physical theft can be controlled quite easily. Many measures can be taken, including locking doors, training security personnel, and installing alarm systems.

III.

Contrast electronic theft, however, as a more complex problem to manage and control. Organizations may not even know it has occurred.

Quick Quiz 2

1. Using a known or previously installed access mechanism is known as which of the following?
   a. hidden bomb
   b. vector
   c. spoof
   d. back door
   Answer: d

2. True or False: When a program tries to reverse-calculate passwords, this is known as a brute force spoof.
   Answer: False

3. True or False: Warnings of attacks that are not valid are usually called hoaxes.
   Answer: False

4. What is another name for a man-in-the-middle attack?
   a. TCP hijacking
   b. mail bombing
   c. spoofing
   d. denial of service
   Answer: a

5. Which of the following is an application error that occurs when more data is sent to a program buffer than it is designed to handle?
   a. buffer underrun
   b. buffer overrun
   c. heap overflow
   d. heap attack
   Answer: b

6. True or False: A SQL injection occurs when developers fail to properly validate user input before using it to query a relational database.
   Answer: True

7. True or False: The Domain Name System (DNS) is a function of the World Wide Web that converts a URL (Uniform Resource Locator) such as www.course.com into the IP address of the Web server host.
   Answer: True

[return to top]

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:

1. Discuss the differences between a threat and an attack. How are they similar and how are they different with respect to the need for information security at an organization? (2.1, 2.3, PPT Slides 3, 10, 73–76) Duration 15 minutes.

2. Detail the reasons why everyone in an organization should be responsible for information security and not just persons in information technology or security. What are the consequences to users and the firm with a tunnel vision-based approach? (2.2, 2.4, PPT Slides 8–10, 68–70, and 72) Duration 15 minutes.

3. Is there an ethically acceptable reason to study and use the various attack methods described in this chapter? Why or why not? (2.3, 2.4, PPT Slides 3–10 and 33–35) Duration 15 minutes.

[return to top]

Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. Students will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments

Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:

1. Using the Internet, browse www.cert.org and find the most recent CERT advisory. Have students report on any recent vulnerabilities posted on the site.

2. Using the Internet, find and read the SANS/FBI Top 20 Vulnerabilities. Assign each student 1 or 2 of the 20 vulnerabilities listed and have them identify the threat group and threat category it warns about.

[return to top]

Additional Resources

Cengage Video Resources
• MindTap Video: Information Security Terminology

Internet Resources
• Build Security In: Making the Case for Software Assurance
• Build Security In: Secure Software Development Lifecycle
• Cross-Site Scripting FAQ
• Governing for Enterprise Security Implementation Guide
• Hackers Breached Colonial Pipeline Using Compromised Password
• Verizon Data Breach Investigations Report (2016)

[return to top]


Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 (Exceeds Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 (Meets Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 (Needs Improvement)
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 (Inadequate)
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]


Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 3: Information Security Management

Table of Contents

Purpose and Perspective of the Module (page 2)
Cengage Supplements (page 2)
Module Objectives (page 2)
Complete List of Module Activities and Assessments (page 3)
Key Terms (page 3)
What's New in This Module (page 7)
Module Outline (page 7)
Discussion Questions (page 35)
Suggested Usage for Lab Activities (page 35)
Additional Activities and Assignments (page 37)
Additional Resources (page 37)
  Cengage Video Resources (page 37)
  Internet Resources (page 37)
Appendix (page 39)
  Grading Rubrics (page 39)


Purpose and Perspective of the Module

Maintaining the security of information is paramount to any organization thriving and surviving in the digital age. In this module, students will gain an understanding of the different management functions that are required to maintain information security. One important topic within this area is information security governance; think of it as the guardrails for maintaining and protecting information in an organization. Management’s role in governance is critical to policies, procedures, standards, practices, and guidelines. Students will also learn which elements belong in security education and training and what makes up a security blueprint. This module is a foundational piece for comprehending the more complex topics later in the text.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:

3.1 Describe the different management functions with respect to information security.

3.2 Define information security governance and list the expectations of the organization’s senior management with respect to it.

3.3 Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.

3.4 List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization.

3.5 Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program.


Complete List of Module Activities and Assessments

For additional guidance, refer to the MindTap Educator Guide. Each entry lists the activity or assessment, the module objectives and PPT slides (or MindTap) it belongs to, and its duration.

Knowledge Check Activity 1 (Module Objectives 3.1, 3.2, and 3.3; PPT slides 16–17): 2 minutes

Knowledge Check Activity 2 (Module Objectives 3.4 and 3.5; PPT slides 37–38): 2 minutes

Knowledge Check Activity 3 (Module Objectives 3.4 and 3.5; PPT slides 53–55): 2 minutes

Self-Assessment (Module Objectives 3.1–3.5; PPT slides 62–63): 5 minutes

Module 03 Review Questions (MindTap): 30–40 minutes

Module 03 Case Exercises (MindTap): 30 minutes

Module 03 Exercises (MindTap): 10–30 minutes per question; 1+ hour per module

Module 03 Security for Life (MindTap): 1+ hour

Module 03 Quiz (MindTap): 10–15 minutes

[return to top]

Key Terms

In order of use:

strategic planning: The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.

goals: A term sometimes used synonymously with objectives; the desired end of a planning cycle.

strategic plan: The documented product of strategic planning; a plan for the organization’s intended strategic efforts over the next several years.

objectives: A term sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals.

governance, risk management, and compliance (GRC): An approach to information security strategic guidance from a board of directors’ or senior management perspective that seeks to integrate the three components of information security governance, risk management, and regulatory compliance.

governance: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

corporate governance: Executive management’s responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.

information security governance: The application of the principles and practices of corporate governance to the information security function, emphasizing the responsibility of the board of directors and/or senior management for the oversight of information security in the organization.

tactical plan: The documented product of tactical planning; a plan for the organization’s intended tactical efforts over the next few years.

operational plan: The documented product of operational planning; a plan for the organization’s intended operational efforts on a day-to-day basis for the next several months.

tactical planning: The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.

operational planning: The actions taken by management to specify the short-term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives.

policy: Instructions that dictate certain behavior within an organization.

standard: A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

de facto standard: A standard that has been widely adopted or accepted by a public group rather than a formal standards organization.

de jure standard: A standard that has been formally evaluated, approved, and ratified by a formal standards organization.

guidelines: Nonmandatory recommendations the employee may use as a reference in complying with a policy.

procedures: Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.

practices: Examples of actions that illustrate compliance with policies.

information security policy: Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.

enterprise information security policy (EISP): The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts; also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.

issue-specific security policy (ISSP): An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

systems-specific security policies (SysSPs): Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups—managerial guidance and technical specifications—but may be written as a single unified SysSP document.

managerial guidance SysSP: A policy that expresses management’s intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective.

technical specifications SysSP: A policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective; usually includes details on configuration rules, systems policies, and access control.

access control list (ACL): Specifications of authorization that govern the rights and privileges of users to a particular information asset; includes user access lists, matrices, and capabilities tables.

capabilities table: A lattice-based access control with rows of attributes associated with a particular subject (such as a user).

access control matrix: An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings; contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user.

configuration rules: The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.

policy administrator: An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.

sunset clause: A component of policy or law that defines an expected end date for its applicability.

security education, training, and awareness (SETA): A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization’s employees.

information security blueprint: In information security, a framework or security model customized to an organization, including implementation details.

information security framework: In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls.

information security model: A well-recognized information security framework, usually promoted by a government agency, standards organization, or industry group.

managerial controls: Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization’s security administration; they include governance and risk management.

operational controls: Information security safeguards focusing on lower-level planning that deals with the functionality of the organization’s security; they include disaster recovery planning, incident response planning, and SETA programs.

technical controls: Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets; they include firewalls, virtual private networks, and IDPSs.

defense in depth: A strategy for the protection of information assets that uses multiple layers and different types of controls to provide optimal protection; typically, implementation of many different types of controls.

redundancy: The use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information; typically, multiple instances of the same type of control.

security perimeter: The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas.

security domain: An area of trust within which information assets share the same level of protection; communication between these trust areas requires evaluation of communications traffic.

[return to top]


What's New in This Module

The following elements are improvements in this module from the previous edition:
• This module was mostly drawn from Chapter 4 in the 6th edition.
• The internal organization of the module was restructured to an updated approach, expanding from planning to a more complete presentation on security management.
• The content on contingency planning was moved to Module 5.
• The entire module was refreshed with a general update and given more current examples.

[return to top]

Module Outline

Introduction to the Management of Information Security (3.1, PPT Slides 3–5)

I.

Stress that an information security program begins with policies, standards, and practices that are the foundation for the program and its blueprint. This will require coordinated planning, and it should be done regardless of an organization’s size.

II.

Denote that the information security (InfoSec) team’s goals are different from information technology’s goals: the primary focus of the IT group is to ensure the effective and efficient processing of information, whereas the primary focus of the InfoSec group is to ensure the confidentiality, integrity, and availability of information.

III.

Propose to students that even though security slows down the flow of information, the validation, verification, and assessment against attacks are worth the sacrifice so that an organization can run properly.

IV.

List out “the six Ps” of information security management: planning, policies, programs, protection, people, and project management. These are discussed further in the subsections below.

Planning

I.

Outline that within the planning stage of the InfoSec model are activities that are necessary to support the design, creation, and implementation of strategies within the planning environments of an organization. Emphasize that this does include the information technology (IT) department.


II.

Report that information received from other departments is essential so that the chief information security officer (CISO) and chief information officer (CIO) can develop strategies from the top down in the firm.

III.

Classify that the net result of these initiatives is to protect the organization from unexpected incidents and to be able to respond to them in a timely and efficient manner.

Policy

I.

Review the three categories of policy that are presented here. Note that these are covered in more depth later in the module:
• Enterprise information security policy (EISP): Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts the program policy, which is usually supported and signed by the CIO or the CEO.
• Issue-specific security policies (ISSPs): These are sets of rules that define acceptable behavior within a specific organizational resource, such as e-mail or Internet usage.
• Systems-specific policies (SysSPs): A merger of technical and managerial intent, SysSPs include both the managerial guidance for the implementation of a technology as well as the technical specifications for its configuration.

Programs

I.

Relate that InfoSec operations that are specifically managed are often known as programs (or entities). Apply the example of security education, training, and awareness (SETA) programs or a risk management program.

II.

Give additional examples of different programs that may be part of InfoSec operations.

Protection

I.

Summarize that the protection function is done through a set of risk management activities in addition to protection mechanisms, technologies, and tools. Note that these are critical pieces of an overall InfoSec plan.

People

I.

Emphasize that people are the most critical link of the InfoSec program. State that people may include security personnel (professional information security employees), the security of personnel in an organization, and items mentioned in the SETA.

Projects

I.

Recognize that whatever will be implemented in the InfoSec space, it must be managed as a project.

II.

Identify that project management involves the application of a project management discipline to all elements of the InfoSec program. Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.

III.

Provide examples of projects that an information security manager may want to execute to maintain information assets in the organization.

Information Security Planning and Governance (3.2, PPT Slides 6–11)

I.

Explain that long-term strategic planning is critical to the information security program and that the planning effort should have specific clearly defined goals for the organization.

II.

Discuss the organization of the planning process from the broad goals and vision of the organization down to the division and subsequent levels of the organization.

III.

Remind students that the translation of goals at one level into actionable items at the next level depends on the skill of the executive in charge of that level and is more art than science.

IV.

Analyze and present to students that the executives are often the decision makers and may be referred to as the C-level or C-suite.

Information Security Leadership

I.

Recognize that the information security function that delivers strategic planning and corporate responsibility is best done applying the approach of governance, risk management, and compliance (GRC).

II.

Comment that risk is not just strictly a responsibility of the InfoSec team but rather the whole organization.

III.

Classify that InfoSec objectives must be addressed at the highest levels of an organization’s management team. This must be done so the effectiveness and sustainability of any approach is achieved.

IV.

Compare and contrast the differences between corporate and information security governance.

V.

Outline the core set of activities provided by the Corporate Governance Task Force (CGTF) needed to develop and implement an InfoSec governance program: •

Conduct an annual InfoSec evaluation, the results of which the CEO should review with staff and then report to the board of directors.


• Conduct periodic risk assessments of information assets as part of a risk management program.

• Implement policies and procedures based on risk assessments to secure information assets.

• Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.

• Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information.

• Treat InfoSec as an integral part of the system life cycle.

• Provide InfoSec awareness, training, and education to personnel.

• Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures.

• Create and execute a plan for remedial action to address any InfoSec inefficiencies.

• Develop and implement incident response procedures.

• Establish plans, procedures, and tests to provide continuity of operations.

• Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance.

VI. Distinguish that ISO 27014:2013 is the ISO 27000 series standard for Governance of Information Security and list the six high-level “action-oriented” principles that make up this standard:

• Establish organization-wide information security.

• Adopt a risk-based approach.

• Set the direction of investment decisions.

• Ensure conformance with internal and external requirements.

• Foster a security-positive environment.

• Review performance in relation to business outcomes.

VII. Outline the five governance processes that should be adopted by the organization’s executive management and governing board and that are also part of the ISO 27014:2013 standard:

• Evaluate: Review the status of current and projected progress toward organizational information security objectives and decide whether modifications of the program or its strategy are needed to keep on track with strategic goals.

• Direct: The board of directors provides instruction for developing or implementing changes to the security program. This could include modification of available resources, structure of priorities of effort, adoption of policy, recommendations for the risk management program, or alteration to the organization’s risk tolerance.

• Monitor: The review and assessment of organizational information security performance toward goals and objectives by the governing body. Monitoring is enabled by ongoing performance measurement.

• Communicate: The interaction between the governing body and external stakeholders, where information on organizational efforts and recommendations for change are exchanged.

• Assure: The assessment of organizational efforts by external entities like certification or accreditation groups, regulatory agencies, auditors, and other oversight entities, to validate organizational security governance, security programs, and strategies.

Apply Figure 3-1 as an additional visual to assist students with the comprehension of this standard.

VIII. Review the Information Technology Governance Institute’s view on information governance and how it is similar to and different from the ISO standard. Note that in their eyes, the following must be provided by the board of directors and executive management:

• Strategic direction

• Establishment of directives

• Progress measurement

• Verification that risk management practices are appropriate

• Validation that the organization’s assets are used properly

IX. Reference Figure 3-2 as a summarized view of information security governance, roles, and responsibilities for personnel in an organization.

Information Security Governance Outcomes

I. State that governance describes the entire process of governing, or controlling, the processes used by a group to accomplish some objective.

II. Define the term governance and explain why the board of directors is the body that must be involved to provide strategic direction. Note the five key tasks it is responsible for:

• Strategic direction

• Establishment of objectives

• Measurement of progress toward these objectives

• Verification that risk management practices are appropriate

• Validation that the organization’s assets are used properly

III. List the five goals of information security governance:

• Strategic alignment of information security with business strategy to support organizational objectives

• Risk management by executing appropriate measures to manage and mitigate threats to information resources

• Resource management by utilizing information security knowledge and infrastructure efficiently and effectively

• Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved

• Value delivery by optimizing information security investments in support of organizational objectives

Planning Levels

I. Explain to students that strategic plans and objectives are used to create tactical plans, which are in turn used to develop operational plans.

II. Compare and contrast tactical planning (one- to two-year timelines) with operational planning (day-to-day tasks).

III. Discuss how the chief information security officer (CISO) uses tactical plans to organize, prioritize, and acquire resources for major projects.

Planning and the CISO

I. Remind students that the primary objective of the CISO and the Information Security (IS) management team is to create the security strategic plan. Explain that this plan is an evolving statement of how the CISO will implement the objectives expressed in the Enterprise Information Security Plan.

II. Stress that clearly directed strategies flow from top to bottom, and that a systematic approach is required so that all members of an organization are aware of them.

III. Define that everyone in the organization will likely use the information provided, not just information security or technology professionals.

Quick Quiz 1


1. What type of planning occurs where the actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals are followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives?
a. strategic
b. tactical
c. operational
d. financial
Answer: b

2. According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation, reporting security vulnerabilities, and breaches?
a. Chief executive officer
b. Mid-level managers
c. Janitorial staff
d. Enterprise staff/employees
Answer: d

3. The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body.
a. evaluate
b. direct
c. monitor
d. assure
Answer: c

4. True or False: ISO 27014:2021 is the ISO 27000 series standard for Governance of Information Security.
Answer: False

5. True or False: Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward specific, clearly defined goals.
Answer: True


Information Security Policy, Standards, and Practices (3.3, PPT Slides 12–13 and 18–30)

I. Establish how management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment.

II. Explain how policies direct how issues should be addressed and how technologies should be used.

III. Emphasize that they should not explain the proper operation of hardware or software. This information should be placed in standards, procedures, and systems documentation.

IV. State that policies should never contradict law, and that they must be properly administered through dissemination and documented acceptance.

V. Explain that quality security programs begin and end with policy.

VI. Report how security policies are the least expensive control to execute, but the most difficult to implement properly.

Policy as the Foundation for Planning

I. Explain how policies are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization’s culture. Like laws, policies must contain information on what is right and wrong, what the penalties are for violating policy, and what the appeal process is.

II. Contrast standards, which are more detailed statements of what must be done to comply with policy, with the broader policies themselves.

III. Discuss how the level of acceptance of standards may be informal, as in de facto standards. Alternatively, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards.

IV. Identify the relationship between policies, processes, practices, procedures, and guidelines as outlined in Table 3-1.

V. Relate that the meaning of the term security policy depends on the context in which it is used. As mentioned by the authors, this is a set of rules that protect an organization’s assets.

VI. Define the term information security policy as the rules for protecting an organization’s information assets. Reference NIST’s SP 800-14 for the three types of security policy:

• Enterprise information security policies

• Issue-specific security policies


• Systems-specific security policies

VII. Emphasize how, for a policy to be effective and legally enforceable, it must be properly disseminated, read, understood, agreed to, and enforced equally upon all members of the organization.

Enterprise Information Security Policy

I. Detail how an enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. This policy sets the strategic direction, scope, and tone for all security efforts within the organization.

II. Arrange the understanding that the EISP is often an executive-level document drafted by the CIO and is about 2 to 10 pages long.

III. Recall the guidance that NIST provides and that the EISP typically addresses compliance in the following two areas:

• General compliance to ensure meeting the requirements to establish a program and the responsibilities assigned therein to various organizational components.

• The use of specified penalties and disciplinary action.

EISP Elements

I. Construct the following elements that an EISP should have. Give students an opportunity to review Table 3-2 as an example of what is included in an EISP.

• An overview of the corporate philosophy on security

• Information on the structure of the information security organization and people who fulfill the information security role

• Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)

• Fully articulated responsibilities for security that are unique to each role within the organization

Issue-Specific Security Policy

I. Explain how, as an organization puts various technologies and processes into use to support routine operations, certain guidelines are needed to instruct employees to use these technologies and processes properly.

II. Review the purpose of the ISSP and the components that, at a minimum, should be included within it:

• Addresses specific areas of technology


• Requires frequent updates

• Contains a statement on the organization’s position on a specific issue

III. Outline topics that are often part of an issue-specific security policy (ISSP):

• E-mail

• Use of the Internet and World Wide Web

• Specific minimum configurations of computers to defend against worms and viruses

• Prohibitions against hacking or testing organization security controls

• Home use of company-owned computer equipment

• Use of personal equipment on company networks (BYOD: bring your own device)

• Use of telecommunications technologies, such as fax and phone

• Use of photocopy equipment

• Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players, and any other device capable of storing digital files

• Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract; such services include Google Drive, Dropbox, and Microsoft OneDrive

• Use of networked infrastructure devices, “intelligent assistants” such as Google Assistant and Amazon Echo, and accompanying devices usually classified as the Internet of Things (IoT)

• Use of programmable logic controller (PLC) devices and associated control protocols with corporate data networks and production-focused industrial networks

IV. Propose the three common ways that ISSPs can be created within an organization: independent ISSPs, each tailored to a specific issue; a single comprehensive ISSP document that covers all issues; or a modular ISSP document that unifies policy creation and administration while giving autonomy to each specific issue’s requirements.

V. Critique the three different approaches to ISSP development and conclude that the optimal balance between the independent and comprehensive ISSP is the modular ISSP approach.

VI. Name the core components of an ISSP as outlined in Table 3-3. Emphasize that these are explained in detail within this part of the module.

Statement of Policy

I. Detail the purpose of a statement of policy. Emphasize that it should begin with a clear statement of purpose.

II. Comment that within the introductory section, the following questions should be answered:

• What is the scope of the policy?

• Who is responsible and accountable for policy implementation?

• What technologies and issues does the policy document address?

Authorized Access and Usage of Equipment

I. Justify that this section of the policy statement addresses who can use the technology governed by the policy, and the purposes for which it can be used.

II. Assess that, additionally, this section defines “fair and responsible use” of equipment and other organizational assets and should also address key legal issues, such as protection of personal information and privacy.

Prohibited Use of Equipment

I. Stress that this section of the policy provides strict guidance on the uses of the technology that are prohibited.

II. Predict the fact that an organization and its employees cannot be penalized if a particular use is strictly prohibited.

Systems Management

I. Explain that this section focuses on the users’ relationship to systems management.

II. Emphasize that it is important to identify all responsibilities delegated to both users and systems administrators to avoid confusion.

Violations of Policy

I. Label this part of the policy as the consequences and penalties for violating an information security policy.

II. Guide students to understand that this section also provides instructions on how to report policy violations.

Policy Review and Modification

I. Explain that each policy should have a procedure and a timetable for periodic review.

Limitations of Liability


I. Recall that this section is often the final section of a policy and contains a general statement of liability or disclaimers.

II. Summarize that the policy should state that if employees violate a company policy or any law using company technologies, the company will not protect them and is not liable for their actions.

Systems-Specific Security Policy (SysSP)

I. Emphasize that while issue-specific policies are formalized as written documents to be distributed to users and agreed to in writing, SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems.

II. Explain that systems-specific policies can be combined into a single policy document or separated into two groups: managerial guidance and technical specifications.

Managerial Guidance of SysSPs

I. Discuss the managerial guidance SysSPs. Note that a managerial guidance SysSP document is created by leadership to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information.

II. Establish an understanding that any system that affects the confidentiality, integrity, or availability of information must be assessed to evaluate the trade-off between improved security and restrictions.

Technical Specifications of SysSPs

I. Discuss that while a manager can work with a systems administrator to create managerial policy as described in the preceding section, the system administrator may need to create a policy to implement the managerial policy.

II. State the purpose and definition of access control lists (ACLs). Comment that these are user access lists, matrices, and capability tables that govern the rights and privileges of users. A capability table specifies which subjects and objects users or groups can access; in some systems, capability tables are called user profiles or user policies.

III. Summarize the purpose of an ACL and what it regulates:

• Who can use the system

• What authorized users can access

• When authorized users can access the system

• Where authorized users can access the system from


IV. Recall the purpose of configuration rule policies: they are specific instructions entered into a security system that govern how it reacts to data it receives. Note that these are more specific than ACLs to the operation of a system and may or may not deal with users directly.
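As an added illustration of the four questions an ACL answers (who, what, when, and where from), the following is a small default-deny evaluator over a capability table. It is example code written for this section, not code from the textbook or its instructor materials; the users, groups, objects, time windows, and networks in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One row of a capability table: WHO may do WHAT to an object, WHEN, and from WHERE."""
    subject: str                 # who: a user name or a group name
    obj: str                     # the protected object (system, file, application)
    actions: FrozenSet[str]      # what the subject may do to it
    window: Tuple[time, time]    # when: time-of-day window; start > end wraps past midnight
    sources: Tuple[str, ...]     # where from: CIDR networks the request may originate in


# Constructed group membership, standing in for a directory lookup.
GROUP_MEMBERS: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"alice", "carol"}),
    "helpdesk": frozenset({"bob"}),
}

# Constructed ACL for the example; the objects, networks and windows are invented.
ACL: Tuple[AclEntry, ...] = (
    AclEntry("finance", "payroll", frozenset({"read", "write"}),
             (time(8, 0), time(18, 0)), ("10.0.1.0/24",)),
    AclEntry("helpdesk", "ticketing", frozenset({"read", "write"}),
             (time(0, 0), time(23, 59, 59)), ("10.0.0.0/8",)),
    AclEntry("backup-svc", "payroll", frozenset({"read"}),
             (time(22, 0), time(4, 0)), ("10.0.9.0/24",)),   # overnight window
)


def principals_for(user: str) -> FrozenSet[str]:
    """A user acts as themselves plus every group they belong to."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    return frozenset({user} | groups)


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t lies inside the window; a window whose start is after its end wraps midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def from_allowed_source(src: str, sources: Tuple[str, ...]) -> bool:
    """True if the request's source address lies in one of the entry's networks."""
    addr = ip_address(src)
    return any(addr in ip_network(net) for net in sources)


def evaluate(user: str, obj: str, action: str, when: datetime,
             src: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Default-deny decision: the request is allowed only if some entry passes every check.

    Returns (allowed, details). details maps the subject of each entry that names this user
    (or one of their groups) and this object to the checks that entry failed, drawn from
    "what", "when" and "where". An empty details dict means no entry covers the subject and
    object at all, i.e. the WHO check failed; an empty list means that entry grants the request.
    """
    subjects = principals_for(user)
    details: Dict[str, List[str]] = {}
    allowed = False
    for entry in ACL:
        if entry.subject not in subjects or entry.obj != obj:
            continue
        failed: List[str] = []
        if action not in entry.actions:
            failed.append("what")
        if not in_window(when.time(), entry.window):
            failed.append("when")
        if not from_allowed_source(src, entry.sources):
            failed.append("where")
        details[entry.subject] = failed
        if not failed:
            allowed = True
    return allowed, details


def is_allowed(user: str, obj: str, action: str, when: datetime, src: str) -> bool:
    """Convenience wrapper returning only the access decision."""
    return evaluate(user, obj, action, when, src)[0]


def at(hour: int, minute: int = 0) -> datetime:
    """A request timestamp on a fixed, constructed date (only the time of day matters here)."""
    return datetime(2024, 3, 4, hour, minute)


if __name__ == "__main__":
    print(is_allowed("alice", "payroll", "read", at(10), "10.0.1.5"))       # True
    print(evaluate("alice", "payroll", "read", at(22, 30), "203.0.113.9"))  # (False, {'finance': ['when', 'where']})
    print(evaluate("bob", "payroll", "read", at(10), "10.0.1.5"))           # (False, {})
```

The details returned by evaluate are the kind of information a configuration rule or audit log needs in order to say which of the four conditions a denied request failed.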

Combination SysSPs

I. Explain that many organizations create a single document that combines the management guidance SysSP and the technical specifications SysSP. This is often confusing to casual users but is practical since it puts the guidance from both managerial and technical perspectives in a single place.

Developing and Implementing Effective Security Policy

I. Develop the six tasks that must be done properly in order for a policy to be legally defensible:

• Development: Policies must be written using industry-accepted practices and formally approved by management.

• Dissemination: Policies must be distributed using all appropriate methods.

• Review: Policies must be readable and read by all employees.

• Comprehension: Policies must be understood by all employees.

• Compliance: Policies must be formally agreed to by act or affirmation.

• Enforcement: Policies must be uniformly applied to all employees.

Developing Information Security Policy

I. Outline that in most cases, policy development consists of three parts:

• The policy is designed and written.

• Senior management or an executive, along with legal counsel, reviews and approves the document.

• Management processes are developed in the final stage, which, in turn, results in policy enforcement within the organization.

II. Emphasize the importance of security managers using all resources available to create policies, but giving credit where it is due when referencing external sources outside of the organization.

Policy Distribution

I. Compare and contrast the options of providing hard-copy policy documents and electronic ones.


II. Stress that distribution of materials, regardless of method, may still not reach individuals. Unlike in law, ignorance of policy, where policy is inadequately distributed, is considered an acceptable excuse.

III. Distinguish that distribution of classified policies—those containing confidential information—requires additional levels of controls, in the labeling of the document, in the dissemination and storage of new policy, and in the collection and destruction of older versions, to ensure the confidentiality of the information contained within the policy documents themselves.

Policy Review

I. Identify that one of the common barriers to employees reading policies arises from literacy or language issues. Provide the fact that, according to Macrotrends, 1 in 15 adults cannot read and write with understanding. Language issues are even more prevalent in organizations with multiple locations around the world.

II. Stress that alternate forms of materials, such as braille, an audio version, or a sign language interpreter of policies, must be available to accommodate employees who are visually impaired or deaf.

Policy Comprehension

I. Review the two aspects of policy comprehension: the target audience can understand the policy, and the organization has assessed how well they understand it.

II. Apply the use of software or add-ons that examine the readability of a document. For example, the Flesch Reading Ease test recommends a score of 60 to 70 on its 100-point scale for corporate documents. The Flesch–Kincaid Grade Level test, in contrast, recommends a score of 7.0 to 8.0 for similar documents.

III. Classify the use of assessments to gauge how well employees comprehend underlying issues. Quizzes and other forms of examination can be employed to assess quantitatively which employees understand the policy by earning a minimum score (e.g., 70 percent) and which employees require additional training and awareness efforts before the policy can be enforced.
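To make the readability check in item II concrete, here is an added example that computes both Flesch scores for a piece of policy text and reports whether they land in the bands quoted above (60 to 70 reading ease, grade level 7.0 to 8.0). This is example code written for this section, not from the textbook or a readability product; the syllable counter is a simple heuristic, and the three sample policy texts are constructed.

```python
import re
from typing import Dict, Tuple

# Recommended bands for corporate documents, as quoted in the module text.
FRE_BAND = (60.0, 70.0)    # Flesch Reading Ease, on its 100-point scale
FKGL_BAND = (7.0, 8.0)     # Flesch-Kincaid Grade Level (U.S. school grade)

# Constructed sample policy sentences; none of these come from the textbook.
SIMPLE_POLICY = ("All staff must use strong passwords. Change your password every three months. "
                 "Never share your password with other people.")
TARGET_POLICY = ("Staff must keep company data safe by using strong passwords and locking their "
                 "screens when away. Report any lost phone or suspected breach to the security "
                 "team within one day.")
DENSE_POLICY = "Personnel shall ensure confidentiality of authentication credentials."


def count_syllables(word: str) -> int:
    """Heuristic English syllable count: vowel groups, minus one for a silent trailing 'e'.

    Good enough to drive a readability score; a dictionary-based counter would be more exact.
    """
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if groups > 1 and w.endswith("e") and not w.endswith(("le", "ee", "ye")):
        groups -= 1
    return max(1, groups)


def text_stats(text: str) -> Dict[str, int]:
    """Sentence, word and syllable totals, the three inputs both Flesch formulas use."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        raise ValueError("text must contain at least one sentence and one word")
    return {"sentences": len(sentences), "words": len(words),
            "syllables": sum(count_syllables(w) for w in words)}


def _averages(text: str) -> Tuple[float, float]:
    """(average sentence length in words, average syllables per word)."""
    s = text_stats(text)
    return s["words"] / s["sentences"], s["syllables"] / s["words"]


def flesch_reading_ease(text: str) -> float:
    """FRE = 206.835 - 1.015 * (words/sentence) - 84.6 * (syllables/word); higher is easier."""
    asl, asw = _averages(text)
    return 206.835 - 1.015 * asl - 84.6 * asw


def flesch_kincaid_grade(text: str) -> float:
    """FKGL = 0.39 * (words/sentence) + 11.8 * (syllables/word) - 15.59; lower is easier."""
    asl, asw = _averages(text)
    return 0.39 * asl + 11.8 * asw - 15.59


def assess_policy_text(text: str) -> Dict[str, object]:
    """Both scores plus whether each lands in the band the module recommends for corporate text."""
    fre = flesch_reading_ease(text)
    fkgl = flesch_kincaid_grade(text)
    return {
        "reading_ease": round(fre, 2),
        "grade_level": round(fkgl, 2),
        "ease_in_band": FRE_BAND[0] <= fre <= FRE_BAND[1],
        "grade_in_band": FKGL_BAND[0] <= fkgl <= FKGL_BAND[1],
    }


if __name__ == "__main__":
    # The simple text scores as too easy for the band, the dense one far too hard,
    # and the target text lands inside both recommended ranges.
    for label, sample in (("simple", SIMPLE_POLICY), ("target", TARGET_POLICY), ("dense", DENSE_POLICY)):
        print(label, assess_policy_text(sample))
```

A score outside the band is a prompt to rewrite the policy, not a pass/fail grade; the quiz-based assessment in item III remains the check that employees actually understood it.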

Policy Compliance

I. Record that an employee must agree, by act or affirmation, to the policies developed within an organization.

II. Emphasize that through direct collection of a signature or the equivalent digital alternative, the organization can prove that it has obtained an agreement to comply with policy, which also demonstrates that the previous conditions have been met.


III. Give an example of what may happen when an employee refuses to agree to comply with a policy. In most cases, they will be terminated. However, organizations can avoid this dilemma by incorporating policy confirmation statements into employment contracts, annual evaluations, or other documents necessary for the individual’s continued employment.

Policy Enforcement

I. Recognize that the final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care about policy management.

II. Consequently, state that if an employee who is punished, censured, or dismissed because of a refusal to follow policy is subsequently able to demonstrate that the policies are not uniformly applied or enforced, the organization may find itself facing punitive as well as compensatory damages.

Policy Development and Implementation Using the SDLC

I. Apply the concept of the systems development life cycle (SDLC) to creating policies.

II. Outline information and processes that the policy development team should obtain in each of the five phases, as arranged below:

• Investigation Phase:

  o Support from senior management, because any project without it has a reduced chance of success. Only with the support of top management will a specific policy receive the attention it deserves from the intermediate-level managers who must implement it and from the users who must comply with it.

  o Support and active involvement of IT management, specifically the CIO. Only with the CIO’s active support will technology-area managers be motivated to participate in policy development and support the implementation efforts to deploy it once created.

  o Clear articulation of goals. Without a detailed and succinct expression of the goals and objectives of the policy, broken into distinct expectations, the policy will lack the structure it needs to obtain full implementation.

  o Participation of the correct individuals from the communities of interest affected by the recommended policies. Assembling the right team, by ensuring the participation of the proper representatives from the groups that will be affected by the new policies, is very important. The team must include representatives from the legal department, the human resources department, and end users of the various IT systems covered by the policies, as well as a project champion with sufficient stature and prestige to accomplish the goals of the project and a capable project manager to see the project through to completion.

  o A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project.

• Analysis Phase:

  o A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization. This risk assessment should include any loss history, as well as past lawsuits, grievances, or other records of negative outcomes from InfoSec areas.

  o The gathering of key reference materials, including any existing policies. Sometimes policy documents that affect InfoSec will be housed in the human resources department as well as the accounting, finance, legal, or corporate security departments.

  o The policy development committee must determine the fundamental philosophy of the organization when it comes to policy. This will dictate the general development of all policies, but in particular, the format to be used in the crafting of all ISSPs. This philosophy typically falls into one of two groups:

    1. “That which is not permitted is prohibited.” Also known as the “whitelist” approach, this is the more restrictive of the two and focuses on creating an approach where specific authorization is provided for various actions and behaviors; all other actions and behaviors (and uses) are prohibited or at least require specific permissions. This approach can impede normal business operations if appropriate options emerge but cannot be incorporated into policy until subsequent revisions are made.

    2. “That which is not prohibited is permitted.” Also known as the “blacklist” approach, this alternate approach specifies what actions, behaviors, and uses are prohibited and then allows all others by default. While easier to implement, this approach can result in issues as more and more areas that should be prohibited are discovered by users.

• Design Phase:

  o Note that the first task in the design phase is drafting the actual document. This is usually done by a single author but is sometimes done by a committee. The following resources are often available:

    1. The Web: You can search for other similar policies. The point here is not to advocate wholesale copying of these policies but to encourage you to look for ideas for your own policy. For example, dozens of policies available on the Web describe fair and responsible use of various technologies. What you may not find, however, are policies that relate to sensitive internal documents or processes.

    2. Government sites: Sites such as http://csrc.nist.gov contain numerous sample policies and policy support documents, including SP 800-100, “Information Security Handbook: A Guide for Managers.” While these policies are typically applicable to federal government Web sites, you may be able to adapt some sections to meet your organization’s needs.

    3. Professional literature: Several authors have published books on the subject. Of particular note is Charles Cresson Wood’s Information Security Policies Made Easy series, which not only provides more than 1,000 pages of policies but also makes those policies available in electronic format, complete with permission to use them in internal documents. Exercise caution when using such resources, however; it is extremely easy to take large sections of policy and end up with a massive, unwieldy document that is neither publishable nor enforceable.

    4. Peer networks: Other InfoSec professionals must write similar policies and implement similar plans. Attend meetings like those offered by the Information Systems Security Association (www.issa.org) or the Information Systems Audit and Control Association (www.isaca.org) and ask your peers.

    5. Professional consultants: Policy is one area of InfoSec that can certainly be developed in-house. However, if your organization does not have the requisite expertise, or if your team simply cannot find the time to develop your own policy, then hiring an outside consultant may be your best option. Keep in mind that no consultant can know your organization as well as you do; you may decide to have the consultant design generic policies that you can then adapt to your specific needs.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


o After the document is drafted and has committee approval, it is sent to the approving manager or executive for sign-off.

Implementation Phase:
o This is the step during which the team must create a strategic plan to distribute and verify the distribution of policies. In most cases, the simplest way to document acknowledgment of a written policy is to attach a cover sheet that states “I have received, read, understood, and agreed to this policy.” The employee’s signature and date provide a paper trail of his or her receipt of the policy.
o Emphasize that a stronger form of acknowledgement requires personnel to take a quiz to test their knowledge of the policy.

o This phase should also include any automated tool used for the creation and management of policy documents, as well as revisions to feasibility analysis reports based on improved cost and benefit estimates as designs are clarified.

Maintenance Phase:
o This is when the policy team monitors, maintains, and modifies existing policies and procedures.
o Options should be available for personnel to anonymously report issues or problems with published policies. This helps ensure uniform policy development and enforcement.

Policy Management
I. Describe the purpose of policy management and stress that policies are living documents that must be managed and nurtured, as they constantly change and grow. These documents must be properly disseminated and managed.
II. Assess situations where special considerations should be made. Give examples such as organizations undergoing mergers, takeovers, and partnerships.
III. Relate that viable security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date.

Responsible Manager
I. Detail that a policy administrator is the person who is responsible for the creation, revision, distribution, and storage of a policy in an organization.
II. Stress that this person does not need expert knowledge of the technologies involved; policy administration requires only a moderate technical background.
III. The policy administrator must be clearly identified in the policy document as the primary point of contact for additional information or suggested revisions to the policy.

Schedule of Reviews
I. Explain that policies can be effective only if they are kept current; hence, an organization must actively work to keep them aligned with the requirements of the market in which it operates.
II. Justify that an annual policy review is a minimum baseline, but it is up to the leadership to determine whether reviews need to be more frequent.

Review Procedures and Practices
I. Explain that to facilitate policy reviews, the policy manager should implement a mechanism by which people can comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box.
II. Assess the benefits of using automation, which can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy.

Policy, Review, and Revision Dates
I. Comment that the simple omission of a date on a policy can cause mass confusion for an organization.
II. Stress that without dates, it will be nearly impossible to determine which version of a policy is the most current or, if a past version needs to be referenced, which one that is.
III. Emphasize that some policies may need a sunset clause that contains an expiration date.

Automated Policy Management
I. Explain that this is a new practice in the workplace that can assist with some of the busywork policy managers have to deal with.
II. Outline that automation streamlines the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy.
III. Quantify to students that the benefits that can be achieved from this include being able to train staff through computer-based training (CBT) and increased awareness of policies and procedures, among others.


Security Education, Training, and Awareness Program (3.4, PPT Slides 31–36)
I. Explain that as soon as the policies outlining the general security policy have been drafted, policies to implement security education, training, and awareness (SETA) programs in the organization should follow.
II. Describe the SETA program, which is a control measure designed to reduce the incidence of accidental security breaches by employees. SETA programs are designed to supplement the general education and training programs that many organizations have in place to educate staff on information security.
III. Identify that the SETA program consists of three elements: security education, security training, and security awareness.
IV. Present that the purpose of SETA is to enhance security in the following three ways:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
V. Recommend students review Table 3-4, as it provides a comparative framework of SETA that can be applied to in-class discussions and potential projects.

Security Education
I. Emphasize that everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security.
II. Discuss that when formal education for appropriate individuals in security is needed, with the support of management, an employee can identify curriculum available from local institutions of higher learning or continuing education.

Security Training
I. Relate how security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely.
II. Present how management of information security can develop customized in-house training or outsource the training program. In-house training is beneficial to the organization because it is specific to the organization, although it will likely need adjustment whenever the underlying material changes.


Security Awareness
I. Stress that a security awareness program is one of the least frequently implemented but most beneficial programs in an organization.
II. Explain that a security awareness program is designed to keep information security at the forefront of the users’ minds as they work daily. This helps stimulate them to care about security as well.
III. Establish that if the program is not actively implemented, employees begin to “tune out,” and the risk of employee accidents and failures increases.

Information Security Blueprint, Models, and Frameworks (3.5, PPT Slides 39–52 and 55–58)
I. State how the security blueprint is the basis for the design, selection, and implementation of all security program elements.
II. Explain that the blueprint builds on top of the organization’s information security policies and that it is a scalable, upgradeable, comprehensive plan to meet the organization’s current and future information security needs.
III. Discuss how the blueprint is a detailed version of the information security framework, which is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.
IV. Summarize that one approach to selecting a methodology is to adapt or adopt a published model, or framework, for information security.

The ISO 27000 Series
I. Explain that one of the most widely referenced and often discussed security models is the Information Technology—Code of Practice for Information Security Management, which was originally published as the British Standard BS7799.
II. Outline that in 2000, this code of practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799. Further explain that it was renamed ISO 27002 in 2007 to align it with ISO 27001.
III. Discuss and present the core sections of ISO/IEC 27002:2013, as outlined in Table 3-5 within the textbook.
IV. Evaluate Figure 3-9 and the core steps and deliverables that make up the ISO/IEC 27001:2013 process.

NIST Security Models
I. Reference that, as mentioned in the textbook, an alternate approach is available through the Computer Security Resource Center of the National Institute of Standards and Technology (http://csrc.nist.gov), which provides numerous documents for reference.
II. Emphasize that NIST documents are publicly available at no charge and have been available for some time. They have been broadly reviewed by government and industry professionals, and they are among the references cited by the federal government when it decided not to select the ISO/IEC 17799 standards.
III. Explain how SP 800-12, “An Introduction to Computer Security,” is an excellent reference and guide for the security manager or administrator in the routine management of information security.
IV. Describe SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems,” which provides best practices and security principles that can direct the security team in the development of a security blueprint.
V. List the following NIST documents that can assist in the design of a security framework:
• SP 800-12, Rev. 1: “An Introduction to Information Security”
• SP 800-18, Rev. 1: “Guide for Developing Security Plans for Federal Information Systems”
• SP 800-30, Rev. 1: “Guide for Conducting Risk Assessments”
• SP 800-37, Rev. 2: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”
• SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”
• SP 800-50: “Building an Information Technology Security Awareness and Training Program”
• SP 800-55, Rev. 1: “Performance Measurement Guide for Information Security”
• SP 800-100: “Information Security Handbook: A Guide for Managers”

NIST SP 800-12
I. Recognize that this is an excellent reference and guide for a security manager or administrator in the routine management of information security.
II. Stress that it, however, provides little guidance for the design and implementation of new security systems, and therefore should be used only as a precursor to understanding an information security blueprint.


NIST SP 800-14
I. Present that this provides the best practices and security principles that can direct the security team in the development of a security blueprint.
II. Assess and discuss the philosophical principles that the security team should integrate into the entire security process, as described below:
• Security supports the organization.
• Security is an integral element of sound management.
• Security should be cost-effective.
• Systems owners have security responsibilities outside their own organizations.
• Security responsibilities and accountability should be made explicit.
• Security requires a comprehensive and integrated approach.
• Security should be periodically assessed.
• Security is constrained by societal factors.

NIST SP 800-18, Rev. 1
I. State that this document can be used for a comprehensive security blueprint and framework. It can also be a useful guide to the activities described in this module and an aid in the planning process. It also includes templates for major application security plans.
II. Stress that a blueprint must be customized to meet the needs of an organization.

NIST and the Risk Management Framework
I. Analyze the following with respect to NIST’s approach to managing risk in the organization. Note that this is discussed in more detail in the next module:
• Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
• Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
• Providing essential information to help senior leaders make decisions about accepting risk to an organization’s operations and assets, individuals, and other organizations arising from the use of information systems
II. Examine the characteristics that are part of the Risk Management Framework (RMF):
• Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring
• Encourages the use of automation to provide senior leaders with necessary information to make cost-effective, risk-based decisions about information systems that support an organization’s core missions and business functions
• Integrates information security into the enterprise architecture and system development life cycle
• Emphasizes the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems
• Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function
• Establishes responsibility and accountability for security controls deployed within an organization’s information systems and inherited by those systems (i.e., common controls)

The NIST Cybersecurity Framework
I. Recognize that in early 2014, NIST published a new Cybersecurity Framework in response to Executive Order 13636 from President Barack Obama. The purpose of this was to create a voluntary framework that provides an effective approach to “manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.”
II. Describe that the intent of the framework was to accomplish five things: “1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; and 5) Communicate among internal and external stakeholders about cybersecurity risk.”
III. Outline and summarize the three fundamental components:
• The framework core: A set of information security activities an organization is expected to perform, as well as their desired results.
• The framework tiers: A compilation of a self-defined set of four tiers so organizations can relate the maturity of their security programs and implement corresponding measures and functions.
• The framework profile: Organizations are expected to identify which tier their security programs most closely match and then use corresponding recommendations within the framework to improve their programs. This framework profile is then used to perform a gap analysis—comparing the current state of information security and risk management to a desired state, identifying the difference, and developing a plan to move the organization toward the desired state.
IV. Apply the materials provided in the NIST framework to follow a seven-step approach to implementing or improving risk management and information security programs. The steps are provided below:
• Step 1: Prioritize and scope: The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process.
• Step 2: Orient: Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.
• Step 3: Create a current profile: The organization develops a current profile by indicating which category and subcategory outcomes from the framework core are currently being achieved.
• Step 4: Conduct a risk assessment: This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.
• Step 5: Create a target profile: The organization creates a target profile that focuses on the assessment of the framework categories and subcategories describing the organization’s desired cybersecurity outcomes.
• Step 6: Determine, analyze, and prioritize gaps: The organization compares the current profile and the target profile to determine gaps. Next, it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost-benefit analysis, and understanding of risk to achieve the outcomes in the target profile. The organization then determines the resources necessary to address the gaps.
• Step 7: Implement action plan: The organization determines which actions to take regarding the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the target profile.


Other Sources of Security Frameworks
I. Review the text, as it offers several professional societies and organizations that have Web sites and resources that can assist with building strong security frameworks.

Design of the Security Architecture
I. Examine the overview of different types of security architectures that can help with blueprint construction, implementation, and maintenance. These include spheres of security, levels of controls, defense in depth, and security perimeters.

Spheres of Security
I. Establish that spheres of security are the core of a security framework. Figure 3-10 illustrates how information is under attack from several sources, both internal and external.
II. Point out that the left side of the graphic shows that a layer of protection must exist between each layer of the sphere of use.
III. Relate that there are often three layers to information security implementation: policies, people, and technology. These layers are commonly referred to as PPT. Each layer contains controls and safeguards to protect the information and information system assets that the organization values.
IV. Emphasize, before moving forward, that policies must be in place and solidified before any technical controls are put in place.

Levels of Controls
I. Summarize that information security safeguards offer three levels of controls: managerial, operational, and technical.
II. Managerial controls are security processes that are designed by strategic planners and implemented by the security administration of the organization. Management controls set the direction and scope of the security process, and they provide detailed instructions for its conduct, while addressing the design and implementation of the security planning process and security program management.
III. Operational controls are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning. Operational controls also address personnel security, physical security, and the protection of production inputs and outputs.
IV. Technical controls are the tactical and technical implementations of security in the organization. Technical controls are the components put in place to protect an organization’s information assets.
V. Compare and contrast the differences between the three levels of controls. Focus on the fact that managerial controls influence the operational and technical controls that must be in place for security to be effective.

Defense in Depth
I. Distinguish that a basic tenet of security architectures is layered implementation of security. Thus, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technologies, as shown in the CNSS model presented in the first module.
II. Demonstrate that to achieve defense in depth, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technology.
III. Recall that while policy may not prevent attacks, it prepares the organization to handle them, and coupled with other layers, it can deter attacks.
IV. Implementing multiple types of technology, and thereby preventing the failure of one system from compromising the security of information, is referred to as redundancy.

Security Perimeter
I. Describe the purpose of a security perimeter. This is the boundary between the outer limit of an organization’s security and the beginning of the outside world. It is the level of security that protects all internal systems from outside threats.
II. Relate that the security perimeter does not protect against internal attacks from employee threats or on-site physical threats.
III. Explain that the key components of the security perimeter are firewalls, DMZs, proxy servers, and IDPSs.

Quick Quiz 2
1. Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls?
a. blueprint
b. the NIST handbook
c. information security framework
d. security plan
Answer: c
2. Which document is an excellent reference for security managers involved in the routine management of information security?
a. SP 800-12, “An Introduction to Computer Security”
b. SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology”
c. SP 800-30, Rev. 1: “Guide for Conducting Risk Assessments”
d. SP 800-50: “Building an Information Technology Security Awareness and Training Program”
Answer: a
3. True or False: SP 800-18, “Guide for Developing Security Plans for Federal Information Systems,” is considered the foundation for a comprehensive security blueprint and framework.
Answer: True
4. As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following?
a. framework
b. security perimeter
c. security domain
d. defense in depth
Answer: d
5. Which of the following defines the edge between the outer limit of an organization’s security and the beginning of the outside world?
a. framework
b. security perimeter
c. security domain
d. defense in depth
Answer: b
[return to top]


Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. There are several management functions that apply to information security. Have the class discuss which of those outlined were the most important and least important, and why. (3.1, PPT Slides 3–12) Duration: 15 minutes.
2. Keeping policy current is critical. Have the class discuss how policy needs to be updated to accommodate current events. (3.4, 3.5, PPT Slides 39–52 and 55–58) Duration: 15 minutes.
3. Lead a discussion with students about management figures and their roles in policy development. Should a CEO be involved in policy development, or should they take a hands-off approach? Divide the class into two camps: one that supports the CEO being part of the process and one that does not. (3.5, PPT Slides #15, 18–36, and 39–52) Duration: 15 minutes.
[return to top]

Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Engage students to search the Web for examples of technology-specific security policies. What types of technology are being controlled?
2. Direct students to go to the library, find a journal or magazine article on defense in depth, and write a short summary to share with the class.
[return to top]

Additional Resources

Cengage Video Resources
• MindTap Video: Governance
• MindTap Video: Information Security Policy

Internet Resources
• A Guide to Security Metrics
• COBIT Framework for IT Governance and Control
• ITIL


• Information Security Governance
• Strategic Planning (in a nonprofit and for-profit organization)



Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.



Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 4: Risk Management

Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 4: Risk Management

Table of Contents
Purpose and Perspective of the Module (p. 2)
Cengage Supplements (p. 2)
Module Objectives (p. 2)
Complete List of Module Activities and Assessments (p. 2)
Key Terms (p. 3)
What's New in This Module (p. 5)
Module Outline (p. 6)
Discussion Questions (p. 24)
Suggested Usage for Lab Activities (p. 25)
Additional Activities and Assignments (p. 27)
Additional Resources (p. 27)
   Cengage Video Resources (p. 27)
   Internet Resources (p. 27)
Appendix (p. 28)
   Grading Rubrics (p. 28)


Purpose and Perspective of the Module

The purpose of this module is to examine the processes necessary to undertake formal risk management activities in the organization. Risk management is the process of identifying, assessing, and reducing risk to an acceptable level and implementing effective control measures to maintain that level of risk. This is done with a number of processes from risk analysis through various types of feasibility analyses, including quantitative and qualitative assessment measures and evaluation of security controls.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:
4.1 Define risk management and describe its importance.
4.2 Explain the risk management framework and process model, including major components.
4.3 Define risk appetite and explain how it relates to residual risk.
4.4 Describe how risk is identified and documented.
4.5 Discuss how risk is assessed based on likelihood and impact.
4.6 Describe various options for a risk treatment strategy.
4.7 Discuss conceptual frameworks for evaluating risk controls and formulating a cost-benefit analysis.
4.8 Compare and contrast the dominant risk management methodologies.

Complete List of Module Activities and Assessments

For additional guidance refer to the MindTap Educator Guide.

Activity/Assessment (Module Objective; PPT slide; Duration):
• Knowledge Check Activity 1 (4.1 and 4.2; slides 7–8; 2 minutes)
• Knowledge Check Activity 2 (4.3–4.5; slides 29–30; 2 minutes)
• Knowledge Check Activity 3 (4.3–4.5; slides 61–62; 2 minutes)
• Self-Assessment (4.1–4.8; slide 86; 5 minutes)
• Module 04 Review Questions (MindTap; 30–40 minutes)
• Module 04 Case Exercises (MindTap; 30 minutes)
• Module 04 Exercises (MindTap; 10–30 minutes per question; 1+ hour per module)
• Module 04 Security for Life (MindTap; 1+ hour)
• Module 04 Quiz (MindTap; 10–15 minutes)


Key Terms

In order of use:

risk management: The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
risk assessment: The identification, analysis, and evaluation of risk as initial parts of risk management.
risk treatment: The application of safeguards or controls to reduce the risks of an organization’s information assets to an acceptable level.
risk control: See risk treatment.
RM framework: The overall structure of the strategic planning and design for the entirety of the organization’s RM efforts.
RM process: The identification, analysis, evaluation, and treatment of risk to information assets, as specified in the RM framework.
risk management (RM) plan: A document that contains specifications for the implementation and conduct of RM efforts.
residual risk: The risk to information assets that remains even after current controls have been applied.
risk appetite: The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
risk tolerance: The assessment of the amount of risk an organization is willing to accept for a particular information asset, typically synthesized into the organization’s overall risk appetite.


risk threshold: See risk tolerance.
zero-tolerance risk exposure: An extreme level of risk tolerance whereby the organization is unwilling to allow any successful attacks or suffer any loss to an information asset.
risk appetite statement: A formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances.
risk identification: The recognition, enumeration, and documentation of risks to an organization’s information assets.
data classification scheme: A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it.
threat assessment: An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
risk analysis: A determination of the extent to which an organization’s information assets are exposed to risk.
likelihood: The probability that a specific vulnerability within an organization will be attacked by a threat.
impact: An understanding of the potential consequences of a successful attack on an information asset by a threat.
uncertainty: The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes.
risk evaluation: The process of comparing an information asset’s risk rating to the numerical representation of the organization’s risk appetite or risk threshold to determine if risk treatment is required.
mitigation risk treatment strategy: The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset, also known as the defense strategy.
risk defense: See mitigation risk treatment strategy.
risk mitigation: See mitigation risk treatment strategy.
transference risk treatment strategy: The risk treatment strategy that attempts to shift risk to other assets, processes, or organizations.
risk sharing: See transference risk treatment strategy.


risk transfer: See transference risk treatment strategy.
acceptance risk treatment strategy: The risk treatment strategy that indicates the organization is willing to accept the current level of residual risk, and as a result, the organization makes a conscious decision to do nothing else to protect an information asset from risk and to “live with” the outcome from any resulting exploitation.
risk acceptance: See acceptance risk treatment strategy.
termination risk treatment strategy: The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service.
risk avoidance: See termination risk treatment strategy.
risk termination: See termination risk treatment strategy.
process communications: The necessary information flow within and between the governance group, RM framework team, and RM process team during the implementation of RM.
process monitoring and review: The data collection and feedback associated with performance measures used during the conduct of the process.
cost avoidance: The financial savings from using the mitigation risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.
cost-benefit analysis (CBA): The formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization, also known as an economic feasibility study.
asset valuation: The process of assigning financial value or worth to each information asset.
single loss expectancy (SLE): In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact); the SLE is the product of the asset’s value and the exposure factor.
annualized rate of occurrence (ARO): In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
annualized loss expectancy (ALE): In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.

What's New in This Module

The following elements are improvements in this module from the previous edition:


This Module was Chapter 5 in the 6th edition.

Risk Management methodology has been updated to reflect the ISO model.

Module content has been refined and restructured.

Module has been updated to include new NIST SP content.


Module Outline

Introduction to Risk Management (4.1, PPT Slides 3 and 4)

I. Emphasize how, as aspiring information security professionals, your students will have a key role to play in risk management.

II. Remind your students that the IT community must serve the information technology needs of the broader organization and, at the same time, leverage the special skills and insights of the information security community.

III. Explain how the information security team must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to appropriately balance the usefulness and security of the information system.

IV. Discuss how in the past an organization could establish a competitive business model, method, or technique to provide a product or service that was superior and create a competitive advantage.

V. Explain that in order to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain the confidentiality, privacy, and integrity of organizational data.

Sun Tzu and the Art of Risk Management

I. Explain how risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization’s information system.

II. Emphasize how risk management requires three major undertakings: risk identification, risk assessment, and risk control.

III. Define risk identification, which is the process of examining and documenting the security posture of an organization’s information technology and the risks it faces.


IV. Define risk control, which is the application of controls that reduce the risks to an organization’s information systems.

Know Yourself

I. Emphasize how we must first know ourselves by identifying, examining, and understanding the information and systems currently in place.

II. Explain how in order to protect our assets, defined here as the systems that use, store, and transmit information, we have to understand everything about the information.

III. Note that the policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure they remain effective.

Know the Enemy

I. Emphasize how for information security knowing the enemy means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets.

II. Discuss how we can use our understanding of these aspects to create a list of threats prioritized by importance to the organization.

The Risk Management Framework (4.2, PPT Slides 5–6 and 9–12)

I. Explain how to identify the risk.

II. Explain how to determine the current level of risk (risk analysis).

III. Discuss how to determine if the current level of risk is acceptable (risk evaluation).

IV. Determine how to treat the risk to bring it to an acceptable level.

The Roles of the Communities of Interest

I. Explain how each community of interest must manage the risks the organization encounters.

II. Explain how information security understands the threats and attacks that introduce risk into the organization, so it often takes a leadership role.

III. Explain how management and users play a part in the early detection and response process and ensure that sufficient resources are allocated.

IV. Explain how the information technology community assists in building secure systems and operating them safely.


V. Emphasize how general management, IT management, and information security management are collectively accountable for identifying and classifying all levels of risk.

VI. Explain that the three communities of interest are also responsible for the following:
a. Evaluating current and proposed risk controls
b. Determining which control options are cost effective for the organization
c. Acquiring or installing the needed controls
d. Ensuring that the controls remain effective

Quick Quiz 1

1. Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following?
a. risk assessment
b. risk management
c. risk control
d. risk identification
Answer: c

2. The application of controls that reduce the risks to an organization’s information assets to an acceptable level is known as which of the following?
a. risk assessment
b. risk management
c. risk control
d. risk identification
Answer: c

3. For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information?
a. inventory
b. threats
c. controls
d. assets
Answer: d


4. True or False: The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
Answer: True

5. True or False: The information technology community of interest must ensure sufficient resources are allocated to the risk management process.
Answer: False

The RM Policy

I. Explain that the RM policy is a strategic document that formalizes much of the intent of the governance group.

II. Explain that the RM policy must include purpose and scope, RM intent and objectives, roles and responsibilities, resource requirements, risk appetite and tolerances, RM program development guidelines, special instructions and revision information, and references to other key policies, plans, standards, and guidelines.

Framework Design

I. Explain that designing the RM program means defining and specifying the details of the tasks to be performed by the framework team and the process team.

II. Understand that the framework team must also formally document and define the organization’s risk appetite and draft the RM plan.

Defining the Organization’s Risk Tolerance and Risk Appetite

I. Explain that the RM framework team needs to understand and determine residual risk.

II. Document risk appetite.

Framework Implementation

I. Explain how the organization may distribute the plan to managers for a desk check prior to deployment.

II. Understand that the organization could pilot-test the plan and use a phased approach to implement the plan.

III. Understand that the RM framework team should carefully monitor, communicate, and review the implementation plan.

Framework Monitoring and Review

I. Introduce that the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the success of the framework planning.


II. Understand that the framework team is concerned with the oversight of the RM framework and plan.

The Risk Management Process (4.3–4.5, PPT Slides 13–28 and 31–54)

I. Introduce how to establish the context, which includes understanding the organization’s internal and external operating environments and other factors that could impact the RM process.

II. Identify the risk:
a. Create an inventory of information assets.
b. Classify and organize assets meaningfully.
c. Assign a value to each information asset.
d. Identify threats to the cataloged assets.
e. Pinpoint vulnerable assets by tying specific threats to specific assets.

III. Analyze the risk:
a. Determining the likelihood that vulnerable systems will be attacked.
b. Assessing the relative risk facing the organization’s information assets.
c. Calculating the risks to which assets are exposed.
d. Looking at controls that might come into play for identified vulnerabilities and how to control those risks.
e. Documenting and reporting the findings of risk identification and assessment.

IV. Evaluate the risk by comparing identified uncontrolled risks against the risk appetite.

V. Treat the unacceptable risk.

VI. Discuss summarizing the findings and stating the conclusions of the investigation.

VII. Explain how a risk management strategy calls on information security professionals to identify, classify, and prioritize their organizations’ information assets.

RM Process Preparation – Establishing the Context

I. Introduce the RM process as preparing for the risk process by performing the following tasks:
• Identify the purpose of the assessment.
• Identify the scope of the assessment.
• Identify the assumptions and constraints associated with the assessment.
• Identify the sources of information to be used as inputs to the assessment.
• Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.

External Context

I. Understand that the external context means understanding the impact the following external factors could have on the RM process, its goals, and its objectives:
• The business environment and its customers, suppliers, and competitors.
• The legal/regulatory/compliance environment: laws, regulations, industry standards.
• The threat environment: threats, known vulnerabilities, attack vectors.
• The support environment: government agencies like NIST and DHS, professional associations like ISSA, and service agencies such as SecurityFocus.
• Perhaps other factors known to the subject-matter experts that make up the team.

Internal Context

I. Understand the internal factors that could impact or influence the RM process:
• The organization’s governance structure (or lack thereof).
• The organization’s internal stakeholders.
• The organization’s culture.
• The maturity of the organization’s information security program.
• The organization’s experience in policy, planning, and risk management in general.

Risk Assessment: Risk Identification

I. Understand that risk identification begins with the process of self-examination.

Identification of Information Assets

I. Describe the iterative process, which begins with the identification of assets, including all of the following elements of an organization’s system: people, procedures, data, software, hardware, and networking components.

II. Discuss the identification of people, procedures, and data assets. Identifying human resources, documentation, and data information is more difficult than identifying hardware and software assets.
• As the people, procedures, and data assets are identified, they should be recorded using a reliable data-handling process.

III. Explain that when deciding which information assets to track, consider the following asset attributes:
• People: Position name/number/ID (try to avoid names and stick to identifying positions, roles, or functions); supervisor; security clearance level; special skills
• Procedures: Description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference; storage location for update
• Data: Classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or offline; location; backup procedures employed

IV. Describe the identification of hardware, software, and network assets.
• Depending on the needs of the organization and its risk management efforts, as well as the preferences and needs of the management of the information security and information technology communities, when deciding which information assets to track, you may want to consider including these asset attributes:
   o Name
   o IP address
   o MAC address
   o Element type
      ▪ DeviceClass = S (server)
      ▪ DeviceOS = W2K (Windows 2000)
      ▪ DeviceCapacity = AS (advanced server)
   o Serial number
   o Manufacturer’s name
   o Manufacturer’s model number or part number
   o Software version, update revision, or FCO number
   o Physical location
   o Logical location
   o Controlling entity

V. Discuss automated risk identification tools.
• Automated tools can sometimes identify the system elements that make up the hardware, software, and network components.
• Once stored, typically in a database or in a form that can be exported to a database, the inventory list must be kept current by using a tool that periodically refreshes the data.


• In the later steps of risk management, which require involved calculations, the case is strong for the use of automated risk management tools for tracking information assets. At this point in the process, however, simple word-processing, spreadsheet, and database tools can provide adequate record keeping.

VI. When discussing asset categorization, point out the several new subdivisions of risk management categorizations.

Prioritizing (Rank-Ordering) Information Assets

I. Define data classification schemes as a formal access control methodology used to assign a level of confidentiality to an information asset, restricting the number of people who can access it.

II. Point out examples of data classification categories: confidential, internal, and public. Mention that any classification method must be specific enough to enable determination of priority levels.

III. Discuss data classification and management.
• Corporate and military organizations use a variety of data classification schemes.
• The typical information classification scheme has three categories:
   o Confidential: Used for corporate information that must be tightly controlled, even within the company. Access to this information is strictly on a need-to-know basis or as required by the terms of a contract.
   o Internal: Used for internal information that does not meet the criteria for the confidential category. It is to be viewed only by corporate employees, authorized contractors, and other third parties.
   o External: This includes all information that has been approved by management for public release.
• Many developments in data communications and information security are the result of government-sponsored research. For most information, the government uses a three-level classification scheme: Confidential, Secret, and Top Secret.
• Federal agencies such as the FBI and CIA also use specialty classification schemes, like Need-to-Know and Named Projects.
• Most organizations do not need the detailed level of classification used by the military or federal agencies.

IV. Describe security clearances.


• The other side of the data classification scheme is the personnel security clearance structure. For each user of data in the organization, a single level of authorization must be assigned that indicates the level of classification he or she is authorized to view.
• Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know standard. This extra level of protection ensures that the confidentiality of information is properly maintained.

V. Discuss the management of classified data.
a. Management of classified data includes its storage, distribution, transportation, and destruction.
b. Information that is not unclassified or public must be clearly marked as such. Use Figure 5-5 in your explanation.
c. When classified data is stored, it must be available only to authorized individuals.
d. When an individual carries classified information, it should be transported via inconspicuous means, such as in a locked briefcase or portfolio.
e. The clean desk policy requires employees to secure all information in appropriate storage containers at the end of each day.
f. When copies of classified information are no longer valuable or excessive copies exist, proper care should be taken to destroy them by means of shredding, burning, or transferring to an authorized document destruction service.
• It is important to enforce policies to ensure that no classified information is disposed of in trash or recycling areas since some individuals would not hesitate to engage in dumpster diving to retrieve information that could embarrass an organization or compromise information security.

Threat Assessment
I. Identify and assess threats for individual organizations.
II. Understand how much danger a threat poses to information assets.
III. Determine how probable and severe a threat is to an organization.

The TVA Worksheet
I. Explain that the TVA worksheet serves as the starting point for the next step in the risk management process, risk assessment. Refer students to the sample TVA spreadsheet in Table 5-8 and discuss how to use the worksheet.

Risk Assessment: Risk Analysis


I. Explain how we can determine the relative risk for each of the vulnerabilities through a process called risk assessment.
II. Discuss risk assessment, which assigns a risk rating or score to each information asset. This rating is useful in gauging the relative risk to each vulnerable information asset and in making comparative ratings later in the risk control process.

Mitigation of Applicable Controls
I. Explain how mitigation is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
II. Explain how mitigation begins with early detection of an attack in progress and relies on the ability of the organization to respond quickly, efficiently, and effectively.
III. Discuss the three types of plans in this approach: the incident response plan (IRP), the disaster recovery plan (DRP), and the business continuity plan (BCP).

Determining the Likelihood of a Threat Event
I. Explain how, after identifying and performing the preliminary classification of an organization's information assets, the analysis phase examines the threats facing the organization.
II. Emphasize how each threat must be examined to assess its potential impact on the organization. This is referred to as a threat assessment.
III. Explain how to begin a threat assessment by answering a few questions:
   • Which threats present a danger to the organization's assets in the given environment?
   • Which threats represent the most danger to the organization's information?
   • How much would it cost to recover from a successful attack?
   • Which of these threats would require the greatest expenditure to prevent?
IV. Emphasize how answering these questions helps establish a framework for the discussion of threat assessment. An organization's guidelines and/or policies should influence this process and may require the posing of additional questions.

Assessing Potential Impact on Asset Value
I. Explain that after identification of the organization's information assets and documentation of criteria for beginning to assess the threats it faces, review each information asset for each threat it faces and create a list of vulnerabilities.
II. Discuss vulnerabilities, which are specific avenues that threat agents can exploit to attack an information asset.
III. Explain how a list of the organization's assets and their vulnerabilities is created. This process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions. Use Table 5-7 in your explanation.
IV. Define the threats-vulnerabilities-assets (TVA) worksheet as a document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings.
V. Explain that the TVA worksheet serves as the starting point for the next step in the risk management process, risk assessment. Refer students to the sample TVA spreadsheet in Table 5-8 and discuss how to use the worksheet.

Aggregation
I. Explain that organizations may use risk aggregation to roll up several discrete or lower-level risks into a more general or higher-level risk.
II. Explain that organizations may also use risk aggregation to efficiently manage the scope and scale of risk assessments involving multiple information systems and multiple mission/business processes with specified relationships and dependencies among those systems and processes.

Uncertainty
I. Explain that uncertainty is the state of having limited or imprecise knowledge of the assets, threats, vulnerabilities, and controls involved. It is not possible to know everything about every vulnerability, such as exactly how likely an attack is or how great its impact would be, and the degree to which a current control reduces risk is itself an estimate. A factor for uncertainty is therefore added to the risk calculation; it is an estimate made by the manager using judgment and experience.

Risk Determination
I. For the purpose of relative risk determination, explain that risk equals loss frequency times loss magnitude plus an element of uncertainty. Discuss the risk calculation examples given in the text.

Risk Evaluation
I. Explain how, for each threat and its associated vulnerabilities that have residual risk, we need to create a ranking of their relative risk levels.
II. Explain that when the organization's risk appetite is less than the asset's residual risk, it must move to the next stage of risk control and look for additional strategies to further reduce the risk.
III. Explain how the goal of this process has been to identify the organization's information assets that have specific vulnerabilities and list them, ranked according to those that most need protection.
IV. Discuss how, in preparing this list, we have collected and preserved a wealth of factual information about the assets, the threats they face, and the vulnerabilities they expose, as well as some information about the controls that are already in place.
V. Describe the final summarized document, which is the ranked vulnerability risk worksheet and contains the following data:
   • Asset: Each vulnerable asset.
   • Asset relative value: Shows the results for this asset from the weighted factor analysis worksheet.
   • Vulnerability: Each uncontrolled vulnerability.
   • Loss frequency: The likelihood of the realization of the vulnerability by a threat agent, as noted in the vulnerability analysis step.
   • Loss magnitude: The expected impact of a successful attack on the asset, based on the asset's relative value. The row's risk rating, which determines its rank, is loss frequency times loss magnitude plus the uncertainty factor, as in the risk determination step.
VI. Discuss the ranked vulnerability risk worksheet, which is the working document for the next step in the risk management process: assessing and controlling risk.
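The risk determination formula and the ranked vulnerability risk worksheet above, carried through on constructed numbers as an added example (this is not code from the instructor manual or the textbook). Assumptions of the example: loss frequency is a probability in 0..1, loss magnitude is on the same relative scale as asset value, and uncertainty is a fraction of the product that is added to it (0.10 means the estimates are believed to be about 90% accurate); the asset relative values are taken as already computed by weighted factor analysis. The risk-appetite comparison implements item II under Risk Evaluation.

```python
"""Relative-risk ranking for a TVA worksheet (added example).

risk = loss frequency x loss magnitude + uncertainty, where the
uncertainty term is taken as a fraction of the product (an assumption
of this example). Rows above the risk appetite are flagged for the
risk control step.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TvaRow:
    asset: str
    asset_relative_value: float   # from the weighted factor analysis worksheet
    vulnerability: str
    loss_frequency: float         # 0..1, likelihood the vulnerability is realized
    loss_magnitude: float         # relative impact of one successful attack
    uncertainty: float            # fraction of the product, 0..1


def relative_risk(row: TvaRow) -> float:
    """Risk rating for one asset/vulnerability row, rounded to 2 dp."""
    if not 0.0 <= row.loss_frequency <= 1.0:
        raise ValueError(f"{row.asset}/{row.vulnerability}: loss frequency must be 0..1")
    if not 0.0 <= row.uncertainty <= 1.0:
        raise ValueError(f"{row.asset}/{row.vulnerability}: uncertainty must be 0..1")
    base = row.loss_frequency * row.loss_magnitude
    return round(base + base * row.uncertainty, 2)


def ranked_worksheet(rows, risk_appetite: float) -> list:
    """Rows of the ranked vulnerability risk worksheet, highest risk first."""
    scored = sorted(((relative_risk(r), r) for r in rows),
                    key=lambda t: t[0], reverse=True)
    return [
        {
            "asset": r.asset,
            "asset_relative_value": r.asset_relative_value,
            "vulnerability": r.vulnerability,
            "loss_frequency": r.loss_frequency,
            "loss_magnitude": r.loss_magnitude,
            "risk_rating": risk,
            # residual risk above appetite: must go on to risk control
            "needs_further_control": risk > risk_appetite,
        }
        for risk, r in scored
    ]


# Constructed sample rows; all figures are illustrative only.
RISK_APPETITE = 30.0
ROWS = [
    TvaRow("Customer database", 100, "SQL injection in web front end", 0.5, 100, 0.10),
    TvaRow("Customer database", 100, "Unpatched DBMS", 0.3, 100, 0.20),
    TvaRow("Public web site", 30, "Defacement via weak admin password", 0.8, 30, 0.10),
    TvaRow("Email server", 60, "Phishing leads to account takeover", 0.9, 40, 0.10),
]

if __name__ == "__main__":
    for row in ranked_worksheet(ROWS, RISK_APPETITE):
        flag = "CONTROL" if row["needs_further_control"] else "accept"
        print(f"{row['risk_rating']:6.1f}  {row['asset']:18} {row['vulnerability']:36} {flag}")
```

Note how the ranking differs from a ranking by asset value alone: the email server (value 60) outranks the second customer-database row (value 100) because its loss frequency is far higher, which is exactly why the worksheet carries loss frequency and loss magnitude as separate columns.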

Documenting the Results of Risk Assessment
I. Discuss how the results of risk assessment activities can be delivered. There are a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
II. Explain that when the organization is pursuing an overall risk management program, it requires a systematic report that enumerates the opportunities for controlling risk. This report documents a series of proposed controls, each of which has been justified by one or more feasibility or rationalization approaches.
III. Explain how another option is to document the outcome of the control strategy for each information asset-threat pair in an action plan. This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual.
IV. Remind students that sometimes a risk assessment is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. The project risk assessment should identify the sources of risk in the finished IT system with suggestions for remedial controls, as well as those risks that might impede the completion of the project.
V. Explain how, when management requires details about a specific risk to the organization, risk assessment may be documented in a topic-specific report. These are usually demand reports that are prepared at the direction of senior management and are focused on a narrow area of information systems operational risk.


Evaluating Risk
I. Discuss the process for evaluating risk.
II. Explain that evaluating risk requires extensive input from the RM process team, along with recommendations and cost estimates.

Risk Treatment/Risk Response (4.6, PPT Slides 55–60 and 63)
I. Introduce the four strategies to treat risks for assets:
   a. Mitigation: Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk.
   b. Transference: Shifting risks to other areas or to outside entities.
   c. Acceptance: Understanding the consequences of choosing to leave an information asset's vulnerability facing the current level of risk, but only after a formal evaluation and intentional acknowledgement of this decision.
   d. Termination: Removing or discontinuing the information asset from the organization's operating environment.

Risk Mitigation
I. Explain how mitigation is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
II. Explain how mitigation begins with early detection of an attack in progress and relies on the ability of the organization to respond quickly, efficiently, and effectively.
III. Discuss the three types of plans in this approach: the incident response plan (IRP), the disaster recovery plan (DRP), and the business continuity plan (BCP).

Risk Transference
I. Explain that the transfer control strategy attempts to shift the risk to other assets, other processes, or other organizations.
II. Mention that this principle should be considered whenever an organization begins to expand its operations.
III. Explain that if an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise.
IV. Point out that it is up to the owner of the information asset, IT management, and the information security team to ensure that the disaster recovery requirements of the outsourcing contract are sufficient and have been met before they are needed for recovery efforts.

Risk Acceptance
I. Emphasize that the acceptance of risk is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. This may or may not be a conscious business decision.
II. Clarify that the only acceptance strategy recognized as valid occurs when the organization has done the following:
   • Determined the level of risk.
   • Assessed the probability of attack.
   • Estimated the potential damage that could occur from these attacks.
   • Performed a thorough cost-benefit analysis.
   • Evaluated controls using each appropriate type of feasibility.
   • Decided that the particular function, service, information, or asset did not justify the cost of protection.
III. Explain that if every vulnerability identified in the organization is handled by means of acceptance, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.

Risk Termination
I. Remind students that the final risk control strategy directs the organization to avoid business activities that introduce uncontrollable risks.

Process Communications, Monitoring, and Review
I. Define process communications.
II. Define process monitoring and review.
III. Explain that the process team needs to give continual feedback to the framework team about the relative success and challenges of its RM activities.

Mitigation and Risk
I. Explain that this form of mitigation is part of contingency planning (CP), which students will learn about in Module 5.
II. Note that CP mitigation derives its value from the ability to detect, react to, respond to, and recover from incidents and disasters as quickly as possible, thus minimizing the damage to an information asset.

Managing Risk (4.6, 4.7, PPT Slides 64–70)
I. Discuss the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages.
II. Discuss how a risk management process requires applying the organization's project management principles to the risk management process.
III. Explain that the process will need a proper project plan with periodic deliverables, including a task list and appropriate assignments.
IV. Explain how planned expenditures to implement a control strategy must be justified, and budget authorities must be convinced to spend the necessary amount to protect a particular asset from an identified threat.
V. Note that another factor to consider is that each control or safeguard affects more than one asset-threat pair. Information security professionals manage a dynamic matrix covering a broad range of threats, information assets, controls, and identified vulnerabilities.
VI. Explain how, if a new safeguard is implemented, there is a risk decrease associated with all subsequent control evaluations. The action of implementing a control may change the values assigned or calculated in a prior estimate.
VII. Emphasize how there is an ongoing search for ways to design security architectures that go beyond the direct application of specific controls, in which each is justified for a specific information asset vulnerability, to safeguards that can be applied to several vulnerabilities at once.
VIII. Discuss how the results of risk assessment activities can be delivered. There are a number of ways: a report on a systematic approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
IX. Explain that when the organization is pursuing an overall risk management program, it requires a systematic report that enumerates the opportunities for controlling risk. This report documents a series of proposed controls, each of which has been justified by one or more feasibility or rationalization approaches.
X. Explain how another option is to document the outcome of the control strategy for each information asset-threat pair in an action plan. This action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual.
XI. Remind students that sometimes a risk assessment is prepared for a specific IT project at the request of the project manager, either because it is required by organizational policy or because it is good project management practice. The project risk assessment should identify the sources of risk in the finished IT system with suggestions for remedial controls, as well as those risks that might impede the completion of the project.
XII. Explain how, when management requires details about a specific risk to the organization, risk assessment may be documented in a topic-specific report. These are usually demand reports that are prepared at the direction of senior management and are focused on a narrow area of information systems operational risk.

Feasibility and Cost-Benefit Analysis
I. Discuss that before deciding on the treatment strategy for a specific TVA triple, an organization should explore all readily accessible information about the economic and noneconomic consequences of a vulnerability's exploitation when the threat causes a loss to the asset.
II. Explain that some of the techniques of cost-benefit analysis use dollar-denominated expenses and savings from economic cost avoidance, while others use noneconomic feasibility criteria.

Cost
I. Discuss the factors that help to determine the cost of safeguarding information:
   • Cost of development or acquisition: Hardware, software, and services.
   • Training fees: Cost to train personnel.
   • Cost of implementation: Installing, configuring, and testing hardware, software, and services.
   • Service costs: Vendor fees for maintenance and upgrades, or from outsourcing the information asset's protection and/or insurance.
   • Cost of maintenance: Labor expense to verify and continually test, maintain, train, and update.
   • Potential cost from the loss of the asset: Either from removal of service (termination) or compromise by attack.

Benefit
I. Define benefit as the value to the organization of using controls to prevent losses associated with a specific vulnerability.
II. Explain that this result is expressed as the annualized loss expectancy (ALE).
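The cost factors and the ALE-based benefit above combine into the cost-benefit decision, worked here on constructed figures as an added example (this is not code from the instructor manual or the textbook). It uses the standard definitions behind the terms the module and its quiz use: SLE = asset value x exposure factor, ALE = SLE x ARO, and CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annualized cost of the safeguard. Rolling the listed cost factors into ACS by amortizing one-time costs over a useful life is an assumption of this example, as are all the numbers.

```python
"""Cost-benefit analysis with SLE, ALE and the CBA formula (added example).

    SLE = asset value x exposure factor
    ALE = SLE x ARO
    CBA = ALE(prior) - ALE(post) - ACS
ACS sums the module's cost factors: one-time costs spread over the
safeguard's useful life plus the recurring yearly costs (an assumption
of this example). All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    asset_value: float
    exposure_factor: float   # fraction of asset value lost in one incident, 0..1
    aro: float               # annualized rate of occurrence (incidents per year)


def sle(s: LossScenario) -> float:
    """Single loss expectancy: the value of the most likely single loss."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be 0..1")
    return s.asset_value * s.exposure_factor


def ale(s: LossScenario) -> float:
    """Annualized loss expectancy."""
    return sle(s) * s.aro


@dataclass(frozen=True)
class SafeguardCosts:
    acquisition: float       # hardware, software, services (one-time)
    training: float          # one-time
    implementation: float    # install, configure, test (one-time)
    service: float           # per year: vendor maintenance/upgrades, outsourcing, insurance
    maintenance: float       # per year: labour to verify, test, train, update
    useful_life_years: int = 1

    def annualized(self) -> float:
        """ACS: one-time costs amortized over the useful life, plus yearly costs."""
        if self.useful_life_years < 1:
            raise ValueError("useful life must be at least one year")
        one_time = self.acquisition + self.training + self.implementation
        return one_time / self.useful_life_years + self.service + self.maintenance


def cba(prior: LossScenario, post: LossScenario, costs: SafeguardCosts) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    return ale(prior) - ale(post) - costs.annualized()


def is_justified(prior: LossScenario, post: LossScenario, costs: SafeguardCosts) -> bool:
    return cba(prior, post, costs) > 0.0


# Constructed scenario: a customer database valued at 1,000,000 (any currency unit).
# Before the control, a breach is expected every two years and destroys a quarter of
# the asset's value; the control cuts the expected rate to once in ten years.
PRIOR = LossScenario(asset_value=1_000_000, exposure_factor=0.25, aro=0.5)
POST = LossScenario(asset_value=1_000_000, exposure_factor=0.25, aro=0.1)
COSTS = SafeguardCosts(acquisition=30_000, training=5_000, implementation=10_000,
                       service=8_000, maintenance=12_000, useful_life_years=3)

if __name__ == "__main__":
    print(f"SLE prior {sle(PRIOR):,.0f}   ALE prior {ale(PRIOR):,.0f}   ALE post {ale(POST):,.0f}")
    print(f"ACS {COSTS.annualized():,.0f}   CBA {cba(PRIOR, POST, COSTS):,.0f}   "
          f"justified={is_justified(PRIOR, POST, COSTS)}")
```

With these figures the control reduces the ALE from 125,000 to 25,000 at an annualized cost of 35,000, so the CBA is 65,000 and the expenditure is justified; a control whose ACS exceeded the 100,000 ALE reduction would fail the same test, which is the formal basis for the acceptance decision described under Risk Acceptance.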

Asset Valuation
I. Discuss what needs to be considered as each asset of the organization is assigned to a category. The following questions assist in developing the weighting criteria to be used for asset valuation:
   • Which information asset is the most critical to the success of the organization?
   • Which information asset generates the most revenue?
   • Which of these assets plays the biggest role in generating revenue or delivering services?
   • Which information asset would be the most expensive to replace?
   • Which information asset would be the most expensive to protect?
   • Which information asset would most expose the company to liability or embarrassment if revealed?
II. Discuss what is necessary to calculate, estimate, or derive values for information assets; consideration might be given to the following:
   • Value retained from the cost of creating the information asset.
   • Value retained from past maintenance of the information asset.
   • Value implied by the cost of replacing the information.
   • Value from providing the information.
   • Value incurred from the cost of protecting the information.
   • Value to owners.
   • Value of intellectual property.
   • Value to adversaries.
III. Note how additional company-specific criteria may add value to the asset evaluation process and should be identified, documented, and added to the process.
IV. Explain that to finalize this step the organization should assign a weight to each asset based on the given answers.
V. Discuss information asset prioritization.
   • Once the process of inventorying and assessing value is complete, you can prioritize each asset using weighted factor analysis. Use Table 5-2 in your explanation.
   • In this process, each information asset is assigned a score for each critical factor. In addition, each critical factor is assigned a weight (ranging from 1 to 100) to show that criterion's importance to the organization.
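The weighted factor analysis just described, carried through on constructed criteria and scores as an added example (this is not code from the instructor manual or the textbook, and the assets, weights and scores are made up for illustration). The example assumes per-asset scores in the range 0.0 to 1.0 and requires the criterion weights to total 100, which is the convention of the weighted factor analysis worksheet the text refers to.

```python
"""Weighted factor analysis for information asset prioritization (added example).

Each asset gets a score per critical factor; each factor carries a
weight (1..100, weights summing to 100). Weighted score = sum(score x
weight); assets are ranked by it. Criteria, weights and scores are
constructed.
"""

# Critical factors and their weights (must sum to 100).
CRITERIA = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

# Asset -> score per criterion, 0.0..1.0 (constructed).
ASSETS = {
    "Customer order database": {"impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "Public web site":         {"impact on revenue": 0.5, "impact on profitability": 0.4, "impact on public image": 1.0},
    "Internal wiki":           {"impact on revenue": 0.1, "impact on profitability": 0.2, "impact on public image": 0.3},
    "Payroll records":         {"impact on revenue": 0.3, "impact on profitability": 0.6, "impact on public image": 0.9},
}


def weights_are_valid(criteria: dict) -> bool:
    """Each weight must be 1..100 and the weights must sum to exactly 100."""
    return all(1 <= w <= 100 for w in criteria.values()) and sum(criteria.values()) == 100


def weighted_score(scores: dict, criteria: dict) -> float:
    """sum(score x weight) over every criterion; a missing or out-of-range score is an error."""
    total = 0.0
    for name, weight in criteria.items():
        if name not in scores:
            raise ValueError(f"no score for criterion {name!r}")
        s = scores[name]
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score for {name!r} must be 0..1, got {s}")
        total += s * weight
    return round(total, 2)


def prioritize(assets: dict, criteria: dict) -> list:
    """(asset, weighted score) pairs, highest priority first."""
    if not weights_are_valid(criteria):
        raise ValueError("criterion weights must each be 1..100 and sum to 100")
    ranked = [(name, weighted_score(scores, criteria)) for name, scores in assets.items()]
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for asset, score in prioritize(ASSETS, CRITERIA):
        print(f"{score:5.1f}  {asset}")
```

The resulting scores are the "asset relative value" column of the ranked vulnerability risk worksheet; changing the weights (for instance, raising "impact on public image") reorders the assets, which is the point to make when asking students which criteria their own organization would weight most heavily.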

Alternative Risk Management Methodologies (4.8, PPT Slides 71–77)
I. Explain that there are alternative approaches to risk management, including international and national standards and methodologies from industry-leading organizations.

The OCTAVE Methods
I. Define the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.

FAIR
I. Explain how Factor Analysis of Information Risk (FAIR) can help organizations understand, analyze, and measure information risk.
II. Discuss the FAIR methodology, which consists of 10 steps grouped into four major stages.

ISO Standards for InfoSec Risk Management
I. Discuss how the International Organization for Standardization (ISO) has standards related to information security and risk management.

NIST Risk Management Framework (RMF)
I. Investigate the National Institute of Standards and Technology (NIST) risk management framework: https://csrc.nist.gov/publications/sp.

Selecting the Best Risk Management Model
I. Determine how to select the best risk management model.

Quick Quiz 2
1. True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.
   Answer: False
2. The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following?
   a. probability
   b. manageability
   c. likelihood
   d. practicality
   Answer: c
3. Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation?
   a. Transference
   b. Defense
   c. Acceptance
   d. Mitigation
   Answer: d
4. Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations?
   a. Transference
   b. Defense
   c. Acceptance
   d. Mitigation
   Answer: a
5. The calculation of the value associated with the most likely loss from an attack is called which of the following?
   a. ARO
   b. ALE
   c. CBA
   d. SLE
   Answer: d
6. Which of the following terms best describes comparing an organization's efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate?
   a. baselining
   b. performance gap
   c. benchmarking
   d. feasibility reporting
   Answer: c
[return to top]

Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module. Additional class discussion options:
1. What is the best value that should be assessed when evaluating the worth of an information asset to the organization: replacement cost, or lost income while repairing or replacing? (4.1, PPT Slides 3–6, 25, 79, and 81) Duration 15 minutes.
2. What is the likelihood value of a vulnerability that no longer must be considered? (4.6, PPT Slides 33, 35–37, 40, 42, and 46–60) Duration 15 minutes.
3. In what instances is baselining or benchmarking superior to cost-benefit analysis? (4.7, PPT Slides 64–70) Duration 15 minutes.
[return to top]

Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
   • have a better understanding of the ethical expectations of IT professionals; and
   • be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab, 15 to 20 minutes; Phishing E-Mail lab, 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
   • Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
   • Understand the basic setup and use of an open-source AV product.
   • Install and use ClamAV on a Windows system.
   • Create a portable AV scanner using a USB storage device.
   • Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
   • Review and configure password management policies on a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
   • Describe backup and recovery processes, and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
   • Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
   • Review available and enabled OS services.
   • Review available and enabled OS processes.
   • Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
   • Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
   • Identify network addresses associated with an organization.
   • Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Have students review the information assets in a campus departmental office and estimate the value of each asset.
2. Have students list the hardware assets found in a computing lab and then list the attributes of those assets. They should provide as many facts about each asset as possible.
3. Provide your students with a list of information security controls. Have them classify each as preventive or detective.
[return to top]

Additional Resources
Cengage Video Resources
   • MindTap Video: Risk Assessment
   • MindTap Video: Risk Control

Internet Resources
   • Cultivating a Risk Intelligent Culture
   • Creating a Culture of Risk Avoidance
   • Effective IT Risk Management
   • An Introduction to Cost Benefit Analysis

[return to top]


Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 (Exceeds Expectations)
   • Student demonstrates accurate understanding of the concept.
   • Student applies the concept appropriately.
   • Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 (Meets Expectations)
   • Student demonstrates accurate understanding of the concept.
   • Student applies the concept appropriately.
   • Student develops a complete response to the prompt.

1 (Needs Improvement)
   • Student's response demonstrates a gap in understanding of the concept.
   • Student applies the concept incorrectly.
   • Student's response is poorly developed or incomplete.

0 (Inadequate)
   • Student's response is missing or incomplete.
   • Student's response demonstrates a critical gap in understanding.
   • Student is unable to apply the concept.
[return to top]


Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 5: Incident Response and Contingency Planning

Table of Contents
   Purpose and Perspective of the Module
   Cengage Supplements
   Module Objectives
   Complete List of Module Activities and Assessments
   Key Terms
   What's New in This Module
   Module Outline
   Discussion Questions
   Suggested Usage for Lab Activities
   Additional Activities and Assignments
   Additional Resources
      Cengage Video Resources
      Internet Resources
   Appendix
      Grading Rubrics

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


Purpose and Perspective of the Module

Interruptions within an organization are bound to happen. The questions are when they will happen and what can be done to mitigate the damage they cause. In this module, students will gain an understanding of the purpose of and need for contingency planning, which is also referred to as disaster recovery and business continuity planning. Incident response is another major theme: the authors describe its components comprehensively, along with the processes used in digital forensics to determine why an incident occurred. Toward the end of the module, the discussion turns to how an organization prepares for and executes a test of its contingency plans, which is essential to ensure that the plans work when something does happen.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.

• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:

5.1 Discuss the need for contingency planning.
5.2 Describe the major components of incident response, disaster recovery, and business continuity.
5.3 Identify the processes used in digital forensics investigations.
5.4 Define the components of crisis management.
5.5 Discuss how the organization would prepare and execute a test of contingency plans.

Complete List of Module Activities and Assessments

For additional guidance, refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment         | Duration
-----------------|-----------|-----------------------------|------------------------------------------------
5.1              | 6–7       | Knowledge Check Activity 1  | 2 minutes
5.2              | 47–48     | Knowledge Check Activity 2  | 2 minutes
5.3–5.4          | 79–80     | Knowledge Check Activity 3  | 2 minutes
5.4–5.5          | 92–93     | Knowledge Check Activity 4  | 2 minutes
5.1–5.5          | 103       | Self-Assessment             | 5 minutes
                 | MindTap   | Module 05 Review Questions  | 30–40 minutes
                 | MindTap   | Module 05 Case Exercises    | 30 minutes
                 | MindTap   | Module 05 Exercises         | 10–30 minutes per question; 1+ hour per module
                 | MindTap   | Module 05 Security for Life | 1+ hour
                 | MindTap   | Module 05 Quiz              | 10–15 minutes

[return to top]

Key Terms

In order of use:

adverse event: An event with negative consequences that could threaten the organization’s information assets or operations; also referred to as an incident candidate.
contingency planning (CP): The actions taken by senior management to specify the organization’s efforts and actions if an adverse event becomes an incident or disaster; CP typically includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.
contingency planning management team (CPMT): The group of senior managers and project members organized to conduct and lead all CP efforts.
incident response planning team (IRPT): The team responsible for designing and managing the IR plan by specifying the organization’s preparation, reaction, and recovery from incidents.
disaster recovery planning team (DRPT): The team responsible for designing and managing the DR plan by specifying the organization’s preparation, response, and recovery from disasters, including reestablishment of business operations at the primary site after the disaster.
business continuity planning team (BCPT): The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location.
crisis management planning team (CMPT): The individuals from various functional areas of the organization assigned to develop and implement the CM plan.


business impact analysis (BIA): An investigation and assessment of adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process; it includes a determination of how critical a system or set of information is to the organization’s core processes and its recovery priorities.
business process: A task performed by an organization or one of its units in support of the organization’s overall mission and operations.
recovery time objective (RTO): The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the maximum tolerable downtime.
recovery point objective (RPO): The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.
maximum tolerable downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
work recovery time (WRT): The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.
incident response (IR): An organization’s set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.
incident response planning (IRP): The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.
incident candidate: See adverse event.
incident: An adverse event that could result in a loss of information assets but does not threaten the viability of the entire organization.
incident response plan (IRP): The documented product of incident response planning; a plan that shows the organization’s intended efforts in the event of an incident.
computer security incident response team (CSIRT): An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident; may include members of the IRPT.
IR policy: The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams.
IR procedures: Detailed, step-by-step methods of preparing, detecting, reacting to, and recovering from an incident.


electronic vaulting: A backup strategy that transfers data in bulk batches to an off-site facility.
remote journaling: A backup strategy that transfers only transaction data in near real time to an off-site facility.
database shadowing: A backup strategy that transfers duplicate online transaction data and duplicate databases to a remote site on a redundant server, combining electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.
3-2-1 backup rule: A backup strategy that recommends the creation of at least three copies of critical data (the original and two copies) on at least two different media, with at least one copy stored off-site.
incident classification: The process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.
incident detection: The identification and classification of an adverse event as an incident, accompanied by the notification of the CSIRT and the activation of the IR reaction phase.
alert roster: A document that contains contact information for personnel to be notified in the event of an incident or disaster.
alert message: A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.
after-action review (AAR): A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.
protect and forget: The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker’s identification and prosecution; also known as “patch and proceed.”
apprehend and prosecute: The organizational CP philosophy that focuses on an attacker’s identification and prosecution, the defense of information assets, and preventing reoccurrence; also known as “pursue and punish.”
digital forensics: Investigations that involve the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis, following clear, well-defined methodologies.
forensics: The coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.
evidentiary material (EM): Any information that could potentially support an organization’s legal or policy-based case against a suspect; also known as items of potential evidentiary value.


digital malfeasance: A crime involving digital media, computer technology, or related components.
root cause analysis: The determination of the source or origin of an event, problem, or issue like an incident.
affidavit: Sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place; the affidavit specifies the facts, the items, and the place.
search warrant: Permission to search for evidentiary material at a specified location or to seize items to return to an investigator’s lab for examination.
chain of evidence: The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition.
chain of custody: See chain of evidence.
disaster recovery (DR): An organization’s set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster.
disaster recovery planning (DRP): The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams.
disaster recovery plan (DR plan): The documented product of disaster recovery planning; a plan that shows the organization’s intended efforts in the event of a disaster.
DR policy: The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.
disaster classification: The process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
slow-onset disasters: Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects.
rapid-onset disasters: Disasters that occur suddenly, with little warning, taking people’s lives and destroying the means of production.
business continuity (BC): An organization’s set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site; typically includes temporarily establishing critical operations at an alternate site until operations can be resumed at the primary site or a new permanent site.
business continuity planning (BCP): The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.


BC plan: The documented product of business continuity planning; a plan that shows the organization’s intended efforts to continue critical functions when operations at the primary site are not feasible.
BC policy: The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams.
business resumption planning (BRP): The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.
hot site: A fully configured BC facility that includes all computing services, communications links, and physical plant operations.
warm site: A BC facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications.
cold site: A BC facility that provides only rudimentary services, with no computer hardware or peripherals.
timeshare: A continuity strategy in which an organization co-leases facilities with a business partner or sister organization, which allows the organization to have a BC option while reducing its overall costs.
service bureau: A BC strategy in which an organization contracts with a service agency to provide a facility for a fee.
mutual agreement: A BC strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
rolling mobile site: A BC strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer.
crisis management (CM): An organization’s set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
crisis management policy (CM policy): The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams.
crisis management plan (CM plan): The documented product of crisis management planning; a plan that shows the organization’s intended efforts to protect its personnel and respond to safety threats.
crisis management planning (CMP): The actions taken by senior management to develop and implement the CM policy, plan, and response teams.


desk check: The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components.
structured walk-through: The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event; can also be conducted as a conference room talk-through.
talk-through: A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
simulation: The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.
full-interruption testing: The CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals.

[return to top]

What's New in This Module

The following elements are improvements in this module from the previous edition:

• This module was not present in the 6th edition.
• The contingency planning content that was previously found in Chapter 4 was expanded and enhanced to include incident response technologies, SOCs, CSIRTs, and response strategies.
• The content on digital forensics was pulled from Chapter 12 and placed into the context of incident response.

[return to top]

Module Outline

Introduction to Incident Response and Contingency Planning (5.1, PPT Slide 3)

I. Emphasize that this module focuses on the plans made for adverse events: situations in which the technologies an organization relies on are disrupted and business comes to a halt.

II. Stress that the information technology (IT) and information security (InfoSec) communities often assess the entire technological infrastructure of the organization, using the mission statement and current organizational objectives to drive their planning activities. Emphasize that these efforts must be sanctioned by, and must actively support, the general business community of interest.

III. Direct learners to National Institute of Standards and Technology (NIST) Special Publication 800-34, a contingency planning guide for federal information systems. Although it is written for government entities, the information it contains applies to a number of topics discussed in the module.

IV. Present the fact that organizations of every size and purpose should prepare for the unexpected. Note that incidents and disasters arrive in several ways: some develop over time, others strike suddenly with no notice.

V. Emphasize strongly that developing a plan for handling unexpected events must be a high priority for all managers. Note that, for maximum benefit, the plan must assume that key members of the organization may be absent when an issue or emergency occurs.

VI. Compared with past efforts, there is a growing interest in and emphasis on comprehensive and robust planning for adverse circumstances. Stress that sound risk management practices are essential for an organization to be ready for anything that may come its way operationally.

Fundamentals of Contingency Planning (5.2, PPT Slides 4–28)

I. Define the terms adverse event and contingency planning (CP), and explain how the IT and InfoSec communities of interest position themselves to prepare for, defend against, detect, react to, and recover from events that threaten the security of resources and assets. The assets in question include not only information but people and capital assets as well.

II. Outline the four components of CP:

• Business impact analysis (BIA)
• Incident response plan (IR plan)
• Disaster recovery plan (DR plan)
• Business continuity plan (BC plan)

III. Recall that the BIA is a preparatory activity common to both CP and risk management, as covered in the fourth module of the course. It also helps an organization determine which business functions and information systems are most critical to its success.


IV. Clarify that the individuals most likely to be responsible for contingency planning are the chief information officer (CIO), system administrators, the chief information security officer (CISO), and key IT and business managers.

V. Review and develop the foundation of a contingency planning management team (CPMT) and its CP document, as recommended by NIST. Remember that effective CP begins with effective policies. The following steps, as provided in the text, must be followed to produce a solid plan:

• Develop the CP policy statement: A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
• Conduct the BIA: The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes. A template for developing the BIA is provided to assist the user.
• Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
• Create contingency strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
• Develop a contingency plan: The contingency plan should contain detailed guidance and procedures for restoring damaged organizational facilities unique to each business unit’s impact level and recovery requirements.
• Ensure plan testing, training, and exercises: Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation, and exercising the plan identifies planning gaps; when combined, the activities improve plan effectiveness and overall organization preparedness.
• Ensure plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

VI. Examine and explain the sections that a CP policy should contain, as recommended by NIST in its Special Publication (SP) 800-34:

• An introductory statement of philosophical perspective by senior management as to the importance of CP to the strategic, long-term operations of the organization
• A statement of the scope and purpose of the CP operations, stipulating the requirement to cover all critical business functions and activities
• A call for periodic (e.g., yearly) risk assessment and BIA by the CPMT, to include identification and prioritization of critical business functions (while the need for such studies is well understood by the CPMT, the formal inclusion in policy reinforces that need to the rest of the organization)

• A description of the major components of the CP to be designed by the CPMT, as described earlier
• A call for, and guidance in, the selection of recovery options and continuity strategies
• A requirement to test the various plans on a regular basis (e.g., annually, semiannually, or more often as needed)
• Identification of key regulations and standards that impact CP and a brief overview of their relevance
• Identification of key individuals responsible for CP operations, such as establishment of the chief operations officer (COO) as CPMT lead, the CISO as IR team lead, the manager of business operations as DR team lead, the manager of information systems and services as BC team lead, and legal counsel as crisis management team lead
• An appeal to the individual members of the organization, asking for their support and reinforcing their importance as part of the overall CP process
• Additional administrative information, including the original date of the document, revision dates, and a schedule for periodic review and maintenance

VII. Recall that the CPMT collects information about the organization and the threats it faces, both internal and external. In order to plan for incident response, disaster recovery, and business continuity, list the personnel who should be on these teams for maximum effectiveness and application of the plans created:

• Champion: As with any strategic function, the CP project must have a high-level manager to support, promote, and endorse the findings of the project. This champion could be the chief operations officer (COO) or (ideally) the CEO/president.
• Project manager: A champion provides the strategic vision and the linkage to the power structure of the organization but does not manage the project. A project manager (possibly a mid-level operations manager or even the CISO) leads the project, putting in place a sound project planning process, guiding the development of a complete and useful project, and prudently managing resources.
• Team members: The team members should be the managers or their representatives from the various communities of interest: business, IT, and InfoSec. Business managers supply details of their activities and insight into functions that are critical to running the business. IT managers supply information about the at-risk systems used in the development of the BIA and the IR, DR, and BC plans. Some departments that should be represented on the team include:
  i. Corporate communications department/public relations
  ii. Legal affairs and/or attorneys
  iii. Supplemental teams from the incident response planning team (IRPT), disaster recovery planning team (DRPT), business continuity planning team (BCPT), and crisis management planning team (CMPT)

VIII. Comment that larger organizations often have distinct groups with little or no overlap, whereas smaller businesses often have individuals who are responsible for multiple duties across the teams listed above. This can create a major obstacle or challenge if something were to occur.

IX. Strongly emphasize to students that contingency planning often receives little attention and is rarely a high priority; in most cases, organizations don’t address it at all.

Components of Contingency Planning

I. Guide students to review Figures 5-1 and 5-2 in the textbook as visual aids for the contingency planning hierarchy and the contingency planning life cycle.

II. Recognize that, throughout the module, the authors provide extensive detail on how to determine which plan is best suited for the identification, containment, and resolution of an unexpected event.

Business Impact Analysis

I. Define the purpose of the business impact analysis (BIA). Stress that this document is the first major component of the CP process and explain what it is intended for. As the text states, it serves as an investigation and assessment of the impact that various adverse events can have on the organization.

II. Compare and contrast risk management and the BIA. A BIA specifically assumes that the controls in place have been bypassed, have failed, or were ineffective at stopping the attack. Critique this approach, noting that it is best to assume the worst in order to recover quickly to normal operation.

III. Assemble the considerations that should be included in the BIA document, as provided in the text. These are the following:


• Scope: Carefully consider which parts of the organization to include in the BIA; determine which business units to cover, which systems to include, and the nature of the risk being evaluated.
• Plan: The needed data will likely be voluminous and complex, so work from a careful plan to ensure that the proper data is collected to enable a comprehensive analysis. Getting the correct information to address the needs of decision makers is important.
• Balance: Weigh the information available; some information may be objective in nature, while other information may only be available as subjective or anecdotal references. Facts should be weighted properly against opinions; however, sometimes the knowledge and experience of key personnel can be invaluable.
• Objective: Identify in advance what the key decision makers require for making choices. Structure the BIA to bring them the information they need and to facilitate consideration of those choices.
• Follow-up: Communicate periodically to ensure that process owners and decision makers will support the process and result of the BIA.

IV. Order and present the three stages that NIST SP 800-34, Rev. 1, recommends for a BIA:

• Determine mission/business processes and recovery criticality.
• Identify resource requirements.
• Identify recovery priorities for system resources.

Determine Mission/Business Processes and Recovery Criticality

I. State that the first major BIA task is the analysis and prioritization of the business processes in an organization, based on their relationship to the mission of the firm.

II. Clarify that the term mission or business process refers strictly to the business processes that occur in an organization. Note that NIST uses the two terms interchangeably, which may cause unnecessary confusion.

III. Describe to students that, when information is being gathered, collecting critical information about each business unit before prioritizing the functions that must be sustained is a mandatory starting point.

IV. Recommend the use of a weighted table analysis (WTA), as provided in Table 5-1, to resolve which business function(s) are the most critical. This likely provides the most accurate assessment of what is critical and what is less important but still essential to the organization’s operations.
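To make the weighted table analysis concrete for students, here is an added example that is not Table 5-1 from the textbook and not the authors' own material: a short Python script that ranks constructed business functions by a weighted criticality score. The criteria names, the weights (chosen so that they sum to 100), and the 1-to-5 ratings are all assumptions made up for illustration; an instructor can substitute the organization's own criteria and Table 5-1 values.

```python
"""Weighted table analysis (WTA) for ranking business functions by criticality.

Added example with constructed data; it is not Table 5-1 from the textbook.
"""
from typing import Dict, List, Tuple

# Constructed criteria weights. Assumption: they sum to 100 so that the
# weighted score lands on the same 1..5 scale as the individual ratings.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "impact_on_revenue": 40,
    "impact_on_profitability": 30,
    "impact_on_public_image": 20,
    "regulatory_exposure": 10,
}

RATING_MIN, RATING_MAX = 1, 5  # constructed rating scale: 1 = negligible, 5 = severe

# Constructed ratings: how severely the loss of each business function
# would affect the organization under each criterion.
FUNCTION_RATINGS: Dict[str, Dict[str, int]] = {
    "Order processing":    {"impact_on_revenue": 5, "impact_on_profitability": 4,
                            "impact_on_public_image": 3, "regulatory_exposure": 2},
    "Payroll":             {"impact_on_revenue": 2, "impact_on_profitability": 3,
                            "impact_on_public_image": 2, "regulatory_exposure": 5},
    "Customer support":    {"impact_on_revenue": 3, "impact_on_profitability": 3,
                            "impact_on_public_image": 5, "regulatory_exposure": 1},
    "Marketing analytics": {"impact_on_revenue": 2, "impact_on_profitability": 2,
                            "impact_on_public_image": 2, "regulatory_exposure": 1},
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject weight tables that are negative or do not sum to 100."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("criteria weights must be non-negative")
    if sum(weights.values()) != 100:
        raise ValueError(f"criteria weights must sum to 100, got {sum(weights.values())}")


def weighted_score(ratings: Dict[str, int], weights: Dict[str, int]) -> float:
    """Return the weighted criticality score of one business function.

    Every weighted criterion must be rated and every rating must lie on the
    agreed scale; a missing or out-of-range rating is an input error, not
    something to silently treat as zero (which would understate criticality).
    """
    total = 0
    for criterion, weight in weights.items():
        if criterion not in ratings:
            raise KeyError(f"missing rating for criterion {criterion!r}")
        rating = ratings[criterion]
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(
                f"rating {rating} for {criterion!r} is outside {RATING_MIN}..{RATING_MAX}"
            )
        total += weight * rating
    return total / 100


def rank_functions(functions: Dict[str, Dict[str, int]],
                   weights: Dict[str, int]) -> List[Tuple[str, float]]:
    """Rank business functions from most to least critical (ties broken by name)."""
    validate_weights(weights)
    scored = [(name, weighted_score(r, weights)) for name, r in functions.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in rank_functions(FUNCTION_RATINGS, CRITERIA_WEIGHTS):
        print(f"{name:<20} {score:.2f}")
```

With the constructed ratings, "Order processing" ranks first at 4.0 and "Marketing analytics" last at 1.9. Treating a weight table that does not sum to 100, or a function with an unrated criterion, as an error rather than silently scoring it as zero is deliberate: an understated score would push a genuinely critical function down the recovery priority list without anyone noticing.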


V. Align students with the NIST recommendation to use simple qualitative categories for recovery criticality. They include:

• Low impact
• Moderate impact
• High impact

VI. Review the four terms provided within the section with respect to how much of an asset is needed to recover and the time it takes to do so:

• recovery time objective (RTO): The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the maximum tolerable downtime.
• recovery point objective (RPO): The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.
• maximum tolerable downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
• work recovery time (WRT): The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.

VII. Stress that there are often situations where nontechnical tasks are required in order for an organization to make information assets usable again for applicable business functions.

VIII. Express concerns, as aligned with NIST, that failing to determine MTD “could leave contingency planners with imprecise direction on (1) selection of an appropriate recovery method and (2) the depth of detail that will be required when developing recovery procedures, including their scope and content.”

IX. Disseminate Figure 5-5 and provide guidance to learners that the cost balance point provides an optimal point between disruption and recovery costs. Note that this cost will vary greatly from one organization to another.

X. Establish the knowledge that as the CPMT executes the BIA, it will have asset priorities and relative values for mission and/or business processes.

XI. Consequently, point out to students that the presence of high-value information assets may influence the valuation of a particular business process. In any event, once the business processes have been prioritized, the organization should identify, classify, and prioritize the information assets both across the organization and within each business process, placing classification labels on each collection or repository of information to better understand its value and to prioritize its protection.

Identify Recovery Resource Requirements

I. State that once the organization has the list of mission/business processes in place, it will need to recover those processes and the assets that are critical to them.

II. Review Table 5-2 and walk students through the process of identifying the business process or mission, the required resource components, additional resources that may be needed, and a description of what it would take to get it up and running, as well as estimated costs.

Identify System Resource Recovery Priorities

I. Recall that the final step of the BIA is to prioritize the resources associated with the mission/business processes. This is done to determine what needs to be recovered first, even among the most critical processes.

II. Relate that multiple weighted tables can, and may need to, be created so that the resources can be properly and fairly allocated. This also assigns values to each resource more accurately.

III. Establish that persons who oversee the team should not get so bogged down in the process that they lose sight of the objective.

Contingency Planning Policies

I. Identify that the CP team should work to develop the policy environment that will enable the BIA process and should provide specific policy guidance toward the creation of each of the planning components (IR, DR, and BC) before the documents are created.

II. Describe the nature of the documents that are developed. Each of the documents that are part of the CP must include a policy that is similar in structure to all other policies used in the organization.

Incident Response (5.2, PPT Slides 29–59)

I. Define what an incident response is and how it is similar to or different from an adverse event.

II. Express concern that incident response depends on the quick, efficient, and timely containment of an issue that occurs and on its resolution.

III. Summarize the purpose of incident response planning (IR plan) and who is primarily responsible for carrying it out, which is often senior management.


IV. Describe when an IR plan is activated and give an example or two of simple situations when that would happen. In truth, it is any incident, regardless of how minor or major its effect is.

Getting Started

I. Correlate with the process mentioned earlier in the module that the CPMT is responsible for creating the IRPT. This team is then tasked with creating the computer security incident response team (CSIRT).

II. Display and discuss the NIST incident response life cycle as outlined in Figure 5-6. The following steps are included in this process:
• Preparation
• Detection and analysis
• Containment, eradication, and recovery
• Post-incident activity

Note that the detection and analysis step as well as the containment, eradication, and recovery step are cyclical and can happen multiple times in the life cycle.

III. Translate the NIST Cybersecurity Framework in Figure 5-7. Detail the five stages that are part of this framework:
• Identify: Relates to risk management and governance
• Protect: Relates to implementation of effective security controls (policy, education, training and awareness, and technology)
• Detect: Relates to the identification of adverse events
• Respond: Relates to reacting to an incident
• Recover: Relates to putting things “as they were before” the incident

Mention to students that the third, fourth, and fifth steps apply to NIST’s IR strategy in SP 800-61.

Incident Response Policy

I. Present the purpose of the IR policy as a document that provides guidance for developing and implementing IR plans and for the formation and performance of incident response teams.

II. Analyze the core components of the IR policy as denoted in NIST’s SP 800-61, Rev. 2:
• Statement of management commitment
• Purpose and objectives of the policy
• Scope of the policy (to whom and what it applies and under what circumstances)
• Definition of InfoSec incidents and related terms
• Organizational structure and definition of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms

III. Identify that top management must be fully on board and clearly understand the policies being created, as changes to IT infrastructure may be required to prevent or mitigate incidents.

Incident Response Planning

I. Interpret the three characteristics that an InfoSec incident must have in order to be considered a threat (credible or not):
• It is directed against information assets.
• It has a realistic chance of success.
• It threatens the confidentiality, integrity, or availability of information resources and assets.

II. Recognize that IR is a reactive measure and not a preventive one.

III. Identify the core organizational personnel who are responsible for IR planning. These are commonly the CIO, the CISO, or an IT manager with security responsibilities. Other managers may be involved but are likely to be members of the organization’s communities of interest.

IV. Stress that not only must the roles and responsibilities of people on the team be clearly defined, but the plan must also include an alert roster. This is important because these are the go-to people who must be contacted when an incident occurs.

V. Outline the following elements an IR plan must include. This is like the CP process but with a few adjustments:
• Mission
• Strategies and goals


• Senior management approval
• Organizational approach to incident response
• How the incident response team will communicate with the rest of the organization and with other organizations
• Metrics for measuring incident response capability and its effectiveness
• Roadmap for maturing incident response capability
• How the program fits into the overall organization

VI. Detail the three sets of incident handling procedures that are classified together as IR procedures:
• During the incident: The planners develop and document the procedures that must be performed during the incident. These procedures are grouped and assigned to individuals. Systems administrators’ tasks differ from managerial tasks, so members of the planning committee must draft a set of function-specific procedures.
• After the incident: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased. Again, separate functional areas may develop different procedures.
• Before the incident: The planners draft a third set of procedures: those tasks that must be performed to prepare for the incident, including actions that could mitigate any damage from the incident. These procedures include details of the data backup schedules, disaster recovery preparation, training schedules, testing plans, copies of service agreements, and BC plans, if any. At this level, the BC plan could consist just of additional material about a service bureau that stores data off-site via electronic vaulting, with an agreement to provide office space and lease equipment as needed.

VII. Propose to students that an incident and the responses required to mitigate it must be the product of a comprehensive understanding of the information systems and the threats the organization faces.

VIII. Establish the responsibilities of the CSIRT with respect to incidents:
• They are the group required to execute the IR plan.
• Persons who are part of this team must be available when an incident, or a suspected one, is detected. Regardless of the severity, everyone on the team has a specific role to perform to stop the threat as quickly as possible with minimal damage to the organization.


• Decisions are made as a team, as their success depends on their participation and cooperation with others.

IX. Recall the three phases of incident response actions:
• Detection: Recognition that an incident is under way
• Reaction: Responding to the incident in a predetermined fashion to contain and mitigate its potential damage (the new NIST CSF refers to this stage as “Respond” in its Detect, Respond, Recover approach)
• Recovery: Returning all systems and data to their state before the incident

Table 5-3 provides a sample incident handling checklist from NIST SP 800-61, Rev. 2.

Data Protection in Preparation for Incidents

I. Detail the four options that organizations can use to get operations back up and running in a timely manner:
• Traditional data backups: The organization can use a combination of on-site and off-site tape-drive, hard-drive, and cloud backup methods, in a variety of rotation schemes; because the backup point is sometime in the past, recent data is potentially lost. Most common data backup schemes involve a redundant array of independent disks (RAID) or disk-to-disk-to-cloud methods.
• Electronic vaulting: The organization can employ bulk batch transfer of data to an off-site facility, usually via leased lines or secure Internet connections.
• Remote journaling: The organization can transfer live transactions to an off-site facility. Remote journaling differs from electronic vaulting in two ways: (1) only transactions are transferred, not archived data, and (2) the transfer takes place online and much closer to real time. While electronic vaulting is akin to a traditional backup, with a dump of data to the off-site storage, remote journaling involves online activities on a systems level, much like server fault tolerance, where data is written to two locations simultaneously.
• Database shadowing: The organization can store duplicate online transaction data, along with duplicate databases, at the remote site on a redundant server; database shadowing combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two separate locations.

II. Explain the 3-2-1 backup rule and why it is important for organizations to apply this method to their data backup plan (or rhythm).
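To make the recovery point each of these four options can deliver concrete, here is an added example (not code from the textbook or this instructor manual) that simulates them against a constructed transaction stream and an outage, and also models the restore-then-replay-journal step from the Pipkin recovery recommendations later in this module. The transaction timings, batch interval, shipping delay, and order ids are all assumed sample values.

```python
"""Added example, not code from the textbook or its instructor manual.
It simulates the four data-protection options (traditional backups,
electronic vaulting, remote journaling, database shadowing) against a
constructed transaction stream and an outage, to show how much committed
data each option loses, i.e. the recovery point objective (RPO) it actually
meets. It also models the recovery step of restoring the last backup and
then replaying a journal to recreate data changed since then.
All timings, names and records are made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Txn:
    ts: int      # seconds since the start of the constructed business day
    record: str  # the committed change, e.g. an order id


@dataclass
class Site:
    """A recoverable copy of the data and the point in time it is consistent to."""
    records: list = field(default_factory=list)
    consistent_to: int = 0


def traditional_backup(txns, last_backup_ts):
    """Tape, disk or cloud backup taken at last_backup_ts; anything committed
    after it exists only at the primary site."""
    return Site([t for t in txns if t.ts <= last_backup_ts], last_backup_ts)


def electronic_vault(txns, outage_ts, batch_interval):
    """Bulk batch transfer to the off-site facility every batch_interval
    seconds; only batches completed before the outage are usable."""
    last_batch = (outage_ts // batch_interval) * batch_interval
    return Site([t for t in txns if t.ts <= last_batch], last_batch)


def remote_journal(txns, outage_ts, ship_delay):
    """Only transactions are shipped, each arriving ship_delay seconds after
    its local commit; transactions still in flight at the outage are lost, so
    the remote copy is guaranteed consistent only to outage_ts - ship_delay."""
    arrived = [t for t in txns if t.ts + ship_delay <= outage_ts]
    return Site(arrived, max(outage_ts - ship_delay, 0))


def database_shadow(txns, outage_ts):
    """Each write goes to both locations simultaneously, so the remote copy is
    consistent to the moment of the outage."""
    return Site([t for t in txns if t.ts <= outage_ts], outage_ts)


def rpo_achieved(site, outage_ts):
    """Data-loss window in seconds between the last recoverable point and the
    outage: the RPO the option actually delivered."""
    return outage_ts - site.consistent_to


def restore(backup, journal):
    """Recovery step: start from the backup, then replay journal entries that
    were committed after the backup's consistency point."""
    replayed = [t for t in journal.records if t.ts > backup.consistent_to]
    return Site(backup.records + replayed,
                max(backup.consistent_to, journal.consistent_to))


# Constructed sample: seven orders committed during the day, then the primary
# site fails at ts 3500 (the last order is still in flight to the journal).
SAMPLE_TXNS = [Txn(ts, f"ORD-{1000 + i}") for i, ts in
               enumerate((300, 900, 1500, 2100, 2700, 3300, 3450))]
OUTAGE_TS = 3500


def compare_options(txns=SAMPLE_TXNS, outage_ts=OUTAGE_TS):
    """Return {option: (rpo_seconds, records_lost)} for the sample outage."""
    sites = {
        "traditional_backup": traditional_backup(txns, last_backup_ts=0),
        "electronic_vaulting": electronic_vault(txns, outage_ts, batch_interval=1800),
        "remote_journaling": remote_journal(txns, outage_ts, ship_delay=120),
        "database_shadowing": database_shadow(txns, outage_ts),
    }
    committed = sum(1 for t in txns if t.ts <= outage_ts)
    return {name: (rpo_achieved(site, outage_ts), committed - len(site.records))
            for name, site in sites.items()}


if __name__ == "__main__":
    for name, (rpo, lost) in compare_options().items():
        print(f"{name:20s} RPO={rpo:5d}s  records lost={lost}")
    recovered = restore(electronic_vault(SAMPLE_TXNS, OUTAGE_TS, 1800),
                        remote_journal(SAMPLE_TXNS, OUTAGE_TS, 120))
    print("vault + journal replay recovers", len(recovered.records), "records")
```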

Detecting Incidents

I. Summarize the practice of incident classification and why it is important for an IR plan to include it in order to determine the severity of threats that may occur.

II. Recall that incidents are the responsibility of the CSIRT, unless the organization has a security operations center (SOC).

III. Review the first step in the IR process, which is to detect the incident (termed incident detection in the text).

IV. Relate that Donald Pipkin identified three categories of incident indicators: possible, probable, and definite.

Possible Indicators

I. Outline indicators that may warrant an incident to be investigated but may be common within an organization, depending on one’s interpretation:
• Presence of unfamiliar files
• Presence or execution of unknown programs or processes
• Unusual consumption of computing resources
• Unusual system crashes

II. Give examples of each of the possible indicators outlined in the text to enhance the meaning and purpose of each one in a real-world environment.

Probable Indicators

I. Compare and contrast probable indicators with possible indicators and explain how they differ from one another.

II. Review the list of incident candidates, as outlined in the text, that are considered probable indicators of actual incidents:
• Activities at unexpected times
• Presence of new accounts
• Reported attacks
• Notification from an intrusion detection and prevention system (IDPS)

III. Summarize that probable indicators have a greater chance of signaling an actual incident but still require some investigation before that conclusion is made.

Definite Indicators

I. Stress that definite indicators are incident candidates showing that something is happening or has happened. Better put, they are clear signals.

II. Establish an understanding that the IR plan must be activated immediately in a situation like this, and the CSIRT must act.

III. Review the list of incident candidates that are red flags and are considered definite indicators of an actual incident:
• Use of dormant accounts
• Changes to logs
• Presence of hacker tools (both physical and digital)
• Notifications by a partner or peer
• Notifications by a hacker

Probable Incident Results

I. Focus students’ attention on the fact that regardless of whether an incident indicator was possible, probable, or definite, action must still be taken, because consequences can still result that could be detrimental to an organization.

II. Review the five most likely outcomes that an incident can cause. Whether it is a credible threat or a system having issues, any of these can result:
• Loss of availability: Information or information systems become unavailable.
• Loss of integrity: Users report corrupt data files, garbage where data should be, or data that just looks wrong.
• Loss of confidentiality: There is a notification of a sensitive information leak, or information that was thought to be protected has been disclosed.
• Violation of policy: There is a violation of organizational policies addressing information or InfoSec.
• Violation of law or regulation: The law has been broken, and the organization’s information assets are involved.

Reacting to Incidents

I. Recall that once an incident has been confirmed and classified properly, the IR plan moves into the detection phase.

II. Summarize the action steps for reacting to incidents. They include:
• Notifying key personnel
• Documenting the incident(s)
• Strategizing an incident containment plan to minimize impact to the organization
• Escalating the incident, if applicable

Notification of Key Personnel

I. Emphasize the use of an alert roster as the first line of defense and the first step taken once a CSIRT determines that an incident is in progress.

II. Examine the two ways an alert roster is activated:
• Sequentially: This option requires that a designated contact person initiate contact with each person on the roster using the identified method.
• Hierarchically: In the alternative option, the roster requires a specific number of people to be contacted who, in turn, do the same thing, and so on until all are notified.

III. Compare and contrast the advantages and disadvantages of sequentially or hierarchically contacting people within the CSIRT when an incident is in progress.
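As an added example (not part of the instructor manual or the textbook), the following Python model lets students compare the two activation patterns in numbers: how long each takes, and what happens when one roster member cannot be reached. The roster names, the fan-out, the call timing, and the unreachable member are constructed assumptions.

```python
"""Added example, not code from the textbook or its instructor manual: a small
model of the two alert-roster activation patterns (sequential and
hierarchical), so their trade-offs (elapsed time versus a missed branch when
one person cannot be reached) can be compared in numbers. The roster names,
fan-out, call timing and unreachable member are all constructed."""

# Constructed roster; position 0 is the designated contact who starts the
# activation and is assumed to be reachable.
ROSTER = ["ciso", "ir_lead", "net_admin", "sys_admin", "dba",
          "legal", "comms", "hr", "helpdesk"]


def activate_sequential(roster, unreachable=frozenset(), call_time=1):
    """One designated contact (roster[0]) calls every other member in turn.
    Each call costs call_time even when it fails, so total time grows
    linearly with the roster size, but an unreachable member only costs that
    one call: the caller simply moves on to the next name."""
    notified = {roster[0]}
    elapsed = 0
    for member in roster[1:]:
        elapsed += call_time
        if member not in unreachable:
            notified.add(member)
    return elapsed, notified


def activate_hierarchical(roster, fan_out=2, unreachable=frozenset(), call_time=1):
    """Each member who is reached calls the next fan_out positions assigned to
    them (a complete fan_out-ary tree over the roster) and those people do the
    same, so calls proceed in parallel and time grows with the tree depth.
    A member who cannot be reached never makes their calls, so their whole
    branch is silently missed unless the plan provides a fallback."""
    notified = {roster[0]}
    elapsed = 0
    callers = [0]                       # roster positions calling this round
    while callers:
        reached, longest = [], 0
        for pos in callers:
            first = pos * fan_out + 1
            targets = range(first, min(first + fan_out, len(roster)))
            longest = max(longest, len(targets))  # one caller's calls are serial
            for child in targets:
                if roster[child] not in unreachable:
                    notified.add(roster[child])
                    reached.append(child)
        elapsed += longest * call_time  # callers within a round work in parallel
        callers = reached
    return elapsed, notified


def compare(roster=ROSTER, unreachable=frozenset(), fan_out=2):
    """Return {pattern: (elapsed_time, sorted list of members never notified)}."""
    out = {}
    for name, (elapsed, notified) in (
            ("sequential", activate_sequential(roster, unreachable)),
            ("hierarchical", activate_hierarchical(roster, fan_out, unreachable))):
        out[name] = (elapsed, sorted(set(roster) - notified))
    return out


if __name__ == "__main__":
    print("everyone reachable:  ", compare())
    print("ir_lead unreachable: ", compare(unreachable=frozenset({"ir_lead"})))
```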

IV. Detail the purpose of an alert message and why it is important to broadcast it to persons within the CSIRT so the incident can be dealt with quickly and efficiently. Note that other departments, such as general management, legal, communications, and human resources, are notified before external sources using this method.

V. Report that other organizations may need to be notified should the incident be part of a larger-scale assault or affect them as a result.

Documenting an Incident

I. Emphasize that once an incident has been confirmed, the team should begin to document it.

II. Detail that the who, what, when, where, why, and how of each action taken should be noted while the incident is ongoing and up until it has concluded.

III. Note that legally, the standards of due care may offer some protection to the organization if an incident adversely affects individuals inside and outside the organization, or if it affects other organizations that use the target organization’s systems.

Incident Containment Strategies

I. Conclude that the most critical component of an IR plan is to stop the incident and contain its scope and/or impact to the organization. With time being of the essence, detailed analyses here are not the best use of resources, as they may prolong the attack and its results.

II. Propose the following containment strategies provided in the text that the CSIRT can execute to slow or stop an incident in progress:
• Disabling compromised user accounts
• Reconfiguring a firewall to block the problem traffic
• Temporarily disabling compromised processes or services
• Taking down the conduit application or server—for example, the e-mail server
• Disconnecting affected networks or network segments
• Stopping (powering down) all computers and network devices

III. Justify that the last strategy outlined above is a last-ditch effort to preserve data stored on computers so that operations can resume normally once the incident has concluded.

Incident Escalation

I. Recall that one of the challenges for the CSIRT is determining when an incident requires escalation to a disaster, or when to transfer it to an outside authority to handle. This may be to the authorities or another public response unit.

II. Give an example of when an incident has become so large that an IR plan would be ineffective.

III. Relate that once this action has been completed, it cannot be undone, so it should only be done when there is proper justification.

Recovering from Incidents

I. Explain that once an incident has been contained and system control has been regained within the organization, recovery can begin.

II. Describe that the appropriate human resources must be notified once an incident has been terminated, and, at the same time, the CSIRT must go into action to do an immediate damage assessment to determine the severity of the breach.

III. Explain that, to get a comprehensive picture of what happened and what resulted from the incident, system logs, intrusion detection logs, configuration logs, and other documents, as well as the documentation from the incident response, provide information on the type, scope, and extent of damage.

IV. Apply information provided by Donald Pipkin as to what the recovery process should entail. His recommendations are the following:
• Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
• Address the safeguards that failed to stop or limit the incident or were missing from the system in the first place. Install, replace, or upgrade them.
• Evaluate monitoring capabilities (if present). Improve detection and reporting methods or install new monitoring capabilities.
• Restore the data from backups, as needed. The IR team must understand the backup strategy used by the organization, restore the data contained in backups, and then use the appropriate recovery processes, from incremental backups or database journals, to recreate any data that was created or modified since the last backup.
• Restore the services and processes in use. Compromised services and processes must be examined, cleaned, and then restored. If services or processes were interrupted while regaining control of the systems, they need to be brought back online.
• Continuously monitor the system. If an incident happened once, it could easily happen again. Hackers frequently boast of their exploits in chat rooms and dare their peers to match their efforts. If word gets out, others may be tempted to try the same or different attacks on your systems. It is therefore important to maintain vigilance during the entire IR process.
• Restore the confidence of the organization’s communities of interest. The CSIRT, following a recommendation from management, may want to issue a short memorandum outlining the incident and assuring everyone that it was handled and the damage was controlled. If the incident was minor, say so. If the incident was major or severely damaged systems or data, reassure users that they can expect operations to return to normal as soon as possible. The objective of this communication is to prevent panic or confusion from causing additional disruption to the operations of the organization.

V. Apply content from NIST SP 800-184 such that every organization, regardless of its size, function, or location, should have a recovery plan to guide specific efforts after an incident has occurred.

VI. Identify that prior to returning to their routine duties, the CSIRT should conduct an after-action review (AAR). Note that a designated moderator is assigned to complete the document so that it can be shared with internal and external organizations that were directly involved in the containment of the incident.

VII. List the 10 common mistakes that an organization’s CSIRT makes in incident response (IR):
• Failure to appoint a clear chain of command with a specified individual in charge
• Failure to establish a central operation center
• Failure to “know their enemy”
• Failure to develop a comprehensive IR plan with containment strategies
• Failure to record IR activities at all phases, especially help-desk tickets to detect incidents
• Failure to document the events as they occur in a timeline
• Failure to distinguish incident containment from incident remediation (as part of reaction)
• Failure to secure and monitor networks and network devices
• Failure to establish and manage system and network logging
• Failure to establish and support effective antivirus and antimalware solutions

VIII. Differentiate the recommendations that NIST SP 800-61, Rev. 2, makes with respect to handling incidents:

• Acquire tools and resources that may be of value during incident handling.
• Prevent incidents from occurring by ensuring that networks, systems, and applications are sufficiently secure.
• Identify precursors and indicators through alerts generated by several types of security software.
• Establish mechanisms for outside parties to report incidents.
• Require a baseline level of logging and auditing on all systems and a higher baseline level on all critical systems.
• Profile networks and systems.
• Understand the normal behaviors of networks, systems, and applications.
• Create a log retention policy.
• Perform event correlation.
• Keep all host clocks synchronized.
• Maintain and use a knowledge base of information.
• Start recording all information as soon as the team suspects that an incident has occurred.
• Safeguard incident data.
• Prioritize handling of incidents based on relevant factors.
• Include provisions for incident reporting in the organization’s incident response policy.
• Establish strategies and procedures for containing incidents.
• Follow established procedures for evidence gathering and handling.
• Capture volatile data from systems as evidence.
• Obtain system snapshots through full forensic disk images, not file system backups.
• Hold lessons-learned meetings after major incidents.

Organizational Philosophy on Incident and Disaster Handling

I. Compare and contrast the two approaches that an organization must choose from with respect to its IR and DR approach as well as its involvement with digital forensics and law enforcement agencies. The options are protect and forget and apprehend and prosecute.
• Protect and forget: This approach, also known as “patch and proceed,” focuses on the defense of data and the systems that house, use, and transmit it. An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened and to prevent reoccurrence. Once the current event is over, the questions of who caused it and why are almost immaterial.
• Apprehend and prosecute: This approach, also known as “pursue and punish,” focuses on the identification and apprehension of responsible individuals, with additional attention paid to the collection and preservation of potential evidentiary material that might support administrative or criminal prosecution. This approach requires much more attention to detail to prevent contamination of evidence that might hinder prosecution.

II. Stress that an organization may find it difficult to have enough data to administer penalties, rather than pursue formal punishment, should an employee challenge them.

III. Emphasize that without notifying individuals of data breaches, companies put themselves seriously at risk of criminal charges or corporate negligence lawsuits.

Quick Quiz 1

1. What is the term for the actions taken by management that specify the organization's efforts and actions if an adverse event becomes an incident or disaster?
a. CSIRT plan
b. contingency planning
c. business continuity plan
d. business process
Answer: b

2. Which of the following is NOT a stage as described in NIST’s SP 800-34, Rev. 1?
a. Determine mission/business process and recovery criticality.
b. Identify resource requirements.
c. Identify recovery priorities for system requirements.
d. There is no wrong answer, as these are the three stages described in this document.
Answer: d

3. Providing customer billing, as mentioned in the text, is an example of what?
a. potential incident that can occur in an organization
b. additional resource detail
c. mission/business process
d. description and estimated cost
Answer: c

4. True or False: The NIST Cybersecurity Framework has a total of four processes that are cyclical in nature.
Answer: False

5. True or False: Remote journaling is the process in which an organization can transfer live transactions to an off-site facility.
Answer: True

6. True or False: An alert roster often is done one of two ways: sequentially or hierarchically.
Answer: True

Digital Forensics (5.3, PPT Slides 60–69)

I. Comprehend that when the asset attacked is in the purview of the CISO, they are expected to understand how policies and laws require the matter to be managed. The investigation of what happened and how is called digital forensics.

II. Detail how digital forensics is based on the field of traditional forensics. Mention to students that forensics is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting.

III. Define digital forensics as the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Like traditional forensics, it follows clear, well-defined methodologies, but still tends to be as much art as science.

IV. Outline how digital forensics is often used for two key purposes:

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

27


Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 5: incident Response and Contingency Planning

V.

To investigate allegations of digital malfeasance: Such an investigation requires digital forensics to gather, analyze, and report the findings.

To perform root cause analysis: If the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was.

Relate that depending on the circumstances, some investigations are undertaken by organization personnel, whereas more severe cases require the immediate involvement of law enforcement. This is specific to cases with allegations of digital malfeasance, for example.

The Digital Forensics Team

I. Emphasize that most organizations cannot sustain a permanent digital forensics team. Even so, there should be people in the information security group trained to understand and manage the forensics process.

II. Recall that this expertise can be obtained by sending staff members to a regional or national information security conference with a digital forensics track or to dedicated digital forensics training. Organizations should be aware that this can be costly, but depending on their industry and the frequency of attacks they face, it can be a good investment.

Affidavits and Search Warrants

I. Label that an affidavit is sworn testimony that certain facts are in the possession of the investigating officer that they feel warrant the examination of specific items located at a specific place.

II. Distinguish that when an approving authority signs the affidavit or creates a synopsis form based on this document, it becomes a search warrant.

III. Stress that in corporate environments, the names of these documents may change and, in many cases, the authorization may be verbal in nature, but the process should be the same: formal permission is obtained before an investigation occurs.

Digital Forensics Methodology

I. Broadcast that all investigations that use digital forensics apply the same basic methodology:

• Identify relevant evidentiary material (EM).

• Acquire (seize) the evidence without alteration or damage.

• Take steps to assure that the evidence at every step is verifiably authentic and is unchanged from the time it was seized.

• Analyze the data without risking modification or unauthorized access.

• Report the findings to the proper authority.

II. Recommend that, to support the selection and implementation of a methodology, an organization consult legal counsel together with local or state law enforcement.

III. Recommend that students review the following resources provided in the text, which should be part of an organization’s library:

• Electronic Crime Scene Investigation: A Guide for First Responders, 2nd Edition, April 2008 (https://www.ncjrs.gov/pdffiles1/nij/219941.pdf)

• Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf)

• Scientific Working Group on Digital Evidence: Published Guidelines and Best Practices (https://www.swgde.org/documents/published)

• First Responders Guide to Computer Forensics (https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14429.pdf)

• First Responders Guide to Computer Forensics: Advanced Topics (http://resources.sei.cmu.edu/asset_files/handbook/2005_002_001_14432.pdf)

Identifying Relevant Items

I. Explain that the affidavit and/or warrant that has been issued authorizes a search but must identify which items of evidence can be seized and their locations.

II. Emphasize that EM that fits the description on the authorization can be seized.

III. Note, though, that searches and seizures often occur under stressful conditions and strict time restrictions.

Acquiring the Evidence

I. Emphasize to students that the principal responsibility of the response team is to get the information without making any adjustments or alterations to it.

II. Present two options that can be used to acquire evidence from a system:

a. Offline: This is when an investigator removes the power source and then uses a utility or special device to make a bit-stream, sector-by-sector copy of the hard drives contained in the system.

b. Online (or live): Alternately, this is when investigators use network-based tools to acquire a protected copy of the information. Note that the only key difference between the two options is that in the online case the source system cannot be taken offline, and the tools required do not alter the system while acquiring data.

III. Present Table 5-4 to students, showing them a summary of methods employed to acquire forensic data.

IV. State that not all evidentiary material is on a perpetrator’s hard drive, as that would be too obvious a place to keep it. A technically savvy attacker is more likely to store incriminating evidence on other digital media, such as removable drives, CDs, DVDs, flash drives, memory chips or sticks, or other computers accessed across the organization’s networks or via the Internet.

V. Relate that once evidence has been acquired, both the copy image and the original drive should be handled so as to ward off legal challenges based on authenticity and preservation of integrity.

VI. Identify how chain of evidence or chain of custody is defined as the detailed documentation of the collection, storage, transfer, and ownership of collected evidence from the crime scene through its presentation in court.

VII. Educate learners that the copy or image is typically transferred to the laboratory for the next stage of authentication. The team must be able to demonstrate that any analyzed copy or image is a true and accurate replica of the source EM. This is accomplished using cryptographic hash tools.
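As an added example (not code from the instructor manual or the textbook), the following Python models the acquisition, hash authentication, and chain-of-custody steps described in items II, VI, and VII above: a sector-by-sector copy of a constructed stand-in for a seized drive, verification that a lab copy matches the hash recorded at seizure, and a tamper-evident custody log. The handler names, the item labels, and the drive serial placeholder are hypothetical.

```python
"""Hash-verified imaging with a chain-of-custody log (added example).

The 'drive' is a constructed in-memory byte string so the example runs offline;
a real acquisition would read the media through a write-blocker with a forensic
imaging tool and record the same hashes.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR_SIZE = 512  # bit-stream imaging copies the media sector by sector


def sha256_stream(stream, chunk_size=SECTOR_SIZE):
    """Hash a file-like object from its start without loading it all into memory."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image):
    """Offline acquisition: sector-by-sector copy of `source` into `image`.

    Returns (source_hash, image_hash), each computed independently so that the
    copy itself is authenticated, not just the original.
    """
    source.seek(0)
    for block in iter(lambda: source.read(SECTOR_SIZE), b""):
        image.write(block)
    return sha256_stream(source), sha256_stream(image)


def verify_copy(reference_sha256, copy_stream):
    """Authenticate an analysis copy against the hash recorded at seizure."""
    return sha256_stream(copy_stream) == reference_sha256


class CustodyLog:
    """Chain-of-custody records: who handled which item, when, and its hash.

    Each record also carries the hash of the previous record, so editing or
    removing an entry after the fact is detected by verify_chain().
    """

    def __init__(self):
        self.records = []

    def add(self, handler, action, item, item_sha256):
        prev = self.records[-1]["record_sha256"] if self.records else "0" * 64
        record = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "item": item,
            "item_sha256": item_sha256,
            "prev_record_sha256": prev,
        }
        body = json.dumps(record, sort_keys=True).encode()
        record["record_sha256"] = hashlib.sha256(body).hexdigest()
        self.records.append(record)
        return record

    def verify_chain(self):
        prev = "0" * 64
        for record in self.records:
            if record["prev_record_sha256"] != prev:
                return False
            body = {k: v for k, v in record.items() if k != "record_sha256"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if expected != record["record_sha256"]:
                return False
            prev = record["record_sha256"]
        return True


def run_demo():
    """Walk one item from seizure to lab; returns (lab_ok, tampered_ok, chain_ok)."""
    # Constructed stand-in for a seized drive: three sectors of sample content.
    drive = io.BytesIO(b"INVOICE DATA".ljust(SECTOR_SIZE, b"\0") * 3)
    image = io.BytesIO()
    log = CustodyLog()

    src_hash, img_hash = acquire_image(drive, image)
    assert src_hash == img_hash, "image does not match source"
    log.add("examiner-1 (hypothetical)", "seized", "drive-serial-PLACEHOLDER", src_hash)
    log.add("examiner-1 (hypothetical)", "imaged", "image-001", img_hash)

    # The lab authenticates its working copy before any analysis begins.
    lab_copy = io.BytesIO(image.getvalue())
    lab_ok = verify_copy(src_hash, lab_copy)
    log.add("lab-tech-2 (hypothetical)", "received", "image-001", sha256_stream(lab_copy))

    # A copy altered in transit (one byte flipped) fails the same check.
    tampered = bytearray(image.getvalue())
    tampered[SECTOR_SIZE + 3] ^= 0x01
    tampered_ok = verify_copy(src_hash, io.BytesIO(bytes(tampered)))

    return lab_ok, tampered_ok, log.verify_chain()


if __name__ == "__main__":
    print(run_demo())  # prints (True, False, True)
```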

VIII. Justify that the most difficult and often complex part of an investigation is the analysis of the copy or image for potential EM. While the process can be performed manually using simple utilities, two industry-leading applications dominate the market for digital forensics. Recommend students research the following software titles and summarize their findings:

a. Guidance Software’s EnCase (www.guidancesoftware.com)

b. AccessData Forensic Toolkit (FTK, at www.accessdata.com)

c. OSForensics (www.osforensics.com)

IX. Evaluate the first component of the analysis phase, which is indexing. Mention that tools organize files into categories, such as documents, images, and executables.

X. Explain that once investigators have found a suitable amount of information, they can summarize their findings with a synopsis of their investigatory procedures in a report and submit it to the appropriate authority. Point out that the authority might be law enforcement or management.

Evidentiary Procedures

I. Compare and contrast how in information security, most operations focus on policies—those documents that provide managerial guidance for ongoing implementation and operations. In digital forensics, however, the focus is on procedures instead.

II. Establish an understanding that strong procedures for handling evidentiary material minimize the chance an organization would lose a legal challenge.

III. Outline the core components of specific procedures and how to use them with regard to evidence-based practices:

• Who may conduct an investigation

• Who may authorize an investigation

• What affidavits and related documents are required

• What search warrants and related documents are required

• What digital media may be seized or taken offline

• What methodology should be followed

• What methods are required for chain of custody or chain of evidence

• What format the final report should take, and to whom it should be given

IV. Explain how the policy document should be supported by a procedures manual, developed based on the documents discussed earlier, along with guidance from law enforcement or consultants.

Disaster Recovery (5.3, PPT Slides 70–80)

I. Differentiate disaster recovery from incident planning and explain what is involved in a disaster recovery plan (DR plan). Explain that, at times, incidents are escalated to disasters depending on their severity.

II. Refresh students’ memory that the CP team creates the DR planning team (DRPT), which in turn organizes the DR response team (DRRT) should a disaster strike.

III. Review the responsibilities that a DRRT would need to execute to bring an organization back online in the event of a disaster:

• Recover information assets that are salvageable from the primary facility after the disaster.

• Purchase or otherwise acquire replacement information assets from appropriate sources.

• Reestablish functional information assets at the primary site if possible or at a new primary site, if necessary.

IV. Assemble the common elements of a DRRT as provided in the text:

• DR management team: Coordinates the on-site efforts of all other DRRTs.

• Communications team: With representatives from the public relations and legal departments, provides feedback to anyone who wants additional information about the organization’s efforts in recovering from the disaster.

• Computer recovery (hardware) team: Works to recover any physical computing assets that might be usable after the disaster and acquire replacement assets for resumption of operations.

• Systems recovery (OS) team: Works to recover operating systems and may contain one or more specialists on each operating system that the organization employs; may be combined with the applications recovery team as a “software recovery team” or with the hardware team as a “systems recovery team” or “computer recovery team.”

• Network recovery team: Works to determine the extent of damage to the network wiring and hardware (hubs, switches, and routers) as well as to Internet and intranet connectivity.

• Storage recovery team: Works with the other teams to recover storage-related information assets; may be subsumed into other hardware and software teams.

• Applications recovery team: Works to recover critical applications.

• Data management team: Works on data restoration and recovery, whether from on-site, off-site, or online transactional data.

• Vendor contact team: Works with suppliers and vendors to replace damaged or destroyed materials, equipment, or services, as determined by the other teams.

• Damage assessment and salvage team: Specialized individuals who provide initial assessments of the extent of damage to materials, inventory, equipment, and systems on-site.

• Business interface team: Works with the remainder of the organization to assist in the recovery of nontechnology functions.

• Logistics team: Responsible for providing any needed supplies, space, materials, food, services, or facilities at the primary site; may be combined with the vendor contact team.

• Other teams as needed.

The Disaster Recovery Process

I. Examine the two criteria that classify that a disaster has occurred: the organization is unable to contain or control the impact of an incident, or the level of damage or destruction from an incident is so severe that the organization cannot quickly recover from it.

II. Emphasize that it rests on the DRPT’s shoulders to determine if an event is an incident or a disaster. Whatever is decided provides direction as to which plan will be activated should it occur.

III. Construct the eight-step sequence for creating a disaster recovery process:

• Organize the DR team: The initial assignments to the DR team, including the team lead, will most likely be performed by the CPMT; however, additional personnel may need to be assigned to the team as the specifics of the DR policy and plan are developed, and as individual roles and responsibilities are defined and assigned.

• Develop the DR planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.

• Review the BIA: The BIA was prepared to help identify and prioritize critical information and its host systems. A review of what was discovered is an important step in the process.

• Identify preventive controls: Measures taken to reduce the effects of business and system disruptions can increase information availability and reduce contingency life cycle costs.

• Create DR strategies: Thorough recovery strategies ensure that the system can be recovered quickly and effectively following a disruption.

• Develop the DR plan document: The plan should contain detailed guidance and procedures for restoring a damaged system.

• Ensure DR plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

• Ensure DR plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.

Disaster Recovery Policy

I. Summarize that upon the creation of the DR team, the manager placed in charge of the group will begin the creation of the DR policy. Note that this document may have already been created by the CP team; otherwise, the DR policy will need to be created from scratch.

II. Outline the key elements that are included in the DR plan:

• Purpose: The purpose of the DR program is to provide direction and guidance for all DR operations. In addition, the program provides for the development and support of the DR plan. In everyday practice, those responsible for the program must also work to emphasize the importance of creating and maintaining effective DR functions. As with any major enterprise-wide policy effort, it is important for the DR program to begin with a clear statement of executive vision.

• Scope: This section of the policy identifies the organizational units and groups of employees to which the policy applies. This clarification is important if the organization is geographically dispersed or is creating different policies for different organizational units.

• Roles and responsibilities: This section of the policy identifies the roles and responsibilities of the key players in the DR operation. It can include a delineation of the responsibilities of executive management down to individual employees. Some sections of the DR policy may be duplicated from the organization’s overall CP policy. In smaller organizations, this redundancy can be eliminated, as many of the functions are performed by the same group.

• Resource requirements: An organization can allocate specific resources to the development of DR plans here. While this may include directives for individuals, it can be separated from the previous section for emphasis and clarity.

• Training requirements: This section defines and highlights training requirements for units within the organization and the various categories of employees.

• Exercise and testing schedules: This section stipulates the testing intervals of the DR plan as well as the type of testing and the individuals involved.

• Plan maintenance schedule: This section states the required review and update intervals of the plan and identifies who is involved in the review. It is not necessary for the entire DR team to be involved, but the review can be combined with a periodic test of the DR plan as long as the resulting discussion includes areas for improving the plan.

• Special considerations: This section includes such items as information storage and maintenance.

Disaster Classification

I. Examine how disasters can be classified by a DR team and/or in the policies that are created as part of the team’s work.

II. Recall that disasters can be categorized by severity, type, or the amount of damage they would cause. Recognize that the authors split them into two core categories: slow-onset disasters and rapid-onset disasters.

• Slow-onset disasters are ones that build up over time and may have been incidents initially and are now disasters.

• Rapid-onset disasters happen with little or no notice and affect lives, property, and production.

III. Relate that it is the responsibility of the senior IT or InfoSec manager, working with the CSIRT and DR team leads, to classify an incident as a disaster or not.

IV. Guide learners to review Table 5-5, which has a list of natural disasters, their effects, and mitigation recommendations.

Planning to Recover

I. Emphasize that in the recovery process, information is not the most important asset that should be focused on; rather, it is people.

II. State that organizations must take a proactive approach to cross-train employees to ensure that operations will have some sense of normalcy after a disaster strikes. This includes periodic testing of the DR plan so the effort can be carried out quickly and efficiently.

III. Review the key elements of the DR plan with respect to recovery:

• Clear delegation of roles and responsibilities: Everyone assigned to the DR team should be aware of his or her duties during a disaster. Some team members may be responsible for coordinating with local services, such as fire, police, and medical personnel. Some may be responsible for the evacuation of company personnel, if required. Others may be assigned to simply pack up and leave.

• Execution of the alert roster and notification of key personnel: These notifications may extend outside the organization to include the fire, police, or medical services mentioned earlier, as well as insurance agencies, disaster teams such as those of the Red Cross, and management teams.

• Clear establishment of priorities: During a disaster response, the priority is always the preservation of human life. Data and systems protection is subordinate when the disaster threatens the lives, health, or welfare of the employees or members of the community. Only after all employees and neighbors have been safeguarded can the DR team attend to protecting other organizational assets.

• Procedures for documentation of the disaster: Just as in an incident response, the disaster must be carefully recorded from the onset. This documentation is used later to determine how and why the disaster occurred.

• Action steps to mitigate the impact of the disaster on the operations of the organization: The DR plan should specify the responsibilities of each DR team member, such as the evacuation of physical assets or making sure that all systems are securely shut down to prevent further loss of data.

• Alternative implementations for the various system components, should primary versions be unavailable: These components include standby equipment that is either purchased, leased, or under contract with a DR service agency. Developing systems with excess capacity, fault tolerance, auto-recovery, and fail-safe features facilitates a quick recovery. Something as simple as using Dynamic Host Configuration Protocol (DHCP) to assign network addresses instead of using static addresses can allow systems to regain connectivity quickly and easily without technical support. Networks should support dynamic reconfiguration; restoration of network connectivity should be planned. Data recovery requires effective backup strategies as well as flexible hardware configurations. System management should be a top priority. All solutions should be tightly integrated and developed in a strategic plan to provide continuity. Piecemeal construction can result in a disaster after the disaster, as incompatible systems are unexpectedly thrust together.

IV. Highlight that each employee should always have two sets of emergency information in their possession: emergency information (people to notify if something happens, such as next of kin, medical conditions, and a form of identification) and instructions on what to do in an emergency (such as a number to contact, emergency service numbers, and evacuation and assembly locations). Recommend that students review Figure 5-11 for an example of an emergency ID card.

Responding to the Disaster

I. Stress to students that the response to a disaster, and how it is handled, can be a make-or-break moment for the organization.

II. Emphasize that when a primary site has been destroyed by a disaster (human-made or otherwise), the DR process transitions into a business continuity process.

Business Continuity (5.3, PPT Slides 81–88)

I. Denote to students that the purpose of business continuity is the continued operation of an organization after a disaster has occurred. This may or may not be at the original location where the disaster took place.

II. Report the purpose of business continuity planning and the BC plan that results from it. However, mention that not every business requires this, depending on its makeup.

III. Relate that the BC plan is another component of contingency planning (CP) and that, in line with the other processes outlined in the module, the first step is planning.

IV. Assemble and construct the steps necessary to develop and maintain a viable and strong BC program:

• Form the BC team: As was done with the DR planning process, the initial assignments to the BC team, including the team lead, will most likely be performed by the CPMT; however, additional personnel may need to be assigned to the team as the specifics of the BC policy and plan are developed, and their individual roles and responsibilities will have to be defined and assigned.

• Develop the BC planning policy statement: A formal organizational policy provides the authority and guidance necessary to develop an effective continuity plan. As with any enterprise-wide policy process, it is important to begin with the executive vision.

• Review the BIA: Information contained within the BIA can help identify and prioritize critical organizational functions and systems for the purposes of business continuity, making it easier to understand what functions and systems will need to be reestablished elsewhere in the event of a disaster.

• Identify preventive controls: Little is done here exclusively for BC. Most of the steps taken in the CP and DRP processes will provide the necessary foundation for BCP.

• Create relocation strategies: Thorough relocation strategies ensure that critical business functions will be reestablished quickly and effectively at an alternate location following a disruption.

• Develop the BC plan: The BC plan should contain detailed guidance and procedures for implementing BC strategies at predetermined locations in accordance with management’s guidance.

• Ensure BC plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

• Ensure BC plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.

V. Emphasize that the BC plan must continually be updated, as circumstances and the nature and frequency of disasters can change over time.

Business Continuity Policy

I. Recall that business continuity planning begins with the BC policy, as outlined in the text and below.

II. Outline the key sections that must be included in the BC policy document:

• Purpose: The purpose of the BC program is to provide the necessary planning and coordination to help relocate critical business functions should a disaster prohibit continued operations at the primary site.

• Scope: This section identifies the organizational units and groups of employees to which the policy applies. This is especially useful in organizations that are geographically dispersed or that are creating different policies for different organizational units.

• Roles and responsibilities: This section identifies the roles and responsibilities of key players in the BC operation, from executive management down to individual employees. In some cases, sections may be duplicated from the organization’s overall CP policy. In smaller organizations, this redundancy can be eliminated because many of the functions are performed by the same group of individuals.

• Resource requirements: Organizations can allocate specific resources to the development of BC plans. Although this section may include directives for individual team members, it can be separated from the roles and responsibilities section for emphasis and clarity.

• Training requirements: This section specifies the training requirements for the various employee groups.

• Exercise and testing schedules: This section stipulates the frequency of BC plan testing and can include both the type of exercise or testing and the individuals involved.

• Plan maintenance schedule: This section specifies the procedures and frequency of BC plan reviews and identifies the personnel who will be involved in the review. It is not necessary for the entire BC team to be involved; the review can be combined with a periodic test of the BC plan (as in a talk-through) as long as the resulting discussion includes areas for plan improvement.

• Special considerations: In extreme situations, the DR and BC plans overlap, as described earlier. Thus, this section provides an overview of the organization’s information storage and retrieval plans. While the specifics do not have to be elaborated on in this document, the plan should at least identify where more detailed documentation is kept, which individuals are responsible, and any other information needed to implement the strategy.

III. Propose to students that this structure looks like that of a disaster recovery policy and plan. Stress that these are similar in nature but have some minor differences.

Business Resumption

I. Explain that, depending on the organization, the disaster recovery and business continuity plans are most often merged into one single function known as the business resumption plan.

II. Emphasize that the planning that takes place must support the reestablishment of business at two locations (original and alternate) when applicable.

Continuity Strategies

I. Outline the two most commonly used types of facilities used post-disaster as part of a recovery process: exclusive use and shared use.

II. Describe the three types of exclusive-use sites: hot, warm, and cold.

III. Compare and contrast the exclusive-use sites with timeshares and service bureaus, which are shared-use sites. Note that mutual agreements likely need to be in place before a disaster occurs so that the temporary transition is smooth while the existing facility is being rebuilt.

IV. Propose to students that a mobile site or cloud-based provisioning may be alternate options depending on the needs of an organization and the severity of the damage that was caused.

Timing and Sequence of CP Elements

I. Comment that in most cases, DR plans focus on restoring systems after a disaster or incident has occurred. However, if damage is long-term, then additional planning and strategy must be executed for operations to continue.

II. Summarize to students that arguments are often made with respect to the similarities of IR, DR, and BC planning, but they all have specific components that differentiate them from one another and are critical to contingency planning. Reference Figure 5-14 for the comparisons.

Crisis Management (5.4, PPT Slides 89–94)

I. Identify that an additional plan that organizations often have in place is a crisis management plan. This is one that deals with human injury, trauma, or loss of life resulting from a disaster.

II. Emphasize that the human resource is the most important resource of an organization, outside of the information within it.

III. Outline the roles of the crisis management planning team (CMPT), which include:

• Supporting personnel and their loved ones during the crisis

• Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise

• Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

IV. Describe the responsibilities that the CPMT, which includes personnel from all functional parts of an organization, should establish:

• Verifying personnel status

• Activating the alert roster

• Coordinating with emergency services

V. Comment that a CM policy and plan should follow a structure and methodology similar to the other plans discussed in the module (IR, DR, and BC).

Testing Contingency Plans (5.5, PPT Slide 95)

I. Stress that written plans only go so far; organizations must test their plans frequently to find weaknesses and areas for improvement, and to accommodate additional threats that may appear over time.

II. Describe the four most common ways contingency plans can be tested:
• Desk checks
• Structured walk-throughs
• Simulations
• Full-interruption testing

III. Emphasize the timing of tests, since running them during the business day may cause unnecessary interruptions and avoidable panic.


IV. Review the recommendations made by former Navy SEAL Richard Marcinko with respect to motivating a team:
• The more you sweat to train, the less you bleed in combat.
• Training and preparation can hurt.
• Lead from the front, not the rear.
• You don’t have to like it; you just have to do it.
• Keep it simple.
• Never assume.
• You are paid for results, not methods.

V. Stress the importance of cross-training so that if a real disaster occurs and the people assigned to certain roles are unavailable, others can step into those roles and perform them just as effectively.

Final Thoughts on CP (PPT Slide 96)

I. Propose to students that a critical component of the NIST-based methodologies presented in this module is continuous process improvement (CPI). Each time the organization rehearses its plans, it should learn from the process, improve the plans, and then rehearse again. Each time an incident or disaster occurs, the organization should review what went right and what went wrong.

Quick Quiz 2

1. Which of the following is NOT part of the disaster recovery policy?
a. financing
b. purpose
c. exercise and testing schedules
d. scope
Answer: a

2. What type of data acquisition is done where information is taken off as a protected copy while a system is actively live for the purpose of business continuity?
a. offline
b. online
c. transitory
d. slow-dripping
Answer: b

3. A ________ is sworn testimony that certain facts are in the possession of an investigating officer, and they warrant the examination of specific items located in a location.
a. memorandum
b. piece of evidence
c. legal directive
d. affidavit
Answer: d

4. In a ________, the organization creates a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and is expected to react as if it had occurred.
a. desk check
b. simulation
c. full-interruption test
d. structured walk-through
Answer: b

5. Which of the following is a primary responsibility of the CPMT?
a. conducting a building walk-through during an emergency
b. securing financing so that physical infrastructure can be immediately replaced
c. coordinating with emergency services in the event someone is injured or killed
d. gathering criminal evidence of wrongdoing
Answer: c

6. True or False: The term chain of evidence is also known as a chain of custody.
Answer: True

7. True or False: An example of a disaster classification plan is a scale that has Minor, Moderate, Severe, and Critical categories.
Answer: True

[return to top]

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:

1. Compare and contrast the different plans described in the module. Split the class into two. One side should explain how the plans are like each other and why some companies have only one master plan. The other side should argue how they are different and why it is important to have separate plans as part of an organization's contingency plan. (5.1, 5.2, 5.4, PPT Slides 3–5, 8–46, 50–78, and 81–91) Duration: 15 minutes.

2. Explain why crisis planning is as important as securing and protecting the information within an organization. (5.1, 5.5, PPT Slides 3–5, 93–96) Duration: 15 minutes.

3. Poll the class to determine which plan they feel is superior to the others. Have them justify why one plan is more important than the others described in the module. Although they are all equally important, some may have more applicability to a given organization than others. (5.2, 5.3, 5.5, PPT Slides 8–46, 50–78, 81–91, and 94–96) Duration: 15 minutes.

[return to top]

Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use ClamAV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments

Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:

1. Have students create a simple contingency plan for a business of their choice. Ask them to apply the information from the text as well as outside resources. Group the class into small teams and designate one person from each team as the spokesperson who explains the team's plan for the chosen business.

2. Direct students to review a contingency plan for a local business or their school. Compare and contrast the strengths and weaknesses of the plan and how it could be improved. Ask them to explain how they would share their findings on needed improvements with the executives outlined in the module.

[return to top]

Additional Resources

Cengage Video Resources
• MindTap Video: Contingency Planning

Internet Resources
• American Society of Digital Forensics
• Automated Notification System Review
• Incident Handlers Handbook by Patrick Kral
• NIST Cybersecurity Framework

[return to top]


Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]



Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 6: Legal, Ethical, and Professional Issues in Information Security

Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 6: Legal, Ethical, and Professional Issues in Information Security

Table of Contents

Purpose and Perspective of the Module .... 2
Cengage Supplements .... 2
Module Objectives .... 2
Complete List of Module Activities and Assessments .... 2
Key Terms .... 3
What's New in This Module .... 4
Module Outline .... 4
Discussion Questions .... 25
Suggested Usage for Lab Activities .... 26
Additional Activities and Assignments .... 27
Additional Resources .... 28
  Cengage Video Resources .... 28
  Internet Resources .... 28
Appendix .... 29
  Grading Rubrics .... 29


Purpose and Perspective of the Module

Personnel in an organization are the lifeblood that makes it run daily. Maintaining the business and having the right people on the information security team is even more important to ensure that data is always kept safe and secure. In this module, students will review where and how information security should be positioned within an organization, including the people responsible for it, their roles, and the credentials they could earn to gain more credibility within the industry. Near the end of the module, students will gain an understanding of how employment policies and practices can support the effort, including the special security controls and considerations that apply to personnel management.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:
6.1 Explain the differences between laws and ethics.
6.2 Describe the relevant laws, regulations, and professional organizations of importance to information security.
6.3 Identify major national and international laws that affect the practice of information security.
6.4 Discuss the role of privacy as it applies to law and ethics in information security.
6.5 Explain the roles of some U.S. law enforcement agencies with an interest in information security.

Complete List of Module Activities and Assessments

For additional guidance, refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
6.1 and 6.2 | 8–9 | Knowledge Check 1 | 2 minutes
6.2 | 18–19 | Knowledge Check 2 | 2 minutes
6.2 | 24–25 | Knowledge Check 3 | 2 minutes
6.2–6.5 | 53–54 | Knowledge Check 4 | 2 minutes
6.1–6.5 | 58 | Self-Assessment | 5 minutes
| MindTap | Module 06 Review Questions | 30–40 minutes
| MindTap | Module 06 Case Exercises | 30 minutes
| MindTap | Module 06 Exercises | 10–30 minutes per question; 1+ hour per module
| MindTap | Module 06 Security for Life | 1+ hour
| MindTap | Module 06 Quiz | 10–15 minutes

[return to top]

Key Terms

In order of use:

laws: Rules that mandate or prohibit certain behavior and are enforced by the state.

ethics: The branch of philosophy that considers nature, criteria, sources, logic, and the validity of moral judgment.

cultural mores: The fixed moral attitudes or customs of a particular group.

liability: An entity’s legal obligation or responsibility.

restitution: A legal requirement to make compensation or payment resulting from a loss or injury.

due care: Reasonable and prudent measures that an organization takes to ensure it is in compliance with a law, regulation, or requirement.

due diligence: Measures taken to ensure that an organization continues to meet the obligations imposed by laws, regulations, and requirements; the management of due care.

jurisdiction: The power to make legal decisions and judgments; also, the domain or area within which an entity such as a court or law enforcement agency is empowered to make legal decisions and perform legal actions.

long-arm jurisdiction: The ability of a legal entity to exercise its influence beyond its normal boundaries by asserting a connection between an out-of-jurisdiction entity and a local legal case.

privacy: In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.


aggregate information: Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. Not to be confused with information aggregation.

information aggregation: Pieces of nonprivate data that, when combined, may create information that violates privacy. Not to be confused with aggregate information.

identity theft: The unauthorized taking of personally identifiable information with the intent of committing fraud and abuse of a person’s financial and personal reputation, purchasing goods and services without authorization, and generally impersonating the victim for illegal or unethical purposes.

personally identifiable information (PII): Information about a person’s history, background, and attributes that can be used to commit identity theft. This information typically includes a person’s name, address, Social Security number, family information, employment history, and financial information.

cybersecurity: The affirmation or guarantee of the confidentiality, integrity, and availability of information in storage, processing, and transmission; often used synonymously with “information security.”

information assurance: See cybersecurity.

[return to top]

What's New in This Module

The following elements are improvements in this module from the previous edition:
• This module was Chapter 3 in the 6th edition.
• The sections on key laws were updated to include recent changes.
• The section on ethics was rewritten for a more compact treatment using a revised organization.
• Information on professional organizations was reorganized and updated to reflect changes in the industry.

[return to top]

Module Outline

Introduction to Law and Ethics in Information Security (6.1, PPT Slides 3–6)

I. Describe to students that as future information security professionals, they must understand the scope of an organization’s legal and ethical responsibilities.


II. Explain that laws and ethics are not the same thing: laws carry authority, and ethics do not.

III. Describe ethics, which are based on cultural mores and express the fixed moral attitudes or customs of a particular group. Some ethics are recognized as universal among cultures.

IV. Explain that to minimize liabilities, reduce risks from electronic and physical threats, and reduce losses from legal action, the information security practitioner must understand the current legal environment, stay current with new laws and regulations, and watch for new issues as they emerge.

Organizational Liability and the Need for Counsel

I. Emphasize that even if there is no breach of criminal law, there can still be liability.

II. Define the term liability. Explain that it is the legal obligation of an entity that extends beyond criminal or contract law; it includes the legal obligation to make restitution or to compensate for wrongs committed by an organization or its employees.

III. Stress that an organization increases its liability when it refuses to take measures known as due care. Note that due care has been taken when an organization makes sure that every employee knows what acceptable or unacceptable behavior is and knows the consequences of illegal or unethical actions.

IV. Identify how due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort.

V. Recognize that, specific to the U.S. legal system, any court can impose its authority over an individual or organization if it can establish jurisdiction, that is, the court’s right to hear a case if the wrong was committed in its territory or involved its citizenry.

VI. Examine the fact that in most cases, when a case is heard in the injured party’s home area, the outcome usually favors that party over the defendants.

Policy Versus Law

I. Explain the difference between a policy and a law, and how the two are similar and how they differ.

II. Outline the five criteria for a policy to be enforceable:
• Dissemination (distribution): The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.


• Review (reading): The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for employees who are illiterate, reading impaired, and unable to read English. Common techniques include recordings of the policy in English and alternate languages.
• Comprehension (understanding): The organization must be able to demonstrate that the employee understands the requirements and content of the policy. Common techniques include quizzes and other assessments.
• Compliance (agreement): The organization must be able to demonstrate that the employee agreed to comply with the policy through act or affirmation. Common techniques include login banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.
• Uniform enforcement: The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

III. Review and discuss with students the common types of law found in the United States:
• Constitutional law: Originates with the U.S. Constitution, a state constitution, or a local constitution, bylaws, or charter.
• Statutory law: Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes.
• Regulatory or administrative law: Originates from an executive branch or authorized regulatory agency and includes executive orders and regulations.
• Common law, case law, and precedent: Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board.

IV. Summarize the three subtypes of statutory law as outlined in the text:
• Civil law: A wide variety of laws pertaining to relationships among individuals and organizations. Civil law includes contract law, employment law, family law, and tort law.
• Tort law: A subset of civil law that allows individuals to seek redress for injury. Those injuries can be personal, physical, or financial.
• Criminal law: Addresses violations harmful to society and is actively enforced and prosecuted by the state.


V. Compare and contrast private and public laws. Private laws regulate the relationships among individuals and between individuals and organizations. Public laws include criminal, administrative, and constitutional laws.

VI. Emphasize that regardless of where a business is located, its leadership and employees must be aware of the laws and regulations that apply to them.

Types of Law

I. Define civil law, which represents a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.

II. Explain how criminal law addresses violations harmful to society and is actively enforced by the state.

III. Distinguish private law. Note that it regulates the relationship between the individual and the organization, and encompasses family law, commercial law, and labor law.

IV. Describe how public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments, providing careful checks and balances. Examples of public law include criminal, administrative, and constitutional law.

Relevant U.S. Laws (6.2, PPT Slides 10–17, 20–23, and 26–30)

I. Conclude that the United States has been a leader in the development and implementation of information security legislation that prevents the misuse and exploitation of information and information technology.

General Computer Crime Laws

I. Recognize that the cornerstone of many computer-related federal laws, as mentioned in the text, is the Computer Fraud and Abuse Act of 1986 (CFA Act or CFAA).

II. Recall that the CFAA was amended in 1996 and rebranded as the National Information Infrastructure Protection Act of 1996. Stress that punishment for prosecuted offenses includes fines, prison sentences of up to 20 years, or both, depending on the severity of the crime committed. Note that penalties often depend on the value of the information obtained and on whether the offense was committed for commercial advantage, for private financial gain, or in furtherance of a criminal act.


III.

Discuss the USA PATRIOT Act of 2001, which modified a wide range of existing laws to provide law enforcement agencies with broader latitude of actions to combat terrorism-related activities.

IV.

Report that further modifications took place and in 2006, the act was amended with the USA PATRIOT Improvement and Reauthorization Act, which made permanent 14 of the 16 expanded powers of the Department of Homeland Security (DHS) and the FBI in investigating terrorist activity. The act also reset the date of expiration written into the law for certain wiretaps under the Foreign Intelligence Surveillance Act of 1978 (FISA) and revised many of the criminal penalties and procedures associated with criminal and terrorist activities.

V.

Explain that the PATRIOT Sunset Extension Act of 2011 provided extension of certain provisions of the USA PATRIOT Act, specifically those related to wiretaps, searching of business records, and the surveillance of suspected terrorists.

VI.

State that in May 2015, the U.S. Senate failed to extend the USA PATRIOT Act, resulting in its expiration on June 1, 2015. However, President Obama signed the USA FREEDOM Act into law in June 2015 as a replacement. Note that this has now since expired but has been indefinitely postponed by Congress at the time of publication in 2020.

VII.

Examine the Computer Security Act of 1987. This law was one of one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.

VIII.

Evaluate the passage of the Federal Information Security Management Act (FISMA), which mandates all federal agencies to establish information security programs to protect information assets. Note that this has since been updated by the Federal Information Security Modernization Act of 2014 (FISMA Reform) which enhances the federal government’s ability to respond to security attacks on agencies and departments.

IX.

State that in the future, additional laws and regulations are likely to be created, and it is the responsibility of the information security team to be aware of those should they significantly impact the organization, information managed, or other aspects that could require changes.

Privacy

I. Define the term privacy and explain why it has become one of the hottest topics in information security since the start of the 21st century. The ability to collect information, combine facts from separate sources, and merge it all with other information has resulted in databases of information that were previously impossible to set up.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

8


Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 6: Legal, Ethical, and Professional Issues in Information Security

II. Interpret the understanding that as the pressure for privacy protection has significantly increased, so has the number of statutes addressing one’s right to privacy.

III. Analyze the privacy of customer information. Note that the Privacy of Customer Information Section of the common carrier regulation specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes. It also stipulates that carriers cannot disclose this information except when necessary to provide their services. The only other exception is when a customer requests the disclosure of information, and then the disclosure is restricted to that customer’s information only.

IV. Define the terms aggregate information and information and explain why the two terms should not be confused with one another.

V. Examine the Federal Privacy Act of 1974. Stress to students that it regulates government agencies and holds them accountable if they release private information about individuals or businesses without permission, but there are agencies, regulated businesses, and select individuals that can claim an exemption from this legislation. They are the following:

• Bureau of the Census
• National Archives and Records Administration
• Congress
• Comptroller General
• Federal courts with regard to specific issues using appropriate court orders
• Credit reporting agencies
• Individuals or organizations that demonstrate information is necessary to protect the health or safety of an individual party

VI. Review the Electronic Communications Privacy Act (ECPA) of 1986. Commonly referred to as the wiretapping act, this is a compilation of statutes that regulates the interception of wire, electronic, and oral communications. These statutes work in conjunction with the Fourth Amendment to the U.S. Constitution, which protects individual citizens from unlawful search and seizure.

VII. Discuss that the purpose of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy–Kassebaum Act, is to protect the confidentiality and security of healthcare data by establishing and enforcing standards and by standardizing electronic data interchange. Summarize the following purposes of the legislation to students as described in the text:


• This law requires organizations that retain healthcare information to use information security mechanisms to protect this information, as well as policies and procedures to maintain this security.
• It also requires organizations to have readily available a comprehensive assessment of the organization's information security systems, policies, and procedures.
• Applicable to the patients that an organization may serve, it provides them the right to know who has access to their information and who has accessed it. The standards also restrict the use of health information to the minimum necessary for the healthcare services required.

VIII. Identify that this was updated in 2013 with a Department of Health and Human Services Regulatory Action intended to strengthen the act’s privacy and security protections.

Review the five fundamental principles that make up HIPAA legislation:

• Consumer control of medical information
• Boundaries on the use of medical information
• Accountability to maintain the privacy of specified types of information
• Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
• Security of health information

IX. Recall the Financial Services Modernization Act, or Gramm–Leach–Bliley Act of 1999. This requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. It also requires due notice to customers so that they can request that their information not be shared with third parties.

X. Guide students to Table 6-1, which lists key U.S. laws of interest that information security professionals should be cognizant of when managing information in an organization.

Identity Theft

I. Classify what is considered identity theft and provide examples of the personally identifiable information (PII) that is often stolen. Note from the text that approximately 10% of persons age 16 or older have been a victim of identity theft at least once in the prior calendar year (12 months).

II. Reference Tables 6-2 and 6-3 for additional insight and a detailed analysis of the types of identity theft and how they have increased between 2014 and 2016.


III. Recognize that in May 2006, President Bush signed an executive order creating the Identity Theft Task Force. The goals of this group are to create a strategic plan to improve the efforts of the government, private organizations, and individuals in combating identity theft. The group seeks better coordination among groups, more effective prosecution of criminals engaged in these activities, and methods to increase restitution made to victims.

IV. Discuss the fact that numerous states have laws in place specific to identity theft. However, at the federal level, the primary legislation as described is the Fraud and Related Activity in Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028). This criminalizes the creation, reproduction, transfer, possession, or use of unauthorized or false identification documents or document-making equipment. Penalties for such offenses range from one to 25 years in prison and fines as determined by the courts.

V. Outline the four steps individuals can take when there is a suspicion or actual case of identity theft:

• Place an initial fraud alert.
• Order your credit reports.
• Create an identity theft report.
• Monitor your progress.

VI. Justify that the most up-to-date version of the CFAA is the Identity Theft Enforcement and Restitution Act, which specifically addressed the malicious use of spyware or keyloggers to steal PII. This act also created a new designation of a level of identity theft that provided much stronger penalties for violators who used 10 or more computers to commit theft. The penalties that may be levied under this act include substantial fines, from which the restitution is paid, and prison terms of up to 10 or 20 years, depending on the severity of the crime.

Export and Espionage Laws

I. Establish an understanding that the federal government enacted legislation attempting to protect American ingenuity, intellectual property, and competitive advantage with the help of Congress by passing the Economic Espionage Act (EEA) in 1996. This law attempts to prevent trade secrets from being illegally shared.

II. Relate the understanding that to further enhance this previous legislation, an additional law was enacted in 1999, the Security and Freedom Through Encryption Act of 1999 (SAFE), which provides guidance on the use of encryption and provides measures of protection from government intervention. The following provisions apply to this piece of legislation:


• Reinforce a person’s right to use or sell encryption algorithms without concern for regulations requiring some form of key registration. Key registration is the storage of a cryptographic key (or its text equivalent) with another party for breaking the encryption of data. This is often called “key escrow.”
• Prohibit the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
• State that the use of encryption is not probable cause to suspect criminal activity.
• Relax export restrictions by amending the Export Administration Act of 1979.
• Provide additional penalties for the use of encryption in the commission of a criminal act.

U.S. Copyright Law

I. Illustrate to students that intellectual property is recognized as a protected asset in the United States. U.S. copyright laws extend this privilege to the published word, which includes electronic formats.

II. Explain how fair use of copyrighted materials includes their use to support news reporting, teaching, scholarship, and many other related activities, provided the use is for educational or library purposes, not for profit, and is not excessive.

III. Emphasize that if proper acknowledgment is provided to the original author of such works, including a proper citation, and the work is not represented as one’s own, it is entirely permissible to include portions of someone else’s work as reference.

Financial Reporting

I. Recall that the Sarbanes–Oxley Act of 2002, which is a critical piece of legislation that affects the executive management of publicly traded corporations and public accounting firms, seeks to improve the reliability and accuracy of financial reporting, as well as increase the accountability of corporate governance, in publicly traded companies.

II. Emphasize that executives working in firms covered by this law will seek assurance on the reliability and quality of information systems from senior information technology managers who, in turn, will likely ask information security managers to verify the confidentiality and integrity of those same information systems.

Freedom of Information Act of 1966

I. Justify that this law provides the right of any person to request access to federal agency records or information not determined to be a matter of national security.


These requests must be provided to them in writing and are enforceable in court should noncompliance occur.

II. Stress that this does not apply to state or local government agencies, private businesses, or individuals, with the exception of states having their own Freedom of Information Act (FOIA).

Payment Card Industry Data Security Standards (PCI DSS)

I. Explain that the Payment Card Industry (PCI) Security Standards Council offers a standard of performance to which participating organizations must comply. Point out that it is not a law, but is a standard designed to enhance the security of customers’ account data.

II. Review the six areas that the PCI DSS addresses with respect to security policies, procedures, and management, as well as technical software and networking specifications.

• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

State and Local Regulations

I. Remind students that in addition to the national and international restrictions placed on organizational use of computer technology, each state or locality may have a number of its own applicable laws and regulations.

II. Apply the examples provided in the text of how the state of Georgia passed legislation in 1991 and 1998 (the latter being updated in 2002 and 2010). Stress to students that information security professionals must be aware of such legislation to ensure that the organization’s security policies and procedures comply with those laws and regulations.

Quick Quiz 1

1. What is a type of law that represents all laws that apply to a citizen (or subject) of a jurisdiction?
a. criminal law
b. private law


c. civil law
d. public law
Answer: c

2. What is a type of law that addresses violations harmful to society and that is enforced by prosecution by the state?
a. criminal law
b. private law
c. public law
d. civil law
Answer: a

3. Which law regulates the role of the healthcare industry in protecting the privacy of individuals?
a. GLB
b. FOIA
c. HIPAA
d. CFAA
Answer: c

4. The generally recognized term for the government protection afforded to intellectual property (written and electronic) is called which of the following?
a. computer security law
b. copyright law
c. aggregate information
d. data security standards
Answer: b

5. True or False: The cornerstone of many current federal computer-related criminal laws is the Computer Fraud and Abuse Act of 1986.
Answer: True

6. True or False: Regardless of what information a company manages, it is shielded from local and state laws and regulations because the federal laws supersede them.
Answer: False

International Laws and Legal Bodies (6.3, PPT Slides 32–35)


I. Determine that it is important for IT professionals and information security practitioners to realize that when their organizations do business on the Internet, they do business globally. This is especially true with the advent of the Internet and globalization of the marketplace.

II. Explain that professionals who conduct business internationally must be sensitive to the laws and ethical values of numerous cultures, societies, and countries.

III. Stress the facts that there are few international laws applicable to privacy and information security, and the ones that exist are limited in their enforceability. This can potentially create challenges and/or issues for an organization that is located in multiple countries.

U.K. Computer Security Laws

I. Compare and contrast laws that are enforceable in the United Kingdom (U.K.) with the ones that have been described in the United States. Ones of importance and described in the text are the following:

• Computer Misuse Act, 1990: Defines three “computer misuse offenses”: unauthorized access to computer material, unauthorized access with intent to commit or facilitate commission of further offenses, and unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computers, etc.
• Privacy and Electronic Communications (EC Directive) Regulations, 2003: Revoked the Data Protection and Privacy Regulations of 1999 and focuses on protection against unwanted or harassing phone, e-mail, and SMS messages.
• Police and Justice Act, 2006: Updated the Computer Misuse Act, modified the penalties, and created new crimes defined as “unauthorized acts with intent to impair operation of computers, etc.,” and the manufacture or provision of materials used in computer misuse offenses.
• Personal Internet Safety, 2007: A report published by the House of Lords Science and Technology Committee provided a public service and criticized the U.K. government’s lack of action in protecting personal Internet safety.

Australian Computer Security Laws

I. Review laws that are currently enforceable in Australia and determine how they are similar to yet different from ones that are in place here in the United States. Discuss with students the following laws mentioned in the text as described here:

• Privacy Act, 1988: Regulates the collection, storage, use, and disclosure of personal information. Applies both to private and public sectors. Contains 11 information privacy principles for handling personal information by most public-sector agencies, and 10 national privacy principles for handling of personal information by nongovernment agencies.
• Telecommunications Act, 1997: Updated as of October 2013; contains regulation related to the collection and storage of privacy data held by telecommunications service providers.
• Corporations Act, 2001: Updated by the Corporations Regulations of 2001 and 2002; focuses on business relationships but, like SOX, contains provisions related to financial reporting and audits.
• Spam Act, 2003: Legislation designed to regulate the amount of unwanted commercial marketing materials, especially via e-mail. Requires businesses to obtain consent of recipients, ensure that businesses accurately identify the recipients, and provide a mechanism by which the recipients may unsubscribe from commercial messages.
• Cybercrime Legislation Amendment Bill, 2011: Designed to align Australian laws with the European Convention on Cybercrime (see next section); the bill specifies information that communications carriers and Internet service providers must retain and surrender when requested by law enforcement.

Council of Europe Convention on Cybercrime

I. Explain that the Council of Europe adopted the Convention on Cybercrime in 2001. It provides for the creation of an international task force to oversee a range of security functions associated with Internet activities for standardized technology laws across international borders. It also attempts to improve the effectiveness of international investigations into breaches of technology law.

II. Relate that the updated set of laws known as the General Data Protection Regulation (GDPR) has specific requirements regarding the transfer of data from the EU. One of these requirements is that transfers can occur only to countries deemed to have adequate data protection laws. The Privacy Shield is designed to implement a program in which participating companies are deemed as having adequate protection, which will facilitate the transfer of information.

World Trade Organization and the Agreement on Trade-Related Aspects of Intellectual Property Rights

I. Explain how the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), created by the World Trade Organization (WTO), introduced intellectual property rules into the multilateral trade system.

II. Outline the five issues that the WTO TRIPS agreement covers, as mentioned in the text:


• How basic principles of the trading system and other international intellectual property agreements should be applied
• How to give adequate protection to intellectual property rights
• How countries should enforce those rights adequately in their own territories
• How to settle disputes on intellectual property between members of the WTO
• Special transitional arrangements during the period when the new system is being introduced

Digital Millennium Copyright Act

I. Explain how the Digital Millennium Copyright Act (DMCA) is the American contribution to an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially through the removal of technological copyright protection measures.

II. Discuss with students how in 1995 the European Union had adopted Directive 95/46/EC, which added protection for individuals with regard to the processing of personal data and the use and movement of such data. Note that the United Kingdom has implemented its own version known as the Database Right to comply with this directive.

III. Classify the provisions of the DMCA:

• Prohibits the circumvention of protections and countermeasures implemented by copyright owners to control access to protected content.
• Prohibits the manufacture of devices to circumvent protections and countermeasures to control access to protected content.
• Bans trafficking in devices manufactured to circumvent protections and countermeasures to control access to protected content.
• Prohibits the altering of information attached or embedded into copyrighted material.
• Excludes Internet service providers from certain forms of contributory copyright infringement.

IV. Recall that in June 2016, the United States and the European Union (EU) signed an agreement that would supersede the Safe Harbor agreement. This new agreement serves as a data privacy umbrella for EU citizens and allows cooperation between American and European law enforcement agencies in criminal investigations. However, due to the ambiguity of this agreement, companies have considered the adoption of Binding Corporate Rules (BCRs) accreditation.


Ethics and Information Security (6.4, PPT Slides 36–41)

I. Justify that many professional groups have explicit rules governing ethical behavior in the workplace. Note that the information technology and security fields do not have a binding code of ethics.

II. Detail that professional associations (such as the Association for Computing Machinery and the Information Systems Security Association) and accreditation agencies (such as ISC2) work to establish the profession’s ethical codes of conduct instead.

III. Recall and encourage students to review the Ten Commandments of Computer Ethics provided in the module.

Ethical Differences Across Cultures

I. Discuss cultural differences that can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers. Note that there are challenges that can arise when one nationality’s ethical behavior is seen as unethical in another national group.

II. Recall that approximately 90 percent of all software is created in the United States, though 37 percent of all software installed was not properly licensed.

III. Review the study published in 1999 examining computer-use ethics. Discuss the following conclusions from the study, applying the information in Table 6-5:

• The study selected several computer-use vignettes and presented them to students in universities in nine nations.
• Responses indicated a degree of ethical sensitivity or knowledge about the performance of the individuals in the short case studies.
• The scenarios were grouped into three categories of ethical computer use: software license infringement, illicit use, and misuse of corporate resources.

Software License Infringement

I. Review the findings from the study and draw conclusions from the following observations from the study results:

• Overall, most of the nations studied had similar attitudes toward software piracy.
• Statistically speaking, only the United States and the Netherlands had attitudes that differed substantially from those of all other countries examined.
• The United States was significantly less tolerant of piracy, while the Netherlands was significantly more permissive.


II. Peer pressure, the lack of legal disincentives, the lack of punitive measures, or any one of a host of other reasons could also explain why these alleged piracy centers were not oblivious to intellectual property laws.

Emphasize strongly that software license infringement is a serious issue for an information security team, as invalid software on a network can result in numerous financial and nonfinancial consequences for an organization.

Illicit Use

I. Demonstrate that there was a common theme between countries where participants condemned viruses, hacking, and other forms of system abuse.

II. Establish the fact, though, that there were different degrees of tolerance among the groups measured.

Misuse of Corporate Resources

I. Outline that overall, attitudes toward the use of company equipment for personal use were lenient among the groups polled.

II. Denote that Singapore and Hong Kong were the only countries that viewed the personal use of company equipment as unethical.

III. Comment that overall, the researchers found that there is a general agreement among nationalities as to what is acceptable or unacceptable computer use.

IV. There is, however, a range of views as to whether some actions are moderately or highly unacceptable.

Ethics and Education

I. Emphasize that employees must be trained and kept aware of many topics related to information security, not the least of which are the expected behaviors of an ethical employee and the cultural differences that can make it difficult to determine what is and is not ethical, especially when it comes to the use of computers.

II. Recall that, critically for information security, many employees may not have the formal technical training to understand that their behavior is unethical or even illegal. Hence, this gap must be closed as promptly as possible with relevant training and knowledge so they can be held accountable for unethical actions they may take, unknowingly or otherwise.

Deterring Unethical and Illegal Behavior

I. Justify strongly that it is the responsibility of information security personnel to do everything in their power to deter illegal, immoral, or unethical behavior and to use policy, education and training, and technology to protect information and systems.

II. Compose and describe the three general causes of illegal behavior:


• Ignorance: Ignorance of the law is no excuse; however, ignorance of policy and procedures is. The first method of deterrence is education, which is accomplished by designing, publishing, and disseminating an organization’s policies and relevant laws, and by obtaining agreement to comply with these policies and laws from all members of the organization. Reminders, training, and awareness programs keep policy information in front of employees to support retention and compliance.
• Accident: People who have authorization and privileges to manage information within the organization are most likely to cause harm or damage by accident. Careful planning and control help prevent accidental modification to systems and data.
• Intent: Criminal or unethical intent goes to the state of mind of the person performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those with intent to cause harm or damage is best accomplished by means of technical controls, and vigorous litigation or prosecution if these controls fail.

III. Relate the three conditions that must be present to deter people from executing illegal or unethical behaviors (apply the graphical reference in Figure 6-4 as part of the conversation):

• Penalties: Potential offenders must fear the penalty. Threats of informal reprimand or verbal warnings do not have the same impact as the threat of imprisonment or forfeiture of pay.
• Apprehension: Potential offenders must have the knowledge that there is a strong chance they will likely be caught.
• Application of penalties: There must be an awareness among potential offenders that penalties will likely be administered should something occur.

Code of Ethics of Professional Organizations (6.4, PPT Slides 42–47)

I. Explain how many professional organizations have established codes of conduct or codes of ethics that members are expected to follow.

II. Stress that codes of ethics often have a positive effect on an individual’s judgment regarding computer use. Comment that the awareness factor is one of many that steers personnel to do the right things, as they know they can be called out or caught.

III. Guide students to review Table 6-6, as it provides the most common professional organizations applicable to information security professionals.

Major IT and InfoSec Professional Organizations


I.

Explain that most IT and information security organizations have their own codes of ethics, and what is contained in them may vary from one another.

Association for Computing Machinery (ACM) I.

Present that fact that the ACM (www.acm.org) is a respected professional society, originally established in 1947 as “the world's first educational and scientific computing society.”

II.

Summarize that the ACM’s code of ethics requires members to perform their duties in a manner befitting an ethical computing professional. The code contains specific references to protecting the confidentiality of information, causing no harm, protecting the privacy of others, and respecting the intellectual property and copyrights of others.

International Information Systems Security Certification Consortium, Inc. (ISC)2

I. Distinguish to students that (ISC)2 is a nonprofit organization that focuses on the development and implementation of information security certifications and credentials. Its code of ethics is primarily designed for information security individuals who have earned a certification from the organization.

II. Describe the four mandatory ethical canons as outlined in the text with respect to this organization:
• Protect society, the commonwealth, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.

SANS

I. Describe the System Administration, Networking, and Security Institute (SANS), a professional organization with a large membership group, with over 153,000 members since its inception in 1989, that is dedicated to the protection of information and systems.

II. Report that SANS offers a set of certifications called the Global Information Assurance Certification, or GIAC.

ISACA

I. Relate that this organization was originally known as the Information Systems Audit and Control Association. ISACA is a professional association that focuses on auditing, control, and security. The membership comprises both technical and managerial professionals.

II. Justify that its main purpose is to provide IT control practices and standards and that it includes many information security components within its areas of concentration, although it does not focus exclusively on information security.

Information Systems Security Association (ISSA)

I. Comment that this organization is a nonprofit society of information security professionals. As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development.

II. Apply the fact that ISSA also promotes a code of ethics whose focus is “promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources.”

EC-Council

I. Explain that this is a security organization founded by Jay Bavisi that offers a variety of security, technical, and managerial certifications, including its renowned Certified Ethical Hacker (CEH) and CCISO certifications.

II. Emphasize that the organization promotes a 19-point code of ethics for its certificate-holding programs, and recommend that students visit https://www.eccouncil.org/code-of-ethics/ for more information.

Key U.S. Federal Agencies (6.5, PPT Slides 48–52)

I. Discuss the key U.S. federal agencies charged with the protection of American information resources and the investigation of threats to, or attacks on, these resources.

Department of Homeland Security

I. Describe the Department of Homeland Security (DHS), created in 2003 through the Homeland Security Act of 2002, which was passed in response to the events of September 11, 2001.

II. Outline the structure of DHS and its five directorates or divisions through which it carries out its mission of protecting the people, as well as the physical and informational assets, of the United States. Note the ones that are applicable to information security in the text:
• The Science and Technology Directorate is responsible for research and development activities in support of homeland defense.

III. Identify that DHS works with academic institutions nationally, focusing on resilience, recruitment, internationalization, growing academic maturity, and academic research.

IV. Emphasize that its efforts ensure the continuing examination of vulnerabilities throughout the nation’s infrastructure. This occurs through the extended role of its Cybersecurity and Infrastructure Security Agency (CISA), which offers a variety of services to government, industry and the private sector, academia, nonprofit/NGO organizations, and the general public through its services portal, as illustrated in its services catalog.

US-CERT

I. Explain that the U.S. Computer Emergency Readiness Team (US-CERT) is a division of DHS’s National Cybersecurity and Communications Integration Center (NCCIC). Note that DHS provides mechanisms to report phishing, malware, software vulnerabilities, and other types of security incidents.

U.S. Secret Service

I. Describe the U.S. Secret Service, which was relocated from the Department of the Treasury to the DHS in 2002. It has been charged with the responsibility of safeguarding the nation’s financial infrastructure and payment systems to preserve the integrity of the economy.

II. Discuss the strategic objectives that address cybersecurity-related activity as mentioned in the text relative to this organization.

Federal Bureau of Investigation (FBI)

I. Recognize that this group is the primary U.S. law enforcement agency; it investigates both traditional crimes and cybercrimes, and it works with the U.S. Attorney’s Office to prosecute suspects under federal law (the U.S. Code).

II. Review the focus and priorities of this agency, noting that computer network intrusions, identity theft, and fraud are the information security crimes with which it is most concerned.

National InfraGard Program

I. Explain that the national InfraGard program began as a cooperative effort between the FBI’s Cleveland field office and local technology professionals, and it was established in January 2001.

II. Summarize the following points made in the text with respect to this program, which is used to share information about attacks, vulnerabilities, and threats:
• This is a collaborative effort between public and private organizations as well as the academic community.
• The national InfraGard program serves its members in four basic ways: maintaining an intrusion alert network using encrypted e-mail; providing and maintaining a secure Web site for communication about suspicious activity or intrusions; sponsoring local chapter activities; and operating a help desk for questions.

National Security Agency (NSA)

I. Identify the purpose of the NSA and what it is responsible for within the federal government. Discuss the following with students with respect to this agency:
• The NSA is responsible for signals intelligence and information system security.

II. Explain that the IAD (Information Assurance Directorate) is responsible for the protection of systems that store, process, and transmit classified information.

III. Emphasize that the NSA has a program to certify curriculum in information security.
• The Information Assurance Courseware Evaluation process examines information security courses in an institution and, if accepted, provides a three-year accreditation.
• Graduates of these programs receive certificates that indicate this accreditation.

Quick Quiz 2

1. Which of the following is an American contribution to an effort to improve copyright protection internationally?
a. Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS)
b. Digital Millennium Copyright Act (DMCA)
c. Privacy and Electronic Communications Regulations of 2003
d. Telecommunications Act of 1997
Answer: b

2. Which of the following respected professional societies was founded in 1947 as "the world’s first educational and scientific computing society"?
a. Council of Europe Convention on Cybercrime
b. SANS
c. Information Systems Security Association
d. Association for Computing Machinery (ACM)
Answer: d

3. What is the name of a nonprofit organization that focuses on the development and implementation of information security certifications?
a. International Information Systems Security Certification Consortium, Inc.
b. Information Systems Audit and Control Association
c. System Administration, Networking, and Security Institute
d. Information Systems Security Association
Answer: a

4. True or False: The Federal Bureau of Investigation (FBI) is the federal agency responsible for signal intelligence and information system security of classified systems.
Answer: False

5. True or False: The National Security Agency (NSA) is responsible for the security of all national critical infrastructure.
Answer: False

[return to top]

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:
1. Compile a list of ethical dilemmas your students might face when they are on the job. Pose them as thought problems or ask students to explain their choices. (6.1, 6.2, PPT Slides 3–7, 10–17, 20–23, and 26–31) Duration 15 minutes.
2. Privacy is a hot-button topic for most students. Discuss how the definition of privacy that is commonly used (freedom from observation) may differ from the definition of privacy from the information security perspective (freedom from unsanctioned intrusion). (6.2, 6.4, PPT Slides 3–7, 10–17, 20–23, 26–52) Duration 15 minutes.
3. Regulation of information and the systems it resides in has increased dramatically over the years. Poll students in the course and ask them whether there is (a) not enough regulation, (b) enough regulation, or (c) more regulation needs to be in place, and why. (6.2, 6.3, 6.5, PPT Slides 3–7, 10–17, 20–23, 26–35, and 48–52) Duration 15 minutes.

[return to top]


Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments

Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Have each student find a newspaper or magazine article from the past month that shows a conviction or the ongoing prosecution of a cybercrime perpetrator.
2. Invite students who are employed in larger organizations to write a short essay that documents the enforceability of their organization’s information security according to the terms expressed in the “Policy Versus Law” section on page 225.

[return to top]

Additional Resources

Cengage Video Resources
• MindTap Video: Intellectual Property and Copyright Law

Internet Resources
• Center for Democracy and Technology
• Electronic Frontier Foundation
• Elcomsoft Verdict: Not Guilty
• FISMA Implementation Project
• Legal in US: Jailbreaking your iPhone, ripping a DVD for educational purposes
• National Security Agency (NSA)
• PCI DSS
• Summary of the HIPAA Security Rule

[return to top]


Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 (Exceeds Expectations):
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 (Meets Expectations):
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 (Needs Improvement):
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 (Inadequate):
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]



Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 7: Security and Personnel

Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 7: Security and Personnel

Table of Contents

Purpose and Perspective of the Module 2
Cengage Supplements 2
Module Objectives 2
Complete List of Module Activities and Assessments 2
Key Terms 3
What's New in This Module 3
Module Outline 4
Discussion Questions 27
Suggested Usage for Lab Activities 28
Additional Activities and Assignments 30
Additional Resources 30
    Cengage Video Resources 30
    Internet Resources 31
Appendix 32
    Grading Rubrics 32


Purpose and Perspective of the Module

In this module, students will review where and how the information security function should be positioned within an organization. This includes the people responsible for it, their roles, and the credentials they can earn to gain more credibility within the industry. Near the end of the module, students will gain an understanding of how employment policies and practices can support the effort. This includes special security controls and considerations that apply to personnel management.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:
7.1 Describe where and how the information security function should be positioned within organizations.
7.2 Explain the issues and concerns related to staffing the information security function.
7.3 List and describe the credentials that information security professionals can earn to gain recognition in the field.
7.4 Discuss how an organization’s employment policies and practices can support the information security effort.
7.5 Identify special security controls and privacy considerations for personnel management.

Complete List of Module Activities and Assessments

For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
7.1 | 6–7 | Knowledge Check Activity 1 | 2 minutes
7.2 | 15–16 | Knowledge Check Activity 2 | 2 minutes
7.3 | 28–29 | Knowledge Check Activity 3 | 2 minutes
7.4 | 45–46 | Knowledge Check Activity 4 | 2 minutes
 | 59 | Self-Assessment | 5 minutes
 | MindTap | Module 07 Review Questions | 30–40 minutes
 | MindTap | Module 07 Case Exercises | 30 minutes
 | MindTap | Module 07 Exercises | 10–30 minutes per question; 1+ hour per module
 | MindTap | Module 07 Security for Life | 1+ hour
 | MindTap | Module 07 Quiz | 10–15 minutes

[return to top]

Key Terms

In order of use:
exit interview: A meeting with an employee who is leaving the organization to remind the employee of contractual obligations, such as nondisclosure agreements, as well as to obtain feedback about the employee’s tenure.
separation of duties: The principle that requires significant tasks to be split up so that more than one employee is required to complete them.
two-person control: The organization of a task or process so that at least two employees must work together to complete it. Also known as dual control.
job rotation: The requirement that every employee be able to perform the work of another employee.
task rotation: The requirement that all critical tasks can be performed by multiple employees.
need to know: The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks.
least privilege: The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed; least privilege implies a need to know.

[return to top]
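The key terms above define personnel controls in prose; the following is an added example (not part of the instructor manual or the textbook) showing how least privilege, need to know, separation of duties, and two-person control look when enforced in code. It models a payment-approval workflow with constructed users, roles, and projects (all hypothetical), and it returns which controls fired so the behaviour can be checked.

```python
"""Added example: enforcing the personnel controls from the Key Terms list.

All roles, users, projects and requests below are constructed sample data,
not the manual's or the textbook's own material.
"""
from dataclasses import dataclass, field

# Least privilege: a role carries only the permissions its tasks require.
# (Constructed sample roles; a real deployment would load these from policy.)
ROLE_PERMISSIONS = {
    "clerk":   {"payment:create"},
    "manager": {"payment:approve"},
    "lead":    {"payment:create", "payment:approve"},
    "auditor": {"payment:read"},
}

# Two-person control: a payment is released only after this many distinct approvers.
REQUIRED_APPROVALS = 2


@dataclass(frozen=True)
class User:
    name: str
    role: str
    projects: frozenset  # need-to-know scope: projects this user is cleared for


@dataclass
class PaymentRequest:
    request_id: str
    project: str
    created_by: str
    approvals: list = field(default_factory=list)  # names of distinct approvers

    @property
    def released(self) -> bool:
        return len(self.approvals) >= REQUIRED_APPROVALS


def has_permission(user: User, action: str) -> bool:
    """Least privilege: only actions granted to the user's role are allowed."""
    return action in ROLE_PERMISSIONS.get(user.role, set())


def has_need_to_know(user: User, project: str) -> bool:
    """Need to know: access is limited to projects the user is assigned to."""
    return project in user.projects


def create_request(user: User, request_id: str, project: str) -> PaymentRequest:
    if not has_permission(user, "payment:create"):
        raise PermissionError(f"{user.name} ({user.role}) may not create payments")
    if not has_need_to_know(user, project):
        raise PermissionError(f"{user.name} has no need to know for {project}")
    return PaymentRequest(request_id, project, created_by=user.name)


def approve(request: PaymentRequest, user: User) -> bool:
    """Record one approval; returns True once the request is fully released."""
    if not has_permission(user, "payment:approve"):
        raise PermissionError(f"{user.name} ({user.role}) may not approve payments")
    if not has_need_to_know(user, request.project):
        raise PermissionError(f"{user.name} has no need to know for {request.project}")
    # Separation of duties: the employee who initiated the task cannot also approve it.
    if user.name == request.created_by:
        raise PermissionError(f"{user.name} cannot approve a request they created")
    # Two-person control: one person cannot supply more than one of the approvals.
    if user.name in request.approvals:
        raise PermissionError(f"{user.name} has already approved {request.request_id}")
    request.approvals.append(user.name)
    return request.released


def demo() -> dict:
    """Run the controls over constructed users; returns which checks fired."""
    alice = User("alice", "clerk", frozenset({"alpha"}))
    bob = User("bob", "manager", frozenset({"alpha"}))
    carol = User("carol", "manager", frozenset({"alpha", "beta"}))
    dan = User("dan", "lead", frozenset({"beta"}))
    outcome = {}

    req = create_request(alice, "PAY-1", "alpha")
    outcome["first_approval_releases"] = approve(req, bob)     # one approver so far
    try:
        approve(req, bob)                                      # two-person control
        outcome["same_person_twice"] = "allowed"
    except PermissionError:
        outcome["same_person_twice"] = "blocked"
    outcome["second_approval_releases"] = approve(req, carol)  # two distinct approvers

    own = create_request(dan, "PAY-2", "beta")
    try:
        approve(own, dan)                                      # separation of duties
        outcome["self_approval"] = "allowed"
    except PermissionError:
        outcome["self_approval"] = "blocked"
    try:
        approve(own, bob)                                      # bob is not cleared for beta
        outcome["no_need_to_know"] = "allowed"
    except PermissionError:
        outcome["no_need_to_know"] = "blocked"
    return outcome


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The checks are ordered from cheapest to most specific: role permission (least privilege), then project clearance (need to know), then the two workflow rules. Note that a user holding both create and approve rights (the "lead" role) is still blocked from approving their own request, which is the point of separation of duties as distinct from least privilege.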

What's New in This Module

The following elements are improvements in this module from the previous edition:
• This module was Chapter 11 in the 6th edition.
• The entire module was refreshed with a general update and given more current examples.

[return to top]

Module Outline

Introduction to Security and Personnel (7.1, PPT Slide 3)

I. Review the key tasks specific to security and personnel that must be done as early as possible to implement information security within an organization.
• First, the organization must decide how to position and name the security function.
• Second, the information security community of interest must plan for the proper staffing for the information security function.
• Third, the IT community of interest must assess the impact of information security on every IT function and adjust job descriptions and documented practices accordingly.
• Finally, the general management community of interest must work with the information security professionals to integrate solid information security concepts into the personnel management practices.

II. Learn that a behavioral feasibility study must be conducted before any program is carried out. This includes getting employee feedback early in the process so it can be considered when the plan is developed.

III. Express to students three common questions raised by the personnel who will be affected when an information security plan is constructed:
• Will management be monitoring my work or my e-mail?
• Will information security staff go through my hard drive looking for evidence to fire me?
• Will the information security changes affect how efficient and effective I am in my job?

Positioning the Security Function (7.2, PPT Slide 4)

I. Emphasize that in large organizations, the information technology (IT) department often houses the information security (IS) department and designates a chief information security officer (CISO) or chief security officer (CSO) to operate it.

II. Advocate to learners that according to the 2019 (ISC)2 Cybersecurity Workforce Study, the fewer the people in an organization, the less likely a CISO or CSO would be handling security duties.

III. Stress that the CISO most commonly reports directly to the company’s top computing executive, the CIO or vice president for IT. Such a structure implies that the goals and objectives of the CISO and CIO are aligned, but this is not always the case.

IV. Review the core functions that a CISO or CSO often completes daily.

V. Justify the fact that a CIO and CISO often tend to contradict each other, which requires an organization to have two separate departments to keep the peace.

VI. Outline the best practices listed in Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, that an organization should implement so that an information security program is positioned for success within any of the following organizational functions:
• IT as a peer of other subfunctions such as networks, applications development, and the help desk.
• Physical security as a peer of physical security or protective services.
• Administrative services as a peer of human resources or purchasing.
• Insurance and risk management.
• The legal department.

VII. Relate that once a structure has been identified, the next challenge an organization often faces is establishing a reporting structure that balances the competing needs of each community of interest it will serve. This balance is between keeping information safe and secure while integrating it into the culture through training, awareness, and support services.

Staffing the Information Security Function (7.2, PPT Slides 8–14 and 19–22)

I. Discuss the criteria on which selecting information security personnel is based, including the principles of supply and demand. This is likely a combination of experience, certifications, and knowledge.

II. Recall that most information security (IS) professionals who want to enter the market will do so by gaining the skills, experience, and credentials they need to qualify as new supply.

III. Understand that if the new supply of professionals is limited, an organization will have to pay more to get the best talent in the door to meet its needs. Alternately, the opposite is true once the supply meets or exceeds the demand: that is when an organization that needs to hire these individuals can become selective, and the pay it offers drops.

IV. Quantify the fact that by 2029, it is estimated that there will be a 31 percent increase in demand for IS professionals, which outpaces the 4 percent average growth for other occupations according to the Bureau of Labor Statistics (BLS).

V. Recommend students review Figure 7-2 to emphasize where demand for personnel is likely the greatest in the field of information security.

VI. Assess that with current projections and the pace of hiring, there will be a continued shortfall of personnel, which could in turn put organizations at risk if they are unable to bring in professionals to maintain and protect their data.

Qualifications and Requirements

I. Justify the fact that because information security is a new field, it is often rife with a lack of understanding about what qualifications applicants need for the roles they fill.

II. Assess the recommendations provided with respect to how an organization can optimize its hiring practices. As mentioned in the text, they are the following:
• The general management community of interest should learn more about the skills and qualifications for information security positions and IT positions that affect information security.
• Upper management should learn more about the budgetary needs of information security and its positions.
• This knowledge will enable management to make sound fiscal decisions for information security and the IT functions that carry out many information security initiatives.
• The IT and general management communities should grant appropriate levels of influence and prestige to information security, especially to the role of CISO.

III. Examine the fundamentals that an IS professional must understand in order to be, at a minimum, considered for an interview or conversation:
• How an organization operates at all levels.
• Awareness that information security is usually a management problem and is seldom an exclusively technical problem.
• How to work with people and collaborate with end users, and the importance of strong communication and writing skills.
• The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution rather than part of the problem.
• Most mainstream IT technologies at a general level, not necessarily as an expert.
• The terminology of IT and information security.
• The threats facing an organization and how they can become attacks.
• How to protect an organization’s information assets from attacks.
• How business solutions, including technology-based solutions, can be applied to solve specific information security problems.

Entry into the Information Security Profession

I. Outline and classify the two common points of entry that information security professionals come from. These are often ex-law enforcement and military personnel and technical professionals.

II. Gain awareness that college graduates and upper-division students are selecting and tailoring degree programs to prepare to work in the field of information security.

III. Assess the common current perception that a security professional must first be a proven professional in another field of IT. However, IT professionals who move into information security tend to focus on the technology, sometimes in place of general information security issues.

Information Security Positions

I. Applying the use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities among organizations.

II. Recommend to students that organizations which are revising the roles and responsibilities of information security staff should consult Wood’s book, Information Security Roles and Responsibilities Made Easy.

III. Present the common job position categories provided in Figure 7-4 and where they are commonly located in an organization’s IS hierarchy.

Chief Information Security Officer (CISO)

I. Comprehend that a CISO is often the top information security officer in an organization.


II. Recognize that CISOs are often business managers first and technologists second and may not hold an executive-level position, depending on the organization.

III. Outline the responsibilities of a CISO:

• Manages the overall information security program for the organization.

• Drafts or approves information security policies.

• Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans.

• Develops information security budgets based on available funding.

• Sets priorities for the purchase and implementation of information security projects and technology.

• Makes decisions or recommendations for the recruiting, hiring, and firing of security staff.

• Acts as the spokesperson for the information security team.

IV. Recall that the most common certification for this type of position is the Certified Information Security Manager (CISM). Additionally, a graduate degree in one of the following areas is also often required: criminal justice, business, or information technology.

Chief Security Officer (CSO)

I. Compare and contrast the differences between a CISO and a CSO. Depending on the organization, the CISO’s position may be combined with physical security responsibilities or may even report to a security manager who is responsible for both logical (information) security and physical security.

II. Stress to students that a CSO must be capable and knowledgeable in both information security requirements and the “guards, gates, and guns” approach to protecting the physical infrastructure, buildings, and grounds of a place of business.

III. Point out that the professional experience a CSO possesses is often that of a security manager with planning, policy, and budget experience.

Security Manager

I. Apply knowledge presented in the text that security managers are accountable for the day-to-day operation of the information security program. They accomplish the objectives that are identified by the CISO and resolve issues that are identified by technicians.


II. Recall that candidates for this position often have a CISSP. Traditionally, managers earn the CISSP, and technical professionals earn the Global Information Assurance Certification (GIAC).

III. Identify the facts that security managers must have the ability to draft middle- and lower-level policies as well as standards and guidelines. They must have experience in traditional business matters, including budgeting, project management, and hiring and firing. They must also be able to manage technicians, both in the assignment of tasks and in the monitoring of activities.

IV. Gain awareness that general job descriptions for this type of position often create confusion with respect to the title of the position and the reporting relationship.

Security Analyst

I. Establish that security analysts are often known as security technicians, security architects, and/or security engineers.

II. Examine the core duties of security analysts. Based on need, they are technically qualified employees who configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with administrators to ensure that security is properly implemented.

III. Review the fact that this position is often entry-level, but some technical skills are required for professionals in this role to be successful. To advance, they need to gain experience in at least one major security technology group or specialize in hardware or software packages the organization uses.

IV. Identify the highly specialized nature of the security analyst role: analysts tend to focus on one major security technology group and further specialize in one software or hardware package within that group.

V. Relate that the technical qualifications and position requirements for a security analyst are varied. Organizations prefer the expert, certified, proficient technician. Regardless of the area, the job description includes some level of experience with a particular hardware and software package. Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.

Quick Quiz 1

I. To assess the effect that information security changes will have on the organization’s personnel management practices, the organization should conduct which of the following studies before the implementation phase? a. security audit b. project feasibility c. behavioral feasibility d. employee feedback Answer: c

II. Which of the following positions is typically the top information security employee in the organization? a. CISO b. CEH c. Security Manager d. CSO Answer: c

III. Which of the information security roles is usually tasked with configuring firewalls, deploying IDSs, implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that security technology is operating to protect the organization? a. Security Analyst b. CISO c. CSO d. Security Manager Answer: d

IV. Which of the following information security roles is accountable for the day-to-day operation of the information security program? a. Security Analyst b. CISO c. CSO d. Security Manager Answer: a

V. True or False: In most organizations, the security analyst position is a senior-level position that requires numerous years of experience and certifications. Answer: False

Credentials for Information Security Professionals (7.3, PPT Slides 23–27 and 30–32)


I. Identify that many organizations seek industry-recognized certifications when reviewing the credentials of applicants.

II. Relate that existing certifications are relatively new and not fully understood by hiring organizations.

III. Discuss how the certifying bodies are working to educate employers and professionals on the value and qualifications of their certificate recipients.

(ISC)2 Certifications

I. Emphasize that the International Information Systems Security Certification Consortium (ISC)2 is considered the foremost organization offering information security certifications today.

CISSP

I. Present that the CISSP certification is considered the ‘gold standard’ and the most prestigious certification for security managers and CISOs.

II. Recognize that professionals must possess at least five years of direct, full-time experience as a security professional working in at least two of the eight domains of information security knowledge, or four years of direct security work experience in two or more domains. The candidate must also have a four-year college degree.

III. Review the eight domains that are included in the 100- to 150-question multiple-choice exam, which has a completion time of six hours (barring accommodations):

• Security and risk management

• Asset security

• Security architecture and engineering

• Communication and network security

• Identity and access management

• Security assessment and testing

• Security operations

• Software development security

IV. Understand that, once certified, the CISSP holder must complete 120 hours of continuing professional education (CPE) every three years, with a minimum of 20 hours per year.

V. Examine the CISSP concentrations and stress to students what (ISC)2 offers: several concentrations are available for CISSPs to demonstrate advanced knowledge beyond the CISSP CBK.


• ISSAP: Information System Security Architecture Professional

• ISSEP: Information System Security Engineering Professional

• ISSMP: Information Systems Security Management Professional

SSCP

I. Contrast that, like the CISSP, the SSCP certification applies more to the security manager than to the security technician, because the SSCP focuses on practices, roles, and responsibilities as defined by experts from major information security industries.

II. Outline the seven domains the SSCP covers in its 125-question exam, which participants have three hours to complete:

• Access controls

• Security operations and administration

• Risk identification, monitoring, and analysis

• Incident response and recovery

• Cryptography

• Network and communications security

• Systems and application security

CSSLP

I. Detail that the Certified Secure Software Lifecycle Professional (CSSLP) is another (ISC)2 certification, focused on the development of secure applications.

II. Encourage students to understand that to earn this certification a professional must have at least four years of recent experience in one or more of the following eight domains:

• Secure software concepts

• Secure software requirements

• Secure software architecture and design

• Secure software implementation

• Secure software testing

• Secure software lifecycle management

• Secure software deployment, operations, and maintenance

• Secure software supply chain


III. Differentiate this exam from the others: the exam submission consists of essays composed in each of the four areas in which the candidate has expertise.

IV. Inform learners that, as an alternative, professionals can qualify for the (ISC)2 Associate certification until the criteria for expertise in the aforementioned areas have been satisfied.

CAP

I. Recognize that this certification is geared toward professionals who work with the NIST Risk Management Framework: the Certified Authorization Professional certification focuses on the deployment of the RMF, mainly in government and the Department of Defense, but also in other public or private sectors.

II. Review the seven domains the CAP covers in its exam:

• Information security risk management program

• Categorization of information systems (IS)

• Selection of security controls

• Implementation of security controls

• Assessment of security controls

• Authorization of information systems (IS)

• Continuous monitoring

III. Recall that candidates need only two years of work experience in one or more domains to take and pass the certification exam.

HCISPP

I. Explain that the HCISPP is aimed at candidates who focus on security management topics and healthcare; this certification requires the candidate to demonstrate knowledge in six specialty domains on its 125-question multiple-choice exam:

• Healthcare industry

• Regulatory environment

• Privacy and security in healthcare

• Information governance and risk management

• Information risk assessment

• Third-party risk management


II. Stress that HCISPP candidates must have two or more years of experience in at least one of these domains and at least one year of experience in the top three domains.

CCSP

I. Stress that the Certified Cloud Security Professional (CCSP) certification exam is sponsored by the Cloud Security Alliance and focuses on professionals who are responsible for specifying, acquiring, securing, and managing cloud-based services for their organization.

II. Review the six domains that the CCSP covers:

• Architectural concepts and design requirements

• Cloud data security

• Cloud platform and infrastructure security

• Cloud application security

• Operations

• Legal and compliance

Associate of (ISC)2

I. Justify the merit of this certification as an innovative approach to the experience requirement that may otherwise prevent candidates from taking the other exams outlined in this section of the module.

II. Recognize that this provides an option for learners: they can complete the exams, subscribe to the (ISC)2 code of ethics, maintain continuing professional education (CPE) credits, and pay the appropriate fees to maintain their status as an associate until they have logged the required years of experience.

ISACA Certifications

I. Explain to learners how the Information Systems Audit and Control Association (ISACA) offers several reputable certifications, including the CISM, CISA, CGEIT, and CDPSE certifications.

CISM

I. Establish that the CISM credential is focused on information security managers and others who may have similar management responsibilities.

II. Outline the four domains covered by this annual exam:

• Information security governance (24 percent)

• Information risk management (30 percent)


• Information security program development and management (27 percent)

• Information security incident management (19 percent)

III. Review the requirements that are provided in the text about what information security managers must have prior to completing the exam.

CISA

I. Discuss the Certified Information Systems Auditor (CISA) credential. Note that it is not specifically an information security certification but does include many information security components.

II. Outline the five domains covered by this annual exam:

• Information systems auditing process (21 percent)

• Governance and management of IT (17 percent)

• Information systems acquisition, development, and implementation (12 percent)

• Information systems operations and business resilience (23 percent)

• Protection of information assets (27 percent)

III. Examine the requirements that are presented in the text and stress to students that, although this is not exclusively an information security certification, it is one that is beneficial to have.

CRISC

I. Express that this certification is targeted at managers and employees with knowledge and experience in risk management.

II. Outline the four domains covered by this annual exam:

• IT risk identification (27 percent)

• IT risk assessment (28 percent)

• Risk response and mitigation (23 percent)

• Risk and control monitoring and reporting (22 percent)

III. Recall that this certification requires the candidate to have a minimum of three years’ experience in risk management and information systems control in at least two of the stated domains, and at least one year of that experience must be in one of the first two domains, although the candidate may elect to take the exam before fulfilling the experience requirement.

CGEIT


I. Contrast the Certified in the Governance of Enterprise IT (CGEIT) certification with the others examined in this section: it is mostly geared toward upper-level executives (CISOs and CIOs), directors, and consultants who have knowledge or experience in IT governance.

II. Outline the four domains covered by this annual exam:

• Governance of enterprise IT (40 percent)

• Benefits realization (26 percent)

• Risk optimization (19 percent)

• IT resources (15 percent)

III. Recall that this certification requires the candidate to have a minimum of one year of experience in IT governance and additional experience in at least two of the domains listed.

CDPSE

I. Explain to students that this is one of the newest certifications offered.

II. Stress that the Certified Data Privacy Solutions Engineer (CDPSE) exam focuses on the protection of customers’ personal information.

III. Outline the four domains covered by this annual exam:

• Privacy governance (34 percent)

• Privacy architecture (36 percent)

• Data life cycle (30 percent)

IV. Relate that, due to the newness of the certification, ISACA offers an opportunity for professionals to receive it provided they can show at least five years’ experience and expertise in two or more of the domain areas, or a minimum of three years’ experience if they possess another certification from the governing body.

SANS Certifications

I. Explain how, in 1999, SANS developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC).

II. Discuss that the GIAC family of certifications covers more than 40 certifications in six focus areas: offensive security, cyber defense, cloud security, industrial control systems, digital forensics and incident response and management, and legal and audit. Note that an individual can attain the various GIAC certifications individually.

III. Relate that some of the exams require applicants to complete a written practical, whereas others are multiple-choice question-based tests.


IV. Review Table 7-1, which provides the list of exams that were available to professionals at the time the text was being developed (2020).

EC-Council Certifications

I. Identify that EC-Council is a new competitor in certifications for security management. It offers a Certified CISO (CCISO) certification, which tests security domain knowledge as well as knowledge of executive business management.

II. Establish the six domains that have certifications available that apply to information security management:

• Security Awareness

• Fundamentals

• Core

• Specialist

• Advanced

• Management

III. Arrange and provide the five domains that make up the Certified CISO (CCISO) certification, which tests the knowledge of executive business management:

• Governance and risk management

• Information security controls, compliance, and auditing management

• Security program management and operations

• Information security core competencies

• Strategic planning, finance, procurement, and vendor management

IV. Gain awareness that before an executive or professional can take the exam, EC-Council requires five years’ experience in at least three of the domains. As an alternative while they gain experience, a ‘light’ version is also available.

CompTIA Certifications

I. Explain how the CompTIA Security+ certification assesses entry-level security knowledge. Candidates must have two years of on-the-job networking experience. The exam covers industry-wide topics.

II. Compare and contrast the following certifications that are provided in the text: Security+, CySA+, PenTest+, and CASP+.

Security+


I. Describe the purpose of the CompTIA Security+ certification test: it is geared toward a professional’s entry-level security knowledge and presumes a minimum of two years of on-the-job networking experience.

CySA+

I. Compare and contrast this CompTIA certification with Security+: it is more advanced and geared toward the intermediate certification level.

II. Recognize that this assessment is both knowledge-based and performance-based.

III. Stress that professionals wanting to achieve this certification must already have, at a minimum, the Security+ or Network+ certification and four years of related experience.

PenTest+

I. Emphasize that this is one of the newer certifications CompTIA offers. This exam is known as the Penetration Tester Plus certification, which includes both the managerial and technical skills needed to investigate and examine systems for potential vulnerabilities and susceptibility to successful attacks.

II. Recognize that this assessment is both knowledge-based and performance-based.

III. Detail the requirements that a professional must possess for this exam: a minimum of the Security+ certification and three to four years of experience.

CASP+

I. State that this exam is an advanced-level certification that builds upon the knowledge of both the Security+ and CySA+ certifications and assesses an advanced understanding of risk, security controls, cryptography, cloud security, virtualization, and the enterprise security domain.

II. Recall that this certification requires at least 10 years of experience and is a performance-based and knowledge-based exam.

Cloud Security Certifications

I. Guide learners in understanding that companies such as Amazon offer specialized professional certificates that can be held in addition to the certifications listed in the module.

II. State plainly that most of these external organizations can only provide certificates, not certifications.

Certification Costs

I. Define the reality that certifications cost money, and the better certifications can be quite expensive to attain. Depending on the certification, a single exam can cost more than $750.00, and certifications that require multiple exams run into the thousands of dollars.

II. Explain that while certification preparation courses should not serve as the candidate’s only means of preparing for the certification exam, they can help candidates round out their knowledge and fill in gaps.

III. Emphasize that most examinations require between two and three years of work experience, and they are often structured to reward candidates who have significant hands-on experience.

Advice for Information Security Professionals

I. Establish an understanding that, as future information security professionals, learners can benefit from keeping the following suggestions in mind as they enter the information security job market:

• Always remember business before technology.

• When evaluating a problem, look at the source of the problem first, determine what factors affect the problem, and see where organizational policy can lead you in designing a solution that is independent of technology.

• Your job is to protect the organization’s information.

• Be heard and not seen.

• Know more than you say and be more skillful than you let on.

• Speak to users, not at them.

• Your education is never complete.

Employment Policies and Procedures (7.4, PPT Slides 33–44)

I. Focus on the critical fact that, regardless of the position, an organization should always make information security a documented part of an employee’s job description.

II. Explain that, from an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls.

III. Detail the prerequisite that the CISO and information security manager should establish a dialogue with the human resources (HR) department to provide information security input to the guidelines used for hiring personnel.

Job Descriptions

I. Discuss how to incorporate information security perspectives into the hiring process, beginning with reviewing and updating all job descriptions.


II. Explain the importance of preventing people from applying for positions based solely on access to sensitive information: the organization should avoid revealing access privileges to prospective employees when it advertises open positions.

Interviews

I. Demonstrate how an opening within the information security department presents a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.

II. Recommend to students that departments outside of information security, like HR, should limit the information provided to the candidate about the responsibilities and access rights the new hire would have.

III. Present the fact that on-site visits are often part of the interview process and that caution must be exercised when showing a candidate around a facility.

Background Checks

I. Examine the purpose of a background check and why it is important to investigate the candidate’s past: criminal behavior could indicate the potential for future misconduct.

II. Review the restrictions and regulations that govern what the organization can investigate and how much of the information uncovered can be allowed to influence the hiring decision. The security and HR managers should discuss these matters with legal counsel.

III. Differentiate the level of detail and depth a background check can provide. Additionally, review the various types of background checks a candidate may receive:

• Identity checks

• Education and credential checks

• Previous employment verification

• Reference checks

• Worker’s compensation history

• Motor vehicle records

• Drug history

• Credit history

• Civil court history

• Criminal court history


IV. Outline the federal regulations that are in place with respect to obtaining personal information for employment decisions and practices:

• The Fair Credit Reporting Act (FCRA) governs consumer credit reporting agencies and the uses of the information procured from these agencies.

• These reports contain information on a job candidate’s credit history, employment history, and other personal data.

• The FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process.

• The FCRA also restricts the periods of time these reports can address.

Employee Contracts

I. Explain how, once a candidate has accepted the job offer, the employment contract becomes an important security instrument and must be protected in much the same way as other data sets in an organization.

II. Classify the policies discussed in the text that require an employee to agree in writing to monitoring and nondisclosure agreements.

III. Relate that if an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation, and as a result an offer may need to be rescinded to protect the company. A policy of “employment contingent upon agreement” can be instituted to address this. Note that this classification means the employee is not actually employed until he or she agrees in writing to conform to the binding organizational policies.

New Hire Orientation

I. Emphasize that as new people enter an organization, one of the first pieces of training they should receive is an extensive information security briefing. Note that this briefing should cover all the major policies, procedures, and requirements related to information security within the new position.

II. Compare and contrast the levels of authorized access that should be outlined, and note that training should be provided for the secure use of the information systems in an organization.

III. Establish the understanding that, by the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely.

On-the-Job Security Training


I.

Summarize that an organization should integrate the security awareness education into a new hire’s job orientation and make it a part of every employee’s on-the-job security training.

II.

Discuss how keeping security at the forefront of employees’ minds minimizes employee mistakes and is an important part of the information security mission.

III.

Recommend the use of formal and informal seminars that should be used to increase the security awareness level of all employees, especially security employees.

Evaluating Performance I.

Explain how to heighten information security awareness and change workplace behavior; organizations should incorporate information security components into employee performance evaluations.

II.

Justify the rationale that if employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.

Termination
I. Review the importance of information security when an employee leaves the organization. Several security-related issues may arise; key among these is the continuity of protection of all information to which the employee had access.
II. Outline the tasks that an organization must complete when an employee with information security access leaves the organization:
• Access to the organization’s systems must be disabled.
• Removable media must be returned.
• Hard drives must be secured.
• File cabinet locks must be changed.
• Office door locks must be changed.
• Keycard access must be revoked.
• Personal effects must be removed from the organization’s premises.
III. Stress that once an employee has turned in their keys, keycards, and other property belonging to the organization, they must be escorted off the premises.
IV. Establish an understanding that most organizations use exit interviews to remind the departing employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization.


V. Review the scenarios that may occur when an employee leaves the organization: either a hostile departure or a friendly departure.
VI. Discuss that regardless of the reason an employee leaves, the offices and information used by the employee must be inventoried, their files must be stored or destroyed, and all property must be returned to organizational stores.
VII. Discuss how in either situation, employees might foresee their departures well in advance and might begin collecting organizational information or anything that could be valuable in their future employment. If this occurs, appropriate policies should be followed to regain the information or pursue legal action.

Hostile Departures
I. State the common causes of a hostile departure: termination for cause, permanent downsizing, temporary layoffs, and quitting.
II. Stress that even when employees do not seem hostile, they may still lash out against the organization, so caution must be exercised.
III. Outline the recommended steps the information security team should apply to protect assets and to cause the departing employee and the organization the least inconvenience:
• Before the employee knows he or she is leaving, security terminates all logical and keycard access. As soon as the employee reports for work, he or she is escorted into the supervisor’s office for the news.
• Upon receiving notice, the employee is escorted to his or her area and allowed to collect personal effects. No organizational property is taken from the premises.
• The employee is asked to surrender all keys, keycards, and other company property. The employee is then escorted out of the building.

Friendly Departures
I. Detail that friendly departures include resignation, retirement, promotion, or relocation. In this case, the employee may have tendered notice well in advance of the actual departure date.
II. Emphasize that this type of departure is more challenging because it is more difficult for security to maintain positive control over the employee’s access and information usage.
III. Outline the recommended steps the information security team should apply to protect assets and to cause the departing employee and the organization the least inconvenience:
• Employee accounts are usually allowed to continue with a new expiration date.
• Employees come and go at will, collect their own belongings, and leave on their own.
• They are asked to drop off all organizational property “on their way out the door.”

Personnel Control Strategies (7.4, 7.5, PPT Slides 47–54)
I. Describe separation of duties and why it reduces organizational risk by limiting the chance that a single employee can violate information security and compromise the confidentiality, integrity, or availability of information.
II. Compare and contrast separation of duties with two-person control: how they are similar, and how their approaches differ.
III. Evaluate the use of job/task rotation and the application of mandatory vacations as additional measures to protect an organization’s information security systems and data.
IV. Recognize the concept of garden leave and why it is important to have a time break in place between someone’s departure from the company and their joining a new organization that is potentially in a similar industry or field.
V. Establish the principles of need-to-know and least privilege and why they are important to have in place in an organization. Under these principles, employees only have access to the information that they need relative to their position. Stress to students that the purpose of information security is to allow people who need to use system information to do so without being concerned about its confidentiality, integrity, and availability.

Privacy and the Security of Personnel Data
I. Emphasize that, as students learned in the sixth module, the law requires organizations to protect employee information that is sensitive or personal. This information includes employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members.
II. Stress that information security groups should ensure that this data receives at least the same level of protection as other important data in the organization, including intellectual property, strategic planning data, and other business-critical information.

Security Considerations for Temporary Employees, Consultants, and Other Workers
I. Summarize that individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
II. Explain how relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.

Temporary Employees
I. Distinguish temporary employees, who are hired by the organization to serve in a temporary position or to supplement the existing workforce, from permanent employees.
II. Review that these employees may be paid employees of a “temp agency” or a similar organization that hires them directly. Additionally, they are often not subject to the contractual obligations or general policies of other employees.
III. Stress that if these individuals breach a policy or cause a problem, the strongest action the host organization can take is to terminate its relationship with the individuals and request that they be censured.
IV. Explain that from a security standpoint, access to information for these individuals should be limited to what is necessary for them to perform their duties.
V. Critique the practice: the organization can attempt to have temporary employees sign nondisclosure agreements and fair use policies, but a temp agency may refuse, forcing the organization to either dismiss the temp worker or allow him or her to work without the agreement.
VI. Emphasize that the temp worker’s supervisor should restrict the information to which the temp has access, and that all employees should follow good security practices, especially those relating to clean desk policies and the security of classified data.

Contract Employees
I. Compare and contrast temporary employees and contract employees with respect to information security policies, noting their differences and similarities.
II. Explain that contracts for consultants should specify all requirements for information or facility access before the consultants are allowed into the workplace. Security and technology consultants especially must be prescreened, escorted through work areas, and subjected to nondisclosure agreements to protect the organization from possible breaches of confidentiality.
III. Recognize that consultants typically request permission to present work samples to other companies as part of their résumés, but a client organization is not obligated to grant this permission and can even explicitly deny permission in writing.
IV. Stress that organizations should remember that protecting their information does not become the consultant’s top priority, even though the consultant is paid.

Consultants
I. Explain that consultants are on-site contracted workers who are often self-employed or are part of an organization for a specific one-time purpose.
II. Emphasize that all requirements for information or facility access should be specified before the consultants are allowed into the workplace.
III. Stress that security and technology consultants must be prescreened and escorted through secure areas, as well as subject to nondisclosure agreements, to protect the organization.
IV. Justify that these professionals may request work samples for their résumés, but the organization has the right to accept or deny that request.

Business Partners
I. Identify that on occasion businesses find themselves in strategic alliances with other organizations that want to exchange information, integrate systems, or simply discuss operations for mutual advantage. There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
II. Emphasize that nondisclosure agreements must be in place, and the level of security of both systems must be examined before any physical integration takes place, because when systems are connected, the vulnerability of one system becomes the vulnerability of all.

Quick Quiz 2
1. Which of the following is a certification offered by the International Information Systems Security Certification Consortium (ISC)2?
a. Security+
b. GIAC
c. CISSP
d. CGEIT
Answer: c
2. Which of the following certifications requires the applicant to complete a written practical assignment to complete the certification process?
a. Security+
b. GIAC
c. CISSP
d. CGEIT
Answer: b
3. Which of the following ISACA certifications, while not specifically a security certification, contains many information security systems’ auditing components and is only offered a few times per year?
a. CISA
b. CISM
c. CGEIT
d. CRISC
Answer: a
4. Once a candidate has accepted the job offer, the employment ________ becomes an important security instrument.
a. non-disclosure agreement
b. contract
c. security acknowledgement
d. offer
Answer: b
5. True or False: The least privilege principle ensures no unnecessary access to data exists by regulating members, so they can perform only the minimum data manipulation needed.
Answer: True
[return to top]

Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What actions can each person take to minimize the risk of identity theft? Take a few minutes to discuss and generate a list of concrete actions each student can take to control this risk. (7.1, 7.2, 7.4, 7.5, PPT Slides 3–5, 8–14, 3–44, and 47–54) Duration: 15 minutes.
2. The placement of the security function is a broad topic. Ask students who are familiar with an actual information security organization to describe the placement of security in that organization. (7.4, 7.5, PPT Slides 36–44 and 47–54) Duration: 15 minutes.
3. Discuss the different certifications presented in the module. How impactful are the certifications relative to the job duties an information security professional must perform? Do the costs outweigh the benefits? (7.3, PPT Slides 23–27 and 30–32) Duration: 15 minutes.
4. Compare and contrast the different categories of non-permanent employees explained in the module. Why should they, or should they not, be held to the same information security standards that information security professionals abide by within their organization? Explain. (7.1, 7.2, 7.5, PPT Slides 3–5, 8–14, and 47–54) Duration: 15 minutes.
[return to top]

Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Divide the class into teams of three and have each team conduct a mock exit interview. During the interview, one student should play the role of the departing employee, one should play the role of the interviewer, and the other should take notes to see if all critical issues are covered.
2. Have students draw an organization chart for an imaginary organization’s information security department. You can have them include job descriptions for some or all the positions.
[return to top]

Additional Resources
Cengage Video Resources
• MindTap Video: Personnel Security
Internet Resources
• (ISC)2
• ISACA
• Information Shield—Resources from Charles Cresson Wood
• The Chief Information Security Officer (CISO) Role Explained
• Data Breach Today

[return to top]


Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.
Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.
3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.
2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.
1 – Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.
0 – Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]



Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs

Instructor Manual Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs

Table of Contents
Purpose and Perspective of the Module ... 2
Cengage Supplements ... 2
Module Objectives ... 2
Complete List of Module Activities and Assessments ... 2
Key Terms ... 3
What's New in This Module ... 8
Module Outline ... 8
Discussion Questions ... 32
Suggested Usage for Lab Activities ... 33
Additional Activities and Assignments ... 34
Additional Resources ... 35
    Internet Resources ... 35
Appendix ... 36
    Grading Rubrics ... 36


Purpose and Perspective of the Module
Protecting information is one of the most important tasks an organization must monitor around the clock, regardless of where personnel are located. In this module, students will gain knowledge of the purpose of information security and the need for it in organizations. Next, they will increase their understanding of why a successful information security program is the shared responsibility of the entire organization and not just of departments that focus on technology. In the second half of the module, emphasis is placed on the threats that trigger information security solutions and the common attacks associated with them. The final part of the module lists common information security issues that result from poor software development efforts.

Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives
The following objectives are addressed in this module:
8.1 Discuss the role of access control in information systems and identify and discuss the four fundamental functions of access control systems.
8.2 Define authentication and explain the three commonly used authentication factors.
8.3 Describe firewall technologies and the various categories of firewalls.
8.4 Explain the various approaches to firewall implementation.
8.5 Identify the various approaches to control remote and dial-up access by authenticating and authorizing users.
8.6 Describe virtual private networks (VPNs) and discuss the technology that enables them.

Complete List of Module Activities and Assessments For additional guidance refer to the MindTap Educator Guide.


Module Objective | PPT slide | Activity/Assessment | Duration
8.1 and 8.2 | 16–17 | Knowledge Check Activity 1 | 2 minutes
8.3 and 8.4 | 34–35 | Knowledge Check Activity 2 | 2 minutes
8.5 and 8.6 | 81–82 | Knowledge Check Activity 3 | 2 minutes
8.1–8.6 | 88 | Self-Assessment | 5 minutes
| MindTap | Module 08 Review Questions | 30–40 minutes
| MindTap | Module 08 Case Exercises | 30 minutes
| MindTap | Module 08 Exercises | 10–30 minutes per question; 1+ hour per module
| MindTap | Module 08 Security for Life | 1+ hour
| MindTap | Module 08 Quiz | 10–15 minutes

[return to top]

Key Terms
In order of use:
access control: The selective method by which systems specify who may use a particular resource and how they may use it.
discretionary access controls (DACs): Access controls that are implemented at the judgment or option of the data user.
nondiscretionary access controls (NDACs): Access controls that are implemented by a central authority.
lattice-based access controls (LDACs): A variation on mandatory access controls that assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.
role-based access control (RBAC): A nondiscretionary control where privileges are tied to the role or job a user performs in an organization and are inherited when a user is assigned to that role.
task-based access control (TBAC): A nondiscretionary control where privileges are tied to a task or temporary assignment a user performs in an organization and are inherited when a user is assigned to that task.
mandatory access control (MAC): A required, structured data classification scheme that assigns a sensitivity or classification rating to each collection of information as well as each user.
attribute-based access control (ABAC): An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.


attribute: A characteristic of a subject (user or system) that can be used to restrict access to an object; also known as a subject attribute.
subject attribute: See attribute.
identification: The access control mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label or username by which they are known to the system.
authentication: The access control mechanism that requires the validation and verification of an entity’s unsubstantiated identity.
authentication factors: Mechanisms that provide authentication based on something an unauthenticated entity knows, has, and is.
password: A secret word or combination of characters that only the user should know; it is used to authenticate the user.
passphrase: A plain-language phrase, typically longer than a password, from which a virtual password is derived.
virtual password: A stream of characters generated by taking elements from an easily remembered phrase.
dumb card: An authentication card that contains digital user data, such as a personal identification number, against which user input is compared.
smart card: An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a personal identification number.
synchronous token: An authentication component in the form of a card or fob that contains a computer chip and a display that shows a computer-generated number used to support remote login authentication; the token must be calibrated with the corresponding software on a central authentication server.
asynchronous token: An authentication component in the form of a card or fob that contains a computer chip and a display that shows a computer-generated number used to support remote login authentication; the token does not require calibration of the central authentication server but uses a challenge/response system instead.
strong authentication: In access control, the use of at least two different authentication mechanisms drawn from two or more different factors of authentication; this is sometimes called multifactor or dual-factor authentication.
authorization: The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.


accountability: The access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity; also known as auditability.
auditability: See accountability.
biometric access control: The use of physiological characteristics to provide authentication for a provided identification; also referred to as biometrics.
minutiae: In biometric access controls, unique points of reference that are digitized and stored in an encrypted format when the user’s system access credentials are created and are then used in subsequent requests for access to authenticate the user’s identity.
false reject rate: The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device; also known as a Type I error or a false negative.
false accept rate: The rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device; also known as a Type II error or a false positive.
crossover error rate (CER): The point at which the rate of false rejections equals the rate of false acceptances; also called the equal error rate.
trusted computing base (TCB): Under the Trusted Computer System Evaluation Criteria (TCSEC), the combination of all hardware, firmware, and software responsible for enforcing the security policy.
reference monitor: Within the trusted computing base, a conceptual piece of the system that manages access controls.
covert channels: Unauthorized or unintended methods of communications hidden inside a computer system.
storage channels: TCSEC-defined covert channels that communicate by modifying a stored object, as in steganography.
timing channels: TCSEC-defined covert channels that communicate by managing the relative timing of events.
zero trust architecture (ZTA): An approach to access control in IT networks that does not rely on trusting devices or network connections; rather, it relies on mutual authentication to verify the identity and integrity of devices, regardless of their location.
firewall: In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

5



untrusted network: The system of networks outside the organization over which the organization has no control, such as the Internet.
trusted network: The system of networks inside the organization that contains its information assets and is under the organization’s control.
packet-filtering firewall: A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
static packet filtering: A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
dynamic packet filtering: A firewall type that can react to network traffic and create or modify its configuration rules to adapt.
stateful packet inspection (SPI): A firewall type that keeps track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications; also known as a stateful inspection firewall.
address restrictions: Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
state table: A tabular record of the state and context of each packet in a conversation between an internal and external user or system; used to expedite traffic filtering.
application layer proxy firewall: A device capable of functioning both as a firewall and an application layer proxy server.
application firewall: See application layer proxy firewall.
proxy server: A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers; some are also cache servers.
reverse proxy: A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
demilitarized zone (DMZ): An intermediate area designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network.
media access control layer firewall: A firewall designed to operate at the media access control sublayer of the network’s data link layer (Layer 2).
Unified Threat Management (UTM): Networking devices categorized by their ability to perform the work of multiple devices, such as stateful packet inspection firewalls, network intrusion detection and prevention systems (IDPSs), content filters, spam filters, and malware scanners and filters.




Next Generation Firewall (NextGen or NGFW): A security appliance that delivers Unified Threat Management capabilities in a single integrated device.
single bastion host: See bastion host.
bastion host: A device placed between an external, untrusted network and an internal, trusted network; also known as a sacrificial host, as it serves as the sole target for attack and should therefore be thoroughly secured.
sacrificial host: See bastion host.
Network Address Translation (NAT): A networking scheme in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.
Port Address Translation (PAT): A networking scheme in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.
screened host architecture: A firewall architectural model that combines the packet-filtering router with a second, dedicated device such as a proxy server or proxy firewall.
screened subnet architecture: A firewall architectural model that consists of one or more internal bastion hosts located behind a packet-filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.
extranet: A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
configuration rules: The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
content filter: A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network.
reverse firewall: See content filter.
data loss prevention: A strategy to ensure that the users of a network do not send high-value information or other critical information outside the network without authorization.
war dialer: An automatic phone-dialing program that dials every number in a configured range and checks whether a person, voicemail, or modem picks up.
Remote Authentication Dial-In User Service (RADIUS): A computer connection system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server.




Kerberos: An authentication system that uses symmetric key encryption to validate an individual user’s access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises.
virtual private network (VPN): A private, secure network operated over a public and insecure network; it uses encryption to protect the data between endpoints.
trusted VPN: Also known as a legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
secure VPN: A VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks.
hybrid VPN: A combination of trusted and secure VPN implementations.
deperimeterization: The recognition that there is no clear information security boundary between an organization and the outside world, meaning that the organization must be prepared to protect its information both inside and outside its digital walls.

What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 6 in the 6th edition.
• Content providing context and examples of security concerns in cloud computing was added.
• The entire module was refreshed with a general update and given more current examples.

Module Outline
Introduction to Access Controls (8.1, 8.2, PPT Slides 3–15)
I. Describe how technical controls are essential in enforcing policy for many IT functions that do not involve direct human control.
II. Explain the concept of technical control solutions, which, when properly implemented, can improve an organization’s ability to balance the often conflicting objectives of making information more readily and widely available against increasing the information’s levels of confidentiality and integrity.
III. Illustrate that access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization.




IV. Remind students that there are two general types of access control systems: discretionary and nondiscretionary.
• Discretionary access controls are ones that are at the judgment or option of the user. The most common example is Microsoft Windows.
• Nondiscretionary access controls are ones that are implemented by a central authority (e.g., IT department). These can be based on role-based access controls (RBAC) or task-based access controls (TBAC) or a combination of both.
V. Discuss lattice-based access controls (LBACs). Explain that LBACs specify the level of access each subject has to each object, as implemented in access control lists (ACLs) and capability tables.
VI. Describe how mandatory access control (MAC) schemes use data classification schemes for granting access to data. Also, mention that MACs are a form of lattice-based, nondiscretionary access controls.
VII. Introduce students to attribute-based access controls (ABACs), which represent a newer approach to lattice-based access controls promoted by NIST. Differentiate between the concepts of attributes and subject attributes.

Access Control Mechanisms
I. Outline the four fundamental functions of access control systems:
• Identification
• Authentication
• Authorization
• Accountability

Identification
I. Define identification as a mechanism whereby unverified entities—called supplicants—who seek access to a resource propose a label by which they are known to the system.
II. Emphasize the fact that the identifier label applied to the supplicant must be mapped to one and only one entity within the security domain.

Authentication
I. Review the definition of authentication. Explain to learners that this is the process of validating an unauthenticated entity’s purported identity.
II. Assemble and outline the three commonly used authentication factors:
• Something you know
• Something you have
• Something you are or you can produce
III. Detail the something you know authentication factor.
• Explain that a password is a private word or combination of characters that only the user should know.
• Stress that one of the biggest debates in the information security industry concerns the complexity of passwords (apply the 10-4 password recommendation that was mentioned in a previous module).
• Recall that a password should be difficult to guess but must be something the user can easily remember.
• State that a passphrase is a series of characters, typically longer than a password, from which a virtual password is derived.
• Give examples of acceptable and non-acceptable passwords for professional and personal use.
IV. Discuss the something you have authentication factor.
• This addresses something the supplicant carries in his or her possession—that is, something they have.
• These include dumb cards, such as ID cards or ATM cards with magnetic stripes, that contain the digital (and often encrypted) user personal identification number (PIN), against which the number a user inputs is compared.
• An improved version of the dumb card is the smart card, which contains a computer chip that can verify and validate several pieces of information instead of just a PIN.
• Another device often used is the token, a card or key fob with a computer chip and a liquid crystal display that shows a computer-generated number used to support remote login authentication.
• Explain that tokens are synchronous or asynchronous and describe the differences between them.
o Once synchronous tokens are synchronized with a server, both devices (server and token) use the same time or a time-based database to generate a number that is displayed and entered during the user login phase.
o Asynchronous tokens use a challenge-response system, in which the server challenges the supplicant during login with a numerical sequence.
V. Describe the something you are or can produce authentication factor.
• The process of using body measurements is known as biometrics and includes:
o Reliance on individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina/iris scans
o Additionally, something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements
• Strong authentication requires at least two authentication mechanisms drawn from two different factors of authentication.
• Emphasize that authorization credentials (also known as authorization tickets) can be programmed to be honored by all systems (known as single sign-on, or SSO) and can use a shared directory structure, such as one based on the Lightweight Directory Access Protocol (LDAP).

Authorization
I. Recognize the concept of authorization as the matching of an authenticated entity to a list of information assets and corresponding access levels, which can happen in one of three ways.
• Authorization for each authenticated user
o This is where the system performs an authentication process to verify each entity and then grants access to resources for only that entity. This quickly becomes a complex and resource-intensive process in a computer system.
• Authorization for members of a group
o Comparatively speaking, the system matches authenticated entities to a list of group memberships and then grants access to resources based on the group’s access rights. This is the most common authorization method.
• Authorization across multiple systems
o Detail that a central authentication and authorization system verifies entity identity and grants it a set of credentials.

Accountability
I. Explain that accountability or auditability is a system that directly attributes the actions on a system with an authenticated entity.

Biometrics
I. Detail the fact that biometric access control depends on recognition—the same thing one relies on to recognize friends, family, and others they know.
II. Illustrate different biometric authentication technologies, as summarized in the text:
• Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint
• Palm print comparison of the supplicant’s actual palm print to a stored palm print
• Hand geometry comparison of the supplicant’s actual hand to a stored measurement
• Facial recognition using a photographic ID card, in which a human security guard compares the supplicant’s face to a photo
• Facial recognition using a digital camera, in which a supplicant’s face is compared to a stored image
• Retinal print comparison of the supplicant’s actual retina to a stored image
• Iris pattern comparison of the supplicant’s actual iris to a stored image
III. Stress and explain, though, that only four human characteristics are unique from one person to another:
• Fingerprints
• Retina of the eye (blood vessel pattern)
• Iris of the eye (random pattern of features in the iris: freckles, pits, striations, vasculature, coronas, and crypts)
• DNA
IV. Guide students to review Figure 8-5, which shows unique characteristics between people.
V. Discuss the fact that signature and voice recognition technologies are also considered to be biometric access control measures.
• Retail stores use signature recognition, or at least signature capture, for authentication during a purchase. Currently, the technology for signature capturing is much more widely accepted than that for signature comparison because signatures change due to a number of factors, including age, fatigue, and the speed with which the signature is written.
• In voice recognition, an initial voiceprint of the user reciting a phrase is captured and stored. Later, when the user attempts to access the system, the authentication process will require the user to speak this same phrase so that the technology can compare the current voiceprint against the stored value.




VI. Engage in a conversation with students, getting their feedback as to whether signature and voice recognition technologies are good ones to use in a corporate environment, and why or why not.

Effectiveness of Biometrics
I. Evaluate the three basic criteria biometrics are judged against: false reject rate, false accept rate, and crossover error rate (CER).
II. Emphasize that the goal is to find a balance between providing the requisite level of security and minimizing authentic users’ frustrations.
III. Note that a CER of 1 percent is superior to, and more secure than, one with a 5 percent or 10 percent rate.
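The three criteria above are easier to reason about with numbers in hand. The following Python script is an added example, not code from the textbook: it takes match scores from genuine and impostor attempts, computes the false reject rate and false accept rate at every acceptance threshold, and locates the crossover point. The score lists are constructed sample data, and the function names are the author's choices.

```python
"""Added example: false reject rate (FRR), false accept rate (FAR) and the
crossover error rate (CER) of a biometric matcher, computed from match scores.
The score lists below are constructed sample data, not measurements from any
real device."""
from typing import Iterable, List, Tuple

# Constructed match scores on a 0-100 scale (higher = stronger match).
# Genuine attempts come from enrolled users; impostor attempts from non-users.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 76, 74, 70, 68, 55]
IMPOSTOR_SCORES: List[int] = [15, 22, 30, 38, 40, 45, 52, 58, 63, 72]


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: share of genuine attempts the device rejects because
    their score falls below the acceptance threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """Type II error: share of impostor attempts the device accepts because
    their score reaches the acceptance threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold. Raising the
    threshold lowers FAR and raises FRR; that is the trade-off being tuned."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: Iterable[int]) -> Tuple[int, float]:
    """Return (threshold, CER): the threshold at which FRR and FAR are closest
    to equal, and the error rate there. On a discrete score scale the two
    curves may not meet exactly, so the mean of the two rates is reported."""
    t, frr, far = min(error_curve(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def threshold_for_max_far(impostor: List[int], thresholds: Iterable[int],
                          max_far: float) -> int:
    """Lowest threshold whose FAR stays within a policy ceiling: the choice
    when the policy fixes FAR first and accepts whatever FRR results."""
    for t in thresholds:
        if false_accept_rate(impostor, t) <= max_far:
            return t
    raise ValueError("no threshold satisfies the FAR ceiling")


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 81, 5)):
        print(f"threshold {t:3d}: FRR {frr:.0%}  FAR {far:.0%}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101))
    print(f"CER {cer:.0%} at threshold {t}")
```

With the constructed scores the curves cross at a threshold of 64, where both rates are 10 percent; a device with such a CER would rank far below the 1 percent figure the outline calls superior, which is the point of computing it before deployment rather than after.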

Acceptability of Biometrics
I. Note that many biometric systems that are exceptionally reliable are often considered obtrusive by users, which limits the system’s effectiveness as a security control.
II. Analyze the findings from Table 8-1 and illustrate to students how the rankings differ on various biometric measures.

Access Control Architecture Models
I. Recognize that security access control architecture models illustrate access control implementations and can help organizations quickly make improvements through adaptation.
II. Note that formal models often do not find their way into usable implementations but rather provide a foundation that an implementation uses.

TCSEC’s Trusted Computing Base
I. Describe the Trusted Computer System Evaluation Criteria (TCSEC). Point out that it is an older Department of Defense (DoD) standard that defines the criteria for assessing the access controls in a computer system. This is also known as the "Orange Book" and is the cornerstone of a larger series of documents that were used to determine access controls for systems within the department.
II. Identify that the use of TCSEC is reliant on a trusted computing base (TCB) for a security policy to be enforceable.
III. Recall that the TCB is made up of the hardware and software that has been implemented to provide security for a particular information system (usually including the operating system kernel and a specified set of security utilities).




IV. Point out that one of the biggest challenges in the TCB is the existence of covert channels. Mention that TCSEC defines two kinds of covert channels: storage channels and timing channels.

ITSEC
I. Discuss the Information Technology System Evaluation Criteria (ITSEC), which is an international set of criteria for evaluating computer systems.
II. Emphasize that Targets of Evaluation (ToE) are used to compare detailed security function specifications, which yields an assessment of system functionality together with comprehensive penetration testing.

The Common Criteria
I. Introduce students to the Common Criteria for Information Technology Security Evaluation, often called the Common Criteria or just CC.
II. Mention that it is an international standard for computer security certification. It is classified as ISO/IEC 15408.
III. Discuss the following CC terminology:
• Target of Evaluation (ToE): the system being evaluated
• Protection Profile (PP): user-generated specification for security requirements
• Security Target (ST): document describing the ToE’s security properties
• Security Functional Requirements (SFRs): catalog of a product’s security functions
• Evaluation Assurance Levels (EALs): the rating/grading of a ToE after evaluation; has a range of EAL1 to EAL7
IV. Examine the EAL scale and the kinds of systems that would qualify for each rating:
• EAL1: Functionally Tested: Confidence in operation against nonserious threats
• EAL2: Structurally Tested: More confidence required but comparable with good business practices
• EAL3: Methodically Tested and Checked: Moderate level of security assurance
• EAL4: Methodically Designed, Tested, and Reviewed: Rigorous level of security assurance but still economically feasible without specialized development
• EAL5: Semiformally Designed and Tested: Certification requires specialized development above standard commercial products
• EAL6: Semiformally Verified Design and Tested: Specifically designed security ToE
• EAL7: Formally Verified Design and Tested: Developed for extremely high-risk situations or high-value systems

Bell–LaPadula Confidentiality Model
I. Explain that the Bell–LaPadula (BLP) model ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.
II. Compare and contrast the two access modes that are part of the BLP model: simple security and the * (star) property.
• Simple security (known as the read property) prevents a subject with a lower clearance from reading messages at a higher classification level, while a subject with a higher clearance can read lower levels without issue.
• The * property, alternately, prohibits a high-level subject from sending messages to a lower-level object.
III. Illustrate the example provided in the text of the two access modes that are in the BLP model.

Biba Integrity Model
I. Compare and contrast the differences between the BLP and Biba integrity models.
• Emphasize that the key difference between the two models lies in Biba’s integrity properties, which accomplish a result similar to BLP’s.
II. Point out that it is based on the premise that higher levels of integrity are more worthy of trust than lower ones.
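Students usually grasp the two models fastest by seeing the rules side by side as code. The Python below is an added example, not code from the textbook: it encodes the BLP simple security and * properties and the dual Biba rules over a four-level lattice, then shows a reference monitor that applies both to entities carrying a confidentiality label and an integrity label. The level names, subjects and objects are constructed for the example.

```python
"""Added example: Bell-LaPadula (confidentiality) and Biba (integrity)
decisions over a four-level lattice, plus the combined check a reference
monitor makes when both labels are enforced. Levels, subjects and objects
are constructed for the example."""
from enum import IntEnum
from typing import Dict, Tuple


class Level(IntEnum):
    """Totally ordered lattice; IntEnum makes the comparisons below legal."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(op: str, subject_clearance: Level, object_class: Level) -> bool:
    """Bell-LaPadula: simple security ('no read up') and the *-property
    ('no write down'). Note that BLP permits writing *up*: it guards
    confidentiality, not the integrity of the higher-level object."""
    if op == "read":
        return subject_clearance >= object_class
    if op == "write":
        return subject_clearance <= object_class
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subject_integrity: Level, object_integrity: Level) -> bool:
    """Biba: the dual rules, 'no read down' and 'no write up', so a subject
    never consumes lower-integrity data or contaminates higher-integrity data."""
    if op == "read":
        return subject_integrity <= object_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(f"unknown operation {op!r}")


# Constructed labels: (confidentiality level, integrity level) per entity.
Label = Tuple[Level, Level]
SUBJECTS: Dict[str, Label] = {
    "analyst": (Level.SECRET, Level.CONFIDENTIAL),
    "web_form": (Level.UNCLASSIFIED, Level.UNCLASSIFIED),   # untrusted input source
}
OBJECTS: Dict[str, Label] = {
    "threat_report": (Level.SECRET, Level.SECRET),
    "public_notice": (Level.UNCLASSIFIED, Level.CONFIDENTIAL),
    "audit_log": (Level.TOP_SECRET, Level.TOP_SECRET),
}


def reference_monitor(op: str, subject: str, obj: str) -> bool:
    """Mediates every access: both models must agree before access is granted."""
    s_conf, s_int = SUBJECTS[subject]
    o_conf, o_int = OBJECTS[obj]
    return blp_allows(op, s_conf, o_conf) and biba_allows(op, s_int, o_int)


if __name__ == "__main__":
    for op, s, o in [("read", "analyst", "threat_report"),
                     ("write", "analyst", "threat_report"),
                     ("write", "web_form", "threat_report")]:
        print(f"{s} {op} {o}: {'allow' if reference_monitor(op, s, o) else 'deny'}")
```

The last case in the demo is the instructive one: BLP alone lets the unclassified web form write into the SECRET report (writing up leaks nothing), and only the Biba check stops low-integrity input from contaminating it.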

Clark–Wilson Integrity Model
I. Stress that this model, compared to others, is built on change controls and not integrity levels and is designed for a commercial environment.
II. Outline the model’s change control principles:
• No changes by unauthorized subjects
• No unauthorized changes by authorized subjects
• The maintenance of internal and external consistency
III. Emphasize that this model establishes a system of subject-program-object relationships so that subjects have no direct access to objects and must go through programs to access an object.
IV. Detail the three controls that are part of this model:
• Subject authentication and identification
• Access to objects by means of well-formed transactions
• Execution by subjects on a restricted set of programs
V. Illustrate the four elements that make up the Clark–Wilson model:
• Constrained data item (CDI): A data item with protected integrity
• Unconstrained data item: Data not controlled by Clark–Wilson; nonvalidated input or any output
• Integrity verification procedure (IVP): A procedure that scans data and confirms its integrity
• Transformation procedure (TP): A procedure that only allows changes to a constrained data item
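The subject-program-object idea and the four elements come together in a small enforcement layer. The Python below is an added example, not the textbook's code: account balances are the CDIs, subjects reach them only through certified TPs they are authorized to run, an IVP checks internal and external consistency after every TP, and a failed check rolls the change back. Subject names, the access triples and the amounts are all constructed.

```python
"""Added example: a miniature Clark-Wilson enforcement layer. Balances are
the constrained data items (CDIs); subjects never touch them directly but
invoke certified transformation procedures (TPs) they are authorized for;
an integrity verification procedure (IVP) checks the invariants. Names,
roles and amounts are constructed."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    pass


class NotAuthorized(Exception):
    pass


@dataclass
class Ledger:
    cdis: Dict[str, int]        # account -> balance in cents (the CDIs)
    anchor: int                 # external-consistency anchor: expected sum of balances
    log: List[Tuple[str, str, tuple]] = field(default_factory=list)   # (subject, TP, args)


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """Well-formed transaction: moves value between two CDIs, refusing
    anything that would break the invariants instead of half-applying it."""
    if amount <= 0 or src not in ledger.cdis or dst not in ledger.cdis or src == dst:
        raise IntegrityViolation("malformed transfer")
    if ledger.cdis[src] < amount:
        raise IntegrityViolation("insufficient funds")
    ledger.cdis[src] -= amount
    ledger.cdis[dst] += amount


def ivp(ledger: Ledger) -> bool:
    """IVP: internal consistency (no negative balance) and external
    consistency (balances still sum to the anchor)."""
    return (all(b >= 0 for b in ledger.cdis.values())
            and sum(ledger.cdis.values()) == ledger.anchor)


# Certified TPs and the access triples (subject, TP) - a constructed policy.
TPS: Dict[str, Callable[..., object]] = {"transfer": tp_transfer, "verify": ivp}
ACCESS_TRIPLES: Dict[str, Set[str]] = {"teller": {"transfer"}, "auditor": {"verify"}}


def execute(ledger: Ledger, subject: str, tp_name: str, *args) -> object:
    """Sole entry point to the CDIs (subject -> program -> object): checks the
    access triple, runs the TP, re-verifies with the IVP and rolls back on
    failure, and records the action for accountability."""
    if tp_name not in ACCESS_TRIPLES.get(subject, set()):
        raise NotAuthorized(f"{subject} is not certified to run {tp_name}")
    snapshot = deepcopy(ledger.cdis)
    try:
        result = TPS[tp_name](ledger, *args)
        if not ivp(ledger):
            raise IntegrityViolation("IVP failed after TP")
    except IntegrityViolation:
        ledger.cdis = snapshot      # undo any partial change
        raise
    ledger.log.append((subject, tp_name, args))
    return result


def attempt(ledger: Ledger, subject: str, tp_name: str, *args) -> str:
    """Map the three possible outcomes to labels for the demo."""
    try:
        execute(ledger, subject, tp_name, *args)
        return "ok"
    except NotAuthorized:
        return "denied"
    except IntegrityViolation:
        return "rejected"


def new_ledger() -> Ledger:
    return Ledger(cdis={"alice": 10_000, "bob": 2_500}, anchor=12_500)


if __name__ == "__main__":
    ledger = new_ledger()
    print(attempt(ledger, "teller", "transfer", "alice", "bob", 1_500), ledger.cdis)
    print(attempt(ledger, "auditor", "transfer", "alice", "bob", 1))    # denied
    print(attempt(ledger, "teller", "transfer", "bob", "alice", 99_999)) # rejected
```

The two refusals map onto the first two change control principles: the auditor is an unauthorized subject for the transfer TP, and the overdraw is an unauthorized change attempted by an authorized subject; the IVP and anchor cover the third.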

Graham–Denning Access Control Model
I. Explain that this model has three core parts: sets of objects, sets of subjects, and sets of rights.
II. Outline the model’s eight primitive protection rights:
• Create object
• Create subject
• Delete object
• Delete subject
• Read access right
• Grant access right
• Delete access right
• Transfer access right
III. Emphasize that within this model, the sets of rights are what govern how subjects may manipulate the passive objects.

Harrison–Ruzzo–Ullman Model
I. Detail that the Harrison–Ruzzo–Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects.
II. Contrast and emphasize that the Bell–LaPadula model does not allow changes, whereas this model does.
III. Categorize the set of four generic rights and the special set of commands that make up this model:
• Create subject/create object
• Enter specific command or generic right into a subject or object
• Delete specific command or generic right from a subject or object
• Destroy subject/destroy object
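Both the Graham–Denning rights listed earlier and the HRU primitives operate on the same structure, an access matrix, so one example serves both sections. The Python below is an added example, not the textbook's code: it implements the matrix with the primitive operations (create/destroy subject and object, enter/delete right) and builds conditional commands on top of them in the HRU style, where a command checks existing rights before applying primitives. The subject, object and right names are constructed; the "*" suffix marking a transferable right is this example's convention.

```python
"""Added example: an access matrix with the Graham-Denning / HRU primitive
operations and conditional commands composed from them. Subject, object and
right names are constructed for the example."""
from typing import Dict, Set, Tuple

Cell = Tuple[str, str]   # (subject, object)


class AccessMatrix:
    """Rows are subjects, columns are objects, cells hold sets of rights.
    A right name ending in '*' carries the transfer (copy) flag."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.cells: Dict[Cell, Set[str]] = {}

    def rights(self, s: str, o: str) -> Set[str]:
        return self.cells.get((s, o), set())

    # --- primitive operations: unconditional, used only inside commands ---
    def create_subject(self, s: str) -> None:
        self.subjects.add(s)

    def create_object(self, o: str) -> None:
        self.objects.add(o)

    def destroy_subject(self, s: str) -> None:
        self.subjects.discard(s)
        self.cells = {c: r for c, r in self.cells.items() if c[0] != s}   # drop the row

    def destroy_object(self, o: str) -> None:
        self.objects.discard(o)
        self.cells = {c: r for c, r in self.cells.items() if c[1] != o}   # drop the column

    def enter_right(self, r: str, s: str, o: str) -> None:
        if s not in self.subjects or o not in self.objects:
            raise KeyError("subject or object does not exist")
        self.cells.setdefault((s, o), set()).add(r)

    def delete_right(self, r: str, s: str, o: str) -> None:
        self.rights(s, o).discard(r)

    # --- HRU commands: a condition on current rights, then primitives ---
    def cmd_create_file(self, creator: str, o: str) -> bool:
        """A subject creates an object and becomes its owner."""
        if creator not in self.subjects or o in self.objects:
            return False
        self.create_object(o)
        self.enter_right("own", creator, o)
        return True

    def cmd_grant(self, granter: str, r: str, grantee: str, o: str) -> bool:
        """Graham-Denning 'grant access right': only the owner may grant."""
        if "own" not in self.rights(granter, o) or grantee not in self.subjects:
            return False
        self.enter_right(r, grantee, o)
        return True

    def cmd_transfer(self, giver: str, r: str, receiver: str, o: str) -> bool:
        """Graham-Denning 'transfer access right': holder of r* passes r on."""
        if r + "*" not in self.rights(giver, o) or receiver not in self.subjects:
            return False
        self.enter_right(r, receiver, o)
        return True

    def cmd_revoke(self, owner: str, r: str, s: str, o: str) -> bool:
        """Graham-Denning 'delete access right': only the owner may revoke."""
        if "own" not in self.rights(owner, o):
            return False
        self.delete_right(r, s, o)
        return True
```

The commands return False rather than raising so that a caller can tell a refused request (the condition failed, and nothing changed) from a programming error such as referencing a subject that was never created.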

Brewer–Nash Model
I. Discuss the Brewer–Nash Model, which is designed to prevent a conflict of interest between two parties. Point out that this model is sometimes known as a Chinese Wall.

Zero Trust Architecture
I. Explain that this model transitions defenses from static, network-based perimeters to a focus on authentication of users, assets, and resources. From there, access is allowed dynamically based on access control rules.
II. Stress that this includes environments where people bring their own devices (BYOD) and cloud-based infrastructures.
III. Recognize that the protection is focused on resources and not network segments.

Quick Quiz 1
1. The method by which systems determine whether and how to admit a user into a trusted area of the organization is known as which of the following? a. attribute b. accountability c. access control d. auditability
Answer: c
2. Which term is used to describe the process of validating a supplicant’s purported identity? a. accountability b. authentication c. authorization d. biometrics
Answer: b
3. True or False: The authentication factor something a supplicant has relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans.
Answer: False
4. The biometric technology criterion that describes the number of legitimate users who are denied access because of a failure in the biometric device is known as which of the following? a. false reject rate b. false accept rate c. crossover error rate d. accountability rate
Answer: a
5. The piece of the system that manages access controls within the TCB is an object known as which of the following? a. covert channel b. storage channel c. reference monitor d. standard
Answer: c

Firewall Technologies (8.3, 8.4, PPT Slides 18–33)
I. Recall how a firewall prevents specific types of information from moving between an external network, known as the untrusted network, and an internal network, known as the trusted network.
II. Discuss how the firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing several supporting devices.
III. Categorize firewalls into three areas: processing modes, development eras, or structures.

Firewall Processing Modes
I. Classify firewalls into the four major categories of processing modes they fall into: packet-filtering firewalls, application layer proxy firewalls, MAC layer firewalls, and hybrids.




Packet-Filtering Firewalls
I. Explain that packet-filtering firewalls examine the header information of data packets that come into a network. Apply Figure 8-7 as a visual illustration of a standard IPv4 packet structure.
II. Relate that packet-filtering firewalls scan network data packets looking for compliance with the rules in the firewall’s database. Packets are inspected at Layer 3 of the Open Systems Interconnection (OSI) model (which has a total of seven layers).
III. Emphasize that the most commonly implemented restrictions are based on a combination of the following:
• IP source and destination address
• Direction (inbound or outbound)
• Protocol, for firewalls capable of examining the IP protocol layer
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (apply Figures 8-8 and 8-9 illustrating these)
IV. Describe simple firewall models, which examine one aspect of the packet header: the destination and source address. Emphasize that they enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
V. Explain that they accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators.
VI. Identify the three subsets of packet-filtering firewalls:
• Static filtering
• Dynamic filtering
• Stateful packet inspection (SPI)
VII. Evaluate how static filtering requires that the filtering rules be developed and installed with the firewall.
VIII. Describe dynamic filtering, which allows the firewall to react to an emergent event and update or create rules to deal with the event. Note that while static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet-filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall.

IX.

Detail how stateful inspection firewalls, or stateful firewalls, keep track of each network connection between internal and external systems using a state table,

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

19


Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 8: Security Technology: Access Controls, Firewalls, and VPNs

which tracks the state and context of each packet in the conversation by recording which station sent which packet and when. X.

Stress the difference between simple packet filtering firewalls and stateful firewalls. Whereas simple packet filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can block incoming packets that are not responses to internal requests.

XI.

Critique how the primary disadvantage of a stateful firewall is the additional processing required to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack.
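The state-table behavior described in items IX through XI, as an added worked example for class use (this is not code from the textbook or this manual). Outbound flows from the trusted side are recorded in a state table; an inbound packet is allowed only when it is the reply half of a recorded flow, entries expire after an idle timeout, and the table is capped, which is the resource limit behind the DoS concern in item XI. All addresses, ports and packets are constructed sample values.

```python
"""Stateful packet inspection with a state table (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str   # "out" = trusted -> untrusted, "in" = untrusted -> trusted


# A flow is keyed from the trusted host's point of view.
FlowKey = Tuple[str, str, int, str, int]   # (proto, inside_ip, inside_port, outside_ip, outside_port)


class StatefulFirewall:
    def __init__(self, idle_timeout: float = 60.0, max_entries: int = 10_000) -> None:
        self.state: Dict[FlowKey, float] = {}   # flow -> time last seen
        self.idle_timeout = idle_timeout
        self.max_entries = max_entries

    def _expire(self, now: float) -> None:
        """Drop entries that have been idle longer than the timeout."""
        for key in [k for k, seen in self.state.items() if now - seen > self.idle_timeout]:
            del self.state[key]

    def filter(self, pkt: Packet, now: float) -> str:
        """Return 'allow' or 'deny' for pkt and update the state table."""
        self._expire(now)
        if pkt.direction == "out":
            key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            # A full table is the resource a flood of new flows would exhaust;
            # failing closed here is what keeps the state table bounded.
            if key not in self.state and len(self.state) >= self.max_entries:
                return "deny"
            self.state[key] = now            # remember the flow so its reply can return
            return "allow"
        # Inbound: allowed only as the reverse of a flow a trusted host started.
        reverse: FlowKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.state:
            self.state[reverse] = now        # refresh the idle timer
            return "allow"
        return "deny"                        # unsolicited inbound packet


def demo() -> List[str]:
    """Run four constructed packets through the firewall; returns the decisions."""
    fw = StatefulFirewall(idle_timeout=30.0)
    decisions = []
    # 1. trusted host 10.0.0.5 opens an HTTPS connection to 203.0.113.10
    decisions.append(fw.filter(Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, "out"), now=0.0))
    # 2. the reply from 203.0.113.10 matches the recorded flow
    decisions.append(fw.filter(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, "in"), now=1.0))
    # 3. an unsolicited packet from another outside host to the same port: no state, denied
    decisions.append(fw.filter(Packet("198.51.100.7", "10.0.0.5", "tcp", 4444, 51000, "in"), now=2.0))
    # 4. the same reply again after the flow has been idle past the timeout: expired, denied
    decisions.append(fw.filter(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, "in"), now=40.0))
    return decisions   # ['allow', 'allow', 'deny', 'deny']


if __name__ == "__main__":
    print(demo())
```

The contrast with a simple packet filter (item X) is the third packet: its addresses and ports are identical in shape to the legitimate reply, so only the absence of a matching state entry distinguishes it.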

Application Layer Proxy Firewalls

I. Describe that an application layer firewall, or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router.

II. Identify how the application firewall is also known as a proxy server, since it runs special software that acts as a proxy for a service request.

III. Emphasize that since the proxy server is often placed in an unsecured area of the network or in the DMZ, it, rather than the Web server, is exposed to the higher levels of risk from the less trusted networks.

IV. Define the four common applications these firewalls protect at the application layer:
• File Transfer Protocol (FTP)
• Telnet
• Hypertext Transfer Protocol (HTTP)
• Simple Mail Transfer Protocol (SMTP) or Simple Network Management Protocol (SNMP)

Media Access Control Layer Firewalls

I. Comment how MAC layer firewalls are designed to operate at the media access control layer of the OSI network model. Point out that this type of firewall is not as well known or widely referenced.

II. Explain how, using this approach, the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host, and all other traffic is blocked.

III. Emphasize the differences between MAC layer firewalls and mandatory access controls (MACs).

IV. Reference Figure 8-11 for additional information on this type of firewall.

Hybrid Firewalls

I. Identify that hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

II. Propose how, alternately, a hybrid firewall system can consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem.

III. Report on the most recent generation of firewalls, known as Unified Threat Management (UTM) and the Next Generation Firewall (NextGen or NGFW). Point out that UTMs are categorized by their ability to perform the work of an SPI firewall, network intrusion detection and prevention system, content filter, spam filter, and malware scanner and filter.

IV. Contrast that smaller organizations may prefer an all-in-one firewall approach due to budgetary constraints, whereas larger organizations may have separate firewalls.

Firewall Architectures

I. Emphasize that each of the firewall devices noted earlier can be configured in several network connection architectures.

II. Briefly discuss the impact that cloud-based IT solutions and bring your own device (BYOD) policies have on securing networks today.

III. Stress that the firewall configuration that works best for a particular organization depends on three factors: the objectives of the network, the organization’s ability to develop and implement the architectures, and the budget available for the function.

IV. Describe three common architectural implementations of firewalls:
• Single bastion hosts
• Screened host firewalls
• Screened subnet firewalls

Single Bastion Hosts

I. Emphasize that this approach provides one single firewall layer to protect an organization’s router. Denote that the single bastion host architecture can be implemented as a packet-filtering router or as a firewall behind a router that is not configured for packet filtering.

II. State that anything that is exposed to an untrusted network is often referred to as a bastion or sacrificial host.

III. Present the understanding that this type of setup is common in most home and small office/home office (SOHO) environments.

IV. Explain that a bastion host is usually implemented as a dual-homed host. The bastion host contains two NICs. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. Reference Figure 8-12 for a visual understanding of this concept.

V. Relate that with a two-NIC setup, all traffic must go through the firewall to move between the internal and external networks.

VI. Discuss the implementation of this architecture, which often makes use of Network Address Translation (NAT). NAT is a method of mapping assigned IP addresses to special ranges of nonroutable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.

VII. Compare the similarities and differences between Port Address Translation (PAT) and Network Address Translation (NAT).
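The NAT and PAT comparison in items VI and VII, as an added worked example (not code from the textbook or this manual). StaticNat maps each internal address one-to-one to a dedicated public address, so only hosts with a mapping are reachable at all; Pat lets many internal hosts share one public address by rewriting the source port, and an inbound packet is forwarded only when it matches a translation that outbound traffic created. Inside addresses use RFC 1918 space, outside addresses use documentation ranges, and all of them are constructed.

```python
"""Static NAT and PAT translation tables (added example, constructed addresses)."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class StaticNat:
    """One-to-one NAT: inside address <-> dedicated public address, ports unchanged."""

    def __init__(self, inside_to_public: Dict[str, str]) -> None:
        self.out = dict(inside_to_public)
        self.back = {pub: inside for inside, pub in inside_to_public.items()}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        pub = self.out.get(src[0])
        return ((pub, src[1]), dst) if pub else None   # no mapping: not routable outside

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        # A static mapping publishes the inside host; unmapped public addresses go nowhere.
        inside = self.back.get(dst[0])
        return (src, (inside, dst[1])) if inside else None


class Pat:
    """Many-to-one NAT: every outbound flow gets its own port on one public address."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows: Dict[Tuple[Endpoint, Endpoint], int] = {}   # (inside, remote) -> public port
        self.back: Dict[Tuple[int, Endpoint], Endpoint] = {}     # (public port, remote) -> inside

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        port = self.flows.get((src, dst))
        if port is None:                      # first packet of the flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[(src, dst)] = port
            self.back[(port, dst)] = src
        return ((self.public_ip, port), dst)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        # The remote endpoint is part of the key, so only the host that was
        # contacted can reach the inside host through this port.
        inside = self.back.get((dst[1], src))
        return (src, inside) if inside and dst[0] == self.public_ip else None


def demo() -> Dict[str, object]:
    """Constructed traffic through both translators; returns what each one produced."""
    pat = Pat("198.51.100.1")
    a = pat.outbound(("10.0.0.5", 40000), ("203.0.113.10", 443))   # two inside hosts, same source port,
    b = pat.outbound(("10.0.0.6", 40000), ("203.0.113.10", 443))   # same destination: distinct public ports
    reply_b = pat.inbound(("203.0.113.10", 443), ("198.51.100.1", 20001))      # maps back to 10.0.0.6
    stray = pat.inbound(("192.0.2.99", 5555), ("198.51.100.1", 20000))        # wrong remote endpoint
    probe = pat.inbound(("203.0.113.10", 443), ("198.51.100.1", 30000))       # port never allocated
    nat = StaticNat({"10.0.0.7": "198.51.100.7"})
    srv = nat.inbound(("203.0.113.10", 50000), ("198.51.100.7", 22))           # published server
    unmapped = nat.inbound(("203.0.113.10", 50000), ("198.51.100.8", 22))      # no mapping
    return {"a": a, "b": b, "reply_b": reply_b, "stray": stray, "probe": probe,
            "srv": srv, "unmapped": unmapped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two None results for `stray` and `probe` are the "extra barrier" in practice: without a translation entry the firewall has no inside address to deliver to, so the packet is dropped before any internal host sees it.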

Screened Host Architecture

I. Detail the process as a combination of a packet-filtering router with a separate, dedicated firewall (i.e., an application proxy server), which gets information for users and caches copies of Web pages and other information on its internal devices to expedite access to them.

II. Denote that this gives the router the option to prescreen packets, reducing network traffic and the load on the internal proxy.

III. Relate the fact, however, that a screened host firewall may present a promising target, because compromise of the bastion host can lead to attacks on the proxy server that could disclose the configuration of internal networks and possibly provide attackers with an opportunity to retrieve internal information.

IV. Apply Figure 8-13 to the discussion and explanation of screened host architectures.

Screened Subnet Architecture (with DMZ)

I. Explain how the screened host architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy.

II. Illustrate how the application proxy examines an application layer protocol and performs the proxy services. Use Figures 8-14 and 8-15 as supplements to the discussion.

III. Emphasize that the dominant architecture used today, the screened subnet firewall, provides a DMZ. State how the DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet.

IV. Classify that a common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network:
• Connections from the outside or untrusted network are routed through an external filtering router.
• Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ.
• Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

V. Explain how the screened subnet is an entire network segment that performs two functions:
• It protects the DMZ systems and information from outside threats by providing a network of intermediate security.
• It protects the internal networks by limiting how external connections can gain access to internal systems.

VI. Identify that DMZs can also create extranets, segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the public.

VII. Detail the process as a combination of a packet-filtering router with a separate, dedicated firewall (i.e., an application proxy server), which gets information for users and caches copies of Web pages and other information on its internal devices to expedite access to them. Use Figure 8-15 for additional visual assistance in explaining the concept to students.

Selecting the Right Firewall

I. Outline the four questions that must be answered to determine the best firewall for an organization and/or its needs:
• Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
• What features are included in the base price? What features are available at extra cost? Are all cost factors known?
• How easy is it to set up and configure the firewall? Does the organization have staff members on hand who are trained to configure the firewall, or would the hiring of additional employees (or contractors or managed service providers) be required?
• Can the firewall adapt to the organization’s growing network?

II. Stress that cost is likely the second most important issue; naturally, the most important is the protection the firewall will provide for the situation.

Configuring and Managing Firewalls

I. Relate that the configuration of firewall policies can be complex and difficult. Explain how each configuration rule must be carefully crafted, debugged, tested, and sorted.

II. Emphasize that when configuring firewalls, keep one thing in mind: when security rules conflict with the performance of business, security often loses.

Best Practices for Firewalls

I. Illustrate the most frequently recommended best practices, as outlined in the text, for firewall installation, upkeep, and maintenance:
• All traffic from the trusted network is allowed out.
• The firewall device is never directly accessible from the public network.
• SMTP data is allowed to pass through the firewall, but it should be routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
• All ICMP data should be denied.
• Telnet access to all internal servers from the public networks should be blocked.
• When Web services are offered outside the firewall, HTTP traffic should be prevented from reaching your internal networks through the use of some form of proxy access or DMZ architecture.
• All data that is not verifiably authentic should be denied.

Firewall Rules

I. Explain how firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules.

II. Discuss the logic, which is based on a set of guidelines programmed by a firewall administrator or created dynamically based on outgoing requests for information.

III. Apply the understanding that this logical set is most often referred to as firewall rules, the rule base, or firewall logic.

IV. Explain that most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped.

V. Summarize the rule sets provided in the text and within Tables 8-5 through 8-19:
• Rule Set 1: Responses to internal requests are allowed.
• Rule Set 2: The firewall device is never accessible directly from the public network.
• Rule Set 3: All traffic from the trusted network is allowed out.
• Rule Set 4: Packets governed by this rule are allowed to pass through the firewall but are routed to a well-configured SMTP gateway (see Table 8-9 for SMTP data).
• Rule Set 5: All ICMP data (including pings, formally ICMP Echo requests) should be denied.
• Rule Set 6: Telnet (terminal emulation) access should be blocked to all internal servers from the public networks. This is more relevant for UNIX- and Linux-based machines and less so for Windows machines.
• Rule Set 7: When Web services are offered outside of the firewall, HTTP and HTTPS traffic should be blocked from the internal networks via the use of proxy access or a DMZ architecture.
• Rule Set 8: As a general practice in firewall rule construction, if a request for a service is not explicitly allowed by policy, that request should be denied by a rule.
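The rule sets above, encoded as an ordered rule base evaluated first-match, top to bottom, with the explicit default deny of Rule Set 8 as the last rule. This is an added worked example for class use, not the textbook's Tables 8-5 through 8-19. Rule Set 1 (responses to internal requests) is a stateful decision and is only noted in a comment. All addresses are constructed: the trusted network is 10.0.0.0/8, the firewall's public address is 192.0.2.1, and the SMTP gateway and Web proxy sit in a DMZ at 192.0.2.25 and 192.0.2.80.

```python
"""Ordered firewall rule base with first-match semantics (added example, constructed addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
TRUSTED = ipaddress.ip_network("10.0.0.0/8")
FIREWALL = ipaddress.ip_network("192.0.2.1/32")
SMTP_GATEWAY = ipaddress.ip_network("192.0.2.25/32")
DMZ_PROXY = ipaddress.ip_network("192.0.2.80/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]         # None matches any protocol
    dst_ports: Tuple[int, ...]   # empty tuple matches any port
    action: str                  # "allow" or "deny"


RULE_BASE: List[Rule] = [
    # Rule Set 1 (replies to internal requests) comes from the state table, not from a static rule.
    # RS2 is placed first so that no later allow (RS3 included) can reopen the firewall itself.
    Rule("RS2 firewall itself is never reachable", ANY, FIREWALL, None, (), "deny"),
    Rule("RS3 trusted network is allowed out", TRUSTED, ANY, None, (), "allow"),
    Rule("RS4 SMTP only via the SMTP gateway", ANY, SMTP_GATEWAY, "tcp", (25,), "allow"),
    Rule("RS5 all ICMP denied", ANY, ANY, "icmp", (), "deny"),
    Rule("RS6 Telnet to internal servers blocked", ANY, TRUSTED, "tcp", (23,), "deny"),
    Rule("RS7 HTTP/HTTPS only via the DMZ proxy", ANY, DMZ_PROXY, "tcp", (80, 443), "allow"),
    Rule("RS8 default deny", ANY, ANY, None, (), "deny"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, dst_port: Optional[int]) -> bool:
    """True when every populated field of the rule matches the packet."""
    if ipaddress.ip_address(src) not in rule.src or ipaddress.ip_address(dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dst_ports and dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(src: str, dst: str, proto: str, dst_port: Optional[int] = None,
             rule_base: List[Rule] = RULE_BASE) -> Tuple[str, str]:
    """Return (action, name of the first matching rule)."""
    for rule in rule_base:
        if matches(rule, src, dst, proto, dst_port):
            return rule.action, rule.name
    return "deny", "implicit deny"   # unreachable while RS8 is present; kept as a safety net


def demo() -> List[Tuple[str, str]]:
    """Evaluate constructed packets; the outside host is 198.51.100.9."""
    samples = [
        ("198.51.100.9", "192.0.2.1", "tcp", 22),     # SSH to the firewall itself      -> RS2 deny
        ("10.1.2.3", "198.51.100.9", "tcp", 443),     # trusted host browsing out       -> RS3 allow
        ("198.51.100.9", "192.0.2.25", "tcp", 25),    # inbound mail to the gateway     -> RS4 allow
        ("198.51.100.9", "10.1.2.4", "tcp", 25),      # mail straight to an inside host -> RS8 deny
        ("198.51.100.9", "10.1.2.4", "icmp", None),   # ping of an inside host          -> RS5 deny
        ("198.51.100.9", "10.1.2.4", "tcp", 23),      # Telnet to an internal server    -> RS6 deny
        ("198.51.100.9", "192.0.2.80", "tcp", 80),    # HTTP to the DMZ proxy           -> RS7 allow
        ("198.51.100.9", "10.1.2.4", "tcp", 80),      # HTTP straight to an inside host -> RS8 deny
    ]
    return [evaluate(*s) for s in samples]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because evaluation stops at the first match, rule order is part of the policy: the comment on RS2 records why it precedes the broad RS3 allow, which is the kind of reasoning item I in "Configuring and Managing Firewalls" asks for when rules are "sorted".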

Content Filters

I. Describe a content filter, which is a software filter, technically not a firewall, that allows administrators to restrict access to content from within a network. It is a set of scripts or programs that restricts user access to certain networking protocols and Internet locations, or restricts users from receiving general types or specific examples of Internet content.

II. Note that some refer to content filters as reverse firewalls, as their primary focus is to restrict internal access to external material.

III. Explain to students that in the most common implementation models, the content filter has two components: rating and filtering.

IV. Emphasize that the rating is like a set of firewall rules for Web sites, and it is common in residential content filters.

V. Classify how the filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures.

VI. Relate the most common content filters, which restrict users from accessing Web sites with obvious non-business-related material, such as pornography, or deny incoming spam e-mail.

Quick Quiz 2

1. What type of firewall examines every incoming packet header and can selectively filter packets based on header information, such as destination address, source address, packet type, and other key information?
a. packet filtering
b. proxy server
c. media access control (MAC) layer
d. application
Answer: a

2. Which type of firewall filtering allows the firewall to react to an emergent event and update or create rules to deal with the event?
a. static
b. stable
c. unstable
d. dynamic
Answer: d

3. True or False: All traffic exiting from the trusted network should be filtered.
Answer: False

4. A network filter that allows administrators to restrict access to external content from within a network is known as which of the following?
a. content filter
b. dynamic filter
c. static filter
d. stateful filter
Answer: a

Protecting Remote Connections (8.5, 8.6, PPT Slides 36–80)

I. Discuss installing Internet connections, which requires using leased lines or other data channels provided by common carriers; these connections are therefore usually permanent and secured under the requirements of a formal service agreement.

II. Explain how, in the past, organizations provided remote connections exclusively through dial-up services like Remote Authentication Service (RAS). Since the Internet has become more widespread in recent years, other options, such as Virtual Private Networks (VPNs), have become more popular.

III. Stress that as more employees work from home or elsewhere, the need for VPNs greatly increases.

Remote Access

I. Explain how it is a widely held view that these unsecured, dial-up connection points represent a substantial exposure to attack.

II. Comprehend that an attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points.

III. Illustrate how a war dialer is an automatic phone-dialing program that dials every number in a configured range and checks to see if a person, answering machine, or modem picks up.

IV. Discuss how some technologies, such as RADIUS, Diameter, TACACS, and CHAP password systems, have improved authentication and apply strong encryption.

RADIUS, Diameter, and TACACS

I. Report that these systems authenticate the credentials of users who attempt to access an organization’s network through dial-up connections.

II. Explain how Remote Authentication Dial-In User Service (RADIUS) systems place the responsibility for authenticating each user in the central RADIUS server.

III. Evaluate that when a remote access server (NAS) receives a request for a network connection from a dial-up client, it passes the request, along with the user’s credentials, to the RADIUS server, which then validates the credentials and passes the resulting decision (accept or deny) back to the accepting RAS.

IV. Detail how the Diameter protocol defines the minimum requirements for a system that provides authentication, authorization, and accounting (AAA) services and can go beyond these basics by adding commands and/or object attributes.

V. Discuss Diameter security, which uses respected encryption standards including IPSec or TLS; its cryptographic capabilities are extensible and will be able to use future encryption protocols as they are implemented.

VI. Compare how the RADIUS system is similar in function to the Terminal Access Controller Access Control System (TACACS). Distinguish that, like RADIUS, it is a centralized database, and it validates the user’s credentials at the TACACS server.

VII. Recommend that students review Figure 8-16 for a visual explanation of RADIUS configurations.

Kerberos

I. Present two authentication systems that provide secure third-party authentication services: Kerberos and SESAME.

II. Detail that Kerberos keeps a database containing the private keys of clients and servers. Note that in the case of a client, this key is simply the client’s encrypted password.

III. Illustrate how the Kerberos system remembers private keys and has the ability to authenticate one network node (client or server) to another. Outline the following interacting services, which include database libraries:
• Authentication server (AS), which is a Kerberos server that authenticates clients and servers
• Key Distribution Center (KDC), which generates and issues session keys
• Kerberos ticket granting service (TGS), which provides tickets to clients who request services

IV. Outline the following principles on which Kerberos is based:
• The KDC knows the secret keys of all clients and servers on the network.
• The KDC initially exchanges information with the client and server by using these secret keys.
• Kerberos authenticates a client to a requested service on a server through the TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server.
• Communications then take place between the client and server using these temporary session keys.

V. Recommend that students review Figures 8-17 and 8-18 for a detailed view of Kerberos login and service request procedures.
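The login and service request procedures of items III and IV, as an added worked example (this is not code from the textbook, nor from any real Kerberos implementation). It models the AS exchange, which yields a ticket-granting ticket (TGT) readable only with the user's key; the TGS exchange, which yields a service ticket sealed under the server's key; and the final client-to-server step, in which both sides use a temporary session key the KDC issued. `seal` and `unseal` are a toy keystream-plus-HMAC cipher standing in for the real Kerberos encryption types, and all principals, passwords and timestamps are constructed.

```python
"""Kerberos-style AS / TGS / service exchanges (added example, toy cipher, constructed principals)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key: bytes, msg: Dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag (not for real use)."""
    nonce = secrets.token_bytes(8)
    plain = json.dumps(msg, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Dict:
    """Verify the tag first; a wrong key or a tampered ticket raises ValueError."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str) -> bytes:
    """The client's long-term key is derived from its password (item II)."""
    return hashlib.sha256(b"constructed-salt:" + password.encode()).digest()


class KDC:
    """Knows the secret keys of all clients and servers (first principle in item IV)."""
    TICKET_LIFE = 600   # seconds
    CLOCK_SKEW = 300

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.tgs_key = secrets.token_bytes(32)   # the TGS's own secret key

    def register_user(self, name: str, password: str) -> None:
        self.keys[name] = user_key(password)

    def register_server(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def as_exchange(self, user: str, now: int) -> bytes:
        """AS: the reply is sealed under the user's key, so only that user can read the TGT."""
        session = secrets.token_bytes(32)   # temporary client <-> TGS session key
        tgt = seal(self.tgs_key, {"user": user, "key": session.hex(), "exp": now + self.TICKET_LIFE})
        return seal(self.keys[user], {"tgs_key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS: check the TGT and the authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(t["key"])
        a = unseal(session, authenticator)   # proves the client holds the session key
        if t["exp"] < now or a["user"] != t["user"] or abs(a["time"] - now) > self.CLOCK_SKEW:
            raise ValueError("TGT expired or authenticator invalid")
        svc_key = secrets.token_bytes(32)    # temporary client <-> service session key
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc_key.hex(), "exp": now + self.TICKET_LIFE})
        return seal(session, {"service_key": svc_key.hex(), "ticket": ticket.hex()})


def client_login(kdc: KDC, user: str, password: str, service: str, now: int) -> Tuple[bytes, bytes]:
    """Client side of the login and service request: returns (service session key, service ticket)."""
    reply = unseal(user_key(password), kdc.as_exchange(user, now))   # wrong password -> ValueError
    session, tgt = bytes.fromhex(reply["tgs_key"]), bytes.fromhex(reply["tgt"])
    authenticator = seal(session, {"user": user, "time": now})
    reply2 = unseal(session, kdc.tgs_exchange(tgt, authenticator, service, now))
    return bytes.fromhex(reply2["service_key"]), bytes.fromhex(reply2["ticket"])


def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """The service needs only its own key; it never sees the user's password."""
    t = unseal(server_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    return a["user"] == t["user"] and t["exp"] >= now


def demo() -> Tuple[bool, bool]:
    """Returns (valid login accepted by the server, wrong password rejected)."""
    kdc = KDC()
    kdc.register_user("alice", "correct horse battery")
    file_key = kdc.register_server("fileserver")
    now = 1_700_000_000
    svc_key, ticket = client_login(kdc, "alice", "correct horse battery", "fileserver", now)
    accepted = server_accept(file_key, ticket, seal(svc_key, {"user": "alice", "time": now}), now)
    try:
        client_login(kdc, "alice", "wrong password", "fileserver", now)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected   # (True, True)
```

Note that a wrong password fails on the client, when the AS reply cannot be unsealed, so the KDC never learns whether the guess was right; the server, for its part, validates the ticket with its own key alone, which is what makes the third party trusted by both sides.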

SESAME

I. Detail that the Secure European System for Applications in a Multivendor Environment (SESAME), defined in RFC 1510, is the result of a European research and development project partly funded by the European Commission. SESAME is like Kerberos in that the user is first authenticated to an authentication server and receives a token.

II. Discuss in detail how SESAME is like Kerberos in that the user is first authenticated to an authentication server and receives a token.

III. Explain how the token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) as proof of identity to gain a privilege attribute certificate (PAC).

IV. Note that SESAME also builds on the Kerberos model by adding additional and more sophisticated access control features and more scalable encryption systems, as well as improved manageability, auditing features, and the delegation of responsibility for allowing access.

Virtual Private Networks (VPNs)

I. Define a VPN as a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. VPNs are commonly used to securely extend an organization’s internal network connections to remote locations beyond the trusted network.

II. Discuss the three VPN technologies that the VPNC defines:
• A trusted VPN, or legacy VPN, uses leased circuits from a service provider and conducts packet switching over these leased circuits.
• A secure VPN uses security protocols and encrypts traffic transmitted across unsecured public networks like the Internet.
• A hybrid VPN combines the two, providing encrypted transmissions (as in a secure VPN) over some or all of a trusted VPN network.

III. Note that a VPN that proposes to offer a secure and reliable capability while relying on public networks must address:
• Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network as well as be usable by the server network environment.
• Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network, but usable by the client and server computers and/or the local networks on both ends of the VPN connection.
• Authentication of the remote computer and, perhaps, the remote user. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.

IV. Point out that VPN support is built into most Microsoft server software, including 2012, and client support for VPN services is built into most Windows clients.

Transport Mode

I. Explain how in transport mode, the data within an IP packet is encrypted, but the header information is not.

II. Emphasize that this allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. Direct learners to review Figure 8-19 for a visual reference.

III. Describe the two popular uses for transport mode VPNs:
• The end-to-end transport of encrypted data
• A remote access worker or teleworker connecting to an office network over the Internet by connecting to a VPN server on the perimeter

Tunnel Mode

I. Detail that the purpose of this mode is to encrypt all traffic that will traverse an unsecured network; the receiving server decrypts the packet and forwards it to its final address.

II. Stress that the benefit of this model is that an intercepted packet never reveals anything about its true destination system.

III. Note that in tunnel mode, the entire client packet is encrypted and added as the data portion of a packet that is addressed from one tunneling server to another. The receiving server decrypts the packet and sends it to the final address.
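The difference between the two modes, as an added worked example covering both the Transport Mode and Tunnel Mode items above (not code from the textbook). It shows what a passive observer on the public network can read from one packet in each mode: in transport mode the original header stays in the clear and only the data portion is encrypted; in tunnel mode the entire client packet is encrypted and becomes the data portion of a new packet addressed from one tunneling server to the other, so the true endpoints are hidden. `_xor_stream` is a toy keystream cipher standing in for IPsec ESP, and the addresses, key and payload are constructed.

```python
"""Transport mode versus tunnel mode encapsulation (added example, toy cipher, constructed data)."""
import hashlib
import json
from typing import Any, Dict

Packet = Dict[str, Any]   # {"src": ip, "dst": ip, "payload": str or bytes}


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (symmetric, so it also decrypts): XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, stream))


def transport_send(pkt: Packet, key: bytes) -> Packet:
    """Transport mode: keep the IP header, encrypt only the data portion."""
    return {"src": pkt["src"], "dst": pkt["dst"], "payload": _xor_stream(key, pkt["payload"].encode())}


def transport_receive(wire: Packet, key: bytes) -> Packet:
    return {"src": wire["src"], "dst": wire["dst"], "payload": _xor_stream(key, wire["payload"]).decode()}


def tunnel_send(pkt: Packet, key: bytes, gateway_out: str, gateway_in: str) -> Packet:
    """Tunnel mode: encrypt the whole inner packet and wrap it in a gateway-to-gateway header."""
    inner = json.dumps(pkt, sort_keys=True).encode()
    return {"src": gateway_out, "dst": gateway_in, "payload": _xor_stream(key, inner)}


def tunnel_receive(wire: Packet, key: bytes) -> Packet:
    """The receiving tunnel server decrypts and recovers the inner packet for final delivery."""
    return json.loads(_xor_stream(key, wire["payload"]))


def observer_view(wire: Packet) -> Dict[str, Any]:
    """What a passive observer on the public network learns from one packet."""
    payload = wire["payload"]
    try:
        readable = payload.decode().isprintable()
    except UnicodeDecodeError:
        readable = False
    return {"src": wire["src"], "dst": wire["dst"], "payload_readable": readable}


def demo() -> Dict[str, Any]:
    """Send one constructed inner packet both ways and report what an observer sees."""
    key = hashlib.sha256(b"constructed pre-shared key").digest()
    inner = {"src": "10.0.0.5", "dst": "172.16.0.9", "payload": "GET /payroll HTTP/1.1"}
    t = transport_send(inner, key)
    u = tunnel_send(inner, key, gateway_out="198.51.100.1", gateway_in="203.0.113.1")
    return {
        "transport_observer": observer_view(t),   # inner hosts visible, payload not
        "tunnel_observer": observer_view(u),      # only the two gateways visible
        "transport_roundtrip": transport_receive(t, key) == inner,
        "tunnel_roundtrip": tunnel_receive(u, key) == inner,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two observer dictionaries are the point of item II under Tunnel Mode: both modes hide the payload, but only tunnel mode hides which internal hosts are talking, because the only addresses on the wire belong to the tunneling servers.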

Final Thoughts on Remote Access and Access Controls (PPT Slides 68 and 83)

I. Discuss the concept of deperimeterization and how it applies to information security.

II. Emphasize the importance of remote access to systems and how COVID-19 accelerated the need for protected connections away from the office.

Deperimeterization

I. Describe this phenomenon as the ability to expand an organization beyond the traditional security boundaries a firm would have in place.

II. Explain the concept of the “death of the perimeter” and why it is still important to have strong information system firewalls and infrastructure in place.

III. Realize that the network perimeter is whatever an organization defines it to be. Wherever it exists, it is the boundary between the information inside trusted technical systems and the many untrusted environments that may be interconnected to it. Regardless of its location, it still must be protected.

Remote Access in the Age of COVID-19

I. Justify the fact that organizations that had remote access systems in place were far better equipped to handle the transformation of the workplace that resulted from the pandemic.

II. Critique how many organizations were able to transition the workplace successfully during this once-in-a-lifetime event, while those that could not likely failed.

Quick Quiz 3

1. What is the system most often used to authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection?
a. VPN
b. RADIUS
c. SESAME
d. KDC
Answer: b

2. In which mode of IPSec is the data within an IP packet encrypted, while the header information is not?
a. process mode
b. tunnel mode
c. transport mode
d. encryption mode
Answer: c

3. What is used to dial every number in a configured range and check to see if a person, answering machine, or modem picks up?
a. war dialer
b. number redialer
c. modem redialer
d. incident redialer
Answer: a

4. True or False: SESAME is an authentication system that is the result of a European research and development project and is similar to Kerberos.
Answer: True

5. Which VPN technology uses leased circuits from a service provider and conducts packet switching over these leased circuits?
a. secure VPN
b. hybrid VPN
c. trusted VPN
d. transport VPN
Answer: c

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:

1. Which architecture for deploying a firewall is most used in businesses today? (8.3, PPT Slides 18–33) Duration: 15 minutes.

2. What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network? (8.1, 8.2, 8.3, and 8.5, PPT Slides 3–15, 36–50, and 83) Duration: 15 minutes.

3. As more work and systems go cloud-based, do you think the need for firewalls will increase or decrease their dependency on VPNs? Explain why or why not. (8.3, 8.4, 8.6, PPT Slides 36–80, and 83) Duration: 15 minutes.


Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes


Additional Activities and Assignments

Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:

1. A hands-on exercise or even a classroom demonstration can go a long way to cementing the learning objectives of this chapter. A simple SOHO or residential router with NAT and limited firewall reporting can be brought into the classroom with two or three portable computers and used to show how a simple NAT firewall approach can be used.

2. If a more elaborate firewall environment is needed, a field trip to your organization’s main network operations center may be in order.

Additional Resources

Internet Resources
• Exposing the Underground: Adventures of an Open Proxy
• Firewall
• Guide to IPsec VPNs
• ICSA Labs IPSec Testing
• Network Policy and Access Services


Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.


Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 9: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools

Table of Contents
Purpose and Perspective of the Module ... 2
Cengage Supplements ... 2
Module Objectives ... 2
Complete List of Module Activities and Assessments ... 2
Key Terms ... 3
What's New in This Module ... 6
Module Outline ... 7
Discussion Questions ... 31
Suggested Usage for Lab Activities ... 32
Additional Activities and Assignments ... 34
Additional Resources ... 34
    Cengage Video Resources ... 34
    Internet Resources ... 34
Appendix ... 36
    Grading Rubrics ... 36



Purpose and Perspective of the Module

Security technologies must be kept current and up to date and, whenever possible, prepared for future attacks on networks. This module outlines and describes the categories and models of intrusion detection and prevention systems. Learners will also be able to apply the knowledge gained about modern intrusion detection and prevention systems to keep information security systems intact. Finally, the major categories of scanning and analysis tools used to detect intrusions are described in detail to close out the module.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:
9.1 Identify and describe the categories and models of intrusion detection and prevention systems.
9.2 Describe the detection approaches employed by modern intrusion detection and prevention systems.
9.3 Define and describe honeypots, honeynets, and padded cell systems.
9.4 List and define the major categories of scanning and analysis tools and describe the specific tools used within each category.

Complete List of Module Activities and Assessments

For additional guidance refer to the MindTap Educator Guide.

Activity/Assessment (Module Objective; PPT slide): Duration
• Knowledge Check Activity 1 (9.1 and 9.2; PPT slides 24–25): 2 minutes
• Knowledge Check Activity 2 (9.1 and 9.2; PPT slides 45–46): 2 minutes
• Knowledge Check Activity 3 (9.3 and 9.4; PPT slides 56–57): 2 minutes

Module Objective 9.1–9.4:
• Self-Assessment (PPT slide 66): 5 minutes
• Module 09 Review Questions (MindTap): 30–40 minutes
• Module 09 Case Exercises (MindTap): 30 minutes
• Module 09 Exercises (MindTap): 10–30 minutes per question; 1+ hour per module
• Module 09 Security for Life (MindTap): 1+ hour
• Module 09 Quiz (MindTap): 10–15 minutes


Key Terms

In order of use:

intrusion: An adverse event in which an attacker attempts to gain entry into an information system or disrupt its normal operations, almost always with the intent to do harm.
intrusion detection system (IDS): A system capable of automatically detecting an intrusion into an organization’s networks or host systems and notifying a designated authority.
intrusion detection and prevention system (IDPS): The general term for a system that can both detect and modify its configuration and environment to prevent intrusions. An IDPS encompasses the functions of both intrusion detection systems and intrusion prevention technology.
known vulnerability: A published weakness or fault in an information asset or its protective systems that may be exploited and result in loss.
zero-day vulnerability: An unknown or undisclosed vulnerability in an information asset or its protection systems that may be exploited and result in loss; once it is discovered, there are zero days to identify, mitigate, and resolve the vulnerability.
network-based IDPS (NIDPS): An IDPS that resides on a computer or appliance connected to a segment of an organization’s network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.
agent: See sensor.
sensor: A hardware and software component deployed on a remote computer or network segment and designed to monitor network or system traffic for suspicious activities and report back to the host application. For example, IDPS sensors report to an IDPS application.


monitoring port: A specially configured connection on a network device that can view all the traffic that moves through the device, also known as a switched port analysis (SPAN) port or mirror port.
switching port analysis (SPAN) port: See monitoring port.
mirror port: See monitoring port.
protocol stack verification: The process of examining and verifying network traffic for invalid data packets, which are packets malformed under the rules of the TCP/IP protocol.
application protocol verification: The process of examining and verifying the higher-order protocols (HTTP, FTP, and Telnet) in network traffic for unexpected packet behavior or improper use.
passive mode: An IDPS sensor setting in which the device simply monitors and analyzes observed network or system traffic.
inline sensor: An IDPS sensor intended for network perimeter use and deployed in close proximity to a perimeter firewall to detect incoming attacks that could overwhelm the firewall.
host-based IDPS (HIDPS): An IDPS that resides on a particular computer or server, known as the host, and monitors activity only on that system, also known as a system integrity verifier.
signature-based detection: The examination of system or network data in search of patterns that match known attack signatures, also known as knowledge-based detection or misuse detection.
knowledge-based detection: See signature-based detection.
misuse detection: See signature-based detection.
signatures: Patterns that correspond to a known attack.
anomaly-based detection: An IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy, also known as behavior-based detection.
behavior-based detection: See anomaly-based detection.
clipping level: A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file, notify an administrator, or both.
stateful protocol analysis (SPA): The comparison of vendor-supplied profiles of protocol use and behavior against observed data and network patterns to detect misuse and attacks, sometimes referred to as deep packet inspection.
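The contrast between signature-based (knowledge-based) detection and anomaly-based (behavior-based) detection with a clipping level can be made concrete with a small amount of code. The following is an added example in Python; it is not code from the textbook or its instructor materials. The signature patterns (including the hypothetical "ConstructedScanner" user-agent string), the baseline request counts, and the sample request lines are all constructed for illustration, and the respond function is a stand-in for the logging and notification an IDPS would actually perform.

```python
"""Added example: signature-based vs. anomaly-based detection with a clipping level.
All signatures, baseline figures and request lines below are constructed."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

# Knowledge base of signatures (constructed): a name and the pattern that
# corresponds to a known attack as it would appear in an HTTP request line.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "known-scanner-user-agent": re.compile(r"ConstructedScanner/\d"),  # hypothetical tool name
}


def signature_matches(request_line: str) -> list[str]:
    """Knowledge-based (misuse) detection: return every signature the line matches.
    A technique with no signature yet (a zero-day) produces no match at all."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(request_line)]


@dataclass
class AnomalyDetector:
    """Behavior-based detection: compare current activity with a baseline of normal
    activity. The clipping level is the request rate above which the predetermined
    response fires."""

    baseline: list[int]  # requests per minute observed during normal operation
    k: float = 3.0       # standard deviations above the mean still treated as normal

    def clipping_level(self) -> float:
        return statistics.mean(self.baseline) + self.k * statistics.pstdev(self.baseline)

    def is_anomalous(self, requests_this_minute: int) -> bool:
        return requests_this_minute > self.clipping_level()


def respond(event: str) -> list[str]:
    """Predetermined response once a signature matches or the clipping level is
    surpassed: write the event to a log and notify an administrator. This is a
    hypothetical stand-in that returns the actions instead of performing them."""
    return [f"LOG: {event}", f"NOTIFY administrator: {event}"]


def analyze(request_lines: list[str], requests_this_minute: int,
            detector: AnomalyDetector) -> dict:
    """Run both detection methods over one minute of traffic and collect the
    signature hits, the anomaly verdict and the responses triggered."""
    findings: dict = {"signature_hits": {}, "anomaly": False, "actions": []}
    for line in request_lines:
        hits = signature_matches(line)
        if hits:
            findings["signature_hits"][line] = hits
            findings["actions"] += respond(f"signature(s) {hits} matched {line!r}")
    if detector.is_anomalous(requests_this_minute):
        findings["anomaly"] = True
        findings["actions"] += respond(
            f"{requests_this_minute} requests/min exceeds clipping level "
            f"{detector.clipping_level():.1f}")
    return findings


# Constructed sample data: ten minutes of normal load and one minute of traffic.
NORMAL_BASELINE = [40, 45, 38, 50, 42, 47, 44, 41, 46, 43]
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../private/config.ini HTTP/1.1",
    "GET /about.html HTTP/1.1 ConstructedScanner/2.0",
    "GET /new-technique-without-a-signature HTTP/1.1",
]

if __name__ == "__main__":
    detector = AnomalyDetector(NORMAL_BASELINE)
    print(f"clipping level: {detector.clipping_level():.1f} requests/min")
    for action in analyze(SAMPLE_REQUESTS, 400, detector)["actions"]:
        print(action)
```

The fourth sample request shows the limit of signature-based detection: with no pattern in the knowledge base it raises nothing, and only the anomaly detector, comparing the minute's request rate against the baseline, reacts to the surge that accompanies it.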


log file monitor (LFM): An attack detection method that reviews log files generated by computer systems looking for patterns and signatures that may indicate an attack or intrusion is in process or has already occurred.
security information and event management (SIEM): An information management system specifically tasked to collect and correlate events and other log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, reporting, and acting on the resulting information.
threat intelligence: A process used to develop knowledge that allows an organization to understand the actions and intentions of threat actors and develop methods to prevent or mitigate cyberattacks.
centralized IDPS control strategy: An IDPS implementation approach in which all control functions are managed in a central location.
fully distributed IDPS control strategy: An IDPS implementation approach in which all control functions are applied at the physical location of each IDPS component.
partially distributed IDPS control strategy: An IDPS implementation approach that combines the best aspects of the centralized and fully distributed strategies.
threshold: A value that sets the limit between normal and abnormal behavior. See also clipping level.
blacklist: A list of systems, users, files, or addresses that have been associated with malicious activity; it is commonly used to block those entities from systems or network access.
whitelist: A list of systems, users, files, or addresses that are known to be benign; it is commonly used to expedite access to systems or networks.
honeypot: An application that entices people who are illegally perusing the internal areas of a network by providing simulated rich content while the software notifies the administrator of the intrusion.
honeypot farm: See honeynet.
honeynet: A monitored network or network segment that contains multiple honeypot systems.
honeytoken: Any system resource that is placed in a functional system but has no normal use in the system, and that instead serves as a decoy and alarm, similar to a honeypot.
padded cell system: An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.
trap-and-trace application: An application that combines the function of honeypots or honeynets with the capability to track the attacker back through the network.


pen register: An application that records information about outbound communications.
back hack: The process of illegally attempting to determine the source of an intrusion by tracing it and trying to gain access to the originating system.
enticement: The act of attracting attention to a system by placing tantalizing information in key locations.
entrapment: The act of luring a person into committing a crime in order to get a conviction.
attack protocol: A logical sequence of steps or processes used by an attacker to launch an attack against a target system or network.
footprinting: The organized research and investigation of Internet addresses owned or controlled by a target organization.
fingerprinting: The systematic survey of a targeted organization’s Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.
port scanner: A type of tool used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.
attack surface: The functions and features that a system exposes to unauthenticated users.
active vulnerability scanner: An application that scans networks to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.
passive vulnerability scanner: A scanner that listens in on a network and identifies vulnerable versions of both server and client software.
packet sniffer: A software program or hardware appliance that can intercept, copy, and interpret network traffic.

What's New in This Module

The following elements are improvements in this module from the previous edition:
• This Module was Chapter 7 in the 6th edition.
• The entire Module was refreshed with a general update and given more current examples.


Module Outline

Introduction to Intrusion Detection and Prevention Systems (9.1, 9.2, PPT Slides 3–23 and 26–44)

I. Define the concept of intrusion and how it is a type of attack on information assets in which the instigator attempts to enter a system or disrupt the normal operations of a system with the intent to do malicious harm.

II. Discuss intrusion prevention, which consists of activities that seek to deter an intrusion from occurring.

III. Identify the purpose of intrusion detection and why it is important to have up-to-date systems in place so that losses and interruptions to business are kept to a minimum.

IV. Compare and contrast the differences between intrusion detection systems (IDS) and intrusion detection and prevention systems (IDPS). Explain why IDSs are less frequently used now than IDPSs.

V. Discuss how system administrators can choose the configuration of the various alerts and the associated alarm levels for each type of alert.

VI. Review response techniques that are recommended from NIST Special Publication (SP) 800-94 Rev. 1.

IDPS Terminology

I. Recall and review the following terms that are applicable to how an IDPS operates:
• Alarm or alert: An indication or notification that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
• Alarm clustering and compaction: A process of grouping almost identical alarms that occur nearly at the same time into a single higher-level alarm. This consolidation reduces the number of alarms, which reduces administrative overhead and identifies a relationship among multiple alarms. Clustering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by system administrators.
• Alarm filtering: The process of classifying IDPS alerts so they can be more effectively managed. An IDPS administrator can set up alarm filtering by running the system for a while to track the types of false positives it generates and then adjusting the alarm classifications. For example, the administrator may set the IDPS to discard alarms produced by false attack stimuli or normal network operations. Alarm filters are similar to packet filters in that they can filter items


by their source or destination IP addresses, but they can also filter by operating systems, confidence values, alarm type, or alarm severity.
• Confidence value: The measure of an IDPS’s ability to correctly detect and identify certain types of attacks. The confidence value an organization places in the IDPS is based on experience and past performance measurements. The confidence value, which is based on fuzzy logic, helps an administrator determine the likelihood that an IDPS alert or alarm indicates an actual attack in progress. For example, if a system deemed 90 percent capable of accurately reporting a denial-of-service (DoS) attack sends a DoS alert, there is a high probability that an actual attack is occurring.
• Evasion: The process by which attackers change the format or timing of their activities to avoid being detected by an IDPS.
• False attack stimulus: An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
• False negative: The failure of a technical control (such as an IDPS) to react to an actual attack event. This is the most grievous IDPS failure, given that its purpose is to detect and respond to attacks.
• False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactions to actual intrusion events.
• Noise: In incident response, these are alarm events that are accurate and noteworthy but do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise, although some noise might be triggered by scanning and enumeration tools run by network users without harmful intent.
• Site policy: The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
• Site policy awareness: An IDPS’s ability to dynamically modify its configuration in response to environmental activity. A so-called dynamic IDPS can adapt its reactions in response to administrator guidance over time and the local environment. A dynamic IDPS logs events that fit a specific profile instead of minor events, such as file modifications or failed user logins. A smart IDPS knows when it does not need to alert the administrator, for example when an attack is using a known and documented exploit from which the system is protected.
• True attack stimulus: An event that triggers an alarm and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack in which an attacker is attempting a system compromise, or it may be a drill in which security


personnel are using hacker tools or performing port scanning to test a network segment.
• Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives.

II. Compare and contrast the differences between false attacks, negatives, and positives with a legitimate true attack stimulus. Why should an organization take false events seriously?
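The alarm-handling terms above (clustering and compaction, filtering, false attack stimulus, confidence value) can be shown working together on a small batch of alarms. The following is an added example in Python, not code from the textbook or its instructor materials; the alarm records, the authorized-scanner address, the severity floor and the per-signature confidence values are all constructed for illustration.

```python
"""Added example: alarm clustering and compaction, alarm filtering and
confidence values applied to a batch of IDPS alarms. All data is constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    ts: float       # time the alarm was raised, seconds on a constructed clock
    signature: str  # the attack signature that fired
    src: str        # source address the alarm attributes the activity to
    dst: str        # target address
    severity: int   # 1 (low) to 5 (high)


@dataclass
class ClusteredAlarm:
    signature: str
    src: str
    dst: str
    severity: int
    first_ts: float
    last_ts: float
    count: int      # how many raw alarms were compacted into this one


def cluster_alarms(alarms: list[Alarm], window: float = 10.0) -> list[ClusteredAlarm]:
    """Alarm clustering and compaction: raw alarms with the same signature, source
    and target that arrive within `window` seconds of the previous one are merged
    into a single higher-level alarm that carries a count."""
    clusters: list[ClusteredAlarm] = []
    open_cluster: dict[tuple, ClusteredAlarm] = {}
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.signature, a.src, a.dst)
        c = open_cluster.get(key)
        if c is not None and a.ts - c.last_ts <= window:
            c.last_ts, c.count = a.ts, c.count + 1
            c.severity = max(c.severity, a.severity)
        else:
            c = ClusteredAlarm(a.signature, a.src, a.dst, a.severity, a.ts, a.ts, 1)
            clusters.append(c)
            open_cluster[key] = c
    return clusters


# Site policy for alarm filtering (constructed). Probes from the organization's own
# vulnerability scanner are a known false attack stimulus, and alarms below the
# severity floor stay in the log rather than being raised to an administrator.
AUTHORIZED_SCANNERS = {"10.0.0.5"}
MIN_SEVERITY = 2


def filter_alarms(clusters: list[ClusteredAlarm]) -> list[ClusteredAlarm]:
    """Alarm filtering: drop clusters the site policy classifies as not worth an
    administrator's attention."""
    return [c for c in clusters
            if c.src not in AUTHORIZED_SCANNERS and c.severity >= MIN_SEVERITY]


# Confidence value per signature (constructed): the fraction of past alarms for
# that signature that turned out to be real attacks.
CONFIDENCE = {"dos-syn-flood": 0.90, "port-scan": 0.60, "odd-http-method": 0.25}


def prioritize(clusters: list[ClusteredAlarm]) -> list[ClusteredAlarm]:
    """Rank alarms by confidence value times severity so the alarms most likely to
    reflect an actual attack in progress are reviewed first."""
    return sorted(clusters,
                  key=lambda c: CONFIDENCE.get(c.signature, 0.5) * c.severity,
                  reverse=True)


def process(alarms: list[Alarm]) -> list[ClusteredAlarm]:
    return prioritize(filter_alarms(cluster_alarms(alarms)))


# Constructed raw alarms: an authorized scan, a burst of DoS alarms, one low-severity
# alarm, and two port-scan alarms too far apart to be compacted together.
SAMPLE_ALARMS = (
    [Alarm(t, "port-scan", "10.0.0.5", "10.0.1.20", 2) for t in (0.0, 2.0, 4.0)]
    + [Alarm(100.0 + i, "dos-syn-flood", "203.0.113.7", "10.0.1.10", 5) for i in range(5)]
    + [Alarm(200.0, "odd-http-method", "198.51.100.9", "10.0.1.30", 1)]
    + [Alarm(300.0, "port-scan", "198.51.100.9", "10.0.1.10", 3),
       Alarm(350.0, "port-scan", "198.51.100.9", "10.0.1.10", 3)]
)

if __name__ == "__main__":
    for c in process(SAMPLE_ALARMS):
        print(f"{c.signature:16} {c.src:>14} -> {c.dst:<10} x{c.count} severity {c.severity}")
```

Twelve raw alarms become five clusters, the authorized scanner's cluster and the low-severity one are filtered out, and the DoS cluster (count 5, confidence 0.90) ranks first. The clustering window is the kind of parameter an administrator adjusts during tuning: too short and related alarms are never compacted, too long and unrelated events get merged.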

Why Use an IDPS?

I. Classify the most important reasons why an IDPS is a good tool to use to detect network intrusions.

Intrusion Detection

I. Focus on the fact that the primary purpose of an IDPS is to identify and report an intrusion.

II. Emphasize that IDPSs can provide triggers or clues of potential upcoming or hidden intrusions that would otherwise likely go unnoticed, such as the probing activities known as doorknob rattling or fingerprinting.

III. Recognize the fact that they can also protect assets even though systems are still exposed to known vulnerabilities or cannot respond quickly in a rapidly changing environment.

IV. Relate to the fact that vulnerability-tracking groups are likely aware of vulnerabilities while the public may be shielded from the information.

V. Review the term zero-day vulnerabilities and why those are important to be aware of since they cannot be predicted or prepared for. Remember that most vulnerabilities become known when they are used in an attack.

Data Collection

I. Examine the reasons why log data should be compiled for analysis over time. This helps to examine what happened when an intrusion occurred and the motive (or reason why) as well as who else may be exposed.

II. Recall that even though an IDPS may fail to stop an intrusion, the data and information collected can aid in an investigation and provide forensic evidence that could help catch the perpetrator. Additionally, this data can also show how frequently intrusions occur.

Attack Deterrence

I. Establish an understanding that an IDPS serves as a deterrent by increasing would-be attackers’ fear of being detected. If attackers are aware that an IDPS is in place, they are less likely to plan an attack, let alone probe the system.


Other Reasons to Deploy an IDPS

I. Review and examine the other reasons outlined in the text why an IDPS should be deployed to protect an organization’s systems from internal and external intrusions. These are summarized below:
• Provide a level of quality control for system implementations.
• Monitoring of network traffic and system data flows.
• Application of the kill chain process, where the attack can be stopped while it is in progress once discovered. Review Figure 9-1 as to the process of a cyberattack kill chain.

Types of IDPS

I. Assess the different types of IDPSs provided in the text with the foundational knowledge that they are network- or host-based systems.

II. Justify that in larger organizations it is likely that both systems are used in tandem with each other or in different parts of the business depending on business needs.

Network-Based IDPS

I. Analyze and review the concept of a network-based IDPS (also known as a NIDPS).
• A network-based IDPS (NIDPS) resides on a computer or appliance connected to a segment of an organization’s network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks.
• The NIDPS may include separate management software, referred to as a console, and several specialized agents or sensors.
• When a situation occurs that the NIDPS is programmed to recognize as an attack, it responds by sending notifications to administrators.
• When examining the packets transmitted through an organization’s networks, a NIDPS looks for attack patterns within network traffic, or it looks for the exchange of a series of related packets in a certain pattern, which could indicate that a port scan is in progress.
• NIDPSs are installed at a specific place in the network (such as on the inside of an edge router) from where it is possible to watch the traffic going into and out of a particular network segment.
• The NIDPS can be deployed to watch a specific grouping of host computers on a specific network segment, or it can be installed to monitor all traffic between the systems that make up an entire network.


II. To determine whether an attack has occurred or may be underway, NIDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base.

III. This is accomplished by the comparison of captured network traffic using a special implementation of the TCP/IP stack that reassembles the packets and applies protocol stack or application protocol verification. In the process of protocol stack verification, the NIDPS looks for invalid data packets. In application protocol verification, the higher-order protocols are examined for unexpected packet behavior or improper use.
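Protocol stack verification and application protocol verification, as an added example in Python that is not code from the textbook or its instructor materials. It works on constructed packet summaries rather than on a real capture (no reassembly is performed), checks for a few flag and address combinations that a correct TCP/IP stack never produces, and models only HTTP on port 80 for the application-level check; the Packet record, the list of checks and the sample packets are assumptions made for illustration.

```python
"""Added example: protocol stack verification and application protocol verification
over constructed packet summaries (no real capture or reassembly is performed)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()      # TCP flag names that are set, e.g. {"SYN"}
    payload: bytes = b""                # reassembled application data, if any


def verify_protocol_stack(p: Packet) -> list[str]:
    """Protocol stack verification: report the ways in which the packet is invalid
    under the rules of TCP/IP, i.e. combinations no correct stack generates."""
    findings = []
    if p.src == p.dst:
        findings.append("source and destination address are identical")
    if p.sport == 0 or p.dport == 0:
        findings.append("port 0 used as a source or destination port")
    if p.proto == "tcp":
        if not p.flags:
            findings.append("TCP segment with no flags set")
        if {"SYN", "FIN"} <= p.flags:
            findings.append("SYN and FIN set in the same segment")
        if {"SYN", "RST"} <= p.flags:
            findings.append("SYN and RST set in the same segment")
    return findings


# The higher-order protocol this example expects on TCP port 80.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def verify_application_protocol(p: Packet) -> list[str]:
    """Application protocol verification: data on a well-known port must behave like
    the protocol expected there. Only HTTP on TCP/80 is modelled."""
    findings = []
    if p.proto == "tcp" and p.dport == 80 and p.payload:
        if not p.payload.startswith(HTTP_METHODS):
            findings.append("data on the HTTP port does not begin with an HTTP method")
        elif b" HTTP/" not in p.payload.split(b"\r\n", 1)[0]:
            findings.append("HTTP request line lacks a protocol version")
    return findings


def inspect_packets(packets: list[Packet]) -> list[tuple[int, list[str]]]:
    """Run both verifications and return (packet index, findings) for every packet
    that produced at least one finding."""
    report = []
    for i, p in enumerate(packets):
        findings = verify_protocol_stack(p) + verify_application_protocol(p)
        if findings:
            report.append((i, findings))
    return report


# Constructed sample traffic: two well-formed packets followed by three malformed
# ones (SYN+FIN, identical source and destination, non-HTTP bytes on port 80).
SAMPLE_PACKETS = [
    Packet("10.0.2.15", "10.0.1.20", "tcp", 51000, 80, frozenset({"SYN"})),
    Packet("10.0.2.15", "10.0.1.20", "tcp", 51000, 80, frozenset({"PSH", "ACK"}),
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("198.51.100.4", "10.0.1.20", "tcp", 51001, 80, frozenset({"SYN", "FIN"})),
    Packet("10.0.1.20", "10.0.1.20", "tcp", 80, 80, frozenset({"SYN"})),
    Packet("198.51.100.4", "10.0.1.20", "tcp", 51002, 80, frozenset({"PSH", "ACK"}),
           b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

if __name__ == "__main__":
    for index, findings in inspect_packets(SAMPLE_PACKETS):
        print(f"packet {index}: " + "; ".join(findings))
```

The two checks answer different questions: the stack check asks whether the packet could have come from a conforming TCP/IP implementation at all, while the application check asks whether the bytes on a port match the protocol the site expects there. A real NIDPS applies both after reassembling fragments and streams, which is also why the disadvantages that follow (volume, encryption, fragmentation) matter.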

Outline the advantages of a NIDPS:
• Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network.
• NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations, and they are often not susceptible to direct attacks.
• To the benefit of an organization, these may not be detectable by attackers at all.

Consequently, determine the disadvantages of NIDPSs:
• They can quickly become overwhelmed by network volume and fail to recognize attacks that could otherwise be detected.
• They must have access to all traffic to effectively monitor for potential intrusions.
• NIDPSs cannot analyze encrypted packets, making some of the network traffic invisible to the process, nor can they reliably ascertain whether an attack was successful.
• Attacks that are executed with fragmented packets are likely to go undetected.

IV. Examine the use of wireless IDPS monitors and how they assist with analyzing wireless network traffic as that infrastructure becomes more commonplace in organizations today.

V. Establish that wireless IDPSs can detect existing WLANs and WLAN devices for inventory purposes and detect the following:
• Unauthorized WLANs and WLAN devices.
• Poorly secured WLAN devices.
• Unusual usage patterns.
• The use of wireless network scanners.
• DoS attacks and conditions.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

11


Instructor Manual: Whitman and Mattord, Principles of Information Security 9e, ISBN 978-0-359-50643-1; Module 9: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools

• VI.

VII.

Impersonation and man-in-the-middle attacks.

List potential drawbacks of wireless IDPSs as the technology has some critical flaws: •

Physical security.

Sensor ranges.

Access point and wireless switch locations.

Wired network connections.

Cost.

Access points and wireless switch locations.

VII. Identify what a network behavior analysis (NBA) system is and how it can assist in detecting network intrusions. Recall that when an intrusion occurs, this system provides the following pieces of flow data:

• Source and destination IP addresses.

• Source and destination TCP or UDP ports or ICMP types and codes.

• Number of packets and bytes transmitted in the session.

• Starting and ending timestamps for the session.

VIII. Outline what an NBA sensor can often detect on a network through passive-only sensors, inline sensors, or a combination of both:

• DoS attacks (including DDoS attacks).

• Scanning.

• Worms.

• Unexpected application services, such as tunneled protocols, back doors, and use of forbidden application protocols.

• Policy violations.

Host-Based IDPS

I. Explain the differences between a host-based IDPS and a network-based IDPS.

II. Recall that the main purpose of this type of IDPS is to protect the server or host’s information assets.

III. Detail the following description of what comprises a host-based IDPS:

• A host-based IDPS (HIDPS) resides on a particular computer or server, known as the host, and monitors activity only on that system.


• HIDPSs are also known as system integrity verifiers, as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files.

• A HIDPS has an advantage over a NIDPS in that it can usually be installed in such a way that it can access information that is encrypted when traveling over the network.

• Most HIDPSs work on the principle of configuration or change management, which means they record the sizes, locations, and other attributes of system files. The HIDPS then triggers an alert when one of the following changes occurs: file attributes change, new files are created, or existing files are deleted.

• A HIDPS relies on the classification of files into various categories and then applies various notification actions, depending on the rules in the HIDPS configuration.

• Managed HIDPSs can monitor multiple computers simultaneously by creating a configuration file on each monitored host and by making each HIDPS report back to a master console system, which is usually located on the system administrator’s computer.
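An added example (not the textbook's, the manual's, or any product's code) of the change-management principle just described: a baseline of file sizes, permission bits, modification times and SHA-256 digests is taken, and a later snapshot is compared against it to report created, modified and deleted files. The scratch directory and the changes made to it in demo() are constructed for the example.

```python
"""Host-based change monitoring, the core of a system integrity verifier.

Added example; not from the textbook, instructor manual or any HIDPS product.
snapshot() records size, permission bits, modification time and a SHA-256
digest for every regular file under a root; compare() reports the three events
the module names: files created, modified, or deleted.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

FileRecord = Tuple[int, int, int, str]      # (size, mode bits, mtime_ns, sha256 hex)
Event = Tuple[str, str, str]                # (event, relative path, detail)


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Walk root and record attributes plus a content digest for each regular file."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                       # symlinks, sockets and devices are out of scope here
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            records[rel] = (st.st_size, stat.S_IMODE(st.st_mode), st.st_mtime_ns, digest.hexdigest())
    return records


def compare(baseline: Dict[str, FileRecord], current: Dict[str, FileRecord]) -> List[Event]:
    """Diff two snapshots; the result is sorted so reports are stable."""
    events: List[Event] = []
    for path in baseline.keys() - current.keys():
        events.append(("deleted", path, ""))
    for path in current.keys() - baseline.keys():
        events.append(("created", path, f"sha256={current[path][3][:16]}"))
    for path in baseline.keys() & current.keys():
        b, c = baseline[path], current[path]
        changed = []
        if b[3] != c[3]:
            changed.append("content")
        if b[0] != c[0]:
            changed.append("size")
        if b[1] != c[1]:
            changed.append(f"mode {b[1]:o}->{c[1]:o}")
        if b[2] != c[2] and not changed:
            changed.append("mtime only")        # touched but identical: low severity, still reported
        if changed:
            events.append(("modified", path, ", ".join(changed)))
    return sorted(events)


def demo() -> List[Event]:
    """Build a scratch tree, baseline it, change it the way an intruder might, and diff."""
    root = tempfile.mkdtemp(prefix="hidps-demo-")
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(etc, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    baseline = snapshot(root)

    # Constructed changes: an account line appended, a file removed, a new executable dropped.
    with open(os.path.join(etc, "passwd"), "a") as fh:
        fh.write("svc:x:0:0::/:/bin/sh\n")
    os.remove(os.path.join(etc, "hosts"))
    dropped = os.path.join(root, "unexpected-binary")
    with open(dropped, "wb") as fh:
        fh.write(b"\x7fELF" + bytes(16))
    os.chmod(dropped, 0o755)
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The baseline itself is the asset to protect: if it lives on the monitored host with the same privileges as the files it describes, whoever changes the files can change the baseline too, which is why the module describes managed HIDPSs reporting to a separate master console.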

IV. Justify the strengths of a HIDPS:

• A HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.

• A HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing.

• The use of switched network protocols does not affect a HIDPS.

• A HIDPS can detect inconsistencies in how applications and system programs were used by examining the records stored in audit logs.

V. Recognize the fact that there are some critical flaws with a HIDPS:

• HIDPSs pose more management issues, since they are configured and managed on each monitored host, and they are vulnerable both to direct attacks and to attacks against the host operating system.

• A HIDPS is not optimized to detect multi-host scanning, nor is it able to detect the scanning of non-host network devices such as routers or switches, and it is susceptible to some DoS attacks.

• A HIDPS often uses large amounts of disk space to retain the host OS audit logs, and to function properly it may require disk capacity to be added to the system.


• Finally, a HIDPS can inflict a performance overhead on its host system and, in some cases, may reduce system performance below acceptable levels when fully engaged.

IDPS Detection Methods

I. Analyze the three methods that dominate IDPS detection and the evaluation of network traffic: signature-based detection, anomaly-based detection, and stateful protocol analysis.

Signature-Based Detection

I. Explain that a signature-based IDPS (also known as a knowledge-based IDPS or misuse detection) examines data traffic in search of patterns that match known signatures: preconfigured, predetermined attack patterns.

II. Focus on the fact that signature-based IDS technologies are widely used because many attacks have clear and distinct signatures.

III. Recognize that the downside to this type of detection is that as new attack strategies are identified, the IDS’s database of signatures must be continually updated.

Anomaly-Based Detection

I. Compare and contrast anomaly-based detection with signature-based detection. Explain how they are similar yet distinct when examining intrusions into an information security system.

II. Review the purpose of a clipping level and why it is important to understand it as a trigger that can alert system administrators to investigate possible issues.

III. Summarize the benefits and drawbacks of this detection method.
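The following added example (not from the textbook or instructor manual) serves both the Signature-Based Detection and the Anomaly-Based Detection items above: it runs the two methods over the same constructed sshd log lines so the contrast is visible. The signature rules fire on single messages whose content is known to be bad, while the anomaly rule ignores content and fires only when failed logins from one source exceed a clipping level within a minute. The signatures, the clipping level and the log lines are assumptions for the example.

```python
"""Signature-based and anomaly-based detection over constructed sshd log lines.

Added example; not from the textbook or instructor manual. The signatures, the
log lines and the clipping level are illustrative choices, not values from
the text.
"""
import re
from collections import Counter
from typing import Dict, List

# One syslog-style sshd line: timestamp, host, process, message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Signature-based detection: each rule is a name plus a pattern for a message
# that is itself evidence of misuse. It fires on the first matching line, but
# only for behaviour someone has already written a signature for.
SIGNATURES = [
    ("ssh_probe_without_banner", re.compile(r"Did not receive identification string from (?P<ip>\S+)")),
    ("ssh_invalid_user", re.compile(r"Invalid user \S+ from (?P<ip>\S+)")),
]

# Anomaly-based detection: a single failed login is normal; what is abnormal is
# the rate. Failures per source per minute above the clipping level raise an alert.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)")
CLIPPING_LEVEL = 5          # assumed: more than 5 failures per minute from one source


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run both methods over the lines; return alerts in detection order."""
    alerts: List[Dict[str, object]] = []
    failures: Counter = Counter()                 # (source ip, minute) -> failed logins
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                              # unparseable lines are skipped, not guessed at
        ts, msg = m.group("ts"), m.group("msg")
        for name, pattern in SIGNATURES:
            hit = pattern.search(msg)
            if hit:
                alerts.append({"method": "signature", "rule": name,
                               "source": hit.group("ip"), "at": ts})
        fail = FAILED_RE.search(msg)
        if fail:
            failures[(fail.group("ip"), ts[:-3])] += 1   # drop the seconds: bucket by minute
    for (ip, minute), count in failures.items():
        if count > CLIPPING_LEVEL:
            alerts.append({"method": "anomaly", "rule": "failed_logins_over_clipping_level",
                           "source": ip, "at": minute, "count": count})
    return alerts


# Constructed sample log: one normal login, one source that trips two signatures,
# one source that hammers a valid account, and one harmless mistyped password.
SAMPLE_LOG = [
    "Mar  3 10:01:02 bastion sshd[2201]: Accepted publickey for alice from 10.0.0.12 port 50122 ssh2",
    "Mar  3 10:01:15 bastion sshd[2207]: Did not receive identification string from 203.0.113.9",
    "Mar  3 10:02:01 bastion sshd[2210]: Invalid user admin from 203.0.113.9",
    "Mar  3 10:02:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2",
] + [
    f"Mar  3 10:03:{s:02d} bastion sshd[22{s:02d}]: Failed password for bob from 198.51.100.7 port 4{s:04d} ssh2"
    for s in range(10, 16)
] + [
    "Mar  3 10:04:30 bastion sshd[2230]: Failed password for carol from 10.0.0.30 port 50200 ssh2",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note what each method misses: the six failures from 198.51.100.7 match no signature, and the single "Invalid user" probe never reaches the clipping level. Tuning the clipping level is the trade-off the Anomaly-Based Detection item refers to; set it too low and ordinary typos become alerts, too high and a slow attempt stays under it.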

Stateful Protocol Analysis

I. Justify the purpose of this IDPS extension and why it is beneficial to have available when detecting possible intrusions into a system.

II. Recall that stateful protocol analysis (SPA) relies on vendor-developed universal profiles that specify how particular protocols should and should not be used.

III. Assess the concept of deep packet inspection and why it is important to examine packets at the application layer.

IV. Identify that a consequence of this type of analysis is that an intrusion may go completely undetected because the protocol usage is in line with acceptable behaviors. Interference with normal operations is an additional consequence.
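An added example (not from the textbook or instructor manual) of stateful protocol analysis on a simplified SMTP command stream: a hand-written profile, standing in for a vendor's, lists which commands are valid in each session state, and a session is replayed against it. The profile, the line limit and the sample sessions are assumptions for the example.

```python
"""Stateful protocol analysis of a simplified SMTP command stream.

Added example; not from the textbook or instructor manual. PROFILE is a
hand-written approximation of RFC 5321 command ordering and line limits,
standing in for the vendor-developed profiles the module describes.
"""
from typing import Dict, List, Set, Tuple

# Which commands the profile permits in each session state.
PROFILE: Dict[str, Set[str]] = {
    "INIT":    {"HELO", "EHLO", "NOOP", "QUIT"},
    "GREETED": {"HELO", "EHLO", "MAIL", "RSET", "NOOP", "QUIT"},
    "MAIL":    {"RCPT", "RSET", "NOOP", "QUIT"},
    "RCPT":    {"RCPT", "DATA", "RSET", "NOOP", "QUIT"},
    "DATA":    set(),      # message body; no commands until the lone "." terminator
    "CLOSED":  set(),      # nothing is valid after QUIT
}
# State reached after an accepted command (commands absent here keep the state).
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("INIT", "HELO"): "GREETED", ("INIT", "EHLO"): "GREETED",
    ("GREETED", "MAIL"): "MAIL", ("MAIL", "RCPT"): "RCPT",
    ("RCPT", "RCPT"): "RCPT", ("RCPT", "DATA"): "DATA",
}
MAX_COMMAND_LINE = 512     # RFC 5321 limit on a command line, CRLF included


def analyze_session(lines: List[str]) -> Tuple[str, List[str]]:
    """Replay one client's command lines; return (final state, profile violations)."""
    state = "INIT"
    violations: List[str] = []
    for n, line in enumerate(lines, 1):
        if state == "DATA":
            if line == ".":
                state = "GREETED"
            continue                                  # body lines are not commands
        if len(line) + 2 > MAX_COMMAND_LINE:
            violations.append(f"line {n}: command line of {len(line)} bytes exceeds the profile limit")
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb not in PROFILE[state]:
            violations.append(f"line {n}: {verb} is not permitted in state {state}")
            continue                                  # an inline sensor would drop or alert here
        if verb == "QUIT":
            state = "CLOSED"
        elif verb == "RSET":
            state = "GREETED"
        else:
            state = TRANSITIONS.get((state, verb), state)
    return state, violations


# Constructed sessions; addresses use documentation-reserved example domains.
NORMAL_SESSION = [
    "EHLO client.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: status",
    "",
    "all quiet",
    ".",
    "QUIT",
]
OUT_OF_ORDER_SESSION = [
    "EHLO client.example.com",
    "RCPT TO:<bob@example.net>",      # recipient before any sender
    "DATA",                           # data before any recipient
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "body",
    ".",
    "QUIT",
]


if __name__ == "__main__":
    for name, session in [("normal", NORMAL_SESSION), ("out of order", OUT_OF_ORDER_SESSION)]:
        print(name, "->", analyze_session(session))
```

Note the consequence from item IV above: OUT_OF_ORDER_SESSION is flagged, but NORMAL_SESSION passes whatever its body carries, because every command is used as the profile allows. The per-connection state the analyzer keeps is also the source of the operational cost: a sensor must hold it for every concurrent session it watches.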

Log File Monitors


I. Explain what the purpose of a log file monitor (LFM) is and how it is similar to and different from a NIDPS.

II. Discuss how IDPS responses can be classified: active or passive. An active response is one in which a definitive action is initiated when certain types of alerts are triggered. IDPSs with passive response options simply report the information they have already collected and wait for the administrator to take action.

Security Information and Event Management (SIEM)

I. Justify the reasons why an organization turns to a SIEM as a central location to empower a security operations center (SOC) to identify and react to various events against its information systems.

II. Describe the process of threat intelligence and why it is a core capability of SIEM systems.

III. Review the needs that a system like this can address for large organizations, which include the following:

• Aggregation of security-related events from across the organization regardless of the source technology.

• Correlation of events with context from external sources, including vendor-specific updates and cooperative industry associations.

• Integration of events from devices, systems, and technologies from disparate sources deployed throughout the organization.

• Detection of known threats when patterns of attack behavior are known.

• Possible detection of emerging threats when analysis is coupled with threat analysis techniques designed into the SIEM system.

• Enabling of ad hoc searches and reporting from recorded events to allow advanced breach analysis during and after incident response and to provide support for forensic investigation into breach events.

• Tracking the actions of attackers and allowing sequencing of events to provide an understanding of what happened and when it occurred.

IV. Evaluate the essential capabilities of an analytics-driven SIEM system:

• Real-time monitoring.

• Incident response.

• User monitoring.

• Threat intelligence.

• Analytics and threat detection.


Real-Time Monitoring

I. Express concern that, according to Mandiant, the average duration between the start of a cyber intrusion and the time it was discovered was about 56 days.

II. Recall that improvement in an organization’s capability to detect intrusions reduces the dwell time and lessens the time needed to recover from the intrusion.

Incident Response

I. Conclude that properly implemented SIEM platforms enable the identification of incidents and provide a process to track and respond to them.

II. Recognize that some SIEM systems can initiate predefined defensive scripts to automatically disrupt ongoing cyberattacks.

User Monitoring

I. Review the fact that SIEM systems have the capability to analyze user access and authentication activities. This, in turn, can provide alerts for suspicious behaviors and violations of policy.

Threat Intelligence

I. Emphasize that a SIEM system must have the ability to integrate threat intelligence services that provide current information on indicators of compromise and adversary tactics, techniques, and procedures (TTP) with knowledge of organizational asset criticality and usage behaviors.

II. Express the importance of correlating event data with the nature of the infrastructure to prioritize threats and organizational assets.

Analytics and Advanced Threat Detection

I. Identify that one of the core needs of threat intelligence is the ability of the SIEM system to analyze event data to detect anomalies or to track interactions between users and the places where data is stored.

II. Recognize that some SIEM systems can initiate predefined defensive scripts to automatically disrupt ongoing cyberattacks.
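An added example (not the textbook's, the manual's, or any SIEM product's code) that covers the aggregation, correlation, threat-intelligence and event-sequencing needs listed under the SIEM item, together with the asset-criticality prioritization from the Threat Intelligence item: events from two constructed log formats are normalized into one schema, joined across sources first on IP address and then on user name, scored with asset criticality and an indicator feed, and emitted with the attacker's timeline. The log formats, the asset ranking, the feed contents and the time window are assumptions for the example.

```python
"""Cross-source event correlation of the kind a SIEM performs.

Added example; not from the textbook, instructor manual or any SIEM product.
Two constructed log formats (a firewall CSV export and key=value syslog lines
from a VPN concentrator and a database host) are normalised into one Event
schema, then correlated per successful login: perimeter denies or failed
logins from an address, then a successful login from it, then privileged
activity by that user on a critical asset, all within one time window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    system: str
    kind: str                # normalised: deny, login_fail, login_ok, priv
    ip: Optional[str]
    user: Optional[str]


ASSET_CRITICALITY = {"db01": 3, "vpn01": 2, "web01": 1}   # assumed ranking, 3 = highest
THREAT_FEED = {"203.0.113.9"}                             # constructed indicator list
WINDOW = timedelta(minutes=15)                            # assumed correlation window
KV_KINDS = {"LOGIN_OK": "login_ok", "LOGIN_FAIL": "login_fail", "SUDO": "priv"}


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line: str) -> Optional[Event]:
    """Normalise one line from either source; return None for anything unrecognised."""
    if "," in line and " " not in line:              # firewall CSV: system,ts,action,src,dst,dport
        system, ts, action, src, _dst, _dport = line.split(",")
        return Event(_ts(ts), system, "deny", src, None) if action == "deny" else None
    parts = line.split()                             # syslog-style: ts system ACTION k=v ...
    if len(parts) < 3 or parts[2] not in KV_KINDS:
        return None
    kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return Event(_ts(parts[0]), parts[1], KV_KINDS[parts[2]], kv.get("src"), kv.get("user"))


def correlate(events: List[Event]) -> List[Dict[str, object]]:
    """Join events across sources on IP, then on user; score by evidence and asset criticality."""
    events = sorted(events, key=lambda e: e.ts)
    alerts: List[Dict[str, object]] = []
    for ok in (e for e in events if e.kind == "login_ok"):
        before = [e for e in events if e.ip == ok.ip and e.kind in ("deny", "login_fail")
                  and ok.ts - WINDOW <= e.ts < ok.ts]
        after = [e for e in events if e.user == ok.user and e.kind == "priv"
                 and ok.ts <= e.ts <= ok.ts + WINDOW]
        if not before or not after:
            continue                                  # a login with no suspicious context around it
        score = len(before) + 2 * max(ASSET_CRITICALITY.get(e.system, 1) for e in after)
        if ok.ip in THREAT_FEED:
            score += 5                                # external context raises the priority
        timeline = [(e.ts.strftime("%H:%M:%S"), e.system, e.kind) for e in before + [ok] + after]
        alerts.append({"ip": ok.ip, "user": ok.user, "score": score, "timeline": timeline})
    return sorted(alerts, key=lambda a: -int(a["score"]))   # highest priority first


# Constructed input from three systems, deliberately in mixed formats.
SAMPLE_LINES = [
    "fw01,2024-03-03T09:58:05Z,deny,203.0.113.9,10.0.0.5,22",
    "fw01,2024-03-03T09:58:06Z,deny,203.0.113.9,10.0.0.5,3389",
    "fw01,2024-03-03T09:58:07Z,deny,203.0.113.9,10.0.0.5,445",
    "2024-03-03T09:59:30Z vpn01 LOGIN_FAIL user=alice src=203.0.113.9",
    "2024-03-03T10:00:40Z vpn01 LOGIN_OK user=alice src=203.0.113.9",
    "2024-03-03T10:03:10Z db01 SUDO user=alice cmd=/usr/bin/systemctl",
    "2024-03-03T10:05:00Z vpn01 LOGIN_OK user=bob src=198.51.100.7",
    "2024-03-03T10:06:00Z web01 SUDO user=bob cmd=/usr/bin/systemctl",   # routine: no denies before it
    "fw01,2024-03-03T10:07:00Z,deny,192.0.2.44,10.0.0.5,22",             # stray deny, never logged in
]


def run_sample() -> List[Dict[str, object]]:
    return correlate([e for e in map(parse_line, SAMPLE_LINES) if e])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

None of the individual sources would have raised this alert on its own: the firewall saw ordinary denies, the VPN saw one failed and one successful login, and the database host saw an authorized user running sudo. Only the join across systems, ordered in time, produces the sequence that merits a SOC ticket, which is the point of centralizing the events.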

IDPS Response Behavior

I. Review how, once an IDPS detects an anomalous network situation, it has several options, depending on the policy and objectives of the organization that has configured it as well as the capabilities of the organization’s system.

IDPS Response Options

I. Examine and explain how IDPS responses can be classified as active or passive.


• An active response is one in which a definitive action is initiated when certain types of alerts are triggered.

• IDPSs with passive response options simply report the information they have already collected and wait for the administrator to take action.

II. Construct a list of responses that an IDS can be configured to produce:

• Audible/visual alarm.

• SNMP traps and plug-ins.

• E-mail message.

• Phone, pager, or SMS message.

• Log entry.

• Evidentiary packet dump.

• Actions against intruders.

• Launch programs.

• Firewall reconfigurations.

Reporting and Archiving Capabilities

I. Conclude that many commercial IDPSs can generate routine reports and other detailed documents, such as reports of system events and intrusions detected over a particular reporting period.

Fail-Safe Considerations for IDPS Responses

I. Examine the fail-safe procedures built into an IDPS that prevent it from being circumvented or defeated by an attacker or intrusion.

II. Stress that encrypted tunnels or other cryptographic measures that hide and authenticate communications are excellent ways to ensure the reliability of the IDPS.

Selecting IDPS Approaches and Products

I. Present the following areas of information to consider when selecting the best IDPS for the needs and processes of an organization:

• Technical and policy considerations.

• Organizational requirements and constraints.

• IDPS features and qualities of the system.

II. Compile a list of benefits and drawbacks when reviewing multiple systems side by side prior to selecting one for the organization.


Technical and Policy Considerations

I. Review the following key questions that should be asked with respect to the technical and policy capabilities of an IDPS.

• What is your systems environment?

    • What are the technical specifications of your systems environment?

    • What are the technical specifications of your current security protections?

    • What are the goals of your enterprise?

    • How formal is the systems environment and management culture in your organization?

• What are your security goals and objectives?

    • Is the primary concern of your organization to be protected from threats that originate outside of your organization?

    • Is your organization concerned about insider attacks?

    • Does your organization want to use the output of your IDS to determine new needs?

    • Does your organization want to use an IDPS to maintain managerial control over network usage?

• What is your existing security policy?

    • How is it structured?

    • What are the general job descriptions of your system users?

    • Does the policy include reasonable use policies or other management provisions?

    • Has your organization defined processes for dealing with specific policy violations?

Organizational Requirements and Constraints

I. Discuss organizational requirements and constraints. Review and compose a list of questions, like the ones provided below, to ask with respect to this area of an IDPS.

• What requirements are levied from outside the organization?

    • Is your organization subject to oversight or review by another organization?

    • Are there requirements for public access to information on your organization’s systems?


    • Are there other security-specific requirements levied by law?

    • Are there internal audit requirements for security best practices or due diligence?

    • Is the system subject to accreditation?

    • Are there requirements for law enforcement investigation and resolution of security incidents?

• What are your organization’s resource constraints?

    • What is the budget for acquisition and life cycle support of intrusion detection hardware, software, and infrastructure?

    • Is there sufficient existing staff to monitor an IDPS full time?

    • Does your organization have the authority to instigate changes based on the findings of an IDPS?

IDPS Product Features and Quality

I. Examine in depth the product features and quality of IDPSs. When asking for specific details of the system, apply the following top-level questions and sub-questions as outlined in the text:

• Is the product sufficiently scalable for your environment?

• How has the product been tested?

    • Has the product been tested against functional requirements?

    • Has the product been tested for performance against anticipated load?

    • Has the product been tested to reliably detect attacks?

    • Has the product been tested against attack?

• What is the user level of expertise targeted by the product?

• Is the product designed to evolve as the organization grows?

    • Can the product adapt to growth in user expertise?

    • Can the product adapt to growth and change of the organization’s systems infrastructure?

    • Can the product adapt to growth and change of the security threat environment?

• What are the support provisions for the product?

    • What are the commitments for product installation and configuration support?


    • What are the commitments for ongoing product support?

    • Are subscriptions to signature updates included?

    • How often are subscriptions updated?

    • How quickly after a new attack is made public will the vendor ship a new signature?

    • Are software updates included?

    • How quickly will software updates and patches be issued after a problem is reported to the vendor?

    • Are technical support services included?

    • What are the provisions for contacting technical support?

    • Are there any guarantees associated with the IDPS?

    • What training resources does the vendor provide as part of the product?

    • What additional training resources are available from the vendor and at what cost?

II. Compile the answers provided by the vendors to determine which of the systems analyzed, if any, is the best option based on the needs of the organization.

Strengths and Limitations of IDPSs

I. Comment that as one plans the security strategy for their organization’s systems, they have to understand what IDPSs can be trusted to do and what goals might be better served by other security mechanisms.

II. Apply the strengths and limitations provided below, which are based on NIST SP 800-94 and SP 800-94 Rev. 1, “Guide to Intrusion Detection and Prevention Systems,” and their predecessor, NIST SP 800-31, “Intrusion Detection Systems.”

Strengths of IDPSs

I. Analyze the strengths of an IDPS with respect to intrusion detection:

• Monitoring and analysis of system events and user behaviors.

• Testing the security states of system configurations.

• Baselining the security state of a system and then tracking any changes to that baseline.

• Recognizing patterns of system events that correspond to known attacks.

• Recognizing patterns of activity that vary statistically from normal activity.


• Managing operating system audit and logging mechanisms and the data they generate.

• Alerting appropriate staff by appropriate means when attacks are detected.

• Measuring enforcement of security policies encoded in the analysis engine.

• Providing default information security policies.

• Allowing people who are not security experts to perform important security monitoring functions.

Limitations of IDPSs

• Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication systems, link encryption systems, access control mechanisms, and virus detection and eradication software.

• Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load.

• Detecting newly published attacks or variants of existing attacks.

• Effectively responding to attacks launched by sophisticated attackers.

• Automatically investigating attacks without human intervention.

• Resisting all attacks that are intended to defeat or circumvent them.

• Compensating for problems with the fidelity of information sources.

• Dealing effectively with switched networks.

• Configuring an IDPS to respond accurately to perceived threats.

Deployment and Implementation of an IDPS

I. Understand that deploying and implementing an IDPS is not always a straightforward task. The strategy for deploying an IDPS should consider several factors, the foremost being how the IDPS will be managed and where it should be placed.

II. Review the NIST SP 800-94 Rev. 1 recommendations for implementation of an IDPS. In summary:

• All components should be secured appropriately, as they are a prime target for attackers.


• Consider multiple types of IDPS technologies to achieve more comprehensive and accurate detection while preventing malicious activities from taking place.

• Organizations that plan to use multiple types of IDPS technologies or multiple products of the same IDPS technology type should consider whether the IDPSs should be integrated.

• Requirements should be defined before evaluating IDPS products.

• When evaluating IDPS products, organizations should consider using a combination of data sources to evaluate the products’ characteristics and capabilities.

IDPS Control Strategies

I. Recall that the purpose of a control strategy is to determine how an organization maintains and supervises the configuration of an IDPS.

II. Examine the differences between centralized, partially distributed, and fully distributed strategies.

• A centralized IDPS control strategy implements and manages all IDPS control functions in a central location.

• A fully distributed IDPS control strategy distributes all control functions, which are applied at the physical location of each IDPS component.

• A partially distributed IDPS control strategy combines the best of the other two strategies. While the individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable the organization to detect widespread attacks.

IDPS Deployment

I. Recalling the concept of control strategies, decisions about where to locate elements of the intrusion detection system can be an art.

II. Comprehend that as an organization selects an IDPS and prepares for implementation, planners must select a deployment strategy that is based on a careful analysis of the organization’s information security requirements, that integrates with the organization’s existing IT infrastructure, and that, at the same time, causes minimal impact.

III. Emphasize that NIDPSs and HIDPSs can be used in tandem to cover both the individual systems that connect to an organization’s networks and the networks themselves.

IV. Discuss deploying network-based IDPSs:

• NIST recommends four locations for NIDS sensors, as described below.

Location 1: Behind each external firewall in the network DMZ


    • IDPS sees attacks that originate from the outside world and may penetrate the network’s perimeter defenses.

    • IDPS can identify problems with the network firewall policy or performance.

    • IDPS sees attacks that might target the Web server or FTP server, both of which commonly reside in this DMZ.

    • Even if the incoming attack is not detected, the IDPS can sometimes recognize, in the outgoing traffic, patterns that suggest the server has been compromised.

Location 2: Outside an external firewall

    • IDPS documents the number of attacks originating on the Internet that target the network.

    • IDPS documents the types of attacks originating on the Internet that target the network.

Location 3: On major network backbones

    • IDPS monitors a large amount of a network’s traffic, thus increasing its chances of spotting attacks.

    • IDPS detects unauthorized activity by authorized users within the organization’s security perimeter.

Location 4: On critical subnets

    • IDPS detects attacks targeting critical systems and resources.

    • This location allows organizations with limited resources to focus those resources on the network assets that have the greatest value.

• Reference Figure 9-11 to show where each of the four locations has sensors.

Measuring the Effectiveness of IDPSs

I. Comparative effectiveness can be achieved by the following:

• Thresholds

• Blacklists

• Whitelists

• Alert settings

II. Direct students to the point that, once implemented, IDPSs are evaluated using two dominant metrics: administrators evaluate the number of attacks detected in a known collection of probes and examine the level of use at which the IDPSs fail.


III. Explain that since developing this collection can be tedious, most IDPS vendors provide testing mechanisms that verify that their systems are performing as expected. Some of these testing processes enable the administrator to do the following:

• Record and retransmit packets from a real virus or worm scan.

• Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets).

• Conduct a real virus or worm attack against a hardened or sacrificial system.

Quick Quiz 1

1. Which of the following is an event that triggers alarms when no actual attacks are in progress?
a. evasion
b. false positive
c. false attack stimulus
d. false negative
Answer: c

2. The process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing false positives and false negatives is known as which of the following?
a. tuning
b. filtering
c. clustering
d. footprinting
Answer: a

3. Which of the following terms involves activities that gather information about the organization and its network activities and assets?
a. tuning
b. filtering
c. clustering
d. footprinting
Answer: d


4. True or False: Signature-based IDPS technology is widely used because many attacks have clear and distinct signatures.
Answer: True

5. In which IDPS control strategy are all IDPS control functions implemented and managed in a central location?
a. centralized control strategy
b. fully distributed control strategy
c. partially distributed control strategy
d. network-based control strategy
Answer: a

Honeypots, Honeynets, and Padded Cell Systems (9.3, PPT Slides 47–51)

I. Identify the concept of honeypots as decoy systems designed to lure potential attackers away from critical systems.

II. Explain how, by encouraging attacks against these bait systems, the defender may lure attackers away from actual targets, and perhaps detect their presence and then block access.

III. Review the purpose of honeypots and their design:

• Divert an attacker from critical systems.

• Collect information about the attacker’s activity.

• Encourage the attacker to stay on the system long enough for administrators to document the event and perhaps respond.

IV. Comprehend that honeytokens are a smaller version of a honeypot: a single service, record, or file placed into a production system.

V. Differentiate between standard honeypots and padded cell systems, which are hardened honeypots. The key feature of this type of honeypot is that the intruder is transferred to a simulated environment and, as a result, causes no harm.

VI. Examine the advantages of honeypots, honeynets, and padded cell systems:

• Attackers can be diverted to targets that they cannot damage.

• Administrators have time to decide how to respond to an attacker.

• Attackers’ actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections.


• Honeypots may be effective at catching insiders who are snooping around a network.

VII. Discuss the disadvantages of honeypots, honeynets, and padded cell systems:

• The legal implications of using such devices are not well defined.

• Honeypots and padded cells have not yet been shown to be generally useful security technologies.

• An expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against an organization’s systems.

• Administrators and security managers will need a high level of expertise to use these systems.

VIII. Review Table 9-1 to examine the advantages and disadvantages of honeypots or padded cell systems.

Trap-and-Trace Systems

I. Identify the purpose of a trap-and-trace system and how it can be used to trace incidents back to their sources.

II. Outline the process of how a trap often works. As mentioned in the text, it usually consists of a honeypot or padded cell and an alarm. Note that while the intruders are distracted, or trapped, by what they perceive to be successful intrusions, the system notifies the administrator of their presence.

III. Examine and review the trace feature of the system, as it is the process by which the organization attempts to determine the identity of someone who is discovered in unauthorized areas of the network or system.

IV. Emphasize that if the individual is outside the security perimeter of the organization, numerous legal issues arise.

V. Compare and contrast trap-and-trace systems with pen registers, earlier versions of which recorded the numbers dialed in voice communications.

VI. Identify the legal restrictions and drawbacks of trap-and-trace systems:

• The trap portion frequently involves the use of honeypots or honeynets.

• When using honeypots and honeynets, administrators should be careful not to cross the line between enticement (the process of attracting attention to a system by placing tantalizing bits of information in key locations) and entrapment (luring an individual into committing a crime to get a conviction).

VII. Justify the fact that enticement is legal and ethical, whereas entrapment is not.


Active Intrusion Prevention

I. Emphasize that organizations often implement active countermeasures to stop attacks from occurring on their systems.

II. Present the tool known as LaBrea as an example of active intrusion prevention. It works by taking up the unused IP address space within a network.

III. Discuss how, if an address is not currently being used by a real computer or network device, LaBrea will pretend to be a computer at that IP address and allow the attacker to complete the connection request (the TCP three-way handshake).

IV. Explain how, once the handshake is complete, LaBrea changes the TCP sliding window size down to a low number to hold the attacker’s TCP connection open for many hours, days, or even months.

V. Advise that holding the connection open but inactive greatly slows down network-based worms and other attacks, and it gives the LaBrea system time to notify the system and network administrators about the anomalous behavior on the network.

Scanning and Analysis Tools (9.4, PPT Slides 53–55 and 58–62)

I. Remind students that to secure a network, it is imperative that someone in the organization knows exactly where the network needs securing. Without that, it will be difficult to put a secure infrastructure in place.

II. State that to assess the risk within a computing environment, one must deploy technical controls using a strategy of defense in depth.

III. Explain how scanner and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network. The same tools are typically used as part of an attack protocol to collect the information an attacker would need to launch a successful attack.

IV. Review the attack protocol, which is a series of steps or processes used by an attacker in a logical sequence to launch an attack against a target system or network.

V. Define the process of footprinting and explain how it is completed as a step prior to an attack. Tasks that an attacker may embark upon include the following:

• Online organized research of the Internet addresses owned or controlled by a target organization.

• Use of public Internet data sources to perform keyword searches to identify the network addresses of the organization.


VI. Emphasize that an enhanced Web scanner can be used to assist in the footprint intelligence collection process.

VII. Compare and contrast footprinting and fingerprinting when using scanning and analysis tools.

• Footprinting is often seen as the first process, whereas fingerprinting is a second and more advanced data-gathering process.

• Explain how fingerprinting reveals useful information about the internal structure and operational nature of the target system or network for the anticipated attack. Since these tools were created to find vulnerabilities in systems and networks, they are valuable for the network defender because they can quickly pinpoint the parts of the systems or network that need prompt repair to close the vulnerability.

VIII. Recommend that students review Figure 9-12 for additional insight.

Port Scanners

I. Describe the purpose of a port scanner (or port scanning utility) and why it is important when detecting intrusions and/or attacks on systems. Relate this to the fact that both attackers and defenders use port scanners to identify (or fingerprint) the computers that are active on a network, the ports and services that are active on those computers, the functions and roles the machines are fulfilling, and other useful information.

II. Apply the knowledge that these tools can scan for specific types of computers, protocols, or resources, or their scans can be generic.

III. Emphasize that the more sophisticated the scanner, the more detailed the information both parties can obtain, which can be used later for better or worse.

IV. Strongly recommend that generic, broad-based port scanners be in the toolbox alongside more specific ones.

V. Provide students an opportunity to learn more about ports. These are network channels or connection points in a data communication system. Refer them to Table 9-2 for additional information.
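Both halves of the picture painted above, as an added example that is not part of the textbook or this manual: the trap described under Trap-and-Trace Systems (a decoy service plus an alarm) and the TCP connect scanner with banner grabbing from the Port Scanners section, run against each other on the loopback interface. The Decoy and Alarm classes, the lure banner, and the helper names are assumptions made for this example; nothing here is a real SSH implementation.

```python
"""Added example, not from the textbook: a decoy listener with an alarm
(the "trap" half of trap-and-trace) and the TCP connect scanner that trips
it. Everything runs on the loopback interface; the decoy banner, the Alarm
class and the function names are stand-ins chosen for this example."""
import socket
import threading
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Alarm:
    """Records every touch of the decoy. A real deployment would page the
    administrator or write to the SIEM instead of appending to a list."""
    events: List[Tuple[str, int, float]] = field(default_factory=list)

    def trip(self, peer: Tuple[str, int]) -> None:
        self.events.append((peer[0], peer[1], time.time()))


class Decoy:
    """A fake service that logs every peer and then plays along with a lure
    banner (a constructed string, not a real SSH server). Legitimate users
    have no reason to connect to a decoy, so every connection is an alarm."""

    def __init__(self, alarm: Alarm, banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n"):
        self.alarm, self.banner = alarm, banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free one
        self.sock.listen(5)
        self.sock.settimeout(0.2)            # lets the serve loop notice close()
        self.port = self.sock.getsockname()[1]
        self._stop = False
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        while not self._stop:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            self.alarm.trip(peer)            # alarm first, then the lure
            try:
                conn.sendall(self.banner)
            except OSError:
                pass
            conn.close()

    def close(self) -> None:
        self._stop = True
        self.thread.join()
        self.sock.close()


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """TCP connect probe: None if closed or filtered, otherwise whatever the
    service volunteers first (b"" if it stays silent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(128)
            except socket.timeout:
                return b""
    except OSError:
        return None


def scan_ports(host: str, ports: List[int]) -> Dict[int, bytes]:
    """Return {open_port: banner} for every port that completed the handshake."""
    found: Dict[int, bytes] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            found[port] = banner
    return found


def closed_port() -> int:
    """A loopback port known to be closed: bind to 0, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[Dict[int, bytes], List[Tuple[str, int, float]]]:
    """Scan one closed port and the decoy; return what the scanner saw and
    what the alarm recorded."""
    alarm = Alarm()
    decoy = Decoy(alarm)
    found = scan_ports("127.0.0.1", [closed_port(), decoy.port])
    decoy.close()
    return found, alarm.events


if __name__ == "__main__":
    found, events = demo()
    for port, banner in found.items():
        print(f"open {port}/tcp banner={banner!r}")
    for ip, port, ts in events:
        print(f"ALARM decoy touched by {ip}:{port} at {ts:.0f}")
```

Run directly, the scanner reports only the decoy port as open, with its banner, while the alarm log shows the scanner’s source address; the closed port produces no entry at all. That asymmetry is the point of the trap: a single connection to a decoy is high-signal in a way the same connection to a production server is not, and the alarm fires before the intruder has learned anything from the lure.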

Firewall Analysis Tools

I. Note that several tools automate the remote discovery of firewall rules and assist an administrator in analyzing the rules to determine exactly what they allow and what they reject.

II. Emphasize that administrators who feel wary of using the same tools that attackers use should remember:


• Regardless of the tool that is used to validate or analyze a firewall’s configuration, it is the intent of the user that dictates how the information gathered will be used.

• In order to defend a computer or network well, it is necessary to understand the ways it can be attacked.

• Thus, a tool that can help close up an open or poorly configured firewall will help the network defender minimize the risk from attack.
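What “determine exactly what they allow and what they reject” amounts to once a rule set is in hand, as an added example that is not from the textbook or any particular tool: a first-match evaluator that answers “which rule decides this packet?” and a check for shadowed rules, the classic mistake where an allow is placed after a broader deny and can never fire. The rule syntax and RULESET are invented for this example; real firewalls have their own grammar and more match fields.

```python
"""Added example, not from the textbook: the analysis a firewall-rule tool
performs once it has the rules. The rule syntax is a hypothetical, simplified
one invented for this example (first match wins, implicit deny)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: Net
    dst: Net
    dport: Tuple[int, int]  # inclusive destination-port range

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is matched by self as well."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'allow tcp 10.0.0.0/8 -> 192.0.2.10/32 port 22-22'."""
    action, proto, src, arrow, dst, word, ports = line.split()
    if arrow != "->" or word != "port" or action not in ("allow", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    lo, hi = (int(p) for p in ports.split("-"))
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), (lo, hi))


# Constructed rule set for the example. Rule 2 is the kind of mistake an
# analysis tool catches: an SSH allow placed after a broader deny.
RULESET: List[Rule] = [parse_rule(line) for line in """
allow tcp 0.0.0.0/0 -> 192.0.2.10/32 port 443-443
deny  tcp 0.0.0.0/0 -> 192.0.2.10/32 port 1-1023
allow tcp 10.0.0.0/8 -> 192.0.2.10/32 port 22-22
allow any 10.0.0.0/8 -> 192.0.2.0/24 port 1-65535
""".strip().splitlines()]


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (verdict, index of the deciding rule), with
    index None when the implicit default deny applies."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


if __name__ == "__main__":
    for i in shadowed_rules(RULESET):
        print(f"rule {i} is shadowed: {RULESET[i]}")
    print(evaluate(RULESET, "tcp", "10.1.2.3", "192.0.2.10", 22))   # ('deny', 1)
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule hidden by the union of several earlier rules is not flagged. That is the same trade-off real analysis tools make, and it is why the evaluator is still needed to answer questions about specific packets.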

Operating System Detection Tools

I. State that detecting a target computer’s OS is very valuable to an attacker because once the OS is known, the vulnerabilities to which it is susceptible can be determined much more easily.

II. Stress that many tools use networking protocols to determine a remote computer’s OS, which gives attackers additional opportunities to exploit it.

III. Identify that most OSs have a unique way of responding to ICMP requests. Pay particular attention to Xprobe, as it is very reliable in finding matches and thus detecting the OSs of remote computers.

IV. Explain how system and network administrators should take note of this and plan to restrict the use of ICMP through their organization’s firewalls and, when possible, within its internal networks.

Vulnerability Scanners

I. Identify the purpose of a vulnerability scanner: to determine security holes in a system.

II. Introduce students to a class of vulnerability scanners called black-box scanners or fuzzers, which look for vulnerabilities in a program by feeding random or malformed input to the program or to a network service running the protocol.

III. Compare and contrast active and passive vulnerability scanners.

• Active vulnerability scanners initiate traffic on the network to determine security holes.

• Passive vulnerability scanners listen in on the network and determine vulnerable versions of both server and client software. They can also detect client-side vulnerabilities that active scanners cannot detect.

IV. Recognize that passive tools simply monitor the network connections to and from a server to gain a list of vulnerable applications.
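The matching logic behind the passive scanner described in items III and IV, as an added example that is not from the textbook: banners already crossing the wire are parsed for product and version and compared with a baseline, with no probe ever sent. OBSERVATIONS are constructed flows, BASELINE is a hypothetical minimum-version policy rather than any real advisory, and the server/client role is inferred from the sender’s port (a heuristic). The Firefox line shows the client-side case that an active scanner never sees, because a browser listens on nothing.

```python
"""Added example, not from the textbook: the matching half of a passive
vulnerability scanner. Observations and baseline are constructed for the
example; the thresholds are a hypothetical patch policy, not real advisories."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

Version = Tuple[int, ...]

# Constructed observations: one per captured flow, "sender -> receiver | first payload line".
OBSERVATIONS: List[str] = [
    "192.0.2.10:22 -> 10.0.0.21:51234 | SSH-2.0-OpenSSH_7.4",
    "10.0.0.21:51234 -> 192.0.2.10:22 | SSH-2.0-OpenSSH_9.6",
    "10.0.0.21:51240 -> 192.0.2.11:80 | User-Agent: Mozilla/5.0 Firefox/78.0",
    "192.0.2.11:80 -> 10.0.0.21:51240 | Server: Apache/2.4.57",
    "192.0.2.12:21 -> 10.0.0.33:49000 | 220 (vsFTPd 3.0.3)",
    "192.0.2.10:22 -> 10.0.0.33:49010 | SSH-2.0-OpenSSH_7.4",   # repeat: reported once
]

# Hypothetical minimum approved versions (a patch baseline, not real advisories).
BASELINE: Dict[str, Version] = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4, 50),
    "Firefox": (115, 0),
    "vsFTPd": (3, 0, 0),
}

# Banner patterns: product name -> regex capturing the dotted version.
PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
    "Apache": re.compile(r"Server: Apache/(\d+(?:\.\d+)*)"),
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)*)"),
    "vsFTPd": re.compile(r"vsFTPd (\d+(?:\.\d+)*)"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    role: str        # "server" or "client", inferred from the sender's port
    product: str
    version: str
    minimum: str


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def observe(line: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (host, role, product, version) for every banner in one observation."""
    endpoints, payload = line.split(" | ", 1)
    sender = endpoints.split(" -> ")[0]
    host, port = sender.rsplit(":", 1)
    role = "server" if int(port) < 1024 else "client"   # heuristic only
    for product, pattern in PATTERNS.items():
        match = pattern.search(payload)
        if match:
            yield host, role, product, match.group(1)


def scan(observations: List[str], baseline: Dict[str, Version] = BASELINE) -> List[Finding]:
    """Report each (host, product, version) below the baseline once."""
    findings: List[Finding] = []
    seen = set()
    for line in observations:
        for host, role, product, version in observe(line):
            key = (host, product, version)
            if key in seen:
                continue
            seen.add(key)
            minimum = baseline.get(product)
            if minimum is not None and parse_version(version) < minimum:
                findings.append(Finding(host, role, product, version, fmt(minimum)))
    return findings


if __name__ == "__main__":
    for f in scan(OBSERVATIONS):
        print(f"{f.host} ({f.role}) {f.product} {f.version} < baseline {f.minimum}")
```

Two caveats a practitioner would add: banners can be altered or suppressed by the administrator, so a passive scanner confirms nothing on its own, and version tuples compare lexically, so a banner that omits the patch level (“Apache/2.4”) sorts below every baseline with three components and will be reported for manual follow-up.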


Packet Sniffers

I. Describe the purpose of a packet sniffer (or network protocol analyzer). These can provide a network administrator with valuable information for diagnosing and resolving networking issues.

II. Stress how putting sniffers in the wrong hands results in eavesdropping on network traffic.

III. Understand that these are often required to be connected to a network from a centralized location.

IV. Outline the appropriate legal uses of packet sniffers. The user must:

• Be on a network that the organization owns.

• Be under direct authorization of the owners of the network.

• Have the knowledge and consent of the content creators.
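What a sniffer does with each captured frame, as an added example that is not from the textbook: decode the Ethernet II, IPv4 and TCP headers from raw bytes. Capture itself is left out because it needs a privileged raw socket; instead the frame is built in memory by build_frame (a constructed sample, with checksums left at zero). The Packet class and the function names are this example’s own. The decoded TTL is also one of the characteristics the OS detection tools above compare, since different operating systems start from different initial values.

```python
"""Added example, not from the textbook: the decoding step of a packet
sniffer for Ethernet II / IPv4 / TCP. Frames are constructed in memory so
the example runs offline and without raw-socket privileges."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    proto: int                # IP protocol number (6 = TCP)
    src_port: Optional[int]   # None for non-TCP
    dst_port: Optional[int]
    flags: Optional[str]      # e.g. "S", "SA", "PA"
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _tcp_flags(bits: int) -> str:
    names = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))
    return "".join(n for n, mask in names if bits & mask) or "."


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode one frame; None if it is not IPv4 over Ethernet II or is truncated."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                      # 0x0800 = IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        return None
    l4 = ip[ihl:total_len]                       # ignore Ethernet padding past total_len
    sport = dport = flags = None
    payload = l4
    if proto == 6 and len(l4) >= 20:             # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4         # data offset lives in the top 4 bits
        flags = _tcp_flags(off_flags & 0x01FF)
        payload = l4[data_off:]
    return Packet(_mac(src), _mac(dst), socket.inet_ntoa(s_ip), socket.inet_ntoa(d_ip),
                  ttl, proto, sport, dport, flags, payload)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                payload: bytes = b"", ttl: int = 64) -> bytes:
    """Constructed test frame. Checksums are zero; a real sniffer would verify them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex("00163e000002"),
                      bytes.fromhex("00163e000001"), 0x0800)
    return eth + ip + tcp


# Constructed sample: an HTTP request segment (PSH|ACK = 0x18).
SAMPLE_FRAME = build_frame("10.0.0.5", "192.0.2.10", 40000, 80, 0x18,
                           b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")


def summarize(p: Packet) -> str:
    """One-line summary in the spirit of tcpdump output."""
    return (f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} "
            f"[{p.flags}] ttl={p.ttl} len={len(p.payload)}")


if __name__ == "__main__":
    decoded = parse_frame(SAMPLE_FRAME)
    print(summarize(decoded))
    print(decoded.payload.split(b"\r\n")[0])
```

The payload printed on the last line is the reason the “wrong hands” warning above matters: for any protocol that is not encrypted, the request line, headers and credentials sit in the clear at the end of the decoded frame, and a sniffer anywhere on the path reads them as easily as this example does.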

Wireless Security Tools

I. Point out that an organization that spends all of its time securing the wired network and leaves wireless networks to operate in any manner is opening itself up to a security breach.

II. Apply the knowledge that a security professional must be responsible for both hardwired and wireless networks and assess the risk for both.

III. Compose a wireless security toolkit. This should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.

Quick Quiz 2

1. What term is used to describe decoy systems designed to lure potential attackers away from critical systems?
a. trap
b. honeypot
c. trace
d. sniffer
Answer: b

2. Which of the following terms is used to describe organized research of the Internet addresses owned or controlled by a target organization?
a. fingerprinting
b. trapping
c. footprinting
d. tracing
Answer: c

3. A scanner that listens in on a network and identifies vulnerable versions of both server and client software is known as which of the following?
a. port scanner
b. active vulnerability scanner
c. sniffer
d. passive vulnerability scanner
Answer: d

4. What is a network tool that collects copies of packets from the network and analyzes them?
a. footprint
b. router
c. network trapper
d. packet sniffer
Answer: d

5. True or False: A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network.
Answer: True

[return to top]

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module. Additional class discussion options:

1. Many vendors have created enhancements to IDS systems to make them into IDPSs. Look into current developments in this area and discuss them with your class. (9.1, 9.2, PPT Slides 3–23 and 26–44) Duration 15 minutes.

2. The legal issues surrounding active defense (see “Trap-and-Trace Systems”) are constantly evolving. This provides an interesting focal point for discussing ethical responses to complex workplace issues. (9.3, PPT Slides 47–51) Duration 15 minutes.

3. As Internet privacy increases in news coverage, consumers and organizations alike are growing concerned that they are being spied on. How can organizations defend their position when it is within their legal rights to monitor networks for possible attacks or intrusions? Is it necessary for them to defend themselves? Explain. (9.3, 9.4, PPT Slides 52–55 and 58–62) Duration 15 minutes.

[return to top]

Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. Following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes; Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments

Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:

1. Demonstrate an IDPS and/or a packet sniffer to your class. Students are enthusiastic about seeing the contents of IP traffic and then watching the responses of the IDPS as the rules are evaluated.

2. Take a field trip to see your organization’s IDPS technology.

[return to top]

Additional Resources

Cengage Video Resources
• MindTap Video: Security Information and Event Management
• MindTap Video: IDPS

Internet Resources
• Firewalk
• Host-based Intrusion Prevention
• LaBrea “Sticky Honeynet”
• Nessus
• Wireshark

[return to top]


Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3: Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2: Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1: Needs Improvement
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0: Inadequate
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]


Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 10: Cryptography

Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 10: Cryptography

Table of Contents
• Purpose and Perspective of the Module
• Cengage Supplements
• Module Objectives
• Complete List of Module Activities and Assessments
• Key Terms
• What's New in This Module
• Module Outline
• Discussion Questions
• Suggested Usage for Lab Activities
• Additional Activities and Assignments
• Additional Resources
  • Internet Resources
• Appendix
  • Grading Rubrics


Purpose and Perspective of the Module

Contrary to popular belief, cryptology is not an exclusively technical and complex science; everyday activities such as knitting patterns and word puzzles rely on codes of the same kind. In this module, students will gain an understanding of what cryptography is and how it is applied in maintaining information security. Additionally, they will learn about its history, its basic operating principles, and the major protocols used for secure communications.

Cengage Supplements

The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.

• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives

The following objectives are addressed in this module:

10.1 Chronicle the most significant events and discoveries in the world of cryptology.
10.2 Explain the basic principles of cryptography.
10.3 Describe the operating principles of the most popular cryptographic tools.
10.4 List and explain the major protocols used for secure communications.

Complete List of Module Activities and Assessments

For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
10.1 | 18–19 | Knowledge Check Activity 1 | 2 minutes
10.2 | 31–32 | Knowledge Check Activity 2 | 2 minutes
10.3 and 10.4 | 52–53 | Knowledge Check Activity 3 | 2 minutes
10.1–10.4 | 57 | Self-Assessment | 5 minutes
10.1–10.4 | MindTap | Module 10 Review Questions | 30–40 minutes
10.1–10.4 | MindTap | Module 10 Case Exercises | 30 minutes
10.1–10.4 | MindTap | Module 10 Exercises | 10–30 minutes per question; 1+ hour per module
10.1–10.4 | MindTap | Module 10 Security for Life | 1+ hour
10.1–10.4 | MindTap | Module 10 Quiz | 10–15 minutes

[return to top]

Key Terms

In order of use:

cryptology: The field of science that encompasses cryptography and cryptanalysis.
cryptography: The process of making and using codes to secure information.
cryptanalysis: The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.
substitution cipher: An encryption method in which one value is substituted for another.
monoalphabetic substitution: A substitution cipher that incorporates a single alphabet in the encryption process.
polyalphabetic substitution: A substitution cipher that incorporates two or more alphabets in the encryption process.
Vigenère cipher: An advanced type of substitution cipher that uses a simple polyalphabetic code.
transposition cipher: A cryptographic operation that involves simply rearranging the values within a block based on an established pattern; also known as a permutation cipher.
permutation cipher: See transposition cipher.
exclusive OR operation (XOR): A function within Boolean algebra used as an encryption function in which two bits are compared; identical bits result in a binary 0 while different bits result in a binary 1.
Vernam cipher: A cryptographic technique developed at AT&T and known as the “one-time pad”; this cipher uses a set of characters for encryption operations only once and then discards it.
hash functions: Mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm the message’s identity and integrity.
hash algorithms: Public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.
hash value: See hash algorithm.


message digest: A value representing the application of a hash algorithm to a message; it is transmitted with the message so it can be compared with the recipient’s locally calculated hash of the same message; also known as a hash value.
message authentication code (MAC): A key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to verify the message digest.
Secure Hash Standard (SHS): A standard (FIPS 180) issued by the National Institute of Standards and Technology (NIST) that specifies secure hash algorithms, such as SHA-1 (now deprecated) and the SHA-2 family, for computing a condensed representation of a message or data file.
secret key: A key that can be used in symmetric encryption both to encipher and decipher the message.
symmetric encryption: A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.
private-key encryption: See symmetric encryption.
Advanced Encryption Standard (AES): The current federal standard for the encryption of data, as specified by NIST; based on the Rijndael algorithm.
asymmetric encryption: A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message; either key can be used to encrypt a message, but the other key is required to decrypt it.
public-key encryption: See asymmetric encryption.
public key infrastructure (PKI): An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.
digital certificates: Public-key container files that allow PKI system components and end users to validate a public key and identify its owner.
certificate authority (CA): In PKI, a third party that manages users’ digital certificates.
registration authority (RA): In PKI, a third party that operates under the trusted collaboration of the certificate authority and handles day-to-day certification functions.
certificate revocation list (CRL): In PKI, a published list of revoked or terminated digital certificates.
nonrepudiation: The property that the sender of a message cannot later deny having sent it; in PKI it is provided by digital signatures, since only the holder of the private key could have produced a signature that the matching public key verifies.
digital signatures: Encrypted message components (typically a hash of the message encrypted with the sender’s private key) that can be mathematically proven authentic.


Digital Signature Standard (DSS): The NIST standard for digital signature algorithm usage by federal information systems; based on a variant of the ElGamal signature scheme.
Diffie-Hellman key exchange: A key agreement protocol in which two parties use public-key techniques to establish a shared secret key over an insecure channel; the shared secret is typically then used as a symmetric session key.
session keys: Limited-use symmetric keys for temporary communications during an online session.
steganography: The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.
Secure Sockets Layer (SSL): A security protocol developed by Netscape that uses public-key encryption to secure a channel over the Internet; superseded by Transport Layer Security (TLS).
Secure HTTP (HTTPS): An extended version of Hypertext Transfer Protocol that provides for the encryption of protected Web pages transmitted via the Internet between a client and server.
Secure/Multipurpose Internet Mail Extensions (S/MIME): A security protocol that builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.
Privacy-Enhanced Mail (PEM): A standard proposed by the IETF that uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.
Secure Electronic Transactions (SET): A protocol developed by credit card companies to protect against electronic payment fraud.
IP Security (IPSec): The primary and dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group; provides application support for all uses within TCP/IP, including virtual private networks.
transport mode: In IPSec, an encryption method in which only a packet’s IP payload is encrypted, not the IP headers themselves; allows intermediate nodes to read the source and destination addresses.
tunnel mode: In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet; requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.
authentication header (AH) protocol: In IPSec, a protocol that provides system-to-system authentication and data integrity verification but does not provide secrecy for the content of a network communication.


encapsulating security payload (ESP) protocol: In IPSec, a protocol that provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification. [return to top]
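Two of the ciphers defined in the key terms above, worked in code as an added example that is not part of the textbook glossary: the Vigenère cipher (polyalphabetic substitution with a repeating key) and the Vernam cipher (XOR against a pad as long as the message). The second half shows the failure mode the glossary’s “only once” clause guards against: XOR two ciphertexts made under the same pad and the pad cancels, leaving plaintext XOR plaintext, from which a known or guessable phrase (a crib) in one message reveals the same span of the other. Function names and the sample messages are this example’s own.

```python
"""Added example, not from the textbook: Vigenère and Vernam (one-time pad)
in code, plus what an analyst recovers when a pad is reused."""
import secrets

A = ord("A")


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère over A-Z. Each letter is shifted by the matching key letter,
    the key repeating; non-letters pass through and do not advance the key."""
    out, k = [], 0
    key = key.upper()
    for ch in text.upper():
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ord(key[k % len(key)]) - A
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - A + shift) % 26 + A))
        k += 1
    return "".join(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG; a pad must never be derived or reused."""
    return secrets.token_bytes(length)


def vernam(message: bytes, pad: bytes) -> bytes:
    """One-time pad. XOR is its own inverse, so the same call decrypts.
    The pad must be random, at least as long as the message, and used once."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, pad)


def pad_reuse_leak(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """What an attacker recovers from two ciphertexts under one pad.

    c1 XOR c2 == p1 XOR p2 because the pad cancels. If the attacker knows or
    guesses that `crib` sits in p1 at `offset`, XOR-ing it in reveals the
    bytes of p2 at the same positions. No key material is needed."""
    mixed = xor_bytes(c1, c2)
    span = mixed[offset:offset + len(crib)]
    return xor_bytes(span, crib)


if __name__ == "__main__":
    print(vigenere("ATTACK AT DAWN", "LEMON"))                    # LXFOPV EF RNHR
    pad = new_pad(14)
    c1 = vernam(b"ATTACK AT DAWN", pad)
    c2 = vernam(b"HOLD POSITIONS", pad)
    print(pad_reuse_leak(c1, c2, b"ATT", 0))                      # b'HOL'
```

The leak works without touching the pad at all, which is why the Vernam definition ties its security to single use rather than to key length or randomness alone: a perfectly random pad used twice is no longer a one-time pad.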

What's New in This Module

The following elements are improvements in this module from the previous edition:

• This module was Chapter 8 in the 6th edition.
• Foundation topics in cryptography were reorganized and refined.
• Content on blockchain technologies and payment systems security was added.

[return to top]

Module Outline

Introduction to Information Cryptography (10.1, 10.2, PPT Slides 3–30)

I. Recall how cryptography and cryptanalysis can provide a sophisticated approach to security issues an organization may run into.

II. Emphasize that many security-related tools use embedded encryption technologies.

III. Explain how the science of encryption, known as cryptology, encompasses cryptography and cryptanalysis.

The History of Cryptology

I. Recognize that cryptology has been around since approximately 1900 B.C. and is not a new phenomenon of the Internet.

II. Review and list key dates in history critical to the transformation and growth of cryptology.

III. Conclude that in 1992, encryption tools were officially listed as Auxiliary Military Technology under the Code of Federal Regulations: International Traffic in Arms Regulations.

Key Cryptology Terms

I. List and define key terms that are commonly used in the field of cryptology:

• Algorithm: The mathematical formula or method used to convert an unencrypted message into an encrypted message; sometimes refers to the programs that enable the cryptographic processes.


• Bit stream cipher: An encryption method that involves converting plaintext to ciphertext one bit at a time.

• Block cipher: An encryption method that involves dividing the plaintext into blocks or sets of bits and then converting the plaintext to ciphertext one block at a time.

• Cipher: When used as a verb, the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components or vice versa (see Decryption and Encryption); when used as a noun, the process of encryption or the algorithm used in encryption, and a term synonymous with cryptosystem.

• Ciphertext or cryptogram: The unintelligible encrypted or encoded message resulting from an encryption.

• Code: The process of converting components (words or phrases) of an unencrypted message into encrypted components.

• Decipher: See Decryption.

• Decryption: The process of converting an encoded or enciphered message (ciphertext) back to its original readable form (plaintext), also referred to as deciphering.

• Encipher: See Encryption.

• Encryption: The process of converting an original message (plaintext) into a form that cannot be used by unauthorized individuals (ciphertext), also referred to as enciphering.

• Key or cryptovariable: The information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in an algorithm or the knowledge of how to manipulate the plaintext. Sometimes called a cryptovariable.

• Keyspace: The entire range of values that can be used to construct an individual key.

• Link encryption: A series of encryptions and decryptions between a number of systems wherein each system in a network decrypts the message sent to it, reencrypts the message using different keys, and sends it to the next neighbor. This process continues until the message reaches the final destination.

• Plaintext or cleartext: The original unencrypted message that is encrypted and the message that results from successful decryption.


• Steganography: The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists.

• Work factor: The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message.

II. Explain how many common IT tools use embedded encryption technologies to protect sensitive information within applications.

Encryption Models (10.2, PPT Slides 19–30)

I. Analyze the two most common methods of encrypting plaintext: bit stream and block cipher.

II. Review that in the bit stream method, each bit in the plaintext is transformed into a cipher bit one bit at a time, whereas in the block cipher method, messages are divided into 8-, 16-, 32-, or 64-bit blocks that are then transformed using an algorithm and a key.

Substitution Cipher

I. Explain how in a substitution cipher you substitute one value for another.

II. Describe monoalphabetic substitution, which uses only one alphabet, and polyalphabetic substitution, which uses at least two alphabets and is more advanced in nature.

III. Note that an advanced type of substitution cipher that uses a simple polyalphabetic code is the Vigenère cipher.

Transposition Cipher

I. Compare and contrast the transposition cipher with the substitution cipher and explain how transposition ciphers can be more difficult to decipher.

II. Recall that transposition ciphers can be applied at the bit level or at the byte (or character) level.

III. Discuss how transposition ciphers move these bits or bytes to another location in the block, so the bit or byte in position 1 moves to position 4, the bit or byte in position 2 moves to position 8, and so on.

Exclusive OR

I. Define the concept of an exclusive OR operation (XOR) and its importance to cryptography.


II. Comprehend that bit stream methods commonly use algorithm functions like the exclusive OR operation (XOR), whereas block methods can use substitution, transposition, XOR, or some combination of these operations.

III. Identify that XOR is a function of Boolean algebra: if two bits are identical when compared, the binary result is 0, and when they differ, it is 1. Apply Table 10-3 as part of the discussion.

Vernam Cipher

I. Relate that this is one of the oldest modern encryption methods still used to this day, having been a key factor in cryptography for well over 100 years (1917).

II. Assemble and list the process of a Vernam cipher encryption operation:

• The pad values are added to numeric values that represent the plaintext that needs to be encrypted.

• Each character of the plaintext is turned into a number, and a pad value for that position is added to it.

• The resulting sum for that character is then converted back to a ciphertext letter for transmission.

• When the two are added, if the values exceed 26, then 26 is subtracted from the total. (This is referred to as Modulo 26.)

• The corresponding results are then converted back to text.
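As an added example (not part of the instructor manual), the procedure above implemented in Python: letters are numbered A=1 through Z=26, the pad value for each position is added, 26 is subtracted whenever the sum exceeds 26, and decryption reverses the steps. The sample message and pad are constructed, and the length check makes the one-time-pad requirement (a random pad at least as long as the message, never reused) explicit.

```python
# Added example (not from the instructor manual): the Vernam / one-time-pad
# steps as the outline lists them, on a 1..26 letter scale with the
# "subtract 26 when the sum exceeds 26" rule.
import secrets
import string

ALPHABET = string.ascii_uppercase


def letter_to_number(ch: str) -> int:
    """Map A..Z to 1..26, the numbering the outline's procedure uses."""
    return ALPHABET.index(ch) + 1


def number_to_letter(n: int) -> str:
    """Map 1..26 back to A..Z."""
    return ALPHABET[n - 1]


def normalize(text: str) -> str:
    """Keep only letters, upper-cased: the pad covers letters, not spacing."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vernam_encrypt(plaintext: str, pad: str) -> str:
    """Letter -> number, add the pad value, reduce if > 26, number -> letter."""
    pt = normalize(plaintext)
    pad = normalize(pad)
    if len(pad) < len(pt):
        # A pad shorter than the message would force pad values to be reused,
        # which is exactly what turns an unbreakable one-time pad into a breakable cipher.
        raise ValueError("pad must be at least as long as the plaintext")
    out = []
    for p_ch, k_ch in zip(pt, pad):
        total = letter_to_number(p_ch) + letter_to_number(k_ch)
        if total > 26:
            total -= 26          # the outline's "Modulo 26" step
        out.append(number_to_letter(total))
    return "".join(out)


def vernam_decrypt(ciphertext: str, pad: str) -> str:
    """Inverse: subtract the pad value, adding 26 back when the result drops below 1."""
    ct = normalize(ciphertext)
    pad = normalize(pad)
    if len(pad) < len(ct):
        raise ValueError("pad must be at least as long as the ciphertext")
    out = []
    for c_ch, k_ch in zip(ct, pad):
        diff = letter_to_number(c_ch) - letter_to_number(k_ch)
        if diff < 1:
            diff += 26
        out.append(number_to_letter(diff))
    return "".join(out)


def generate_pad(length: int) -> str:
    """A pad is only 'one-time' and unbreakable if it is random and used once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: pad letters F E G S carry the values 6 5 7 19.
    message, pad = "SACK", "FEGS"
    ct = vernam_encrypt(message, pad)
    print(message, "+", pad, "->", ct)      # SACK + FEGS -> YFJD
    print(vernam_decrypt(ct, pad))          # SACK
    fresh = generate_pad(len("SACKGAUL"))   # fresh random pad for a new message
    print(vernam_decrypt(vernam_encrypt("SACKGAUL", fresh), fresh))
```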

Book-Based Cipher

I. Examine the similarities and differences between book ciphers and key ciphers and why they are important to use in cryptography to protect the organization's information.

II. Analyze how the text in a book can serve as a third kind of key for decrypting messages (although its popularity stems from spy movies).

Book Cipher

I. Detail how the ciphertext consists of a list of codes representing the page number, line number, and word number of the plaintext word.

II. Comprehend that the receiver must know which book to use to decipher a message.

III. Explain how dictionaries and thesauruses are likely the most popular sources since they guarantee every word needed. Note that almost any book will suffice when applying this method.


Running Key Cipher

I. Define the use of a running key cipher and how it applies the concepts a book cipher uses to decrypt messages.

II. Comprehend how the mirrored layout of a table simplifies the selection of rows and columns during encryption and decryption exercises.

Template Cipher

I. Gain awareness that a template cipher or perforated page cipher is not strictly an encryption cipher but more an example of steganography.

II. Examine that this method is often difficult to complete, physical in nature, and easy to detect, so its usefulness in cryptography is minimal, if any.

Hash Functions

I. Identify the concept of hash functions: mathematical algorithms used to confirm the identity of a specific message and to confirm that its content has not been changed.

II. Examine how hash algorithms are functions that create hash values or message digests. This is done by converting variable-length messages into a single fixed-length value.

III. Emphasize that hashing functions do not require the use of keys. Rather, a message authentication code (MAC), which is essentially a one-way hash value that is encrypted with a symmetric key, may be attached to a message to allow only specific recipients to access the message digest. Here, the recipient must have a key to access (or unlock) the message digest and to confirm the integrity of that message.

IV. Define the concept of a Secure Hash Standard (SHS) and compare the original Secure Hash Algorithm (SHA-1) to more modern hash algorithms in use or being proposed (SHA-256, SHA-384, and SHA-512).

V. Stress that a recently developed attack method called rainbow cracking has generated concern about the strength of the processes used for password hashing.

VI. Examine the 10.4 password standard and why it is important to apply it to systems one may access daily.

VII. Compare and contrast ways that one can defend against time-memory trade-off attacks, including password hash salting, key stretching, and key strengthening.
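As an added example (not part of the instructor manual or the textbook), the three ideas of this section side by side in standard-library Python: a keyless message digest that is always the same fixed length, a keyed MAC (HMAC) that only holders of the shared key can verify, and salted, stretched password hashing (PBKDF2) as the defense against precomputed rainbow tables. The iteration count and all sample inputs are constructed for illustration.

```python
# Added example (not from the instructor manual): digest vs. MAC vs. salted,
# stretched password hash, using only the Python standard library.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def message_digest(message: bytes) -> str:
    """SHA-256 digest: 32 bytes (64 hex chars) whatever the input length, no key needed."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC binds the digest to a symmetric key, so only key holders can produce or check it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(mac_tag(key, message), tag)


# Key-stretching work factor. Constructed figure for illustration; deployments
# raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, stretched hash). A fresh random salt per user means two users
    with the same password get different hashes, so one precomputed table cannot
    cover both; the iteration count makes each guess cost the attacker more work."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def unsalted_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """Without a salt, equal passwords give equal hashes: the weakness a rainbow table exploits."""
    return message_digest(pw_a.encode()) == message_digest(pw_b.encode())


if __name__ == "__main__":
    # Constructed sample inputs.
    print(len(message_digest(b"hi")), len(message_digest(b"a much longer message " * 100)))

    key = b"shared-secret-key"
    tag = mac_tag(key, b"transfer 100 to account 42")
    print(mac_verify(key, b"transfer 100 to account 42", tag))          # True
    print(mac_verify(key, b"transfer 900 to account 42", tag))          # False: altered
    print(mac_verify(b"wrong-key", b"transfer 100 to account 42", tag)) # False: no key

    salt1, h1 = hash_password("correct horse")
    salt2, h2 = hash_password("correct horse")
    print(h1 != h2)                                       # True: different salts
    print(verify_password("correct horse", salt1, h1))    # True
    print(verify_password("Correct horse", salt1, h1))    # False
    print(unsalted_hashes_collide("correct horse", "correct horse"))  # True
```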

Quick Quiz 1

1. True or False: Julius Caesar was associated with an early version of the substitution cipher.

Answer: True

2. Which of the following terms is used to describe the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext?
a. cipher
b. code
c. cleartext
d. key

Answer: d

3. The science of encryption is known as which of the following?
a. cryptanalysis
b. steganography
c. cryptology
d. algorithm

Answer: c

4. Which of the following terms describes the process of making and using codes to secure the transmission of information?
a. algorithm
b. cryptography
c. steganography
d. cryptanalysis

Answer: b

5. True or False: Hashing functions require the use of keys.

Answer: False

Cryptographic Algorithms (10.2, PPT Slides 19–30)

I. Explain that cryptographic algorithms are often grouped into two broad categories: symmetric and asymmetric.

II. Gain awareness that most cryptosystems deploy a hybrid combination of symmetric and asymmetric algorithms.


III. Review that symmetric and asymmetric algorithms can be distinguished by the types of keys they use for encryption and decryption operations.

Symmetric Encryption

I. Describe how symmetric encryption uses the same key, also known as a secret key, to encrypt and decrypt a message.

II. Analyze the efficiency of symmetric encryption methods, as they require only minimal processing to either encrypt or decrypt the message.

III. Explain that the drawback of this type of encryption is that both the sender and receiver must have the same key to transmit a message between them. Emphasize that if either copy of the key is compromised, an intermediary can decrypt and read the messages.

IV. Review the evolution of symmetric encryption cryptosystems and what is commonly used now, the Advanced Encryption Standard (AES):

• The Data Encryption Standard (DES) was developed in 1977 by IBM and is based on an algorithm that uses a key length of 128 bits. As implemented, DES uses a 64-bit block size and a 56-bit key. It is now considered an insecure method to use.

• Triple DES (3DES) was developed as an improvement to DES. 3DES encrypts the message three times with three different keys. While it was stronger than DES, it soon proved too weak to survive.

• AES is based on the Rijndael block cipher, a block cipher with a variable block length and a key length of 128, 192, or 256 bits. This is the most common one used today.

Asymmetric Encryption

I. Comprehend that asymmetric encryption is also known as public-key encryption.

II. Explain that symmetric encryption uses a single key to encrypt and decrypt, but asymmetric encryption uses two different but related keys, one public and one private. For example, if Key A is used to encrypt the message, only Key B can decrypt it.

III. Differentiate between a public key and a private key. Public keys are often stored in public locations, whereas private keys are known only to the owner of the key pair.

IV. Classify asymmetric algorithms as one-way functions. This means they are simple to compute in one direction but complex to compute in the opposite direction.

V. Introduce students to the RSA algorithm, which is one of the most popular public-key cryptosystems.


VI. Critique the understanding that, with asymmetric encryption, four keys are required to hold a single conversation between two parties (two public and two related private keys). The more parties are involved in a conversation, the more steeply the number of keys that must be managed rises.

Encryption Key Size

I. Apply an understanding that when deploying ciphers, users must decide on the size of the cryptovariable (or key), as it determines the strength of the algorithm.

II. Explain that when it comes to cryptosystems, the security of encrypted data does not depend on keeping the encrypting algorithm secret; in fact, algorithms are often published so that research can be done to uncover their weaknesses.

III. Stress how the security of any cryptosystem depends on keeping some or all of the elements of the cryptovariable(s) or key(s) secret. If any of them are shared outside of the domain, the strength quickly decreases or is eliminated.

IV. Examine and apply Table 10-5 to illustrate the amount of time often needed to crack a cipher by guessing its key. Note that the time grows exponentially with each bit added to the key.

Quick Quiz 2

1. True or False: Two hundred and eighty-five computers could crack a 56-bit key in one year, whereas 10 times as many could do it in a little over a month.

Answer: True

2. Which of the following is the strongest symmetric encryption cryptosystem?
a. Data Encryption System (DES)
b. Advanced Encryption Standard (AES)
c. Triple DES (3DES)
d. RSA algorithm

Answer: d

3. What term is used to describe a cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message?
a. private-key encryption
b. symmetric encryption
c. Advanced Encryption Standard (AES)
d. Asymmetric encryption

Answer: d

4. Which algorithm was the first public-key encryption algorithm developed (in 1977) and published for commercial use?
a. 3DES
b. Blowfish
c. RSA
d. Diffie-Hellman

Answer: c

5. True or False: In the event either a public key or private key is compromised, the communication terminates as there is no way to be able to override a compromised key.

Answer: False

Cryptographic Tools (10.3, PPT Slides 28–30 and 33–40)

I. Manage expectations that cryptographic capabilities must be embodied in tools that allow IT and information security practitioners to apply the elements of cryptography in the world of information systems.

II. Review some of the most widely used tools that apply the functions of cryptography to the world of information systems.

Public Key Infrastructure (PKI)

I. Examine and describe how public-key infrastructure (PKI) is an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely.

II. Apply information in the text regarding digital certificates as public-key container files that allow PKI system components and end users to validate a public key and identify its owner.

III. List the ways PKI can protect information assets. It uses the following techniques:

• Authentication

• Integrity

• Privacy

• Authorization

• Nonrepudiation


IV. Outline components that a typical PKI solution uses to protect transmission and reception of secure information:

• Certificate authority (CA)

• Registration authority (RA)

• Certificate directories

• Management protocols

• Policies and procedures

V. Apply the common implementations of a PKI:

• Issuance of digital certificates to servers and users.

• Directory enrollment.

• Key issuing systems.

• Provide tools to secure information.

• Provide verification and return of certificates.

VI. Stress that certificate authorities (CAs) often perform many housekeeping activities regarding the use of keys and certificates within their zone of authority.

VII. Justify that periodically, certificate revocation lists (CRLs) are sent out to users at the discretion of the information security team.

Digital Signatures

I. Define what a digital signature is and which type of encryption process is used to create them (asymmetric).

II. Identify that when an asymmetric cryptographic process uses the sender's private key to encrypt a message, the sender's public key must be used to decrypt the message.

III. Review how, when the decryption happens successfully, it provides verification that the message was sent by the sender and cannot be refuted. Note that this process is known as nonrepudiation and is the principle of cryptography that underpins the authentication mechanism collectively known as a digital signature.

IV. Emphasize that a digital signature is an encrypted message and can be mathematically proven authentic.

V. Recommend that digital signatures be created using processes and products that are based on the Digital Signature Standard (DSS).


Digital Certificates

I. Compare and contrast the differences between a digital signature and a digital certificate.

II. Explain that a digital certificate, which is an electronic document, is like a digital signature that is attached to a file and certifies that the file is from the organization it claims to be from and has not been modified from the original format.

III. Justify the message that digital certificates authenticate the cryptographic key that is embedded inside a certificate and not the origin of a message.

IV. Review Figure 10-7 as a visual example of a digital certificate.

Hybrid Cryptography Systems

I. Establish an understanding that asymmetric key encryption is used in limited ways and most often only for certificates.

II. Comprehend that asymmetric key encryption is more often used in conjunction with symmetric key encryption as part of a hybrid encryption system.

III. Describe the Diffie-Hellman key exchange and why it is the most common hybrid system used to exchange session keys. Apply information in Figure 10-8 to aid students' understanding of how hybrid encryption functions.

IV. Emphasize that keys used in hybrid systems are limited-use symmetric keys for temporary communications. They allow two organizations to conduct quick, efficient, secure communications based on symmetric encryption.

V. Express the importance of the Diffie-Hellman approach as the foundation for subsequent developments in public-key encryption.
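As an added example (not from the instructor manual or the textbook), a minimal hybrid system in Python: the two parties agree on a limited-use session key with Diffie-Hellman over an open channel, then protect a message with symmetric encryption under that key. The prime modulus (the Mersenne prime 2**127 - 1 with generator 3) and the HMAC-SHA256 counter-mode stream cipher are illustrative constructions standing in for a standardized group and a cipher such as AES; the session keys are derived for one message exchange and then discarded.

```python
# Added example (not from the instructor manual): Diffie-Hellman session-key
# agreement followed by symmetric protection of one message.
import hashlib
import hmac
import secrets
from typing import Tuple

# Illustrative group: 2**127 - 1 is a Mersenne prime, chosen so the arithmetic
# stays visible. Deployments use standardized groups, not an ad hoc prime.
P = 2**127 - 1
G = 3


def dh_keypair() -> Tuple[int, int]:
    """Private exponent plus the public value G^a mod P that crosses the open network."""
    private = secrets.randbelow(P - 3) + 2        # 2 <= private <= P - 2
    return private, pow(G, private, P)


def dh_shared_secret(my_private: int, their_public: int) -> int:
    """Each side raises the other's public value to its own private exponent: G^(ab) mod P."""
    return pow(their_public, my_private, P)


def derive_session_keys(shared_secret: int) -> Tuple[bytes, bytes]:
    """Turn the raw DH result into two limited-use symmetric keys (encryption, integrity)."""
    raw = shared_secret.to_bytes(16, "big")      # shared secret is below 2**127, fits 16 bytes
    enc_key = hmac.new(raw, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(raw, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher: HMAC-SHA256 in counter mode, XORed into the data."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Wire format nonce || ciphertext || tag. A fresh nonce per message keeps the keystream unique."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the integrity tag before decrypting; reject altered or foreign-key messages."""
    if len(blob) < 16 + 32:
        raise ValueError("message too short to carry a nonce and tag")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong session key or altered message")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def hybrid_exchange(message: bytes) -> Tuple[bytes, bytes]:
    """Run both roles: agree on a session key, send one protected message, recover it.
    Returns (what the receiver recovered, the bytes that crossed the network)."""
    a_private, a_public = dh_keypair()               # party A's key pair
    b_private, b_public = dh_keypair()               # party B's key pair
    a_keys = derive_session_keys(dh_shared_secret(a_private, b_public))
    b_keys = derive_session_keys(dh_shared_secret(b_private, a_public))
    wire = encrypt(a_keys[0], a_keys[1], message)    # A encrypts under its session key
    return decrypt(b_keys[0], b_keys[1], wire), wire # B decrypts under its identical copy


if __name__ == "__main__":
    recovered, wire = hybrid_exchange(b"constructed sample: transfer the file now")
    print(recovered)
    print(len(wire), "bytes on the wire; the plaintext itself never crosses it")
```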

Steganography

I. Explain what steganography is and how it applies to cryptography and encryption standards. Stress that this is used as a data hiding method and involves embedding information within files.

II. Emphasize that the word “steganography” is derived from the Greek words “steganos,” meaning “covered,” and “graphein,” meaning “to write.”

III. Assess and propose the most popular modern version of steganography, which involves hiding information within files that appear to contain digital pictures or other images.

IV. State that most computer graphics standards use a combination of three color values (red, blue, and green (RGB)) to represent a picture element, or pixel. Each one of the colors has an 8-bit binary code. For example, 00000000 is no red and 11111111 is all red.

V. Provide examples and justifications of file types that can hide messages. These include .bmp, .wav, .mp3, and .au files. Unused storage on CDs and DVDs is an alternate example to share with students.

Protocols for Secure Communications (10.4, PPT Slides 41–51)

I. Recognize that most of the software currently used to protect the confidentiality of information within organizations is not a set of true cryptosystems. Rather, these are applications to which cryptographic protocols were added after the fact.

II. Review Table 10-7 for a list of summarized communication protocols needed to handle exponential increases in threats.

Secure Internet Communication with HTTPS and SSL

I. Provide context on the history of the Secure Socket Layer (SSL) protocol, which uses public-key encryption, and Netscape's intention to create a secure channel over public Internet connections. This created the opportunity to enable secure communications.

II. Define what Hypertext Transfer Protocol (HTTP) is and why it is important to use for secure Internet communications.

III. Review the concept of Secure Hypertext Transfer Protocol (S-HTTP) and how it is an extended version of the Hypertext Transfer Protocol (HTTP) that provides for the encryption of individual messages between a client and server across the Internet. S-HTTP is the application of SSL over HTTP, which allows the encryption of all information passing between two computers through a protected and secure virtual connection.

IV. Emphasize the importance for organizations of using HTTPS for internal and external websites.

Secure E-Mail with S/MIME, PEM, and PGP

I. Define the concept of Secure/Multipurpose Internet Mail Extensions (S/MIME) and its importance in e-mail communications.

II. Explain what Privacy-Enhanced Mail (PEM) is and how it can be used in conjunction with S/MIME. Present to students how PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures.

III. Recognize that Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses the IDEA cipher along with RSA for key exchange. Focus on the point that PGP is functionally like S/MIME, incorporates some of the same algorithms, and can interoperate with S/MIME to some degree.

IV. Review the history of Internet e-mail standards and tell students that the first one used was SMTP/RFC 822 (also called SMTP). Note that this standard has problems and limitations. MIME was developed to address the problems associated with SMTP.

V. Detail how S/MIME builds on the encoding format of the Multipurpose Internet Mail Extensions (MIME) protocol and uses digital signatures based on public-key cryptosystems to secure e-mail.

Securing Web Transactions with SET, SSL, and HTTPS

I. Emphasize that just as PGP, PEM, and S/MIME work to secure e-mail operations, several related protocols work to secure Web browsers, especially at electronic commerce sites.

II. Compare and contrast Secure Electronic Transactions (SET), Secure Socket Layer (SSL), Secure Hypertext Transfer Protocol (S-HTTP), Secure Shell (SSH-2), and IP Security (IPSec).

III. Establish an understanding that Secure Electronic Transactions (SET) was developed by MasterCard and Visa in 1997 to provide protection from electronic payment fraud. Also state that SET uses DES to encrypt credit card information transfers and RSA for key exchange, and that it provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores.

IV. Mention that SSL uses several algorithms but mainly relies on RSA for key transfer and uses IDEA, DES, or 3DES for encrypted symmetric key-based data transfers.

Securing Wireless Networks with WPA and RSN

I. Discuss wireless local area networks, which are thought by many in the IT industry to be inherently insecure. Without some form of protection, these signals can be intercepted by anyone with a wireless packet sniffer.

Wired Equivalent Privacy (WEP)

I. Define the concept of Wired Equivalent Privacy (WEP) and how it applies to information security systems and cryptography.

• WEP was an early attempt to provide security with the 802.11 network protocol.

• It is now considered too cryptographically weak to provide any meaningful protection from eavesdropping.


• An intruder who collects enough data can threaten a WEP network in just a few minutes by decrypting or altering the data being transmitted, or by forging the WEP key to gain unauthorized access to the network.

• WEP also lacks a means of validating user credentials to ensure only those who should be on the network are allowed to access it.

II. Compare and critique the reasons why WEP is too weak for use in most network settings.

Wi-Fi Protected Access (WPA and WPA2)

I. Examine the purpose of WPA and why it was created to resolve issues with WEP.

II. Explore the process by which WPA uses dynamic keys through a shared authentication server and the Temporal Key Integrity Protocol (TKIP).

III. Review the four algorithms that TKIP adds to the mix above and beyond what WEP uses:

• A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries.

• A new IV sequencing discipline to remove replay attacks from the attacker's arsenal.

• A per-packet key mixing function to decorrelate public IVs from weak keys.

• A rekeying mechanism to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

IV. Summarize the history of WPA technologies and detail the newest iteration of this technology, WPA3.

V. Compare and contrast the differences between WEP and WPA via information provided in Table 10-9 within the text.

Next Generation Wireless Protocols

I. Describe in detail the purpose of a Robust Secure Network (RSN) and why it is important to use as more devices and systems go online for organizations.

II. Summarize the RSN protocol functions as provided in the text:

• The wireless network interface card (NIC) sends a probe request.

• The wireless access point sends a probe response with an RSN Information Exchange (IE) frame.

• The wireless NIC requests authentication via one of the approved methods.

• The wireless access point provides authentication for the wireless NIC.


• The wireless NIC sends an association request with an RSN IE frame.

• The wireless access point sends an association response.

III. Stress the fact that AES supports key lengths of up to 256 bits but lacks compatibility with older hardware.

IV. Emphasize that a specification known as Transitional Security Network (TSN) allows RSN and WEP to coexist on the same wireless LAN.

Bluetooth

I. Analyze what Bluetooth is and its importance as a short-range wireless communication option between devices within a 30-foot range, and note that it operates without additional security controls implemented.

II. Diagnose the two ways that Bluetooth-enabled devices can be secured: turning Bluetooth off, or not accepting incoming communications requesting pairing unless one knows which device is asking for the connection.

Securing TCP/IP with IPSec and PGP

I. Define how IP Security (IPSec) is the cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. Emphasize that this protocol is used to create virtual private networks (VPNs) and is an open framework for security development within the TCP/IP family of protocol standards.

II. Compare and contrast the two modes of operation in which IPSec works: transport mode and tunnel mode.

• In transport mode, only the IP data is encrypted, not the IP headers.

• In tunnel mode, the entire IP packet is encrypted and is then placed as the payload in another IP packet.

III. Evaluate the IPSec protocol and describe to students how it operates. Use Figure 10-9 as a visual aid to assist with the explanation.

• IPSec combines several different cryptosystems in its operations:

  • Diffie-Hellman key exchange for deriving key material between peers on a public network.

  • Public-key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties.

  • Bulk encryption algorithms, such as DES, for encrypting the data.

  • Digital certificates signed by a certificate authority to act as digital ID cards.

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.


• IP layer security is obtained by using an application header protocol or an encapsulating security payload protocol.
• The application header (AH) protocol provides system-to-system authentication and data integrity verification, but it does not provide secrecy for the content of a network communication.
• The encapsulating security payload (ESP) protocol provides secrecy for the contents of network communications as well as system-to-system authentication and data integrity verification.
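As an added illustration (not from the manual or the textbook) of the two modes and the two protocols above, this toy model shows which packet fields a passive observer on the path can still read in each case. The cipher, key values, addresses and the `ESP:`/`AH:` markers are simplified stand-ins constructed for the demo, not real IPSec formats.

```python
"""Toy model of IPSec transport vs. tunnel mode and AH vs. ESP.

Added example, not real IPSec: the bulk cipher is a labelled stand-in so the
packet structure stays visible. The point is which fields a passive on-path
observer can still read, and what the receiving gateway recovers.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed sample keys, not real key material.
ESP_KEY = b"constructed-esp-key"
AH_KEY = b"constructed-ah-key"


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes      # transport-layer data, e.g. a TCP segment


def _xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for a bulk cipher such as DES/AES (reversible, NOT secure)."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def _serialize(p: IPPacket) -> bytes:
    """Flatten header + data so the whole packet can be encrypted or MACed."""
    return f"{p.src}>{p.dst}|".encode() + p.payload


def _deserialize(raw: bytes) -> IPPacket:
    hdr, payload = raw.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return IPPacket(src, dst, payload)


def esp_transport(pkt: IPPacket) -> IPPacket:
    """Transport mode: only the IP data is encrypted; the IP header stays."""
    return IPPacket(pkt.src, pkt.dst, b"ESP:" + _xor_stream(pkt.payload, ESP_KEY))


def esp_tunnel(pkt: IPPacket, gw_src: str, gw_dst: str) -> IPPacket:
    """Tunnel mode: the entire original packet (header and data) is encrypted
    and carried as the payload of a new packet between the two gateways."""
    inner = _xor_stream(_serialize(pkt), ESP_KEY)
    return IPPacket(gw_src, gw_dst, b"ESP:" + inner)


def esp_tunnel_unwrap(outer: IPPacket) -> IPPacket:
    """Receiving gateway: decrypt the payload and recover the inner packet."""
    return _deserialize(_xor_stream(outer.payload[len(b"ESP:"):], ESP_KEY))


def ah_protect(pkt: IPPacket) -> IPPacket:
    """AH: authentication and integrity over header and data, no secrecy."""
    tag = hmac.new(AH_KEY, _serialize(pkt), hashlib.sha256).hexdigest()
    return IPPacket(pkt.src, pkt.dst, f"AH:{tag}|".encode() + pkt.payload)


def ah_verify(pkt: IPPacket) -> bool:
    """Recompute the tag over header and data; any tampering fails the check."""
    tag, payload = pkt.payload[len(b"AH:"):].split(b"|", 1)
    clean = IPPacket(pkt.src, pkt.dst, payload)
    expected = hmac.new(AH_KEY, _serialize(clean), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.decode(), expected)


def observer_view(pkt: IPPacket) -> dict:
    """What someone sniffing the wire learns without the keys."""
    if pkt.payload.startswith(b"ESP:"):
        data = None                              # opaque ciphertext
    elif pkt.payload.startswith(b"AH:"):
        data = pkt.payload.split(b"|", 1)[1]     # AH adds a tag, no secrecy
    else:
        data = pkt.payload
    return {"src": pkt.src, "dst": pkt.dst, "data_visible": data}


if __name__ == "__main__":
    # Constructed sample packet between two internal hosts.
    original = IPPacket("10.0.0.5", "10.0.1.9", b"GET /secret")
    print("transport:", observer_view(esp_transport(original)))
    print("tunnel:   ", observer_view(esp_tunnel(original, "203.0.113.1", "198.51.100.7")))
    print("AH:       ", observer_view(ah_protect(original)))
```

In transport mode the observer still learns the real endpoints; in tunnel mode only the gateway addresses are exposed, and with AH the data is readable but any change to header or data breaks the tag.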

Pretty Good Privacy (PGP)
I. Describe the purpose of PGP and the benefit of its hybrid cryptosystem for storing and maintaining information. Note that this system uses some of the best available cryptographic algorithms and has become the open-source de facto standard for encryption and authentication of e-mail and file storage applications.

II. Review the six services that a PGP security solution can provide:
• Authentication by digital signatures
• Message encryption
• Compression
• E-mail compatibility
• Segmentation
• Key management

Quick Quiz 3
1. True or False: Popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms.
Answer: True
2. True or False: PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities.
Answer: True
3. Nonrepudiation means that customers or partners cannot be held accountable for transactions, such as online purchases, which they cannot later deny.
Answer: False
4. The process of hiding information within other files, such as digital pictures or other images, is known as which of the following?


a. digital signatures
b. steganography
c. registration authority
d. digital certificates
Answer: b
5. Which of the following is a hybrid cryptosystem that has become the open-source de facto standard for encryption and authentication of e-mail and file storage applications?
a. PGP
b. S-HTTP
c. SSL
d. S/MIME
Answer: a
[return to top]

Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.
Additional class discussion options:
1. What is the future of PKI? Acceptance of PKI solutions and product sales has fallen short of early estimates. What would the “killer app” for PKI sales look like? (10.3, PPT Slides 33–51) Duration 15 minutes.
2. Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography? (10.2, 10.3, 10.4, PPT Slides 20–30 and 33–51) Duration 15 minutes.
3. What are the risks of using an open-source cryptographic option as technology becomes more complex over time? Does it honestly make a difference? Why or why not? (10.4, PPT Slides 41–51) Duration 15 minutes.
[return to top]


Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. Following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will: • have a better understanding of the ethical expectations of IT professionals; and • be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to: • Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to: • Understand the basic setup and use of an open-source AV product. • Install and use Clam AV on a Windows system. • Using a USB storage device, create a portable AV scanner. • Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to: • Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to: • Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS). • Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to: • Review available and enabled OS services. • Review available and enabled OS processes. • Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to: • Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to: • Identify network addresses associated with an organization. • Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments
Please see associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include the following:


1. Have students encode and decode messages using simple and progressively more complex encoding processes. Start with a simple Caesar cipher and move on to running book and substitution ciphers.
2. Ask students to share their experiences with cryptographic security tools.
[return to top]

Additional Resources
Internet Resources
• Bruce Schneier
• RSA Intelligence Driven Security
• Phillip Zimmermann, Why I Wrote PGP
• Distributed.net
• History of SSL Certificate

[return to top]


Appendix
Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 (Exceeds Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 (Meets Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 (Needs Improvement)
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 (Inadequate)
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.
[return to top]



Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 11: Implementing Information Security

Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 11: Implementing Information Security

Table of Contents
Purpose and Perspective of the Module (p. 2)
Cengage Supplements (p. 2)
Module Objectives (p. 2)
Complete List of Module Activities and Assessments (p. 2)
Key Terms (p. 3)
What's New in This Module (p. 4)
Module Outline (p. 4)
Discussion Questions (p. 20)
Suggested Usage for Lab Activities (p. 20)
Additional Activities and Assignments (p. 22)
Additional Resources (p. 23)
    Internet Resources (p. 23)
Appendix (p. 24)
    Grading Rubrics (p. 24)


Purpose and Perspective of the Module
The purpose of this module is to explore the transition of an information system blueprint and its evolution into a project plan. Within this module, students will gain an understanding of the critical personnel who make up a project team and why a project manager with an information security background is paramount for projects of this nature to succeed. Additional emphasis and attention are focused on the organizational considerations that a project must address, as well as the technical and nontechnical strategies that must be executed. These need to be in place for a project to be successful in both the short term and the long term.

Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor’s manual

Module Objectives
The following objectives are addressed in this module:
11.1 Explain how an organization’s information security blueprint becomes a project plan.
11.2 Explain the significance of the project manager’s role in the success of an information security project.
11.3 Discuss the many organizational considerations that a project plan must address.
11.4 Describe the need for professional project management for complex projects.
11.5 Discuss technical strategies and models for implementing a project plan.
11.6 List and discuss the nontechnical problems that organizations face in times of rapid change.

Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
11.2–11.4 | 27–28 | Knowledge Check Activity 1 | 2 minutes
11.2–11.4 | 43–44 | Knowledge Check Activity 2 | 2 minutes
11.5 | 53–54 | Knowledge Check Activity 3 | 2 minutes
11.1–11.6 | 61 | Self-Assessment | 5 minutes
(all) | MindTap | Module 11 Review Questions | 30–40 minutes
(all) | MindTap | Module 11 Case Exercises | 30 minutes
(all) | MindTap | Module 11 Exercises | 10–30 minutes per question; 1+ hour per module
(all) | MindTap | Module 11 Security for Life | 1+ hour
(all) | MindTap | Module 11 Quiz | 10–15 minutes

[return to top]

Key Terms
In order of use:
systems development life cycle (SDLC): A methodology for the design and implementation of an information system, which may contain different phases depending on the methodology deployed, but generally addresses investigation, analysis, design, implementation, and maintenance.
methodology: A formal approach to solving a problem based on a structured sequence of procedures.
waterfall model: A type of SDLC in which each phase of the process “flows from” the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
software assurance: A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages.
project management: The process of identifying and controlling the goals, objectives, tasks, scheduling, and resources of a project.
project plan: The documented instructions for participants and stakeholders in a project that provide details on goals, objectives, tasks, scheduling, and resource management.
work breakdown structure (WBS): A list of the tasks to be accomplished in a project, the employee skill sets needed to perform the tasks, the start and end dates, the estimated resources required, and the dependencies among tasks.
projectitis: A situation in project planning in which a project manager spends more time manipulating and adjusting aspects of the project management software than accomplishing meaningful project work.
gap analysis: The process of comparing measured results against expected results and then using the resulting “gap” as a measure of project success and as feedback for project management.
direct changeover conversion strategy: The conversion strategy that involves stopping the old system and starting the new one without any overlap.
phased implementation conversion strategy: The conversion strategy that involves a measured rollout of the planned system: only part of the system is brought out and disseminated across an organization before the next piece is implemented.
pilot implementation conversion strategy: The conversion strategy that involves implementing the entire system into a single office, department, or division and dealing with issues that arise before expanding to the rest of the organization.
parallel operations conversion strategy: The conversion strategy that involves running the new system concurrently with the old system.
bulls-eye model: A method for prioritizing a program of complex change that requires issues to be addressed from the general to the specific and focuses on systematic solutions instead of individual problems.
technology governance: A process that organizations use to manage the effects and costs of technological implementation, innovation, and obsolescence.
change control: A method of regulating the modification of systems within the organization by requiring formal review and approval for each change.
[return to top]

What's New in This Module
The following elements are improvements in this module from the previous edition:
• This module was Chapter 10 in the 6th edition.
• The entire module was refreshed with a general update and given more current examples.
• The section on Certification & Accreditation was moved to Module 4 and rewritten to align with NIST RMF standards.
• The section on security models was expanded and updated.

[return to top]

Module Outline
Introduction to Information Security Implementation (11.1, PPT Slides 3–18)
I. Define the term systems development life cycle (SDLC) and explain why an organization’s needs and culture dictate the trade-offs that will be made.
II. Emphasize that information security must be implemented in every system of an organization, especially major systems.
III. Identify that most organizations prefer to use an off-the-shelf application when developing and/or deploying information systems rather than develop one in-house.
IV. Compare and contrast the following systems development protocols:
• Joint application development
• Rapid application development
• Agile or extreme programming
• Development operations (DevOps)
• Security development operations (SecDevOps)

The Systems Development Life Cycle (11.1, PPT Slides 5–18)
I. Explain why an SDLC is a methodology and its purpose for an information system.

Traditional Development Methods
I. Describe the six general phases of a traditional SDLC approach and how the waterfall model is applied to the phases.
II. Justify the reasons that once a system is implemented, it is often maintained and modified over its working life.
III. Recognize that an information system may have multiple iterations due to the cyclical nature of the SDLC.

Investigation
I. Explain why the investigation phase is the most important phase of the SDLC process.
II. Explain the tasks that are often completed at the end of each major phase of the SDLC, including an assessment of economic, technical, and behavioral feasibility.

Analysis
I. Explain why the information gathered in the investigation phase is important and applicable to the analysis phase of the SDLC.
II. Establish that the assessments completed in this phase determine what the new system is intended to do and how it interacts with other systems, existing or otherwise.

Logical Design
I. Emphasize the importance of designing a solution around a business need and why it is necessary.
II. Evaluate the process of this step and why the logical design is the blueprint for the desired solution.
III. Describe the reasons a design created in the SDLC is implementation independent.

Physical Design
I. Compare and contrast the Logical Design phase with the Physical Design phase.
II. Recall that the components selected for the system are evaluated on the basis of developing them in-house or purchasing them from a vendor.

Implementation
I. Explain the tasks performed in this part of the SDLC process.
II. Understand that individual components are often tested individually before being tested as a whole system.

Maintenance and Change
I. Present reasons why this phase of the SDLC is often the most time-consuming and expensive.
II. Explain that the life cycle does not have a hard ending for a system once this phase has been completed. Note that the team determines when the investigation phase may need to be launched again sometime in the future.
III. Describe what happens to a system once it has reached the end of its useful life.

Software Assurance
I. Outline the reasons why information security issues are often the consequence of software elements implemented within a system.
II. Define the concept of software assurance (SA) and the evolution of the Software Assurance Initiative created by Joe Jarzombek.
III. Review the elements of the Software Assurance Common Body of Knowledge (SwA CBK) and which sections should be implemented into a software-specific SDLC.

Software Design Principles
I. Review the comments provided by software development leaders J.H. Saltzer and M.D. Schroeder regarding how security considerations are a vital component of good software development.
II. Identify commonplace security principles that must be implemented for a piece of software to be highly effective:
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
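An added example (not from the manual or the textbook) that puts four of these principles into a small authorization gate: fail-safe defaults, complete mediation, separation of privilege and least privilege, with the weak pattern each one prevents shown beside it. The users, roles, actions and approvers are constructed sample data.

```python
"""Saltzer & Schroeder principles in a tiny authorization gate.

Added example, not from the manual or textbook. Users, roles and actions are
constructed sample data; the weak variants show what each principle prevents.
"""

# Constructed sample data. Least privilege: each role gets only what it needs.
USER_ROLES = {"alice": "reader", "bob": "editor", "carol": "admin"}
POLICY = {                       # explicit allow-list (economy of mechanism)
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}
DUAL_CONTROL = {"delete"}        # separation of privilege: two approvers needed


def weak_default_allow(user: str, action: str) -> bool:
    """Anti-pattern: a deny-list with default allow. A user with no role
    entry (or a misspelled role) matches nothing and is therefore allowed."""
    denied = {"reader": {"write", "delete"}, "editor": {"delete"}}
    role = USER_ROLES.get(user, "unknown")
    return action not in denied.get(role, set())


def is_allowed(user: str, action: str, approvers=()) -> bool:
    """Fail-safe default: permitted only when the policy explicitly says so."""
    role = USER_ROLES.get(user)          # role looked up now, not at login
    if action not in POLICY.get(role, set()):
        return False
    if action in DUAL_CONTROL:
        # Separation of privilege: two distinct approvers, excluding the requester.
        return len({a for a in approvers if a != user}) >= 2
    return True


class CachedGate:
    """Anti-pattern for complete mediation: the first decision is remembered,
    so a later role revocation never takes effect for this session."""
    def __init__(self):
        self._cache = {}

    def access(self, user: str, action: str, approvers=()) -> bool:
        key = (user, action)
        if key not in self._cache:
            self._cache[key] = is_allowed(user, action, approvers)
        return self._cache[key]


class MediatedGate:
    """Complete mediation: every access re-evaluates the policy and is logged."""
    def __init__(self):
        self.audit = []              # (user, action, decision)

    def access(self, user: str, action: str, approvers=()) -> bool:
        decision = is_allowed(user, action, approvers)
        self.audit.append((user, action, decision))
        return decision


def revocation_demo() -> dict:
    """Compare both gates before and after bob's editor role is revoked.
    Restores the constructed data afterwards so the function is repeatable."""
    cached, mediated = CachedGate(), MediatedGate()
    before = (cached.access("bob", "write"), mediated.access("bob", "write"))
    saved = USER_ROLES.pop("bob")            # revoke bob's role mid-session
    try:
        after = (cached.access("bob", "write"), mediated.access("bob", "write"))
    finally:
        USER_ROLES["bob"] = saved
    return {"before": before, "after": after}


if __name__ == "__main__":
    print("unknown user, weak gate:", weak_default_allow("dave", "delete"))
    print("unknown user, fail-safe:", is_allowed("dave", "delete"))
    print("revocation (cached, mediated):", revocation_demo())
```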

The NIST Approach to Securing the SDLC
I. Compare the five-phase approach NIST applies with a standard SDLC, which has six phases.
II. Outline the five phases of the NIST approach to an SDLC: initiation, development/acquisition, implementation/assessment, operation/maintenance, and disposal.
III. Recognize that the recommendations provided by NIST are in the context of traditional methods but can be applied to other methods of systems development.

Initiation
I. Examine the differences between this phase and the investigation and analysis phases of a traditional SDLC.
II. Review the key security activities for this phase and the benefits of early planning and awareness of them.

Development/Acquisition
I. Outline the key activities applicable to security and why security components are not sequentially fixed in a top-down manner.
II. Review the core outputs generated from development and/or acquisition activities within this step of the NIST SDLC.

Implementation/Assessment
I. Summarize the key steps performed within this part of the NIST SDLC.

Operations and Maintenance
I. Analyze the tasks required to be performed in this part of the NIST SDLC. Understand that the system often requires enhancements and updates over time, and that it evolves over its useful life.
II. Justify the reasons why a system is updated so that it maintains effectiveness, security, and efficiency.
III. Recognize that a system can reenter a previous phase of the SDLC should necessary modifications warrant it.

Disposal
I. Describe the process outlined for how a system is properly disposed of. Focus should be on preserving all data from the system should it be needed for a future system.
II. Explain why there is often no definitive end for a system.
III. Justify the reasons why information security should be implemented from the time a system is created and not in a particular phase of the SDLC.
IV. Compare and contrast the Microsoft System Security Development Lifecycle (SDL) with the recommendations made by NIST.

Information Security Project Management (11.2–11.4, PPT Slides 19–26 and 28–42)
I. Review and list the five items that often need to change to successfully execute an information security blueprint: procedures, people, hardware, software, and data.
II. Define what a project plan is and its intended purpose within the implementation of the SDLC.
III. Assess the importance of the information security blueprint as it is applied to a project plan.
IV. Identify the three major steps in executing the project plan: project planning, task supervision and action execution, and project wrap-up.
V. Discuss the importance of a project office and the benefit of using one in an information security project.

Developing the Project Plan
I. Recognize that creation of a project plan is often assigned to a project manager or champion.


II. Examine the purpose and contents of a work breakdown structure (WBS):
• Work required to be accomplished
• People or skill sets assigned to perform project tasks
• Timelines, which include a start and end date and the number of hours and work days
• Estimated capital and noncapital expenses
• Identification of dependencies between and among tasks in the project
III. Establish major tasks within a project plan, which can then be divided into subtasks or action steps.
IV. Gain awareness of projectitis and how it can affect project managers and their ability to make progress.

Work to be Accomplished
I. Discuss the importance of differentiating activities and deliverables early in a project and why the project planner needs to provide thorough descriptions of tasks.

Assignments
I. Examine the reasoning behind why a project planner should describe the resources needed to accomplish project tasks.
II. Establish skill sets instead of making individual assignments.

Start and End Dates
I. Define what a project milestone is and the importance of establishing milestones early in the project process.
II. Understand that start and end dates can be added as needed.

Amount of Effort
I. Discuss the process project planners must go through to determine the proper amount of effort required to complete project tasks and subtasks.
II. Recognize that it is best practice to consult people who are familiar with project tasks to get an accurate estimate of the time needed for them.

Estimated Capital Expenses
I. Review the process a project planner executes to accurately determine the costs for each project task.

Estimated Noncapital Expenses
I. Classify the difference between a capital and a noncapital expense.
II. Give examples of commonly used noncapital expenses a project planner needs to incorporate into an information security plan.

Task Dependencies
I. Define the difference between predecessors and successors within a WBS.

Quick Quiz 1
1. Which step of the systems development life cycle (SDLC) reviews issues with a current system and establishes the requirements of the new system being created?
a. maintenance and change
b. investigation
c. analysis
d. physical design
Answer: c
2. Which steps in a traditional SDLC are combined in the first phase of a NIST approach to projects?
a. logical design
b. investigation
c. analysis
d. B and C are correct answers
Answer: d
3. When reviewing the Microsoft SDL, what is the final phase of their plan where an incident response plan is executed?
a. response
b. verification
c. design
d. training
Answer: a
4. What is the situation called when a project manager spends more time adjusting a project management software file than focusing on the project itself?
a. project creep
b. projectitis
c. task delegation
d. strategic project management
Answer: b
5. True or False: When changing a security blueprint, training employees is not included as part of the process.
Answer: False
6. True or False: Major tasks that are part of a work breakdown structure (WBS) are known as subtasks.
Answer: True

Project Planning Considerations
I. Explain the numerous factors that project planners must consider when deciding what to include in a comprehensive work plan.

Financial Considerations
I. Apply a cost-benefit analysis (CBA) to determine the technologies a project requires, their impacts, and their costs.
II. Compare and contrast public and private organizations and their budgetary approaches.
III. Examine and apply benchmarked expenses from organizations similar in nature to gain insight into planned and unplanned spending.

Priority Considerations
I. Establish protocols to determine the order in which information security controls are implemented for a project.

Time and Scheduling Considerations
I. Develop realistic timelines for scheduling security control implementation, training, and other factors that can alter the project's speed and timing.

Staffing Considerations
I. Review staff availability and determine whether new personnel will need to be contracted for the project in order to meet and exceed project goals.

Procurement Considerations
I. Examine possible constraints that can limit which technologies can be used and/or the timing of software purchases needed to complete a project on time.
II. Recognize that financial costs are not the only costs affected when procurement decisions are made; project timing, staffing, and implementation are also affected.

Organizational Feasibility Considerations
I. Construct an action plan in which system users are given transparency regarding the new procedures implemented because of a project.
II. Organize training sessions once processes are in place but prior to implementation to achieve better user buy-in.

Training and Indoctrination Considerations
I. Execute a phased-in or pilot implementation so that change can be made gradually prior to a full rollout of new information security protocols.
II. Ensure that compliance documents are distributed in a timely fashion so that all employees understand and agree to the policies updated because of the project.

Scope Considerations
I. Recognize that the project scope should be as small as possible while still meeting the objectives that are in place.
II. Comprehend that information security projects must be adjusted with care, as they may interrupt an organization's operations and conflict with existing controls.

The Need for Project Management
I. Recognize that a project manager often has a unique set of skills and a thorough understanding of several specialized knowledge categories.
II. Recall that a project manager assigned to an information security project must have experience in the field so that they understand the security environment they are manipulating.

Supervised Implementation
I. Review the purpose of and reasons why a project champion may be installed as the leader of an information security project, and how a project team could be structured as a result.

Executing the Plan
I. Define what a gap analysis is and why it is important to implementing an information security project.
II. Examine the two basic situations in which corrective action is taken when significant deviations occur within project tasks: flawed estimates or lagging performance.
III. Name the three parameters a project manager can adjust to correct tasks:
• Effort and money allocation
• Elapsed time or scheduling impacts
• Deliverable quality or quantity

Project Wrap-Up
I. Describe who is tasked with wrapping up an information security project and the process they follow.
II. Review the tasks that are part of a project wrap-up:
• Documentation collection
• Finalizing status reports
• Delivering a final report
III. Interpret the goals of a project wrap-up so that process improvements can be applied to future projects.

Security Project Management Certifications
I. Analyze the four types of project management certifications that often apply to an information security project:
• GIAC Certified Project Manager
• EC-Council IT Security Project Management
• SIA Certified Security Project Manager
• PMI Project Management Professional

GIAC Certified Project Manager
I. Recall the focus of the SANS Institute and the topic areas covered in its security-focused project management course:
• Earned value technique (EVT)
• Leadership and management strategy
• Project communication management
• Project cost management
• Project human resource management
• Project integration management
• Project management framework and approach
• Project procurement management
• Project quality management
• Project risk management
• Project scope management
• Project stakeholder management
• Project time management

EC-Council IT Security Project Management
I. Recognize the EC-Council and its Certified Project Management (CPM) program as an alternative option for a security professional to become versed in project management fundamentals.
II. State the topics of the program offering:
• Introduction to project management
• Project scope and technology integration
• Project scheduling and time management
• Project cost and budget management
• Project sourcing and vendor management
• Project controls and quality assurance
• Project opportunity and risk management
• Project governance and team management
• Project visualization, analytics, and reporting
• Project stakeholder engagement and expectations management

SIA Certified Security Project Manager
I. Differentiate between the SIA Certified Security Project Management program and the others outlined in the text. Note that this certification focuses primarily on physical security but also includes information security.
II. Identify that its project management certification program is the Certified Security Project Manager (CSPM).

PMI Project Management Professional
I. Relate that the Project Management Professional (PMP) certification is often regarded as the premier certification in the field.

Technical Aspects of Implementation (11.5, PPT Slides 45–52)
I. Differentiate between conversion strategies, prioritization among multiple components, outsourcing, and technology governance.

Conversion Strategies
I. Examine the four commonly used strategies for transitioning from an old system to a new system:
• Direct changeover
• Phased implementation
• Pilot implementation
• Parallel operations
II. Recognize that, for a smooth transition, the existing system must remain functional until the new system taking its place is fully operational.

Direct Changeover
I. Present the idea that this type of conversion is known as a "cold-turkey" approach because it stops using the old method and immediately implements the new one.
II. Interpret examples of a direct changeover strategy that can be implemented in an information security framework:
• Password resets with stronger levels of authentication
• Firewall replacements
III. Understand that the major drawback of this approach is that, without complete testing, users may be left without a working system while bugs are worked out.

Phased Implementation
I. Comprehend that this is the most common approach to system implementation. It applies a measured rollout of the planned system while the old one is retired piece by piece.
II. Justify that this approach is the best to use for security project implementation.

Pilot Implementation
I. Establish an understanding that the entire security system is put into a single entity, such as an office, department, or division, prior to a full implementation rollout.
II. Recognize that this approach provides predictability about what needs adjusting while minimally interfering with the organization's performance as the system is optimized.

Parallel Operations
I. Summarize that this system implementation approach has both systems running at the same time.
II. Recognize that this approach is often the most complex, although it provides an opportunity for the old system to act as a backup should the new one fail.
III. Conclude that the drawback to this approach is that both systems require maintenance for the time they are both operational.
IV. Interpret examples of a direct changeover strategy that can be implemented in an information security framework.

The Bull's-Eye Model
I. Discuss the purpose of this four-layered model with respect to the project plan process:
• Policies: the outermost layer of the diagram. It provides the ground rules that systems must follow to function correctly. When implementing complex changes, policies should be used to provide clarity about the purpose of the project being executed.
• Networks: recognize that for a long time information security focused strictly on this layer. Now, though, it is more complex because the infrastructure encounters threats from public networks. This layer also covers authentication and authorization for connecting to an organization's systems via public networks.
• Systems: gain an understanding that the more complex a system is, the harder it is to maintain a secure environment for it. This layer includes servers and desktops as well as process control and manufacturing systems.
• Applications: the innermost layer of the model; it includes the programs that help run an organization so work can be completed. Examples include office automation, e-mail programs, and customized software packages.
II. Applying this model provides the knowledge necessary to decide where to focus resources and capabilities in the information security blueprint, which is then applied to the overall project plan.
III. Understand how the following relate to what the model dictates regarding information security practices:
• No additional resources should be spent on controls until a sound and usable IT and information security policy is in place and deployed.
• Unless the policy needs of the organization require adjustment, all resources should be focused on the goal of having strong network controls in place.
• Once policies and network controls are established, implementation should focus primarily on the process and manufacturing systems and on information.
• Provided that assurance is achieved and the policies in place are solid, attention can then be diverted to assessing and remediating the security needs of the organization's applications. Critical applications should, by default, get the most attention.

To Outsource or Not
I. Define best practices for when an organization should outsource its information security rather than attempt to do it in-house.
II. Emphasize that, if this option is chosen, information security should be part of the contract arrangement with the selected supplier.

Technology Governance and Change Control
I. Review the concepts of technology governance and change control and how they apply to a project plan:
• Technology governance is the set of policies that determine how often technical systems are updated, approved, and funded.
• Change control is the set of processes that medium-sized businesses often use to control adjustments to their systems. The benefits of using this option often include improved communication about system changes, enhanced coordination between groups, limited disruptions, higher quality of service levels, and management assurance that all are complying with policies for technology governance, procurement, accounting, and information security.

The Center for Internet Security's Critical Security Controls
I. Define what the Center for Internet Security (CIS) is and its purpose in assisting with cyberattacks and methods to control them through the Multi-State Information Sharing and Analysis Center (MS-ISAC).
II. Examine the U.S. National Security Agency (NSA) approach of "offense must inform defense," so that controls are implemented based on a prioritization model intended to block actual threats rather than generate compliance documentation.
III. Review the three levels of controls that the CIS established to create a framework that emphasizes standardized approaches and automation wherever possible or practical.

Nontechnical Aspects of Implementation (11.6, PPT Slide 55)
I. Recall that not all aspects of implementing an information security project plan are technical; many deal with human interfaces and interactions.
II. Recognize that a culture of change management is necessary for organizations facing change over time.

The Culture of Change Management
I. Comprehend that the foundation of change management is the mood and philosophy of the organization and how it adapts when changes are made.
II. Apply the Lewin change model to minimize cultural disruptions:
• Unfreezing is the thawing of hard-and-fast habits and established procedures. Preparing the organization for major changes through training and awareness assists with the adoption of the net results of a project.
• Moving is the transition from the old system to the new system. This often includes physical implementation of the new methods and departure from existing, outdated ones.
• Refreezing is the integration of the new method into the culture of the organization. An atmosphere of change acceptance is achieved, the new way of accomplishing a task is the one used going forward, and the old methods are no longer valid.

Considerations for Organizational Change
I. Recognize that organizational change often involves resistance from others and requires developing a culture that welcomes change.

Reducing Resistance to Change from the Start
I. Analyze how the level of resistance to change can affect the implementation of procedural and managerial changes when a new system is adopted.
II. Recall that the more ingrained previous methods and behaviors are, the more difficult the required changes will be to implement.
III. Review the three-step process that project managers can use to reduce resistance to change from the start of a project:
• Communication
• Education
• Involvement

Developing a Culture That Supports Change
I. Review the fact that a resilient culture will prohibit necessary changes within an organization that projects attempt to achieve.
II. Identify a project champion, often at the executive level, who can provide support for the changes that need to be made.

Quick Quiz 2

1. Which layer of the bull's-eye model should information security projects focus the most on?
a. networks
b. policies
c. systems
d. applications
Answer: a

2. Which changeover strategy should be used when transitioning from an old system to a new system gradually?
a. direct
b. pilot
c. phased
d. parallel
Answer: c

3. The ________ is a certification program that is administered by the Security Industry Association (SIA).
a. CAPM
b. CSPM
c. PMP
d. ECCPM
Answer: b

4. Which consideration is focused on the selection of equipment and services for a project?
a. staffing
b. organizational feasibility
c. procurement
d. scope
Answer: c

5. True or False: The parallel operations conversion strategy often involves running two systems concurrently.
Answer: True

6. True or False: The Center for Internet Security (CIS) outlines three categories of control to detect, prevent, respond to, and mitigate damage from attacks: Basic, Foundational, and Organizational.
Answer: True

[return to top]

Discussion Questions
You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:
1. Outsourcing is a common option an organization can use to complete projects when resources are limited or specific skill sets are not available. However, there are times when it may do more harm than good. What are some instances in which outsourcing should not be considered when implementing information security? (11.3, PPT Slides 29–37) Duration 15 minutes.
2. Why are project management professionals with information security credentials critical to the success of projects of this type? (11.4, PPT Slide 39) Duration 15 minutes.
3. What additional nontechnical problems, not mentioned in the text, can arise when implementing information security changes? Why are these important to address? (11.6, PPT Slide 55) Duration 15 minutes.

[return to top]

Suggested Usage for Lab Activities
A series of hands-on labs has been developed to complement the text material for this course; they are available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab Title: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes. Phishing E-Mail lab in 60 to 75 minutes.

Lab Title: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab Title: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab Title: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.
Duration: 30 minutes to 1 hour

Lab Title: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab Title: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab Title: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab Title: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab Title: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.
Duration: 2–3 hours

Lab Title: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

[return to top]

Additional Activities and Assignments
Please see the associated solutions for the Closing Scenario at the end of the textbook module. Additional project options include:
1. Develop an exercise that consists of a defined information security project and have your students develop an appropriate project plan. The students should use a simple planning tool such as a work breakdown structure (WBS).
2. Provide students with a link to the PMI Web site (www.pmi.org) and describe the PMI mission and objectives.

[return to top]

Additional Resources

Internet Resources
• Azure Development Environment and DevSecOps
• Microsoft SDL
• Project Management Certifications in the Federal Sector
• Project Management Institute
• Sample Change Management and Control Policy Template
• SANS GIAC Certified Project Manager Certification
• Software Assurance Common Body of Knowledge
• The Case for Outsourcing Security—Bruce Schneier

[return to top]

Appendix

Grading Rubrics
Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students' work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale and the discussion rubric indicates 30 points.

Grading Rubric
These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 – Exceeds Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 – Meets Expectations
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 – Needs Improvement
• Student's response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student's response is poorly developed or incomplete.

0 – Inadequate
• Student's response is missing or incomplete.
• Student's response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.

[return to top]


Instructor Manual: Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 12: Information Security Maintenance

Instructor Manual Whitman and Mattord, Principles of Information Security 7e, ISBN 978-0-357-50643-1; Module 12: Information Security Maintenance

Table of Contents
Purpose and Perspective of the Module ..... 2
Cengage Supplements ..... 2
Module Objectives ..... 2
Complete List of Module Activities and Assessments ..... 3
Key Terms ..... 3
What's New in This Module ..... 5
Module Outline ..... 5
Discussion Questions ..... 28
Suggested Usage for Lab Activities ..... 29
Additional Activities and Assignments ..... 30
Additional Resources ..... 31
    Internet Resources ..... 31
Appendix ..... 32
    Grading Rubrics ..... 32

Purpose and Perspective of the Module
In the final module of the text, learners discuss the need for the ongoing maintenance that an information security program requires. This includes reviewing various recommended security management models to establish a full maintenance program. Within the maintenance program, students learn the key factors that may influence internal and external environments and how they affect system monitoring. Another important topic is the planning that must take place for a system to remain online at all times. While that is the optimal outcome, it may not always be achieved; hence planning, risk assessment, vulnerability assessment, and remediation tie into this exercise. Finally, the development of readiness and review procedures and physical security controls round out this important concluding module.

Cengage Supplements
The following product-level supplements provide additional information that may help you in preparing your course. They are available in the Instructor Resource Center.
• PowerPoint slides
• Test banks, available in Word, as LMS-ready files, and on the Cognero platform
• MindTap Educator Guide
• Solution and Answer Guide
• This instructor's manual

Module Objectives
The following objectives are addressed in this module:
12.1 Discuss the need for ongoing maintenance of the information security program.
12.2 Describe recommended security management models.
12.3 Define a model for a full maintenance program.
12.4 Identify the key factors involved in monitoring the external and internal environment.
12.5 Describe how planning, risk assessment, vulnerability assessment, and remediation tie into information security maintenance.
12.6 Explain how to build readiness and review procedures into information security maintenance.
12.7 Discuss physical security controls.

Complete List of Module Activities and Assessments
For additional guidance refer to the MindTap Educator Guide.

Module Objective | PPT slide | Activity/Assessment | Duration
12.1 | 18–19 | Knowledge Check Activity 1 | 2 minutes
12.2–12.6 | 37–38 | Knowledge Check Activity 2 | 2 minutes
12.7 | 57–58 | Knowledge Check Activity 3 | 2 minutes
12.1–12.7 | 71 | Self-Assessment | 5 minutes
          | MindTap | Module 12 Review Questions | 30–40 minutes
          | MindTap | Module 12 Case Exercises | 30 minutes
          | MindTap | Module 12 Exercises | 10–30 minutes per question; 1+ hour per module
          | MindTap | Module 12 Security for Life | 1+ hour
          | MindTap | Module 12 Quiz | 10–15 minutes

[return to top]

Key Terms
In order of use:

configuration and change management (CCM): An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.
configuration management: See configuration and change management (CCM).
InfoSec performance management: A process of designing, implementing, and managing the use of specific measurements to determine the effectiveness of the overall security program.
metric: A term traditionally used to describe any detailed statistical analysis technique on performance, but now commonly synonymous with performance measurement. See performance measurements.
performance measurements: Data or the trends in data that may indicate the effectiveness of security countermeasures or technical and managerial controls implemented in the organization. Also known as performance measures or metrics.
performance measures: See performance measurements.
external monitoring domain: The component of the maintenance model that focuses on evaluating external threats to the organization's information assets.
internal monitoring domain: The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.
difference analysis: A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).
planning and risk assessment domain: The component of the maintenance model that focuses on identifying and planning ongoing information security activities and identifying and managing risks introduced through IT information security projects.
vulnerability assessment and remediation domain: The component of the maintenance model focused on identifying specific, documented vulnerabilities and remediating them in a timely fashion.
vulnerability assessment (VA): The process of identifying and documenting specific and provable flaws in the organization's information asset environment.
penetration testing: A set of security tests and evaluations that simulate attacks by a hacker or other malicious external source.
Internet vulnerability assessment: An assessment approach designed to find and document vulnerabilities that may be present in the organization's public-facing networks.
intranet vulnerability assessment: An assessment approach designed to find and document selected vulnerabilities that are present on the organization's internal networks.
platform security validation (PSV): An assessment approach designed to find and document vulnerabilities if misconfigured systems are used within the organization.
wireless vulnerability assessment: An assessment approach designed to find and document vulnerabilities in the organization's wireless local area networks.
war driving: The use of mobile scanning techniques to identify open wireless access points.
remediation: The processes of removing or repairing flaws in information assets that cause a vulnerability or reducing or removing the risk associated with the vulnerability.
physical security: The protection of physical items, objects, or areas from unauthorized access and misuse.
facilities management: The aspect of organizational management focused on the development and maintenance of buildings and physical infrastructure.
secure facility: A physical location with access barriers and controls in place to minimize the risk of attacks from physical threats.
tailgating: The process of gaining unauthorized entry into a facility by closely following another person through an entrance and using the credentials of the authorized person to bypass a control point.
mantrap: A small room or enclosure with separate entry and exit points, designed to restrain a person who fails an access authorization attempt.

[return to top]

What's New in This Module

The following elements are improvements in this module from the previous edition:
• This module was Chapter 12 in the 6th edition.
• Digital forensics was moved to Module 5 to be integrated with the coverage of incident response.
• The content on physical security that was formerly in Chapter 9 of the 6th edition was reorganized and compressed and moved to this module.
• Additional content was added on security performance measures and benchmarking.

[return to top]

Module Outline

Introduction To Information Security Maintenance (12.1, PPT Slides 3–17)

I. Review how the successful implementation and testing of a new and improved security profile may provide a false sense of security for an organization as it feels more confident about the protection level it receives. The organization should always be on guard.

II. Outline that once changes have been implemented and mandated by an upgraded security program, a lot of time has likely passed. Hence, the environment and security needs may have already changed and need additional refinement.

III. Review factors that may influence or trigger changes that have to be made in an information security environment:
• Acquisitions of new assets and the divestiture of old assets
• Emergence of vulnerabilities associated with new or existing assets
• Shifting business priorities
• The formation of new partnerships and potential dissolution of old partnerships
• The departure of personnel who were trained, educated, and aware of policies, procedures, and technologies within the business
• The hiring of personnel

IV. Emphasize that if a strong structure of procedures and systems is in place that can adjust to ever-changing environmental conditions, the security protocols in place are likely to remain sufficient.

Security Management Maintenance Models (12.1, PPT Slides 3–17)

I. Establish an understanding that an organization must adopt a management maintenance model for its information security systems.

II. State that continuous improvement is essential to keep the model current so that it protects the information within it.

III. Recall the fact that, generally, management models are frameworks that structure the tasks of managing a particular set of activities or business functions.

NIST SP 800-100, “Information Security Handbook: A Guide for Managers”

I. Review the purpose of the NIST SP 800-100 handbook. Note that this document is a guide to information security governance and provides managerial guidance for the establishment and implementation of an information security program.

II. Recognize that this handbook addresses the ongoing tasks expected of an information security manager once the program is working and day-to-day operations are established.

III. Identify the 13 core areas of information security that are presented in the handbook:
• Information Security Governance
• Systems Development Life Cycle
• Awareness and Training
• Capital Planning and Investment Control
• Interconnecting Systems
• Performance Management
• Security Planning
• Information Technology Contingency Planning
• Risk Management
• Certification, Accreditation, and Security Assessments
• Security Systems and Products Acquisition
• Incident Response
• Configuration and Change Management

1. Information Security Governance

I. Comprehend that an effective information security governance program requires continuous review so that it remains relevant and accurate.

II. Reference Table 12-1, as this illustration provides a broad overview of key ongoing activities that can assist in monitoring and improving an agency’s information governance activities. Agencies should monitor the status of their programs to ensure that:
• Ongoing information security activities provide the appropriate support to the goals aligned with the agency mission.
• Policies and procedures are current and aligned with evolving technologies, if appropriate.
• Controls are accomplishing their intended purpose.
• Performance improvements are communicated so that security program managers can help identify areas which need improvement.

2. Systems Development Life Cycle

I. Analyze and distinguish the importance of information security activities being a critical component of the systems development life cycle (SDLC).

II. Outline the six common core components of the SDLC and ongoing information security activities within them.

III. Reference Table 12-2 and gain an understanding that a preliminary risk assessment is required to be done early in the life cycle so opportunities for security implementation can be done properly.

IV. Define the purpose of configuration and change management (CCM) and that the system’s constant evolution is important to monitor and keep up to date.

3. Awareness and Training

I. Discuss awareness and training as the backbone of an information security program, ensuring that all users are both aware and trained on a minimum level of information security.

II. Establish key performance indicators or other metrics to identify gaps or problems within an information security system.

4. Capital Planning and Investment Control

I. Identify the concept of capital planning and investment control and its relation to an information security system.

II. Establish key performance indicators or other metrics to identify gaps or problems within an information security system.

III. Recall the importance that a formal enterprise capital planning and investment control process for the investment life cycle results in a seven-step process for prioritizing security investments:
• Identify the baseline.
• Identify prioritization requirements.
• Conduct enterprise-level prioritization.
• Conduct system-level prioritization.
• Develop supporting materials.
• Implement an investment review board (IRB) and portfolio management.
• Submit any required budget approval paperwork.

5. Interconnecting Systems

I. Define system interconnections and why an organization chooses to interconnect information systems.

II. Interpret the risks associated with interconnecting information systems within an organization.

III. Review the NIST SP 800-47 four-phase life cycle management approach as outlined: planning, establishing, maintaining, and disconnecting interconnections.

IV. Analyze Table 12-3 for a checklist that an organization should apply when considering interconnecting multiple systems and identify issues that may need to be resolved should something occur.

6. Performance Management

I. Define the purpose of InfoSec performance management and the data that it produces.

II. Explain what the purpose of performance measurements (or measures) is and why they need to be monitored in order to make managerial decisions, hold personnel accountable, and improve the effectiveness of the InfoSec function.

III. Review the three types of measurements that organizations commonly apply to performance measurement:
• Effectiveness of the execution of InfoSec policies
• Efficiency of the delivery of InfoSec services
• Impacts of an incident or other security event on the organization or its mission

IV. Classify the four factors that are critical to an InfoSec performance program as outlined in SP 800-55, Rev. 1.

V. Outline the two major activities recommended by NIST with respect to InfoSec measurement development processes: identification and definition, and measure development and selection. Additionally, examine the seven phases that these activities comprise.

VI. Explain how the 60 percent rule can be used by security personnel when exploring the issues of system and network performance.

7. Security Planning

I. Relate that planning is one of the most critical ongoing responsibilities in security management.

II. Emphasize the importance of strategic, tactical, and operational plans that must be developed in alignment with and support of organizational and IT plans, goals, and objectives for a cohesive strategy.

8. Information Technology Contingency Planning

I. Outline what needs to be included in an information technology contingency plan. Items of note include a process for recovery and documentation of procedures for conducting recovery.

II. Stress that contingency plans must always be in a ready state and be able to be used immediately should an emergency occur.

9. Risk Management

I. Critique the reality that risk management is a cyclical event that is fundamental to the information security program and requires continuous improvement.

II. Examine that the principal goal is to protect the organization while the ability to perform its mission remains untouched.

III. Recognize that risk management carries through the entire process of the SDLC, and no one step is excluded from it.

10. Certification, Accreditation, and Security Assessments

I. Comprehend that security certification and accreditation processes are strictly designed to ensure that an information system operates with the appropriate management review, ongoing security controls, and the awareness that reaccreditation periodically occurs.

II. Review the components of an effective monitoring program:
• Configuration management and configuration control processes for the information system
• Security impact analyses of changes to the information system
• Assessment of selected security controls in the information system and reporting of the system’s security status to appropriate organization officials

III. Summarize program questions within Table 12-5 with regard to what is commonly included in an information security assessment survey.

11. Security Services and Product Acquisition

I. Define the purpose of a cost-benefit analysis when acquiring products or services for information security system purposes.

II. Decide what the tolerance level is based on the analysis with respect to the life cycle cost estimate for the status quo and one for each alternative selected as part of the process.

III. Review Table 12-6, which illustrates six phases of the information security services life cycle, as they are slightly different compared to a traditional SDLC.

12. Incident Response

I. Stress the importance of accurate reporting, information gathering, and resolution as to when and why an attack occurs.

II. Conclude that a well-defined incident response capability helps the organization detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations in a short period of time.

III. Emphasize the importance of help-desk technicians or other IT personnel and the differences between a security problem and other systems problems that may occur in an organization.

13. Configuration and Change Management

I. Define that the purpose of configuration and change management is to manage the effects changes have on an information system and/or network.

II. Express an understanding that configuration management varies widely from one organization to another.

III. Discuss why information system changes must be continuously monitored and managed to protect the health of an information security system.

IV. Review the following terms as they apply to change management processes:
• Configuration item
• Configuration
• Version
• Built list
• Major release
• Revision date
• Software library
• Minor release

V. Explain the change management (CM) process and the steps required to ensure that all changes are properly requested, evaluated, and authorized. Review the five steps that make up this process:
• Step 1: Identify change
• Step 2: Evaluate change request
• Step 3: Implementation decision
• Step 4: Implement approved change request
• Step 5: Continuous monitoring

Quick Quiz 1

1. An effective information security governance program requires a(n) ________ review.
a. periodic
b. constant
c. consistent
d. annual
Answer: b

2. Which of the following is defined as the direct connection of two or more information systems for sharing data and other information resources?
a. system interconnection
b. process interconnection
c. resource interconnection
d. data interconnection
Answer: a

3. Which of the following types of planning consists of a process for recovery and documentation of procedures for conducting recovery?
a. security
b. contingency
c. risk management
d. performance
Answer: b

4. Which of the following terms best describes the process of repairing known vulnerabilities?
a. monitoring
b. testing
c. patching
d. updating
Answer: c

5. True or False: With respect to changes that often occur in information security systems, persons maintaining the system often need to do major and minor release updates to ensure that the system is continuously up to date.
Answer: True

6. True or False: Among other factors, one of the things that is NOT likely to change with respect to an organization's information security environment is the dissolution of old partnerships. They are present indefinitely.
Answer: False

The Security Maintenance Model (12.2–12.6, PPT Slides 20–36 and 39–40)

I. Comprehend that the recommended security maintenance model is dependent on the following subject areas (or domains): external monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review.

II. Relate the fact that maintenance models focus on an organization’s efforts to maintain the systems it has.

Monitoring the External Environment

I. Understand that the objective of the external monitoring domain process in the maintenance model is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense.

II. Gain awareness that external monitoring entails collecting intelligence from data sources and then giving that intelligence context and meaning for use by decision makers within the organization.

Data Sources

I. Categorize the purpose and types of data sources that are provided relevant to monitoring external environments. Highlighted sources that these can come from include:
• Vendors
• CERT organizations
• Public network sources
• Membership sites

II. Review Table 12-8, as it provides several different external intelligence sources that can aid in collecting data on external threats. Stress that this is not an all-inclusive list.

III. Stress the importance of the CISO and their role in creating an effective external monitoring program. Tasks that this individual and their team may need to perform include:
• Staff the function with people who understand the technical aspects of information security, have a comprehensive understanding of the IT infrastructure, and have a thorough grounding in the organization’s business operations.
• Provide up-to-date documented and repeatable procedures.
• Train primary and backup staff assigned to perform the monitoring tasks.
• Equip assigned staff with proper access and tools to perform the monitoring function both on-site and off-site when applicable.
• Cultivate expertise among the monitoring analysts so that they can cull meaningful summaries and actionable alerts from the vast flow of raw intelligence.
• Develop suitable communications methods for moving processed intelligence to designated internal decision makers in all three communities of interest.
• Integrate the incident response plan with the results of the external monitoring process for appropriate, timely responses.

Monitoring, Escalation, and Incident Response

I. Compose a monitoring, escalation, and incident response process with information provided in the text. Understand that the basic function of the external monitoring process is to monitor activity, report results, and escalate warnings.

II. Compare three primary deliverables that a monitoring process delivers to end users and the information security team:
a. Specific warning bulletins issued when developing threats and specific attacks pose a measurable risk to the organization.
b. Periodic summaries of external information.
c. Detailed intelligence on the highest risk warnings.

Data Collection and Management

I. Compile executive summaries and data to present to executive leadership so they are abreast of external environmental forces on the organization’s systems and of action plans that can be taken in time to maintain the integrity of the system.

Monitoring the Internal Environment

I. Define the purpose of an internal monitoring domain, which is an informed awareness of the state of the organization’s networks, information systems, and information security defenses.

II. Review the core components that internal monitoring is composed of:
• Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
• Leading the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs
• Monitoring of IT activity in real time using IDPS to detect and initiate responses to specific actions or trends of events that introduce risk to the organization’s assets
• Monitoring the internal state of the organization’s networks and systems

Network Characterization and Inventory

I. Recall the network characterization and inventory process. Regardless of an organization’s size, it must have a fully populated inventory for all network devices, communication channels, and computing devices (through the process known as characterization). Once the characteristics have been identified, they must be carefully organized and stored using a manual or automated mechanism that allows timely retrieval and rapid integration of disparate facts.

Making IDPSs Work

I. Demonstrate the thought that for internal monitoring to be successful, information coming from an IDPS must be integrated into the maintenance process. Additionally, review the purposes of the IDPS, as they include raw intelligence of anomalies that occur in an information system program and traffic analysis that can show spikes that could be a result of an attempted attack on the system.

Detecting Differences

I. Explain the concept of difference analysis and apply the purpose to the contents located in Table 12-9 with respect to different types of difference analyses.

II. Conclude that the value of an analysis is dependent on the quality of the baseline and the degree to which a notification of discovered differences induces actions.
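An added example, not from the textbook or its authors, of the difference analysis defined in this module: a baseline of systems and services for one network segment is compared with the current scan, and only differences not covered by an approved change are flagged to induce action. The hosts, ports, approved-change list and rebaselining rule are constructed for illustration.

```python
"""Difference analysis over a network segment: the current scan of systems and
services is compared against the known baseline, and only differences that are
not covered by an approved change are flagged as needing action.

Added example for this module; not from the textbook or its authors.  The
baseline, the scan results and the approved-change list are constructed data.
"""
from dataclasses import dataclass

# Baseline of systems and services for one segment: host -> {(port, service)}.
# Constructed sample data, not a real network.
BASELINE = {
    "10.0.5.10": {(22, "ssh"), (443, "https")},
    "10.0.5.11": {(22, "ssh"), (3306, "mysql")},
}

# Current state of the same segment as reported by the latest scan (constructed).
CURRENT = {
    "10.0.5.10": {(22, "ssh"), (443, "https"), (8080, "http")},
    "10.0.5.11": {(22, "ssh")},
    "10.0.5.12": {(23, "telnet")},
}


@dataclass(frozen=True)
class Difference:
    host: str
    kind: str         # new_host | missing_host | new_service | missing_service
    detail: str
    actionable: bool  # True: raise a ticket; False: record in the periodic summary


def difference_analysis(baseline, current, approved_changes=frozenset()):
    """Return every difference between the baseline and the current state.

    approved_changes holds (host, port) pairs that change management has
    authorized since the baseline was taken; a new service matching one of
    them is still reported but does not demand action.  Anything that
    disappeared is recorded for the summary rather than ticketed, because a
    missing service is an availability question, not a new exposure.
    """
    diffs = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            # A host the baseline never knew about is the most urgent case.
            diffs.append(Difference(host, "new_host",
                                    f"{len(current[host])} service(s) exposed", True))
        elif host not in current:
            diffs.append(Difference(host, "missing_host",
                                    "host absent from current scan", False))
        else:
            for port, svc in sorted(current[host] - baseline[host]):
                approved = (host, port) in approved_changes
                diffs.append(Difference(host, "new_service", f"{port}/{svc}", not approved))
            for port, svc in sorted(baseline[host] - current[host]):
                diffs.append(Difference(host, "missing_service", f"{port}/{svc}", False))
    return diffs


def notifications(diffs):
    """Split findings into the two outputs the analysis exists to produce:
    alerts that should induce action, and lines for the periodic summary."""
    alerts = [f"ALERT {d.host} {d.kind}: {d.detail}" for d in diffs if d.actionable]
    summary = [f"{d.host} {d.kind}: {d.detail}" for d in diffs if not d.actionable]
    return alerts, summary


def rebaseline(baseline, current, approved_changes):
    """Fold approved changes into the baseline so they stop appearing as
    differences.  Keeping the baseline current is what keeps the analysis
    valuable; unapproved differences are deliberately NOT absorbed."""
    updated = {h: set(s) for h, s in baseline.items()}
    for host, port in approved_changes:
        for p, svc in current.get(host, ()):
            if p == port:
                updated.setdefault(host, set()).add((p, svc))
    return updated


if __name__ == "__main__":
    found = difference_analysis(BASELINE, CURRENT, approved_changes={("10.0.5.10", 8080)})
    alerts, summary = notifications(found)
    print("\n".join(alerts + summary))
```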

Planning and Risk Assessment

I. Name the primary objective of the planning and risk assessment domain. The objective is to keep an eye on the entire information security program, in part by identifying and planning ongoing information security activities to reduce risk over time.

II. Review the following objectives of this domain:
• Establish a formal review process for the information security program that complements and supports both IT planning and strategic planning.
• Institute formal project identification, selection, planning, and management processes for follow-up activities that augment the current information security program.
• Coordinate with IT project teams to introduce risk assessment and review for all IT projects so that risks introduced by the launches of new IT projects are identified, documented, and factored into decisions about the projects.
• Integrate a mindset of risk assessment throughout the organization that encourages other departments to perform risk assessment activities when any technology system is implemented or modified.

III. Examine that the risk assessment group also identifies and documents risks introduced by both IT projects and information security projects. The group also identifies and documents risks that may be latent in the present environment.

Information Security Program Planning and Review

I. Outline the following issues that often come up with respect to information security program planning and review:
• An organization should periodically review its ongoing information security program and any planning for enhancements and extensions.
• The strategic planning process should examine the future IT needs of the organization and the impact those needs will have on information security.
• A recommended approach is to take advantage of the fact that most larger organizations have annual capital budget planning cycles.
• Projects that organizations might fund to maintain, extend, or enhance the information security program will arise in almost every planning cycle. Larger information security projects should be broken into smaller, incremental projects.

II. Examine the reasons why larger information security projects should be broken down into smaller or more incremental projects. They include the following:
• Smaller projects tend to have more manageable impacts on the networks and users.
• Larger projects tend to complicate the change control process in the implementation phase.
• Shorter planning, development, and implementation schedules reduce any uncertainty for IT planners and financial sponsors.
• Most large projects can easily be broken into smaller projects, providing more opportunities to change direction and gain flexibility as events occur and circumstances change.

Security Risk Assessments

I. Identify the purpose of risk assessments and why they are the core component that drives change in the information security programs executed.

II. Outline, compare, and contrast different types of risk assessment (RA) documents as mentioned in the text:
• Network connectivity RA
• Business partner RA
• Application RA
• Vulnerability RA
• Privacy RA
• Acquisition or divestiture RA

III. Review the structure and components provided in Table 12-10 that are commonly included in a risk assessment document.

Vulnerability Assessment and Remediation

I. Analyze and define the primary goal of the vulnerability assessment and remediation domain.

II. Review the following tasks that are used to accomplish the goals this domain attempts to achieve:
• Using documented vulnerability assessment procedures to safely collect intelligence about internal and public networks; platforms, including servers, desktops, and process control; and wireless network systems
• Documenting background information and providing tested remediation procedures for reported vulnerabilities
• Tracking vulnerabilities from the time they are identified until they are remediated, or the risk of loss has been accepted by an authorized member of management
• Communicating vulnerability information, including an estimate of the risk and detailed remediation plans, to the owners of vulnerable systems
• Reporting on the status of vulnerabilities that have been identified
• Ensuring that the proper level of management is involved in deciding to accept the risk of loss associated with unrepaired vulnerabilities

III. Outline the four common vulnerability assessment (VA) processes as depicted in Figure 12-8.
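An added example, not from the textbook or its authors, of the tracking and reporting tasks listed above: each finding is tracked from identification until it is remediated or its risk is accepted by a role authorized for its response risk level, and a status report is produced per level. The response-level rule, the acceptance-authority table and the sample records are constructed assumptions.

```python
"""Tracking a vulnerability from identification until it is remediated or its
risk is accepted by an authorized member of management.  Added example for this
module, not from the textbook; the response-level rule, the acceptance-authority
table and the sample records are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Assumption: management roles allowed to accept residual risk at each level.
ACCEPTANCE_AUTHORITY = {
    "urgent": {"CISO"},
    "critical": {"CISO", "IT Director"},
    "routine": {"CISO", "IT Director", "System Owner"},
}


def response_risk_level(public_facing, remotely_exploitable, holds_sensitive_data):
    """Assumed rule separating the truly urgent from the merely critical,
    based on the exposure and exploitability recorded for the finding."""
    if public_facing and remotely_exploitable:
        return "urgent"
    if remotely_exploitable or holds_sensitive_data:
        return "critical"
    return "routine"


@dataclass
class Vulnerability:
    vuln_id: str
    host: str
    description: str
    level: str
    identified: date
    status: str = "open"          # open | remediated | risk_accepted
    history: list = field(default_factory=list)

    def _require_open(self):
        if self.status != "open":
            raise ValueError(f"{self.vuln_id} already closed as {self.status}")

    def remediate(self, when, note):
        self._require_open()
        self.status = "remediated"
        self.history.append((when, f"remediated: {note}"))

    def accept_risk(self, who, role, when, justification):
        """Closing by risk acceptance needs a role authorized for this level;
        an unauthorized attempt is refused rather than silently recorded."""
        self._require_open()
        if role not in ACCEPTANCE_AUTHORITY[self.level]:
            raise PermissionError(f"{role} may not accept {self.level} risk")
        self.status = "risk_accepted"
        self.history.append((when, f"risk accepted by {who} ({role}): {justification}"))


def status_report(vulns, today):
    """Per response level: open and closed counts and the age of the oldest open item."""
    report = {}
    for v in vulns:
        entry = report.setdefault(v.level, {"open": 0, "closed": 0, "oldest_open_days": 0})
        if v.status == "open":
            entry["open"] += 1
            entry["oldest_open_days"] = max(entry["oldest_open_days"], (today - v.identified).days)
        else:
            entry["closed"] += 1
    return report


def sample_records():
    """Constructed records from one assessment cycle (not real findings)."""
    return [
        Vulnerability("VA-0001", "10.0.5.12", "telnet enabled on DMZ host",
                      response_risk_level(True, True, False), date(2022, 3, 1)),
        Vulnerability("VA-0002", "10.0.5.11", "database reachable without TLS",
                      response_risk_level(False, True, True), date(2022, 3, 1)),
        Vulnerability("VA-0003", "10.0.5.10", "outdated service banner",
                      response_risk_level(False, False, False), date(2022, 3, 3)),
    ]


def run_cycle():
    """Walk the sample records through one cycle; returns whether the
    unauthorized acceptance was refused and the resulting status report."""
    recs = sample_records()
    refused = False
    try:  # a system owner may not accept urgent risk
        recs[0].accept_risk("A. Owner", "System Owner", date(2022, 3, 5), "legacy device")
    except PermissionError:
        refused = True
    recs[0].remediate(date(2022, 3, 6), "telnet disabled, SSH enforced")
    recs[1].accept_risk("B. Director", "IT Director", date(2022, 3, 7), "internal only; TLS rollout planned")
    return refused, status_report(recs, date(2022, 3, 10))
```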

Penetration Testing

I. Recognize the fact that a penetration test, or pen test, is performed as part of a full-scale security audit.

II. Highlight that vulnerability testing is usually performed inside the organization’s security perimeter with complete knowledge of the networks’ configuration and operations; pen testing can be conducted in one of two ways—black box pen testing and white box pen testing.

III. Point out that in black box pen testing, or blind testing, the “attacker” has no prior knowledge of the systems or network configurations and thus must investigate the organization’s information infrastructure from scratch. In white box testing, also known as full-disclosure testing, the organization provides information about the systems to be examined, allowing for a faster, more focused test.

IV. Emphasize that a common methodology for pen testing is found in the Open Source Security Testing Methodology Manual (OSSTMM), a manual on security testing and analysis created by Pete Herzog and provided by ISECOM, the nonprofit Institute for Security and Open Methodologies.

Internet Vulnerability Assessment

I. Define the purpose of an Internet vulnerability assessment and outline the steps that make up the process:
• Planning, scheduling, and notification of penetration testing
• Target selection
• Test selection
• Scanning
• Analysis
• Record keeping

II. Emphasize the fact that devices that personnel bring from the outside onto the network (known as BYOD) are in scope for a vulnerability assessment—whether for an Internet or intranet review.

III. Construct the sequence of processes that make up an intranet vulnerability assessment. Like an Internet vulnerability assessment, they are the following:
• Planning, scheduling, and notification of the penetration testing: Large organizations often take an entire month to perform the data collection phase, using nights and weekends and avoiding change control blackout windows.
• Target selection: Working from the network characterization elements that are stored in the risk, threat, and attack database, the penetration targets are selected.
• Test selection: Using the external monitoring intelligence generated previously, the test engine is configured for the tests to be performed.
• Scanning: The penetration test engine is unleashed at the scheduled time using the planned target list and test selection. The results of the entire test run are logged in text log files for analysis.
• Analysis: A knowledgeable and experienced vulnerability analyst screens the test results for the vulnerabilities logged during scanning.
• Record keeping: The organization records the details of the documented vulnerability in the vulnerability database, identifying the logical and physical characteristics and assigning a response risk level to the vulnerability to differentiate the truly urgent from the merely critical.

IV. Conclude that skilled attackers from this direction can take advantage of any loophole or flaw; this assessment is usually performed against all public-facing addresses, using every possible penetration testing approach.

Intranet Vulnerability Assessment

I. Compare and contrast an Internet vulnerability assessment with an intranet vulnerability assessment. Explain the differences and similarities.

II. Construct the sequence of processes that make up an intranet vulnerability assessment. Although they are the same steps as an Internet assessment, the details of each step are different:
• Planning, scheduling, and notification of the penetration testing: There will be substantially more systems to assess. Intranet administrators often prefer that penetration testing is performed during working hours.
• Target selection: At first, the penetration test scanning and analysis should focus on testing only the highest-value and most critical systems. As the configuration of these systems is improved, and fewer candidate vulnerabilities are found in the scanning step, the target list can be expanded.
• Test selection: The selection of the tests to be performed usually evolves over time to correspond with the evolution of the threat environment. Most organizations focus their intranet scanning efforts on a few critical vulnerabilities at first, and then expand the test pool to include more scripts.
• Scanning: Just as it is in Internet scanning, the process should be monitored so that if an invasive penetration test causes disruption, it can be reported for repair.
• Analysis: It follows the same three steps as Internet analysis: classify, validate, and document.
• Record keeping: It is identical to the one followed in an Internet vulnerability analysis.

Platform Security Validation

I. Detail the purpose of a platform security validation (PSV) assessment and what is used to validate compliance of platform configurations. Note that this process flags misconfigured systems: those that fail to comply with company policy or standards as adopted by the IT governance groups and communicated through the information security education and awareness program.

II. Discuss the approach to achieving PSV:

• Product selection
• Policy configuration
• Deployment
• Measurement
• Exclusion handling
• Reporting
• Remediation
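The PSV steps above (policy configuration, measurement, exclusion handling, reporting, remediation) reduce to comparing each platform's observed configuration against the adopted standard. The following is an added example, not code from the textbook or instructor manual: the policy settings, hostnames, observed configurations and exclusions are all constructed for illustration, and the setting names are placeholders rather than any product's real keys.

```python
"""Platform security validation (PSV) as a policy-versus-configuration comparison.

Added example, not from the textbook or instructor manual. The policy settings,
hostnames, observed configurations and exclusions below are constructed for
illustration; they are not a real organization's standard.
"""
from dataclasses import dataclass
from datetime import date

# Policy configuration: the standard every platform must meet.
# setting name -> (required value, severity). Constructed values.
POLICY = {
    "ssh.PermitRootLogin": ("no", "high"),
    "ssh.PasswordAuthentication": ("no", "high"),
    "telnet.enabled": ("false", "high"),
    "password.min_length": ("14", "medium"),
    "audit.enabled": ("true", "medium"),
}

# Measurement input: configuration as collected from each host (constructed).
OBSERVED = {
    "web01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
              "telnet.enabled": "false", "password.min_length": "14",
              "audit.enabled": "true"},
    "db01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
             "telnet.enabled": "false", "password.min_length": "8",
             "audit.enabled": "true"},
    # legacy01 reports no audit setting at all; that counts as non-compliant.
    "legacy01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
                 "telnet.enabled": "true", "password.min_length": "14"},
}


@dataclass
class Exclusion:
    """An approved, time-limited deviation from policy (exclusion handling)."""
    host: str
    setting: str
    justification: str
    expires: date


# Constructed exclusions: one still valid, one that has lapsed.
EXCLUSIONS = [
    Exclusion("legacy01", "telnet.enabled",
              "vendor console requires telnet until migration", date(2099, 1, 1)),
    Exclusion("db01", "password.min_length", "temporary waiver", date(2020, 1, 1)),
]


@dataclass
class Finding:
    host: str
    setting: str
    expected: str
    observed: str
    severity: str
    excluded: bool = False


def measure(observed, exclusions, today_iso):
    """Measurement: compare each host's configuration to POLICY.

    A missing setting is reported as observed '<missing>'. A finding covered by an
    unexpired exclusion is kept (so the report still shows it) but marked excluded.
    """
    today = date.fromisoformat(today_iso)
    active = {(e.host, e.setting) for e in exclusions if e.expires >= today}
    findings = []
    for host in sorted(observed):
        cfg = observed[host]
        for setting, (expected, severity) in POLICY.items():
            got = cfg.get(setting, "<missing>")
            if got != expected:
                findings.append(Finding(host, setting, expected, got, severity,
                                        excluded=(host, setting) in active))
    return findings


def compliance_score(observed, findings):
    """Percentage of (host, setting) checks that pass or are formally excluded."""
    checks = len(observed) * len(POLICY)
    failing = sum(1 for f in findings if not f.excluded)
    return round(100 * (checks - failing) / checks, 1)


def report(findings):
    """Reporting: one line per finding, excluded ones labelled as such."""
    lines = []
    for f in findings:
        tag = "EXCLUDED" if f.excluded else f.severity.upper()
        lines.append(f"{f.host} {f.setting}: expected {f.expected!r}, "
                     f"observed {f.observed!r} [{tag}]")
    return lines


def remediation_queue(findings):
    """Remediation: unexcluded findings, highest severity first, then by host."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for f in findings if not f.excluded),
                  key=lambda f: (rank[f.severity], f.host, f.setting))


if __name__ == "__main__":
    found = measure(OBSERVED, EXCLUSIONS, "2024-06-01")
    print("\n".join(report(found)))
    print(f"compliance: {compliance_score(OBSERVED, found)}%")
    for f in remediation_queue(found):
        print(f"fix {f.host} {f.setting} ({f.severity})")
```

Two design points matter for the exclusion-handling step: an exclusion is keyed to a single host and setting, never to a whole host, and it carries an expiry so that a lapsed waiver automatically turns back into a failing check, as the db01 password-length waiver does here.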

Wireless Vulnerability Assessment

I. Explain that the purpose of a wireless vulnerability assessment is to find and document vulnerabilities in the organization’s wireless networks.

II. Gain an understanding that attackers from this direction are likely to take advantage of any loophole or flaw; this assessment is usually performed against all publicly accessible areas, using every possible wireless penetration testing approach (including war driving).

III. Arrange the steps in this process in the following order:

• Planning, scheduling, and notification of wireless penetration testing
• Target selection
• Test selection
• Scanning
• Analysis

Documenting Vulnerabilities

I. Classify the details that data stored in a vulnerability database should contain to be effective when an issue occurs:

• A unique vulnerability ID number for reporting and tracking remediation actions
• Linkage to the risk, threat, and attack database based on the physical information asset underlying the vulnerability; the IP address is a good choice for this linkage
• Vulnerability details, which are usually based on the test script used during the scanning step of the process; if the Nessus scanner is used, each test script (written in NASL, the Nessus Attack Scripting Language) has an assigned ID that can identify the vulnerability effectively
• Dates and times of notification and remediation activities
• The current status of the vulnerability, such as found, reported, or repaired
• Comments, which give analysts the chance to provide system administrators with detailed information for fixing the vulnerability
• Other fields as needed to manage the reporting and tracking processes in the remediation phase

II. Establish an understanding that the vulnerability database is an essential part of an effective remediation process because it helps organizations keep track of vulnerabilities as they are reported and remediated.
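The analysis step (classify, validate, document) and the database fields listed above fit together as one small pipeline: raw scanner output goes in, deduplicated and classified records with a unique ID, an IP linkage and a status history come out. The following is an added example, not part of the instructor manual or textbook: the scan lines, addresses and test-script IDs (T-xxxx) are constructed placeholders, and the comma-separated layout is an assumption rather than any real scanner's export format.

```python
"""Vulnerability database records built from scan output: classify, validate, document.

Added example, not part of the instructor manual. The scan lines, addresses and
test-script IDs (T-xxxx) are constructed placeholders, and the comma-separated
layout is an assumption rather than any real scanner's export format.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed scanner log: ip, port, test-script id, title, scanner severity.
# The second line is a deliberate duplicate of the first.
SCAN_LOG = """\
10.0.0.5,22,T-0101,Obsolete SSH protocol version accepted,high
10.0.0.5,22,T-0101,Obsolete SSH protocol version accepted,high
10.0.0.7,443,T-0203,Self-signed TLS certificate,medium
10.0.0.7,443,T-0204,Deprecated TLS version enabled,high
10.0.0.9,80,T-0305,Web server banner disclosed,info
"""

# Response risk level: differentiates the truly urgent from the merely critical.
RISK_LEVEL = {"high": "urgent", "medium": "critical", "low": "routine", "info": None}

# Allowed status transitions; a repaired item is closed and cannot be reopened silently.
STATUS_FLOW = {"found": {"reported"}, "reported": {"repaired", "found"}, "repaired": set()}


@dataclass
class VulnRecord:
    vuln_id: str              # unique ID for reporting and tracking
    asset_ip: str             # linkage to the risk, threat and attack database
    port: int
    script_id: str            # test script that produced the finding
    title: str
    response_risk: str
    status: str = "found"
    history: list = field(default_factory=list)   # (timestamp, status)
    comments: list = field(default_factory=list)  # analyst notes for the sysadmin

    def allowed_next(self):
        return STATUS_FLOW[self.status]

    def transition(self, new_status, when_iso, comment=""):
        """Record a status change with its timestamp; reject illegal moves."""
        if new_status not in self.allowed_next():
            raise ValueError(f"{self.vuln_id}: {self.status} -> {new_status} not allowed")
        self.status = new_status
        self.history.append((datetime.fromisoformat(when_iso), new_status))
        if comment:
            self.comments.append(comment)


def parse_scan(text):
    for line in text.splitlines():
        ip, port, sid, title, sev = line.split(",")
        yield ip, int(port), sid, title, sev


def build_database(scan_text, false_positives, scan_time_iso):
    """Analysis (classify, validate, document) feeding the record-keeping step.

    false_positives: set of (ip, port, script_id) the analyst has already ruled out.
    """
    when = datetime.fromisoformat(scan_time_iso)
    db, seen, n = {}, set(), 0
    for ip, port, sid, title, sev in parse_scan(scan_text):
        risk = RISK_LEVEL[sev]                     # classify
        if risk is None:                           # informational, not a vulnerability
            continue
        key = (ip, port, sid)
        if key in seen or key in false_positives:  # validate: dedupe, drop known FPs
            continue
        seen.add(key)
        n += 1                                     # document: assign the unique ID
        vuln_id = f"VULN-{when:%Y%m%d}-{n:04d}"
        rec = VulnRecord(vuln_id, ip, port, sid, title, risk)
        rec.history.append((when, "found"))
        db[vuln_id] = rec
    return db


def open_for_asset(db, ip):
    """Everything still unrepaired on one asset, most urgent first."""
    order = {"urgent": 0, "critical": 1, "routine": 2}
    return sorted((r for r in db.values() if r.asset_ip == ip and r.status != "repaired"),
                  key=lambda r: order[r.response_risk])


if __name__ == "__main__":
    db = build_database(SCAN_LOG, {("10.0.0.7", 443, "T-0203")}, "2024-06-01T02:00")
    first = db["VULN-20240601-0001"]
    first.transition("reported", "2024-06-01T09:00", "disable the legacy SSH protocol")
    first.transition("repaired", "2024-06-03T10:30")
    for rec in db.values():
        print(rec.vuln_id, rec.asset_ip, rec.script_id, rec.response_risk, rec.status)
```

The validation step here is deliberately narrow: it removes exact duplicates and findings the analyst has previously ruled out (the self-signed certificate on an internal host, say), but every remaining item still needs a human to confirm it before it is reported, which is why the record keeps a status history rather than a single flag.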

Remediating Vulnerabilities

I. Define the purpose and goal of remediation.

II. Assemble a strategic plan for approaching the remediation process. It is important to recognize that building relationships with those who control the information assets is the key to success. Success depends on the organization adopting a team approach to remediation instead of a push-and-pull between departments.

Readiness and Review

I. Establish that the primary goal of readiness and review is to keep the information security program functioning as designed, continuously over time.

II. Examine the three tasks that can accomplish the goal of keeping a domain ready and reviewed. They are policy reviews, program reviews, and rehearsals.

Policy Review and Planning Review

I. Explain how policy review is the primary initiator of the readiness and review domain. Note that policy needs to be reviewed periodically. Use Figure 12-9 to aid the discussion.

II. Stress that as policy shifts, an independent and thorough review of the entire information security program is needed.

III. Discuss how major planning elements should be rehearsed whenever possible. Rehearsal adds value by exercising procedures, identifying shortcomings, and giving security personnel the opportunity to improve the security plan before it is needed. In addition, rehearsals make people more effective when an actual event occurs. Rehearsals that closely match reality are called war games.

Quick Quiz 2

1. Which of the following is the component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization?
a. external monitoring domain
b. planning and risk assessment domain
c. internal domain
d. planning domain
Answer: c

2. Which of the following is designed to find and document vulnerabilities that may be present in the organization’s public network?
a. difference analysis
b. Internet vulnerability assessment
c. external monitoring
d. digital assessment
Answer: b

3. The primary objective of the ________ domain is to keep a lookout over the entire information security program.
a. internal
b. external
c. planning and risk assessment
d. digital assessment
Answer: c

4. The primary goal of the ________ domain is to identify specific, documented vulnerabilities and their timely remediation.
a. vulnerability assessment and remediation
b. external
c. planning and risk assessment
d. digital assessment
Answer: a

5. True or False: Penetration testing is a set of security tests and evaluations that simulate attacks by a hacker or other malicious external source.
Answer: True

Physical Security (12.7, PPT Slides 41–57 and 60–63)

I. Establish that the physical security of information systems is as important as logical (computer-based) security controls.

II. Review the list of the seven most common sources of physical loss, as denoted in the book written by Donn B. Parker and outlined in the text:

• Extreme temperatures
• Gases
• Liquids
• Living organisms
• Projectiles
• Movement
• Energy anomalies

III. Stress that implementing physical security measures requires sound organizational policies that are in place and kept up to date.

Physical Access Controls

I. Define the concept of facility management and its role in maintaining a secure facility where information is stored, housed, and transmitted.

II. Summarize the purpose of a secure facility and why multiple layers of defense must be in place should an attack occur, physically or otherwise.

Physical Security Controls

I. Compose a list of common major controls that a facility may have to protect itself from external forces. These include but are not limited to the following:

• Walls, fencing, and gates
• Guards and dogs
• ID cards and badges
• Locks and keys
• Electronic monitoring
• Alarms and alarm systems
• Computer rooms and wiring closets
• Interior walls and doors

Walls, Fencing, and Gates

I. Establish that external perimeter controls (walls and fences with suitable gates) are the essential starting point for controlling access to physical locations the organization owns or controls.

II. Note that expert planning is required for this type of physical barrier to be effective.

Guards and Dogs

I. Relate to the fact that guards can evaluate each situation as it arises and make reasoned responses.

II. Consider the use of dogs where a facility needs to sense intrusions that humans might otherwise not detect.

ID Cards and Badges

I. Compare the differences between an identification (ID) card and a badge.

II. Discuss the concept of tailgating and why it is a common source of access issues in a secure facility.

III. Explain the use of mantraps and where they are effective and ineffective.

Locks and Keys

I. Compare and contrast mechanical and electromechanical lock mechanisms. Briefly summarize the different types of keys and locks that are often used in a facility.

II. Examine the backup procedures that must be in place when controlled-access devices fail.

Computer Rooms and Wiring Closets

I. Obtain an understanding that janitors or custodians are often the least scrutinized people in a facility, yet they have access to nearly every part of it, including computer rooms and wiring closets.

II. Establish an understanding of the consequences that can occur should a person obtain access to computing equipment that is critical to information security management.

Fire Safety and Security

I. Recognize that fires account for more property damage, personal injury, and death than any other threat to physical security. Physical security plans must implement strong measures to detect and respond to fires and fire hazards.

II. Note that the most combustible item in an office setting is paper.

III. Maintain awareness that before a fire can be suppressed, it must be detected.

Failure of Supporting Utilities and Structural Collapse

I. Demonstrate an understanding that supporting utilities, such as heating, ventilation, air conditioning, power, and water, have a significant impact on a facility’s safe operation.

II. Assess the need for utilities to be responsibly managed to prevent damage to information and information systems within an organization. Backup systems should be in place in areas where fluctuations are likely to occur.

Heating, Ventilation, and Air Conditioning

I. Interpret the fact that the operation of the heating, ventilation, and air conditioning (HVAC) system, traditionally a responsibility of facilities management, can have a dramatic impact on information, information systems, and their protection.

II. Justify the attention paid to temperature and filtration, humidity, and static electricity by explaining the impact each can have on information systems and the security systems in place.

Temperature and Filtration

I. Outline the temperatures in which computing equipment can operate efficiently:

• Temperatures below 32 degrees Fahrenheit or above 100 degrees Fahrenheit can cause hardware and media failures and potentially destroy the equipment.
• The optimal temperature range for a facility where people work without protective clothing is 70 to 74 degrees Fahrenheit.

Humidity and Static Electricity

I. Recognize that high humidity levels often create condensation problems, and a lack of humidity increases the risk of static electricity.

II. Justify the fact that electrostatic discharges (ESDs) are a leading cause of failure for sensitive circuitry. Static electricity can exceed 12,000 volts when someone walks across a carpet.

III. Examine the two common types of failure that damaged chips experience:

• Immediate or catastrophic failures: occur right away and require chip replacement
• Latent failures: delayed failures that can occur weeks or months after the damage occurs

Ventilation Shafts

I. Recall that some ductwork in commercial buildings may pose a security threat, as a person can climb through it to reach a destination unnoticed.

II. Recommend the use of wire mesh grids as barriers at various points to compartmentalize ventilation shaft runs.

Power Management and Conditioning

I. Emphasize that power supplies must be properly grounded when used to maintain an organization’s physical environment.

II. Recommend that in areas where water accumulation is possible, computing and other electrical equipment be grounded using ground fault circuit interrupter (GFCI) devices.

III. Organizations should identify computing systems that are critical to the operation of the facility so that they can be connected to an uninterruptible power supply (UPS).

• UPS capacities can exceed 10,000 VA.
• The goal of a UPS is to keep critical systems online long enough for them to be shut down safely.

IV. Recommend that backup systems be tested frequently and that documentation of the facility’s configuration, operation, and function be integrated into disaster recovery plans and standard operating procedures.

Interception of Data

I. Review the three types of data interception: direct observation, interception of data transmissions, and electromagnetic interception.

• Direct observation requires that a person be close enough to the information to breach confidentiality.
• Interception of data transmissions does not require the attacker to be near the source, only to reach the transmission medium, for example by tapping into a LAN, eavesdropping on a network, or wiretapping.
• Electromagnetic interception is possible but unlikely: it is difficult, impractical, and expensive to carry out.

Securing Mobile and Portable Systems

I. Justify the cause-and-effect relationship that mobile devices and portable systems have with an organization's information security. Because of their portability, they must have stronger security than stationary counterparts such as desktops.

II. Review the different software and hardware techniques that can be used to protect devices that move in and out of an office.

III. Emphasize that laptops must always remain secure. Apply the suggestions provided in the text to reduce the risk that a mobile computing device is stolen or damaged.

Remote Computing Security

I. Comprehend that remote site computing involves a wide variety of computing sites outside the organization’s main facility and includes all forms of telework.

II. Define the concept of telework and how it affects an organization’s information security plan and protocols.

III. Obtain an understanding that mobile devices and off-site media must be made more secure than the organization's on-site systems because of the greater risk of their being stolen or damaged.

IV. Decide what an organization needs to do to accommodate off-site personnel so that they have the strongest protections possible away from the office while still completing tasks in a timely manner.

Special Considerations for Physical Security

I. Review the special considerations an organization must weigh when developing a comprehensive physical security program, and their advantages and disadvantages. They include the choice of handling physical security in-house or outsourcing it, and social engineering.

Quick Quiz 3

1. What is the optimal temperature range in which computing equipment can operate?
a. no less than 40 degrees Fahrenheit
b. between 50 and 60 degrees Fahrenheit
c. between 70 and 74 degrees Fahrenheit
d. does not matter, as computing equipment can operate at any temperature
Answer: c

2. How many volts of static electricity can be discharged when someone walks across a carpeted floor or surface?
a. in excess of 1,200 volts
b. up to 4,000 volts
c. up to 8,000 volts
d. upward of 12,000 volts
Answer: d

3. The primary power source for an organization’s computing equipment is most often the ________ utility that serves the facility.
Answer: electric

4. What is it called when someone gains unauthorized entry by closely following another person through a secure entrance, using that person's credentials to bypass a control point?
a. tailgating
b. man trapping
c. sprinting
d. human chaining
Answer: a

5. True or False: It is not necessary to have an alternate procedure in place in the event a lock fails, because a door or access point will open automatically without any additional assistance.
Answer: False

Discussion Questions

You can assign these questions several ways: in a discussion forum in your LMS, as whole-class discussions in person, or as a partner or group activity in class. These questions are separate from the review questions and exercises in the textbook. For answers to the textbook questions, see the associated solutions for this module.

Additional class discussion options:

1. Maintenance is an essential task that is often considered to be dull. In information security, penetration testing may be wrongly perceived as a hacker-like activity. In fact, when done correctly, ethical hacking is an important part of risk management. Clarify to your students that penetration analysts work under very restrictive rules of engagement when testing systems. You may want to brainstorm ways that penetration analysts limit the risk they pose to internal systems. (12.1, 12.2, 12.3, 12.4, PPT Slides 3–17 and 20–23) Duration 15 minutes.

2. Do risk assessments catch all risks that an information security system could face? What additional topics not discussed may need to be discussed in the future as technology evolves? (12.5, PPT Slides 24–38) Duration 15 minutes.

3. Of the physical security controls that were discussed, which ones are likely to be used the most and the least? How would they affect the integrity of information security systems? (12.7, PPT Slides 41–57 and 60–63) Duration 15 minutes.

Suggested Usage for Lab Activities

A series of hands-on labs has been developed to complement the text material for this course and is available for download at the Instructor Center. The labs do not depend on specific chapter content, so instructors can insert them where they best suit the syllabus. The following is a list of lab titles, objectives, and approximate durations to assist with lesson planning.

Lab: Ethical Considerations in IT and Detecting Phishing Attacks
Objective: Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Duration: Ethical Considerations lab in 15 to 20 minutes; Phishing E-Mail lab in 60 to 75 minutes.

Lab: Web Browser Security
Objective: Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Duration: 1 to 1.5 hours

Lab: Malware Defense
Objective: Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use ClamAV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.
Duration: 1 to 1.5 hours

Lab: Windows Password Management
Objective: Upon completion of this activity, the student will be able to:
• Review and configure password management policies on a Windows client computer.
Duration: 30 minutes to 1 hour

Lab: Backup and Recovery and File Integrity Monitoring
Objective: Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.
Duration: 15–20 minutes

Lab: OS Processes and Services
Objective: Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.
Duration: 60–90 minutes

Lab: Log Management & Security
Objective: Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.
Duration: 30 minutes to 1 hour

Lab: Footprinting, Scanning, and Enumeration
Objective: Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.
Duration: 40–60 minutes

Lab: AlienVault OSSIM
Objective: Upon completion of this activity, the student will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. The software is used more extensively in a subsequent lab.
Duration: 2–3 hours

Lab: Image Analysis Using Autopsy
Objective: Upon completion of this activity, the student will be able to perform basic drive image analysis using the Autopsy software package.
Duration: 45–70 minutes

Additional Activities and Assignments

Please see the associated solutions for the Closing Scenario at the end of the textbook module.

Additional project options include:

1. See if your organization has a penetration testing team in place. Ask if the members of the team can address your class or if your class can observe their work. If a penetration testing team is not available on campus, see if any local organizations can help.

2. Have students look at popular news sources for stories related to computer vulnerabilities. Then have students research the vulnerabilities that they read about to see if there are any inconsistencies between the way the press reports them and the way researchers have documented them.

Additional Resources

Internet Resources
• Cyber Security Certifications
• ISACA’s CMMI Maturity Models
• NIST SP 800-100
• OSSTMM
• SANS Reading Room—Penetration Testing
• US-CERT Program

Appendix

Grading Rubrics

Providing students with rubrics helps them understand expectations and components of assignments. Rubrics help students become more aware of their learning process and progress, and they improve students’ work through timely and detailed feedback. Customize these rubrics as you wish. The grading rubric suggests a 4-point scale, and the discussion rubric indicates 30 points.

Grading Rubric

These grading criteria can be applied to open-ended Review Questions, Real-World Exercises, Case Studies, and Security for Life activities.

3 (Exceeds Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student uses sound critical analysis to develop an insightful and comprehensive response to the prompt.

2 (Meets Expectations)
• Student demonstrates accurate understanding of the concept.
• Student applies the concept appropriately.
• Student develops a complete response to the prompt.

1 (Needs Improvement)
• Student’s response demonstrates a gap in understanding of the concept.
• Student applies the concept incorrectly.
• Student’s response is poorly developed or incomplete.

0 (Inadequate)
• Student’s response is missing or incomplete.
• Student’s response demonstrates a critical gap in understanding.
• Student is unable to apply the concept.


Labs for Principles of Information Security 7th Edition

Hands-On Lab: Ethical Considerations in IT and Detecting Phishing Attacks
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-50643-1

Table of Contents
Objective
Estimated Completion Time
Materials Required
Introduction
Ethical Considerations in the Use of Information Security Tools
  Are You a White Hat?
  The White Hat Agreement
  (ISC)2 Code of Ethics
Self-Reflection and Response
  Instructor’s Response
Detecting and Responding to Phishing Attacks
  Legitimate Messages Don’t Request Sensitive Information
  Legitimate Messages Usually Call You by Your Name
  Legitimate Messages Come from Authentic Domains
  Legitimate Messages Come from People Who Know How to Spell and Write
  Legitimate Messages Don’t Force You to a Web Site
  Legitimate Messages Don’t Include Unsolicited Attachments
  Legitimate Messages Have Links that Match Legitimate URLs
  Legitimate Messages Don’t Create an Artificial Sense of Urgency
  Legitimate Messages Display Reliable Names
  Legitimate Messages Don’t Solicit Money
  How You Should Respond to Phishing E-Mails
  Test Your Knowledge
  Instructor’s Response

Objective

Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.

Estimated Completion Time

If you are prepared, you should be able to complete:
• The Ethical Considerations lab in 15 to 20 minutes.
• The Phishing E-Mail lab in 60 to 75 minutes.

Materials Required

Completion of this lab does not require any software to be installed or configured on your computer.

Introduction

This module does not include a “hands-on” project to develop specific skills. Instead, it discusses two topics that will be useful for the projects you perform in the later modules. You will first learn about the ethical dimension of using information security tools and techniques that many consider to be from the “dark side.”

Social engineering is a term that describes malicious actions that exploit human psychology to gain access to sensitive information or money. Attackers manipulate people through dishonest social interactions and exploit the human tendency to trust in order to gather valuable information. Phishing is a popular form of social engineering attack in which an attacker provides what appears to be a legitimate communication (usually e-mail) that contains links or embedded code directing the recipient to a third-party site in order to extract personal or confidential information.

The best defense against e-mail phishing attacks is user awareness. Many organizations now filter employee e-mail using commercial products, but even the best of these products will not stop every phishing e-mail. An alert workforce and a trained service support staff are also required.

In the second part of this lab, you will begin by reading about the indicators that an e-mail is actually a phishing attack. Next, you will assume the role of a help-desk analyst who is responding to alerts from users who have received suspicious e-mails.
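Several of the indicators this lab teaches (sender domain, generic greeting, requests for sensitive information, link text that does not match the link target, urgency, attachments, requests for money) can be checked mechanically over a raw message, which is roughly what a mail filter or a help-desk triage script does before a human looks at the report. The following is an added example, not part of the lab: both messages are constructed, the domains are placeholders, and the indicator names, keyword lists and the three-indicator threshold are this example's own choices rather than anything the lab prescribes.

```python
"""Scoring an e-mail against the phishing indicators listed in this lab's contents.

Added example, not part of the lab. Both messages below are constructed, the
domains are placeholders, and the indicator names, keyword lists and the
three-indicator threshold are this example's own choices.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed credential-phishing lure in HTML (note the misspelling and the
# link whose visible text is a different site from its real target).
PHISH = """\
From: "Contoso Bank Security" <alerts@contoso-bank-secure.example>
To: jane@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your acount will be suspended unless you verify your password immediately.</p>
<p><a href="http://login.contoso-bank-secure.example/verify">https://www.contoso.example/login</a></p>
</body></html>
"""

# Constructed legitimate notice for comparison.
LEGIT = """\
From: Contoso Bank <notice@contoso.example>
To: jane@example.org
Subject: Your May statement is ready
Content-Type: text/plain; charset=utf-8

Hi Jane,

Your May statement is now available. Sign in through your usual bookmark to view it.
"""

URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended)\b")
SENSITIVE = re.compile(r"\b(password|social security number|account number|pin)\b")
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b")
MONEY = re.compile(r"\b(wire transfer|gift card|payment is due)\b")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Last two labels of a host name ('login.x.example' -> 'x.example'); a simplification."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def check_message(raw, trusted_domains):
    """Return the list of indicators that fire for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = []

    _, addr = email.utils.parseaddr(msg["From"])
    if registered_domain(addr.rsplit("@", 1)[-1]) not in trusted_domains:
        hits.append("sender domain is not an authentic domain")
    if GENERIC_GREETING.search(text):
        hits.append("generic greeting instead of your name")
    if SENSITIVE.search(text):
        hits.append("requests sensitive information")
    if URGENCY.search(text):
        hits.append("creates an artificial sense of urgency")
    if MONEY.search(text):
        hits.append("solicits money")
    if any(part.get_filename() for part in msg.iter_attachments()):
        hits.append("unsolicited attachment")
    for href, anchor in ANCHOR.findall(body):
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        if shown.startswith(("http://", "https://")) and \
                registered_domain(urlparse(shown).hostname) != registered_domain(urlparse(href).hostname):
            hits.append("link text does not match link target")
            break
    return hits


def verdict(hits, threshold=3):
    return "likely phishing" if len(hits) >= threshold else "no strong indicators"


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        found = check_message(raw, {"contoso.example"})
        print(label, verdict(found), found)
```

The link check is the one a user cannot do by eye: the visible text says one site while the href points at another, so the script compares the registered domains of both. The misspelling indicator is left to the reader, since it needs a dictionary rather than a keyword list.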

© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web site, in whole or in part.



Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-506431; Ethical Considerations in IT and Detecting Phishing Attacks

Ethical Considerations in the Use of Information Security Tools
Using some of the “tools of the trade” in information security might lead students (and their instructors) to use software and techniques that are designed to break the rules and allow bad acts to occur. Because each academic community sets certain standards, you need to be aware of how they might apply in your specific circumstances. Conformance to standards and ethical behavior are required to ensure the unhindered pursuit of knowledge and the free exchange of ideas. Academic integrity means that you respect the right of other individuals to express their views and opinions, and that you, as a student or faculty member, do not engage in plagiarism, cheating, illegal access, misuse or destruction of college property, or the falsification of college records or academic work.

As a member of the academic community, and as a future InfoSec or IT professional, you are expected to adhere to standards of ethical behavior. You are expected to read and follow your institution’s code of conduct, which is usually found in your student handbook. Be aware that if you violate these standards, you will be subject to the penalties outlined in your institution’s student conduct and academic integrity procedures. These penalties likely range from grade penalties to permanent expulsion.

Your instructor may require you to read the white hat agreement and code of ethics that follow. Your instructor might also ask you to sign a form acknowledging that you agree to abide by these ethical standards while you are a student. Your agreement would indicate that you understand the ethical behavior expected of you as part of an academic community, and that you understand the consequences of violating those standards. For those of you in InfoSec or cybersecurity programs, the standard is even higher, given that you will be a guardian of an organization’s data in the future.

Are You a White Hat?
As part of this course, you may be exposed to systems, tools, and techniques related to information security. With proper use, these components allow a security administrator or technician to better understand vulnerabilities and the security precautions used to defend an organization’s information assets. Misuse of these components, either intentionally or accidentally, can result in breaches of security, damage to data, or other undesirable results. Because the labs in this book will sometimes be carried out in a public network that is used by people for real work, you must agree to the following before you can participate. If you are unwilling to sign this agreement, your instructor may not allow you to participate in the projects.


The White Hat Agreement
If you have questions about any of the following guidelines, please contact your instructor. This document may be changed from time to time by your instructor, who will notify you of such changes and may ask you to reaffirm your understanding and agreement.

1. Just because you can do something doesn’t mean you should.

2. As you engage in projects, you will be granted access to tools and training that have the potential to do harm even when they are used to determine or investigate the security of an information system. Use these tools with care and consideration of their impact, and only in the ways specified by your instructor.

3. If any question arises in your mind about whether you can or should perform an activity or use a tool in a particular way, stop and ask your instructor for clarification. In information security, it is most definitely NOT easier to ask for forgiveness than for permission.

4. You are only allowed to use the tools and exercises if you are currently registered for a grade in the course. An instructor always has the right to ask students for appropriate identification if necessary.

5. Any instance of suspected misconduct, any illegal or unauthorized use of tools or exercises, or any action construed as being outside the guidelines of the course syllabus and instruction will be investigated by the instructor and may result in severe academic and/or legal penalties. Being a student does not exempt you from consequences if you commit a crime.

6. All students are expected to follow the (ISC)2 code of ethics, which is available at www.isc2.org/ethics and included later in this document.

7. By acknowledging this agreement, you confirm that you will:
• Only perform the actions specified by the course instructor for using security tools on assigned systems.
• Report any findings to the course instructor or in specified reporting formats without disclosing them to anyone else.
• Maintain the confidentiality of any private information learned through course exercises.
• Manage assigned course accounts and resources with the understanding that their contents may be viewed by others.
• Hold harmless the course instructor and your academic institution for any consequences or actions if you use course content outside the physical or virtual confines of the specified laboratory or classroom.
• Abide by the computing policies of your academic institution and by all laws governing the use of computer resources on campus.

8. By acknowledging this agreement, you confirm that you will not:
• Attempt to gain access to a system, attempt to increase privileges on any system, or access any data without proper authorization.
• Disclose any information that you discover as a direct or indirect result of this course exercise.
• Take actions that will modify or deny access to any system, data, or service except those to which administrative control has been delegated to you.
• Attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of the projects or classroom.
• Use any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course exercise.
• Pursue any legal action against the course instructor or the university for any consequences or actions if you use what you learn in the course outside the physical or virtual confines of the laboratory or classroom.

9. You will abide by the following code of ethics: Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

(ISC)2 Code of Ethics

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally.
• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide diligent and competent service.
• Preserve the value of systems, applications, and information.
• Respect the trust and privileges granted to you.
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.

Advance and protect the profession.
• Sponsor for professional advancement those best qualified. All other things being equal, prefer those who are certified and who adhere to these canons.
• Avoid professional association with those whose practices or reputation might diminish the profession.
• Take care not to injure the reputation of other professionals through malice or indifference.
• Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.

The (ISC)2 code of ethics is available from www.isc2.org/ethics.


Self-Reflection and Response
In the space below, write a brief statement indicating your intention to abide by the ethics codes spelled out in this lab.

Instructor’s Response


Detecting and Responding to Phishing Attacks
The following questions indicate some of the telltale signs of phishing attacks. In general, you should ask yourself these questions for each e-mail you receive:
• Does the message ask for sensitive information, such as account numbers, passwords, or even your birthday?
• Does the message use your correct name and refer to other details accurately?
• Does the address look authentic?
• Are there misspelled words and improper grammar?
• Does the message force you to a web site?
• Does the message have an attachment you are not expecting?
• Do links in the message fail to match the visible URL?
• Does the message request that you send money?

Each of these questions is explained with examples in the following sections.

Legitimate Messages Don’t Request Sensitive Information
If you receive an unsolicited e-mail that appears to be from an official institution and the message includes a functional link or attachment, treat it as a scam until you have verified it through another channel. Most companies do not send e-mail asking for passwords, credit card information, credit scores, or tax identification numbers, nor do they send log-in links. If a company needs information, you will usually be asked to visit its web site or mobile app; you should not need a special e-mail link, because you already do business with the company and already know how to reach it.

Figure L01-1 Global Pay Phishing E-Mail

In Figure L01-1, notice the unsolicited web link. Also, look at the generic salutation at the beginning (“Dear customer”). Such greetings are discussed next.


Legitimate Messages Usually Call You by Your Name
Phishing e-mails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with actually required information about your account, the e-mail would refer to you by name and would probably direct you to contact the company via phone, a phone app, or the official company web site. However, some hackers simply avoid a salutation altogether. This is especially common with advertisements. In the phishing e-mail shown in Figure L01-2, everything is nearly perfect. So, how would you spot it as suspicious?

Figure L01-2 Hotels.com Phishing E-Mail

The example in Figure L01-2 is very convincing, but the fact that the message spells the recipient’s name correctly does not make it legitimate. The clue is the sending e-mail domain, as you will learn next.


Legitimate Messages Come from Authentic Domains
Don’t just check the name of the person who sent you the e-mail. Check the e-mail address itself by hovering your mouse over the contents of the From line. Make sure there have been no alterations, such as additional numbers or letters. For example, be suspicious if the sender appears to be michelle@paypal.com but the address shown when you hover over the From line is michelle@paypal23.com. This isn’t a foolproof method of demonstrating fraud, however. Some companies use several domains to send e-mail, and some smaller companies use third-party e-mail providers. Bear in mind, too, that the From address is supplied by the sender and can itself be forged, so an address that looks right is reassurance, not proof.

Figure L01-3 Costco Phishing E-Mail

In the example shown in Figure L01-3, the Costco logo is just a bit off. To see the actual logo, you can go to https://costco.com. Do you see the difference? Also, note that the From field shows a different business: cbcbuilding.com rather than costco.com. Finally, note that most companies use https:// in their URLs. If the “s” is missing, dig a little deeper; keep in mind, though, that https:// only means the connection is encrypted. Phishing sites use it as well, so its presence proves nothing about who runs the site.


Legitimate Messages Come from People Who Know How to Spell and Write
Possibly the easiest way to recognize a suspicious e-mail is through its use of bad grammar and misspelled words. An e-mail from a legitimate organization is usually well written. Look at this example:

Figure L01-4 Best Buy Phishing E-Mail

In addition to the generic salutation in Figure L01-4, the grammar gaffes and extra spaces are a good clue that something is wrong; for example, note the sentence that begins “Please fill this form.” Also, notice the “17” that appears in the middle of the next sentence for no reason.


Legitimate Messages Don’t Force You to a Web Site
Phishing e-mails are sometimes coded so that the entire message is a graphic image tagged as a hyperlink. Clicking anywhere in the e-mail will open a fake web page or start a download of malware or ransomware to your computer. For this reason, you must be careful and deliberate when analyzing suspect e-mails. If you click or activate an attachment, it can infect your system. You need a way to inspect the attachment or the headers without activating the trap: most mail clients let you view the message source or the full headers (often from the right-click menu), which shows the real link targets without rendering the image or following the link.

Figure L01-5 USPS Phishing E-Mail

The entire e-mail shown in Figure L01-5 was sent as an image tagged as a single hyperlink. If a recipient clicked anywhere in the e-mail, a malicious attack would be initiated. You can guard against this by hovering your mouse cursor over the message to see if a link address preview appears. You can also see the spelling and grammar errors in the body of the “Notification.”


Legitimate Messages Don’t Include Unsolicited Attachments
Unsolicited e-mails that contain any type of attachment should make you suspicious. Typically, authentic institutions do not randomly send you e-mail with attachments, but instead direct you to download documents or files from their secured web site. Like many of the other tips in this lab, this method isn’t foolproof. Companies that already have your e-mail address sometimes send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types, such as .exe, .scr, and .zip. Even .pdf and .docx files are suspicious. If you think the e-mail might be legitimate but you have doubts, contact the sender directly using information obtained from a source other than the e-mail.

Figure L01-6 ePayment Phishing E-Mail

Before you wonder what’s in the .zip file attached in Figure L01-6, remember that curiosity killed the cat.

Legitimate Messages Have Links that Match Legitimate URLs
If an e-mail appears to be suspicious, take precautions with any web links in the message. Make a habit of always double-checking URLs. If the link text shows one URL but hovering the mouse cursor over it reveals a different URL, that is a strong sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct or doesn’t match the context of the e-mail, don’t trust it. Instead, use your web browser to find the company’s authentic web site. To help ensure security, hover your mouse over an embedded link (without clicking!), confirm that it begins with https://, and consider whether the rest of the link, especially the domain name, looks like what you would expect.


Figure L01-7 Nokia Phishing E-Mail

Although the preceding message looks convincing, Nokia wouldn’t actually send a “Save your stuff” e-mail from info@news.nokia.com. A mouse flyover of the link would show a domain you should not trust.
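The link checks described in this section, and the image-only message of Figure L01-5, can be run over the HTML of a reported message before anyone clicks it: does the visible URL text agree with the real link target, does the target begin with https://, and is the whole body one image wrapped in a single link? The Python script below is an added example written for this edition of the lab, not code from the lab or its authors. The HTML bodies and the .example hostnames in it are constructed to mirror the figures and are assumptions, not real messages; the script uses only the standard library so it runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML bodies modelled on the lab's figures (not the actual messages).
# The hostnames are hypothetical; the .example domain is reserved and never resolves.
LINK_MISMATCH = (
    "<p>Dear customer,</p>"
    '<p>Please verify your account at <a href="http://paypal-secure-login.example/verify">'
    "https://www.paypal.com/myaccount</a> within 24 hours.</p>"
)
IMAGE_ONLY = '<a href="http://track-your-parcel.example/usps"><img src="cid:notice.png" alt=""></a>'
LEGITIMATE = (
    "<p>Hi Michelle, your receipt is ready at "
    '<a href="https://www.hotels.com/account">https://www.hotels.com/account</a>.</p>'
)


class LinkAuditor(HTMLParser):
    """Collect every <a>: its href, the text shown inside it, and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []               # one dict per anchor, in document order
        self.readable_outside = 0     # non-whitespace characters that are not inside any anchor
        self._open = None             # the anchor currently being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = {"href": attrs.get("href", ""), "text": "", "has_img": False}
        elif tag == "img" and self._open is not None:
            self._open["has_img"] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data
        else:
            self.readable_outside += len(data.strip())


def host_of(url):
    """Hostname of a URL, lower-cased; bare text such as 'www.paypal.com' is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_links(html):
    """Return findings for an HTML e-mail body; an empty list means nothing was flagged."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        href, shown = link["href"], link["text"].strip()
        # The lab's check: the real target should begin with https://
        if urlparse(href).scheme.lower() != "https":
            findings.append(f"link target {href!r} does not begin with https://")
        # The lab's check: when the visible text is itself a URL, it must point where it says.
        if "." in shown and " " not in shown and host_of(shown) != host_of(href):
            findings.append(f"visible {shown!r} but target host is {host_of(href)!r}")
    # Figure L01-5 pattern: the whole body is one image inside one anchor, with nothing else to read.
    if (len(parser.links) == 1 and parser.links[0]["has_img"]
            and not parser.links[0]["text"].strip() and parser.readable_outside == 0):
        findings.append(f"entire message is one image hyperlink to {parser.links[0]['href']!r}")
    return findings


if __name__ == "__main__":
    for name, body in [("legitimate", LEGITIMATE), ("link mismatch", LINK_MISMATCH), ("image only", IMAGE_ONLY)]:
        print(name, "->", audit_links(body) or ["no finding"])
```

The https:// test follows the lab’s advice, but its presence proves nothing about who runs the site, since phishing pages use TLS too; treat that finding as one more reason to look closer, and the host mismatch as the decisive one.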

Legitimate Messages Don’t Create an Artificial Sense of Urgency
Scammers know that most of us procrastinate and then have to get things done in a hurry, so many phishing attempts request that we act now before it’s too late. Scammers also understand that crises in the workplace are common and must be handled quickly. Unfortunately, hurrying creates a greater chance of making mistakes and bad choices. When you take time to think about something, you are much more likely to notice things that don’t seem quite right. For instance, when you receive an unexpected e-mail from a major company, maybe you’ll think twice and realize that the organization has never contacted you via e-mail. Maybe you’ll receive what appears to be a frantic e-mail from a co-worker and realize that he simply would have called you in case of an actual emergency.


A common workplace scam is to claim that a problem has arisen with a commonly used service or account, such as the account an organization holds with a bank or credit card company. Any actual problem with such an account would cause an immediate inconvenience. Criminals know we’re likely to drop everything if our boss e-mails us with a vital request, especially when other senior colleagues are supposedly waiting for us to act. A typical example looks like Figure L01-8.

Figure L01-8 Mobile Phishing E-Mail

Legitimate Messages Display Reliable Names
A favorite phishing tactic among cybercriminals is to spoof the display name of an e-mail, just as robocalling telemarketers spoof your phone’s caller ID. For example, if a fraudster wanted to impersonate your bank, the top of the e-mail message might look like Figure L01-9. Check the actual address (in the example, accounts@secure.com) to see whether its domain matches the display name (My Bank).

Figure L01-9 Secure.com Phishing E-Mail
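The two From-line checks above, a lookalike domain such as paypal23.com and a display name that does not match the address as in Figure L01-9, can be automated for help-desk triage. The following Python script is an added example written for this edition of the lab, not code from the lab or its authors. The brand allow-list and the sample From values are constructed from the figures discussed above and are assumptions, not real messages; it parses the From value with the standard library and reports why a header looks wrong.

```python
import email.utils
import re

# Brands the help desk protects, with the domains each one really sends from.
# These lists are placeholders for this example; a real deployment would load the
# organization's own allow-list.  The entries here are taken from the lab's figures.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "costco": {"costco.com"},
    "hotels": {"hotels.com"},
    "nokia": {"nokia.com"},
}

# Constructed From header values modelled on the lab's figures (not real messages).
SAMPLE_FROM_HEADERS = [
    "Michelle <michelle@paypal.com>",             # legitimate
    "Michelle <michelle@paypal23.com>",           # lookalike domain
    "Costco Wholesale <offers@cbcbuilding.com>",  # brand in display name, unrelated domain
    "My Bank <accounts@secure.com>",              # spoofed display name (Figure L01-9)
    "Nokia <info@news.nokia.com>",                # subdomain of a legitimate domain
]


def _tokens(text):
    """Lower-case alphanumeric words, so 'Costco Wholesale' -> {'costco', 'wholesale'}."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def _under(domain, legit):
    """True if domain is legit itself or a subdomain of it (news.nokia.com is under nokia.com)."""
    return domain == legit or domain.endswith("." + legit)


def analyze_from(header_value, brands=KNOWN_BRANDS):
    """Return a list of findings for one From header value; an empty list means nothing was flagged."""
    display, addr = email.utils.parseaddr(header_value)
    if "@" not in addr:
        return [f"no usable mailbox in From header: {header_value!r}"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    labels = domain.split(".")
    # Second-level label, the part a lookalike usually tampers with (paypal23.com -> paypal23).
    # Assumption: single-label public suffixes such as .com; co.uk-style suffixes are not handled.
    brand_label = labels[-2] if len(labels) >= 2 else domain
    name_tokens = _tokens(display)
    findings = []

    for brand, legit_domains in brands.items():
        legit = any(_under(domain, d) for d in legit_domains)
        # Rule 1: the domain carries the brand name but is not one of the brand's real domains.
        if brand in brand_label and not legit:
            findings.append(f"lookalike domain {domain} imitates {sorted(legit_domains)}")
        # Rule 2: the display name claims the brand, but the address belongs to someone else.
        if brand in name_tokens and not legit:
            findings.append(f"display name {display!r} claims {brand} but address is {addr}")

    # Rule 3: the display name shares no word at all with the local part or the domain.
    if display and not (name_tokens & _tokens(local + " " + domain)):
        findings.append(f"display name {display!r} does not match address {addr}")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict = analyze_from(header) or ["no finding"]
        print(header + "\n    " + "\n    ".join(verdict))
```

Rule 3 is deliberately loose (a personal name over a corporate domain passes because the name appears in the local part), so treat its output as a prompt to look, not a verdict; and as noted above, the From value is attacker-supplied, so a clean result is not proof of legitimacy.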


Legitimate Messages Don’t Solicit Money
Many successful phishing attacks create a false sense of urgency or appeal to a person’s greed. One type of scam that attempts to exploit greed is the advance fee fraud, which uses confidence tricks and is much older than e-mail. This approach typically involves promising the victim a significant share of a valuable prize, a desired business objective, or a sum of money in return for a small, up-front payment. This payment is supposedly needed to obtain the larger sum, hence the name “advance fee fraud.”

One of the best-known frauds is the Nigerian 4-1-9 scam, which has been around for a long time. Originally conducted via phone, fax, and traditional mail, this scam invites victims to send a small amount of money with the promise of receiving a much larger sum in return. The development of e-mail has made it much easier for scammers to reach new victims. The best-known source of these e-mail scams is Nigeria, although they can originate from anywhere. In Nigeria, the e-mails have become a significant source of income for some, although section 419 of the Nigerian Criminal Code prohibits them (hence the name).

A typical Nigerian 4-1-9 scam begins with a potential victim opening a letter or e-mail that’s purportedly from a famous person or an exiled politician. The person may claim to be from a place that’s currently in the news, possibly because of a recent civil disturbance. The message explains that, due to political instability or the death of a relative, a significant amount of money is trapped in some form of escrow account. The message goes on to explain that if the reader could send just a small amount of cash, it will pay the fee needed to access the account. In return for their trust and generosity, the reader is promised a large percentage of the money that’s locked away. If the reader does decide to send money, more requests will follow. According to subsequent e-mails sent by the scammer, unexpected costs keep being discovered, such as increased taxes or bribes to officials. The scammers will continue to ask for money as long as the victim sends it. Needless to say, victims never receive a payout, regardless of how much money they send.

A variant of the 4-1-9 attack targets vendors who sell products or rent accommodations online. The fraudster, posing as a buyer, tenant, or client from another country, offers to buy a product, rent a property, or contract a service. The fraudster then sends the victim a fake check or international money order for much more than the item or service is worth, along with an explanation of why they cannot pay a smaller amount. The fraudster asks the victim to deposit the payment in a personal bank account and transfer the overage back. Later, of course, the victim discovers the swindle and that the original “payment” was fake.


These types of scams have some common traits:
• The message (usually an e-mail) is unexpected.
• You don’t know the sender.
• There is a long, sad story about why the sender needs your help to access money.
• You are asked to help by transferring funds.
• A large payment is offered in exchange for assistance.

The examples of advance fee fraud are many and varied; they include investment proposals, lottery winnings, and online dating scams. The example shown in Figure L01-10 is fairly typical.

Figure L01-10 UAE World Expo Phishing E-Mail


How You Should Respond to Phishing E-Mails
The easiest response to a suspected phishing e-mail is to delete it. Most larger organizations have automated filters in place to catch phishing attempts. Most companies also offer staff assistance to deal with such e-mail and provide an account like abuse@yourcompany.com where you can send suspicious messages (ideally forwarded as an attachment, so the original headers are preserved for the analyst). Many organizations have a web resource that shows examples of current phishing messages that are making the rounds; this resource helps users stay abreast of emerging threats in social engineering. At Kennesaw State University in Georgia, the resource is called the phishmarket. You can see it at https://uits.kennesaw.edu/ocs/phish-market/index.php.

When dealing with suspicious e-mail, the best advice is to be skeptical. Phishers are good at what they do. Many malicious e-mails include convincing brand logos, persuasive language, and a seemingly valid e-mail address. However, if an e-mail message looks even remotely suspicious, do not open it. If the message seems too important to ignore and you cannot easily toss it away, follow up using contact details you find somewhere other than in the e-mail. Go to the sender’s web site or call the colleague who allegedly sent you the attachment or urgent request. If the original message was valid and urgent, the sender will appreciate your follow-up.

You should report fraudulent e-mail and other types of social engineering attacks. If you work for a company, contact the help desk or the information security team. For suspicious e-mails sent to your personal account, your e-mail provider or ISP may be able to help you. After evaluation, the company’s technical support team should follow up to ensure that the e-mail was deleted and that no losses occurred. If you fall victim to a phishing attack, get help as soon as possible, because lost time can reduce the ability to recover losses. If the attack involved a bank or a credit card company, or if you have an identity protection service (like LifeLock), get them involved as soon as you can.

When dealing with phishing attacks, it does not matter if your organization has the most secure systems in the world. It takes only one untrained employee to be fooled and give away data your organization has worked hard to protect. Make sure that you and your co-workers understand the examples illustrated in this lab so you can detect the telltale signs of a phishing attempt.


Test Your Knowledge
Now let’s test your knowledge. Imagine that you are a help-desk analyst reading your organization’s abuse e-mail account as co-workers send in suspicious messages. Look at each of the following messages and then determine whether you think they are legitimate or suspicious. Print out the answer page at the end of the lab for recording your answers. For each suspicious message, explain why you think it fails the “smell test.” Here is a handy list you can use when evaluating each of the following example e-mails:
• The message asks for sensitive information.
• The message does not contain your correct name; other details are incorrect as well.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message forces you to a web page.
• The message has an attachment that is not expected.
• Links in the message seem suspicious.
• The message requests that you send money.


Example 1

Example 2


Example 3

Example 4


Example 5

Example 6


Example 7

Example 8


Example 9


Example 10


Phishing Email Responses

Email        Trustworthy (T) or Suspicious (S)    Reason
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7
Example 8
Example 9
Example 10

Instructor’s Response:

Hands-On Lab: Web Browser Security. To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431

Table of Contents
Introduction, p. 2
  Objective, p. 2
  Estimated Completion Time, p. 2
  Materials Required, p. 2
  Minimum System Configuration, p. 2
Web Browser Security for Google Chrome, p. 2
  Autofill, p. 3
  Safety Check, p. 7
  Privacy and Security, p. 9
  Incognito Browsing, p. 13
Web Browser Security for Mozilla Firefox, p. 14
  Protections Dashboard, p. 15
  Privacy and Security, p. 17
  Private Window Browsing, p. 22
Web Browser Security for Microsoft Edge, p. 23
  Profiles, p. 25
  Privacy, Search and Services, p. 27
  Family Safety, p. 30
  InPrivate Window Browsing, p. 31
Web Browser Security for Apple Safari, p. 32
Self-Reflection and Response, p. 34
  Instructor’s Response, p. 34


Introduction This module describes how to configure the security and privacy features of several popular web browsers to minimize the probability of unwanted disclosures or exploits. Modern web browsers are among the most heavily used tools for accessing remote information. Organizations develop complex web sites to share information with their customers and suppliers, and internal sites to share information with employees. While examining every feature of every available browser is beyond the scope of this lab, we will look at some of the more common security features and settings of the most widely used browsers. Note: if you are performing these labs on organizational equipment, such as computers in a university lab or at a business, some of these options may be locked by policy and unavailable. All of them can be performed on your personal computer or laptop.

Objective
Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.

Estimated Completion Time
If you are prepared, you should be able to complete:
• The Web Browser Security and Privacy labs in 1 to 1.5 hours.

Materials Required Access to the named web browsers.

Minimum System Configuration Completion of this lab requires that the user have the appropriate rights and privileges to modify software on the local system.

Web Browser Security for Google Chrome The first web browser discussed is Google Chrome (https://www.google.com/chrome/), shown in Figure L02-1.


Figure L02-1 Google Chrome Website 1. Download the Google Chrome browser by going to https://google.com/chrome and clicking the Download Chrome button. Follow the on-screen prompts until the software has installed. 2. Access the Google Chrome settings by clicking the Customize and Control Google Chrome button (a vertical ellipsis) beneath the close-window button in the upper right corner, or type chrome://settings/ in the address bar. On this screen are several settings important to security, including Autofill, Passwords, Payment Methods, Safety Check and Privacy & Security.

Autofill The first set of options to investigate is in the Autofill section, as shown in Figure L02-2. Here the user can configure the browser’s ability to remember Passwords, Payment Methods, and Addresses.


Figure L02-2 Google Chrome Settings 3. Click the Passwords menu option shown in Figure L02-2. You should see the options shown in Figure L02-3. If you are sharing a computer with anyone else, even a family member, you should disable both the Offer to save passwords and Auto Sign-in options by clicking the slider to the right of each option so that it moves to the left (off). Similarly, if you are using a computer owned by an organization and not by you, you should disable these options. On your personal systems, you can sign in to Google Chrome and it will sync your settings, including saved passwords, across multiple computers. This is fine only if you remember to sign out of Chrome before logging out of the computer; otherwise someone else using the computer could have access to your credentials.


Figure L02-3 Google Chrome Passwords Settings 4. If you have been using Google Chrome for some time and storing system credentials in the browser, you may want to periodically check those credentials (usernames and passwords). Attackers work to compromise systems and steal credentials, then sell or share the stolen data on underground markets (“the dark web”). Google maintains a database of credentials exposed in known breaches and lets you check whether any of your stored credentials appear in it; the comparison is done on hashed and encrypted values, so Chrome does not send your plaintext passwords to Google. Click the Check passwords button to review your credentials. 5. As shown in Figure L02-4, Google Chrome will let you know when there is a problem with your stored credentials, including those with passwords that Chrome views as “weak” or that are reused across sites. You will have the option to change any password Chrome has flagged by clicking the Change password button beside the account credentials shown. If there were any compromised passwords, they would be listed above the Weak passwords section.
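Step 4 describes Chrome comparing your saved credentials against breached credentials without giving Google the passwords themselves. The following added example (written for this page; it is not Chrome’s code and not Google’s protocol) shows one well-known way to do that: the k-anonymity range query used by the Have I Been Pwned “Pwned Passwords” API. The client sends only the first five hex characters of the SHA-1 hash of the password, the server returns every hash suffix it holds under that prefix, and the client does the match locally, so the server never sees the password or even its full hash. Chrome’s Password Checkup uses a different private-set-intersection protocol, so this illustrates the design goal rather than Chrome’s implementation. The breach corpus and the saved logins below are constructed for the example, and the reuse check at the end mirrors the “reused passwords” item in Chrome’s Safety check.

```python
"""k-anonymity breached-password lookup (added illustration, not Chrome's code).

Server side: an index of SHA-1(password) digests split into a 5-hex-character
prefix and a 35-character suffix.  Client side: send only the prefix, receive
all suffixes under it, match locally.  The server learns 20 bits of the hash,
which is consistent with roughly one in a million possible passwords.
"""
import hashlib

PREFIX_LEN = 5

# Constructed breach corpus (not real leaked data): password -> times seen.
BREACHED = {"password": 3_730_471, "Password123": 120_845, "letmein": 88_011}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password, as Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Server side: prefix -> {suffix: count}."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix):
    """Server side: the only request the server ever answers.  It returns
    every suffix under the prefix, whether or not the caller's password is
    among them, so the response alone does not reveal a hit or a miss."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range query takes exactly the 5-character prefix")
    return dict(index.get(prefix, {}))


def breach_count(index, password):
    """Client side: hash locally, query by prefix, match the suffix locally.
    Returns how often the password appeared in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    suffixes = range_query(index, digest[:PREFIX_LEN])
    return suffixes.get(digest[PREFIX_LEN:], 0)


def check_saved_logins(index, logins):
    """Run the checkup over saved (site, username, password) triples.
    Returns (compromised, reused): the (site, username) pairs whose password
    is in the corpus, and groups of sites that share one password."""
    compromised = [(site, user) for site, user, pw in logins if breach_count(index, pw)]
    sites_by_password = {}
    for site, _, pw in logins:
        sites_by_password.setdefault(pw, []).append(site)
    reused = [sites for sites in sites_by_password.values() if len(sites) > 1]
    return compromised, reused


# Constructed saved logins for a demonstration run (not real accounts).
SAVED_LOGINS = [
    ("bank.example", "alice", "letmein"),
    ("mail.example", "alice", "letmein"),
    ("shop.example", "alice", "Tr0ub4dor&3xyz"),
]

if __name__ == "__main__":
    index = build_index(BREACHED)
    compromised, reused = check_saved_logins(index, SAVED_LOGINS)
    print("compromised:", compromised)
    print("reused across:", reused)
```

The server-side function is deliberately the only entry point the “service” exposes: a client cannot ask “is this hash breached?”, only “what suffixes exist under this prefix?”, which is what keeps the lookup private even if the service logs every request.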


Figure L02-4 Google Chrome Check Passwords Results 6. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the address bar. 7. Select Payment methods in the Autofill section. As shown in Figure L02-5, Google Chrome can remember your commonly used payment methods. Use extreme caution when allowing Chrome to do this, as it would let anyone else using the system pay with your cards. Chrome does require the card’s security code (the CVC on the reverse) before filling a saved card, but someone who watched you use the card may have memorized it, and could then shop on your credit.

Figure L02-5 Google Chrome Payment Methods Settings


8. For systems you share with others, or which belong to an organization, it is recommended that you disable the Save and fill payment methods and Allow sites to check if you have payment methods saved options by clicking the slider to the right of each option so that it moves to the left (off). Any payment methods already saved are listed at the bottom of this menu and can be removed there. 9. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the address bar. 10. Click the Addresses and more option under Autofill. As shown in Figure L02-6, here you can allow Google Chrome to remember key addresses, much the same as passwords and payment methods. Again, disable this option on shared systems or systems owned by an organization.

Figure L02-6 Google Chrome Addresses and more Settings 11. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.

Safety Check The next area to examine is the Safety check menu, shown in Figure L02-7. Like the password check in the previous section, this function determines whether there are any issues with your Google Chrome installation, including pending updates, Safe Browsing status, compromised passwords, and harmful extensions.

Figure L02-7 Google Chrome Safety Check 12. Click the Check now button to run the Safety check. Figure L02-8 shows a sample results screen.


Figure L02-8 Google Chrome Safety Check Results 13. Review and resolve any issues identified by clicking the corresponding button to the right of each item. If you did not resolve all issues with Chrome-managed passwords, you can fix those here as well by clicking the Review button. 14. If your system is not currently using Safe Browsing, select the Manage button and choose the option that best suits your preferences. At a minimum you should select Standard protection under Safe Browsing. Enhanced protection blocks more, but it sends more browsing data (including the URLs you visit) to Google, as illustrated in Figure L02-9. 15. There are additional options under Advanced you may specify. If available, enable Use secure DNS so that DNS lookups are sent over HTTPS rather than in the clear. There are also options to manage your certificates and to enroll in the Google Advanced Protection Program here. Advanced Protection requires a security key (a hardware token or the built-in key on your phone) to sign in to your Google account. Visit https://landing.google.com/advancedprotection/ if you want to learn more. 16. Also available under Safety check is Extensions management. Extensions are add-ons that provide additional functionality in Chrome, but they run with broad access to the pages you visit and can introduce new vulnerabilities or leak data. If Chrome has flagged any installed extension, the option to resolve it appears here (see Figure L02-8 above). 17. Return to the Settings page by using the back option again.


Figure L02-9 Google Chrome Safe Browsing Settings

Privacy and Security Back at the Settings screen, the next section is Privacy and Security. As shown in Figure L02-10, here you can clear your browsing data and cookies and adjust other security features.

Figure L02-10 Google Chrome Privacy and Security Settings


18. Click on Clear browsing data. Here you can specify whether you want to clear your browsing history, cookies and cached images and files from your browser. Periodically you may experience issues using a piece of software that caches files on your system. Clearing your browsing data by checking the options shown in Figure L02-11 and clicking the Clear data button will give you a fresh start and force your browser to download all new web content. If you are not logged in to Google, this action will only clear the cached information on the local machine. If you are logged in, it will clear this information for all systems you are logged into, as the data is stored and synced by Chrome. 19. You can specify how much data to clear by using the pull-down box next to Time range. Use this option to select All time, if not already selected and click Clear Data.


Figure L02-11 Google Chrome Clear Browsing Data Settings 20. Click the Cookies and other site data option. As shown in Figure L02-12, here you can specify which cookies are allowed to be stored on your system. While you can block all cookies, you would quickly run into problems on some web sites. At a minimum, it is recommended you select Block third-party cookies in Incognito, as shown in the figure, although you may decide to select Block third-party cookies for more privacy (third-party cookies are set by a domain other than the site you are visiting, which is how advertising networks track you across sites). To change your selection, simply click the radio button (circle) to the left of the desired option.


Figure L02-12 Google Chrome Cookies and Other Site Data Settings 21. Further down this screen you can view all cookies currently stored on your system by selecting the See all cookies and site data option. This allows you to selectively delete the cookies from one vendor by clicking the trash can icon shown in Figure L02-13.

Figure L02-13 Google Chrome View Cookies 22. You can also add specific sites to an allow list or a block list, overriding the global allow-all or block-all choice from the previous step, and you can list sites whose cookies Chrome should clear whenever you close your windows. 23. Return to the settings page using the back arrows. 24. The Security menu option takes you back to the Safe Browsing options. 25. Click the Site Settings menu option. As shown in Figure L02-14, here you can specify the permissions granted to specific sites. This is commonly used to allow or deny the use of location information (for pizza delivery!), your camera, and your microphone (for web conferencing). It also allows you to specify permissions for notifications (popup reminders). Review the options available and adjust to your preferences.

Figure L02-14 Google Chrome Permissions Settings 26. The Additional content settings menu allows you to specify how things like sounds, images, and PDFs are handled. It also allows you to block sites that show misleading or offensive ads.

Incognito Browsing 27. While there are other settings and options in Google Chrome, these are the dominant settings related to privacy and security. There is one other feature of interest, especially if you are using a shared computer. Incognito browsing uses a separate instance of the browser that does not retain history, cookies, or site data once the window is closed. The easiest way to start an incognito session is to right-click the Chrome icon or menu option and select New incognito window. Do so now. 28. As shown in Figure L02-15, this gives you more privacy than a standard window. Keep in mind that this only prevents data from being retained on the local system; it does not hide your activity from systems that monitor network use, such as the organization’s or university’s IT department or the Internet service provider, nor from the web sites you visit.


Figure L02-15 Google Chrome Incognito Browsing

Web Browser Security for Mozilla Firefox Mozilla’s Firefox browser has many of the same features as other browsers. Firefox can be downloaded from https://www.mozilla.org/en-US/ by selecting the Firefox Browsers option in the top menu, as shown in Figure L02-16.

Figure L02-16 Mozilla Firefox


1. If you do not have Mozilla Firefox installed, go to the URL listed above and follow the instructions to download and install it. Then start Firefox. 2. To access the security and privacy options in Firefox, first click the menu button (three parallel lines in the upper right corner, under the Close button).

Protections Dashboard 3. The first security option we’ll look at is the Protections Dashboard. To open it, click the shield icon in the address bar while visiting a web page, or enter about:protections in the address bar. As shown in Figure L02-17, the first feature is Enhanced Tracking Protection. This is always on, so the dashboard is a report of how Firefox has been blocking online trackers. Also on this page is the offer to sign up for breach alerts with Firefox Monitor. This is currently free but requires a Firefox account (also free). Like Google Chrome, signing in to Firefox allows you to sync your settings across multiple systems. Firefox Monitor (shown in Figure L02-18) will alert you if your e-mail address appears in a known data breach.

Figure L02-17 Mozilla Firefox Protections Dashboard


Figure L02-18 Mozilla Firefox Monitor 4. At the bottom of this screen is the Password Management feature, shown in Figure L02-19, which allows you to manage stored passwords in Firefox. Click the Manage Passwords button.

Figure L02-19 Mozilla Firefox Password Management

5. This opens the Firefox Lockwise feature, used to manage your passwords on various web sites, as shown in Figure L02-20. Here you can edit and remove any stored passwords for your Firefox account, if logged in, or on the local system only, if not. Lockwise can also be directly accessed through the menu by selecting Logins and Passwords.


Figure L02-20 Mozilla Firefox Lockwise

Privacy and Security 6. Open the menu and select Options. Here you can specify general Firefox settings. In the left menu, select Privacy & Security. As shown in Figure L02-21, here you can specify the level of tracking allowed. At a minimum, you should ensure your system is set to Standard. While there is no lower setting available, someone may have created a custom configuration which allows fewer security features and protections. If you desire, you can set your system(s) to Strict, providing increased protection.


Figure L02-21 Mozilla Firefox Browser Privacy Settings 7. Further down this page, you have the options to clear and manage Cookies, Logins and Passwords, Forms and Autofill, History, and the Address Bar, as shown in Figure L02-22.


Figure L02-22 Mozilla Firefox Cookies and Site Data Settings


8. Click Clear Data under Cookies and Site Data. When prompted, select both Cookies and Site Data and Cached Web Content, and click Clear. 9. Next, click Clear History under History. Select Everything in the Time range to clear pull-down menu, check all boxes under History and Data, and click OK. 10. While most of these options are self-explanatory, one deserves additional attention. The Primary Password adds protection on systems used by multiple people by encrypting the saved logins under a password you choose. When it is enabled by checking the box to the left of the option, each new browser session prompts for the Primary Password before any saved credential can be filled or viewed, so someone who sits down at a shared system cannot simply reuse your saved logins. You are also prompted for it when you add, remove, or edit stored passwords. The Primary Password is separate from your Firefox account password; choose a strong one, because it protects every saved login at once. 11. Review each of these options and enter the settings that you desire. 12. Further down on this screen are the Permissions settings, as shown in Figure L02-23. Here you can specify which web sites may use features such as your location, the web camera, and the microphone.

Figure L02-23 Mozilla Firefox Permissions Settings 13. Also located in the Options menu is Firefox Data Collection and Use, shown in Figure L02-24, where you select what data, if any, Mozilla may collect and use.


Figure L02-24 Mozilla Firefox Data Collection and Use Settings 14. The last set of options in this menu are the Security features not covered elsewhere. Here you can block dangerous and deceptive content, review your certificates, and enable HTTPS-Only Mode, which makes Firefox upgrade connections to HTTPS and warn you before falling back to unencrypted HTTP. Ensure the minimum level of security by reviewing your settings and making sure they are at least as secure as the ones shown in Figure L02-25.


Figure L02-25 Mozilla Firefox Security Settings

Private Window Browsing 15. Users can open a private browsing window by right-clicking the Mozilla Firefox icon and selecting New Private Window. In this window, shown in Figure L02-26, Firefox does not save passwords, cookies, or browsing history. Existing bookmarks and saved logins remain available, but nothing new is retained once the window is closed. Again, private windows do not hide your activity from an organization’s IT department or the Internet Service Provider, and they are not anonymous to the sites you visit.


Figure L02-26 Mozilla Firefox Private Window Browsing While there are many other options you can configure for Mozilla Firefox, these are the primary security and privacy features.

Web Browser Security for Microsoft Edge Microsoft Edge is the newest browser from Microsoft, provided with its Windows operating systems. Edge replaces the venerable (and vulnerable) Microsoft Internet Explorer. Like other browsers, Edge can sync settings between systems if the user creates an account with Microsoft and logs in. 1. Microsoft Edge can be downloaded from https://www.microsoft.com/en-us/edge, as shown in Figure L02-27, although it most likely is already installed if you are using a Windows operating system like Windows 10.


Figure L02-27 Microsoft Edge 2. The first set of security and privacy features is accessed by selecting the menu (the ellipsis in the upper right corner, under the close button), then selecting Settings. As Figure L02-28 shows, options are listed on the left, with configuration on the right.


Figure L02-28 Microsoft Edge Settings

Profiles 3. Select Profiles (if not already selected). The profiles section, shown in Figure L02-29, allows quick access to sync functions, password management, and retained payment preferences.

Figure L02-29 Microsoft Edge Your Profile Settings


4. Click Passwords. As shown in Figure L02-30, here you can specify whether to allow Edge to save passwords for you, sign in automatically and provide a “reveal passwords” button so you can determine if you entered a password correctly. If you are using a shared computer, ensure these options are turned off.

Figure L02-30 Microsoft Edge Profiles/Passwords Settings 5. Click the back arrow next to Profiles / Passwords on the right side of the window to return to the Your profile page. Next, click the Payment info option. As shown in Figure L02-31, here you can allow the saving and use of payment information and manage saved payment information such as credit and debit cards or online payment accounts. If you have already added a payment card, you can edit its attributes. On shared systems, ensure this option is disabled by clicking the blue oval with a white dot, located to the right of the option. Once it is off, the oval turns white with a black dot on the left side.

Figure L02-31 Microsoft Edge Profiles/Payment Info Settings


Privacy, Search and Services 6. Click the Privacy, search and services option on the left side of the Settings menu. As shown in Figure L02-32, here you can specify one of three options for your Tracking prevention settings. At a minimum, you should select the Balanced option. You can also review blocked trackers by clicking that option beneath the three boxes and specify exceptions for trackers. Review these options now.

Figure L02-32 Microsoft Edge Tracking Prevention Settings 7. Scroll down the Privacy, search, and services menu on the right. The next section allows you to clear your browsing data and to specify what is cleared. Click the Choose what to clear button. Figure L02-33 shows the Clear browsing data area of the menu, while Figure L02-34 shows the options available once you click Choose what to clear (there are two versions of this window, as the second shows the additional options when scrolling down).

Figure L02-173 Microsoft Edge Clear Browsing Data Selection

Figure L02-184 Microsoft Edge Clear Browsing Data Settings

8. Select All time in the Time range pull-down window, then check all of the option boxes and click Clear now to completely clear Microsoft Edge’s browsing data. You can also select Choose what to clear every time you close the browser to configure Edge to clear its cached data each time you close the browser.

9. The next areas of interest are Privacy, Required diagnostic data, and Optional diagnostic data, located in the sections after Clear browsing data. The Privacy options allow you to specify whether your system allows sites to check if you have payment methods stored in Edge, as shown in Figure L02-35. Shared systems should enable Send “Do Not Track” requests and disable the payment methods option.

Figure L02-195 Microsoft Edge Privacy and Diagnostic Data Settings

10. To see what data Edge is collecting and reporting to Microsoft, click the Windows diagnostic data setting hyperlink shown at the bottom of Figure L02-38. If this is the first time you are doing this, you will have to allow the action in the pop-up window that follows. You will find yourself at the Diagnostics & feedback settings. Review these options carefully to ensure you are comfortable with their current values, and make changes as needed. You can also select Delete under Delete diagnostic data to purge data already collected and sent to Microsoft; this also deletes the data from Microsoft’s systems.

11. Figure L02-36 shows the Security menu options, including the ability to manage certificates.

Figure L02-206 Microsoft Edge Security Settings

12. The Security menu also includes Microsoft Defender SmartScreen, which can block malicious content and web sites in conjunction with the Microsoft Defender antimalware application. This sometimes-annoying pop-up, shown in Figure L02-37, will stop suspicious programs. It may give you the option to “run anyway”, in which case you should be sure the application is safe before running it. Clicking the More info option when you encounter the pop-up can help you decide whether to do so.

Figure L02-37 Microsoft Defender SmartScreen

Family Safety

13. A feature that is relatively unique to Microsoft browsers is the Family safety options. Select Family safety in the left side menu of the Settings window. As shown in Figure L02-38, you can enable this to create accounts for underage children to restrict their online access, report their browsing habits, and filter inappropriate web sites.

Figure L02-38 Microsoft Edge Family Safety

InPrivate Window Browsing

14. Users can create InPrivate browsing windows by right-clicking the Microsoft Edge icon and selecting New InPrivate Window. This window, shown in Figure L02-39, lets the user avoid saving passwords, cookies, and browsing history while in a private window. It allows the user to access any stored materials from normal browsing but will not save any new materials. Again, private windows do not hide your activity from an organization’s IT department or the Internet Service Provider.

Figure L02-39 Microsoft Edge InPrivate Browsing

While there are many other options you can configure for Microsoft Edge, these are the primary security and privacy features.

Web Browser Security for Apple Safari

While we won’t go into detail about the security features of Apple’s Safari browser, it is available from https://www.apple.com/safari/ and contains many of the same features demonstrated in the other browsers noted. Apple Safari runs only on Apple devices: Macs and iOS devices like the iPad and iPhone. On mobile devices, much of the browser configuration is managed through the device configuration rather than an options menu within Safari. Safari also has a Private Browsing mode like the other browsers.

Figure L02-40 Apple Safari

Self-Reflection and Response

Which browser(s) did you improve the security and privacy for? (Check all that you performed.)

Google Chrome Mozilla Firefox Microsoft Edge Apple Safari

Were you able to access all the security and privacy features of the browsers you used?  

Yes No (explain what you could not revise)

Do you feel more equipped to make your browser experience more secure?  

Yes No

Please explain:

Instructor’s Response

Hands-on Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Malware Defense

Hands-On Lab: Malware Defense
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Malware Defense

Table of Contents
Introduction
  Objective
  Estimated Completion Time
  Materials Required
  Minimum System Configuration
  Downloading Clam AV
  Installing AVG
  Scanning the Local System with AVG
  Installing ClamAV to a USB device
  YARA Rules in Information Security
  Installing Spybot S&D
  Scanning the Local Drive with Spybot S&D
  Enabling Windows Security
  Windows Security Options and Operations
Self-Reflection and Response
  Instructor’s Response

Introduction

Malicious software (a.k.a. malware) has been an ever-present concern, even before the recent explosion of networked devices known as the Internet of Things. In this lab, you will explore a few options that are available to deal with the threat of viruses and other malware.

Objective

Upon completion of this activity, the student will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use Clam AV on a Windows system.
• Create a portable AV scanner using a USB storage device.
• Understand what a YARA file is and how it is used.

These activities will help you complete future labs in this course.

Estimated Completion Time

If you are prepared, you should be able to complete:
• The Anti-virus/Malware labs in 1 to 1.5 hours, depending on the complexity of the computer being scanned.

Materials Required

Students will need their:
• laptop or desktop computer.
• USB device 8 GB in size that can be formatted.
• Two downloads from the Clam AV web site.

Minimum System Configuration

To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB hard drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version
• 8 GB USB storage device

Virus and Malware Prevention with Clam AV

This lab will use Clam AV to introduce a standard open-source, multiplatform, signature-based antivirus engine. Clam AV runs on Windows, Linux, BSD, Solaris, and Macintosh operating systems. Clam AV also has multiple projects and tools built around its source code. Clam AV uses a virus database for managing signatures and is extensible with YARA rules; we cover YARA rules further along in the lab. More information on Clam AV can be found in its documentation.

Downloading Clam AV

1. Open your preferred web browser and navigate to https://www.clamav.net/downloads#otherversions

2. This should open the Alternate Versions of ClamAV downloads web page. I am testing on a 64-bit Windows 10 system. I will need to download the *portable.zip file and the .exe file shown in Figure L03-1. At the time of testing, clamav-0.103.2 is the latest version. Choose the latest version available.

Figure L03-1 ClamAV download site Win64

Installing AVG

3. Using Windows Explorer, go to the location where the file was downloaded and double-click it, or double-click the downloaded file from your web browser.

4. Follow the instructions to install Clam AV. Use the defaults provided. You may need to authorize the execution of the program if you get a Windows pop-up asking for permission.

5. You will need to open a PowerShell Command Line Interface (CLI) in order to complete the installation. In the Windows Search Bar, type PowerShell, move your mouse over the application in the menu, right-click, and select “Run as administrator”.

6. Change to the Clam AV installation directory by typing:
   a. cd "c:\program files\clamav"

7. In the PowerShell window perform the following commands:
   a. copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
   b. copy .\conf_examples\clamd.conf.sample .\clamd.conf

Figure L03-2 PowerShell commands for ClamAV

8. Next, we will run the write.exe command. This will open the specified conf file (short for config) in WordPad and allow us to delete the line that says “Example”, as shown in Figure L03-3.
   a. Write.exe .\freshclam.conf
   b. Save the file and close WordPad.

9. Repeat the same procedure for clamd.conf:
   a. Write.exe .\clamd.conf
   b. Save the file and close WordPad.

Figure L03-3 Delete "Example" from the conf file

10. Next, update the ClamAV database. In the PowerShell window run:
   a. .\freshclam.exe

11. Provide a screenshot of your PowerShell window showing a successful update of Clam AV.

Scanning the Local System with AVG

12. Now that Clam AV is installed on the system and the virus database is updated, we will perform a scan of the C: drive or [root] drive. In the PowerShell window type:
   a. .\clamscan.exe "C:\Windows" -r (this will take some time to run)
   b. The PowerShell screen should start to scroll, showing the files that have been scanned and whether each file is OK or malicious, as seen in Figure L03-5.

Figure L03-4 ClamAV scanning files

13. Provide a screenshot of the PowerShell window showing a completed scan.

Installing ClamAV to a USB device

In the next section we will take the portable version of ClamAV and install it on a USB drive. This is a useful tool to have if an analyst needs to scan systems that can’t have active antivirus installed or are separated from the Internet.

14. Insert your 4 GB or larger USB device. You should back up and relocate any files present on the device that you need to keep.

15. Using Windows Explorer, go to the location where the file “*portable.zip” was downloaded and double-click it to open it in the default Zip application.

16. Extract the folder contained in the “*portable.zip” file to the USB device. We are using 7zip in the example shown in Figure L03-6.

Figure L03-5 Using 7zip to extract the zip file

17. Now we perform the same procedure we did above to prepare ClamAV. Open, or return to, your PowerShell window opened with administrative privileges. Navigate to the USB drive using cd <drive_letter>:\ (e.g., cd g:\).

18. Type pwd in the PowerShell window to verify you’re at the root of your USB device.

19. In the PowerShell window, perform the following commands:
   a. copy .\conf_examples\freshclam.conf.sample .\freshclam.conf
   b. copy .\conf_examples\clamd.conf.sample .\clamd.conf

Figure L03-6 PowerShell commands on USB device

20. Next, we will run the write.exe command. This will open the specified conf file (short for config) in WordPad and allow us to delete the line that says “Example”, as shown in Figure L03-3.
   a. Write.exe .\freshclam.conf
   b. Save the file and close WordPad.

21. Repeat the same procedure for clamd.conf:
   a. Write.exe .\clamd.conf
   b. Save the file and close WordPad.

22. Next, update the ClamAV database. In the PowerShell window, run:
   a. .\freshclam.exe

23. Save a screenshot of the update performed on the USB device.
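The configuration and scan steps above, for both the local install and the USB copy, can be scripted. The Python helpers below are an added example (not ClamAV's own tooling or the lab's code): they drop the "Example" line from the sample configs the way the WordPad step does, run clamscan as the lab does, and parse its per-file lines and SCAN SUMMARY block. The install path, the clamscan output in SAMPLE_OUTPUT and the signature name in it are assumptions made for this example.

```python
import re
import subprocess
from pathlib import Path

CLAMAV_DIR = Path(r"C:\Program Files\ClamAV")   # install path from the lab steps (assumed)


def prepare_config(sample_text: str) -> str:
    """Do what the WordPad step does: drop the bare 'Example' line that makes
    freshclam and clamd refuse to run with an unedited sample config."""
    kept = [ln for ln in sample_text.splitlines() if ln.strip() != "Example"]
    return "\n".join(kept) + "\n"


def install_configs(clamav_dir: Path = CLAMAV_DIR) -> list:
    """Copy conf_examples\\*.conf.sample to *.conf without 'Example'; return the paths written."""
    written = []
    for name in ("freshclam.conf", "clamd.conf"):
        sample = clamav_dir / "conf_examples" / f"{name}.sample"
        target = clamav_dir / name
        target.write_text(prepare_config(sample.read_text()))
        written.append(target)
    return written


# clamscan prints one line per file ("path: OK" or "path: <signature> FOUND"),
# then a "SCAN SUMMARY" block of "Key: value" lines. Other per-file statuses
# (for example "Empty file") are not counted here.
FILE_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")
SUMMARY_LINE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan_output(text: str) -> dict:
    """Turn clamscan console output into {'infected': {path: sig}, 'ok': n, 'summary': {...}}."""
    result = {"infected": {}, "ok": 0, "summary": {}}
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_LINE.match(line)
            if m:
                result["summary"][m["key"].strip()] = m["value"].strip()
            continue
        m = FILE_LINE.match(line)
        if m and m["sig"]:
            result["infected"][m["path"]] = m["sig"]
        elif m:
            result["ok"] += 1
    return result


def summary_matches_lines(result: dict) -> bool:
    """Cross-check: the summary's 'Infected files' count should equal the FOUND
    lines seen; a mismatch means the output was truncated or not fully captured."""
    reported = result["summary"].get("Infected files")
    return reported is not None and int(reported) == len(result["infected"])


def run_scan(target: str, clamav_dir: Path = CLAMAV_DIR) -> dict:
    """Run 'clamscan.exe <target> -r' as in the lab and parse its output.
    clamscan exits 0 when clean, 1 when something was found, 2 on error."""
    proc = subprocess.run([str(clamav_dir / "clamscan.exe"), target, "-r"],
                          capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.strip() or "clamscan reported an error")
    result = parse_clamscan_output(proc.stdout)
    result["exit_code"] = proc.returncode
    return result


# Constructed clamscan output (not captured from a real run) for offline testing.
SAMPLE_OUTPUT = """\
C:\\Windows\\notepad.exe: OK
C:\\Windows\\Temp\\eicar.com: Win.Test.EICAR_HDB-1 FOUND
C:\\Windows\\System32\\calc.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 8591301
Engine version: 0.103.2
Scanned directories: 3
Scanned files: 3
Infected files: 1
Data scanned: 1.25 MB
Time: 4.512 sec (0 m 4 s)
"""
```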

YARA Rules in Information Security

Composing a YARA rule for use in ClamAV is beyond the scope of this lab. However, it is important to talk about how YARA rules are used in information security and, more specifically, in malware research and detection. YARA rules are tools used primarily for malware research and detection. YARA was originally developed by Victor Alvarez of VirusTotal. These are rules used to scan files, memory images, or network traffic looking for textual or binary patterns that match known malware samples. YARA rules use strings and Boolean expressions to apply different conditions, as well as a modified form of Perl regular expressions. YARA rules basically allow an analyst to write custom rules and updates for multiple information security platforms at one time. These can be very useful when an IR analyst has discovered an indicator of compromise for a piece of malware and wants to generate a rule to alert on the presence of that malware. As an example, a YARA rule written to detect a bad string in a file can also be applied to a tool like volatility.exe and used to scan a memory image for the same malicious strings. Rules that are well written and tested can be applied for detection in IDS/IPS devices monitoring network traffic as well as in next-generation firewalls.

Figure L03-7 YARA Rule Example

In Figure L03-8 is a simple example of a YARA rule. The rule name is “silent_banker”; it looks for three specific strings ($a, $b, $c) and it will alert if it finds any of those three strings, based on the condition statement. When finished with this lab, uninstall AVG and reboot the computer.
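To make that rule structure concrete, here is an added Python example (not YARA's, ClamAV's or the lab's own code) of a minimal matcher for the rule shape just described: a named rule, a strings section of text and hex patterns, and a condition that combines them with and/or/not or "N of them". The rule and the buffer it is run against are constructed for this example, not the figure's silent_banker strings.

```python
import re


def _hex_to_regex(body: str) -> re.Pattern:
    """'{ 6A 40 ?? 00 }' -> bytes regex; '??' is a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in body.strip("{} \t\r\n").split()]
    return re.compile(b"".join(parts), re.DOTALL)


def parse_rule(text: str) -> dict:
    """Parse one rule into {"name", "strings": {$id: regex}, "condition": tokens}.
    Text strings are taken literally (no escape sequences or modifiers)."""
    m = re.search(r"rule\s+(\w+)\s*\{(.*)\}\s*$", text, re.S)
    if not m:
        raise ValueError("not a YARA-style rule")
    strings_src, _, cond_src = m.group(2).partition("condition:")
    strings = {}
    for line in strings_src.split("strings:", 1)[1].splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        ident, _, value = (s.strip() for s in line.partition("="))
        if value.startswith('"'):                    # text string
            strings[ident] = re.compile(re.escape(value[1:value.rindex('"')].encode()))
        elif value.startswith("{"):                  # hex string
            strings[ident] = _hex_to_regex(value)
        else:
            raise ValueError(f"unsupported string definition: {line}")
    return {"name": m.group(1), "strings": strings,
            "condition": re.findall(r"\$\w+|[()]|\w+", cond_src)}


def evaluate(tokens: list, hits: dict) -> bool:
    """Recursive-descent evaluation of a condition over per-string hit counts:
    expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | $id | ('any'|'all'|N) 'of' 'them'."""
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def expr():
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            value = term() or value
        return value

    def term():
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            value = factor() and value
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return value
        if tok.startswith("$"):
            return hits.get(tok, 0) > 0
        if tok in ("any", "all") or tok.isdigit():
            if take() != "of" or take() != "them":
                raise ValueError("expected 'of them'")
            need = 1 if tok == "any" else len(hits) if tok == "all" else int(tok)
            return sum(1 for n in hits.values() if n > 0) >= need
        raise ValueError(f"unexpected token {tok!r}")

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def scan(rule: dict, data: bytes) -> dict:
    """Locate every string in data, then evaluate the rule's condition."""
    offsets = {ident: [m.start() for m in pat.finditer(data)]
               for ident, pat in rule["strings"].items()}
    hits = {ident: len(found) for ident, found in offsets.items()}
    return {"rule": rule["name"], "matched": evaluate(rule["condition"], hits),
            "offsets": offsets}


# Constructed rule with the shape of the lab's silent_banker example: three
# strings, fire on any of them. The patterns are made up for this example
# ($a is only a fragment of the harmless EICAR test string).
SAMPLE_RULE = """rule lab_example {
    strings:
        $a = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
        $b = { 6A 40 68 ?? 30 00 00 }
        $c = "lab-constructed-marker"
    condition:
        any of them
}"""

# Constructed buffer: 8 filler bytes, $b (wildcard byte = 0x11) at offset 8, $a at 18.
SAMPLE_DATA = (b"\x00" * 8 + b"\x6a\x40\x68\x11\x30\x00\x00"
               + b"---EICAR-STANDARD-ANTIVIRUS-TEST-FILE---")
```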

Malware Detection with Spybot Search & Destroy

Another of the leading free anti-malware tools available today is Spybot Search & Destroy. Unlike traditional antivirus/anti-malware software, Spybot S&D is on-demand, meaning it doesn’t run all the time monitoring your system. If you purchase the upgraded version, Spybot + AV, it will provide real-time anti-virus protection. The free version, however, does not provide AV support. Begin by checking to see if Spybot S&D has already been installed on your system.

1. Click the Windows Start button and scroll down the list of installed applications that appears on the right. Look for Spybot S&D. If it is installed, skip the installation process that follows.

Installing Spybot S&D

2. Using a Web browser, go to https://www.safer-networking.org/download/.

3. Select one of the Safer-Networking Ltd. mirror sites to download the software, as shown in Figure L03-9, noting the location where the .exe is stored (your version may be labeled differently). Note that you may find a newer version than this.

Figure L03-9 Spybot Download Locations

4. Using Windows Explorer, go to the location where the file was downloaded and double-click the .exe file, or click on the link at the bottom of your web browser to install Spybot S&D. Follow the instructions on the screen to complete the installation, selecting the “more control” option when prompted. Accept the agreements and specify the installation location. Then specify Spybot (without anti-virus), as the anti-virus option requires a purchased subscription. Next, click through the remaining windows until Spybot installs.

5. The last step is to specify the startup options, as shown in Figure L03-10.

Figure L03-10 Spybot setup Wizard options

Scanning the Local Drive with Spybot S&D

6. Once Spybot is started (see Figure L03-11), it should automatically update.

Figure L03-11 Spybot Start Center

7. Click the Associated Tasks menu at the top of Spybot and select Settings. As shown in Figure L03-12, here you can specify a number of configuration options. Spend a few minutes familiarizing yourself with these options.

Figure L03-12 Spybot Settings Menu

8. One key feature of this menu is the ability to schedule a scan rather than having to run it manually. On the Schedule tab, select Add if no scan is currently scheduled. As shown in Figure L03-13, the software has automatically set up a scan for the example system on the first of every month at 12:30 am. If you want to change this, click the Edit button and make any needed changes.

Figure L03-13 Spybot Schedule Scan example

9. Click the Associated Tasks menu at the top of Spybot and select Systems Scan. You should see a window similar to Figure L03-14 appear. Make sure your settings match those in Figure L03-14 and click Start a Scan in the left side menu.

Figure L03-14 Spybot System Scan Menu

10. Let the application run. Note that it may take several minutes for the scan to finish, depending on the size and number of your system’s hard drives. It took approximately 17 minutes on the system used for this example, which had several multi-terabyte drives, each with hundreds of gigabytes of data.

11. Spybot will scan your system for specific malware attacks that an AV program might overlook, including spyware monitoring software, startup tools, and rootkits. You can see what malware is being scanned for at the bottom of the System Scan window. Some organizations may intentionally install employee-monitoring software, so check with your supervisor if you’re using this on an office computer. Once the scan has finished, review the results. You may see pages of tracking cookies, stored temporary files, and possibly even malware in the results, as shown in Figure L03-15.

Figure L03-15 Spybot Scan Results

12. You can save your scan log by clicking Save scan log… in the System scan menu on the left.

13. If you want to fix the issues identified by Spybot, leave all the items checked in the right pane and click the Fix selected button at the bottom. If you only want to fix selected items, uncheck those you do not want to fix.

14. Other options available in Spybot include Immunization and Quarantine, under the Associated Tasks menu. Immunization updates the Windows hosts file, noting web sites that contain malware. It also prevents the storage of cookies on the system and blocks the installation of spyware from known sources. Quarantine allows the user to override the software and restore a file that Spybot thinks is malware. Most malware/AV software will automatically quarantine or delete files it thinks are malicious. However, sometimes a file isn’t really malware but is easily mistaken for it (search for the term “EICAR test file” for an example). If you have a file that gets quarantined, you can select this menu option and restore the file.

15. You can generate a report of your results by selecting Associated Tasks then Report Creator, as shown in Figure L03-16. Spybot will walk you through the process.

Figure L03-16 Spybot Report Creator

16. If you installed this on your personal system, you can leave it installed. Otherwise, ask your instructor whether they want you to uninstall the software.

Virus and Malware Prevention with Windows Security

If you’re running a current Windows OS, like Windows 10, you have a free anti-virus application installed. Windows Security (formerly known as Windows Defender Security Center) is installed by default. It will be disabled if you’re running a third-party application, but in the absence of another application, it can provide protection. Begin by checking to see if Windows Security is active on your system. If you are using a computer in your university’s lab or in a commercial office, you may not be able to perform all of the labs below, but you can still review the settings and watch the indicated videos.

1. Click the Windows Start button and scroll down the list of installed applications that appears on the right. Look for Windows Security and click on the link. If it is active, you will see a screen like Figure L03-17 and can skip the installation process that follows.

Figure L03-16 Windows Security

Enabling Windows Security

2. The only way to enable Windows Security is to uninstall all other antivirus/anti-malware products. If you are performing these labs on your personal computer, you may want to ensure no other AV software is installed. New computers may have trial versions of AV software installed. If you don’t plan to renew those applications, uninstall them and open Windows Security.

Windows Security Options and Operations

1. If Windows Security is not already started, type Windows Security in the Taskbar search field and click on the link that appears. The front page shown in Figure L03-16 above should have a green check mark or the words “no action needed” for the top six menu options. The good news is that the majority of this application is automated, if you have it set up properly. If you don’t have a green check mark on the boxes, you will need to click that link and follow the prompts to activate that portion of the application.

2. Click the Virus & threat protection menu on the left, or the icon in the top left corner of the right side of the menu. You should see the screen shown in Figure L03-17 below.

Figure L06-17 Windows Security Virus & Threat Protection

3. First, learn a little more about Windows Defender Antivirus by clicking the link in the upper left corner titled “Learn more about Virus and threat protection.” This will take you to a Windows community web site where there are several videos about Windows Security and Windows Defender. Watch the following videos:
   a. Windows Security: The dashboard for device protections
      https://community.windows.com/en-us/videos/windows-security-thedashboard-for-device-protections/e_Z2bk7Cp1g?from=search
   b. Virus & threat protection: Keep Defender antivirus at full strength
      https://community.windows.com/en-us/videos/keep-your-pc-moresecure-with-windows-security-updates/YmIitr4eJ8E?from=search
   c. Windows Defender team: Make security easier
      https://community.windows.com/en-us/videos/windows-defenderteam-make-security-easier/vuduNkegxb8?from=search

4. Click the button labeled Quick scan. This will scan your core Windows files. It only takes a few minutes.

5. If you want a more thorough scan, click the Scan options menu below the Quick scan button. As shown in Figure L03-18, you can perform a full scan, custom scan, or offline scan.

Figure L06-18 Windows Defender Scan Options

6. Click the back arrow at the top left of the Windows Security window. The Allowed threats option lets you provide an exception for a particular file you know is safe but that Windows Defender keeps deleting.

7. Click the Protection history menu option. Here you can see what actions Windows Defender has taken over the past few days, as shown in Figure L03-19. If you have a long list, the Filters button allows you to sort and filter the threats shown.

Figure L06-19 Windows Defender Protection History

8. Click the back arrow to go back to the Virus & threat protection menu. Look at the Virus & threat protection updates. Is your version up to date? If it isn’t, you can click the Check for updates link to access the Protection updates menu shown in Figure L03-20 below. If your system isn’t up to date with a “Last update” date within the last week, click the Check for updates button on the Protection updates menu.

Figure L06-20 Windows Security Protection updates

9. The last option we’ll examine is Ransomware protection. If you are using a personal computer to perform these labs and have access to Microsoft OneDrive, you can set up protected space on OneDrive to allow you to recover key files in case your computer is locked or encrypted by ransomware. Never pay the ransom! Click the Manage ransomware protection link to view the options shown in Figure L06-21.

Figure L06-21 Windows Security Ransomware protection

10. Close the Windows Security window.
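The checks you just made by clicking through Windows Security in steps 7 through 9 can also be scripted, which is how you would verify them on more than one machine. The following is an added example, not part of the lab, that uses the Defender PowerShell module built into Windows 10 to report the age of the virus definitions, list the protection history, and show the state of Controlled folder access (the setting behind the Ransomware protection page). Run it from an elevated PowerShell window; Update-MpSignature in particular needs administrator rights. The seven-day threshold is the "within the last week" test from step 8.

```powershell
# Added example (not from the lab): the Windows Security checks from steps 7-9, done with the
# Defender PowerShell module that ships with Windows 10. Run from an elevated PowerShell window.

# Step 8: signature (definition) status. Warn if the definitions are older than a week and
# refresh them, which is what the "Check for updates" button does.
$status = Get-MpComputerStatus
$age    = (Get-Date) - $status.AntivirusSignatureLastUpdated
"Signature version $($status.AntivirusSignatureVersion), last updated $($status.AntivirusSignatureLastUpdated) ($([int]$age.TotalDays) days ago)"
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"
if ($age.TotalDays -gt 7) {
    Write-Warning 'Definitions are more than a week old; updating now'
    Update-MpSignature
}

# Step 7: protection history. Get-MpThreatDetection is the detection log behind the
# Protection history page; Get-MpThreat maps each ThreatID to a readable name.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime,
                  @{ n = 'Threat';    e = { $names[$_.ThreatID] } },
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } },
                  ActionSuccess |
    Format-Table -AutoSize

# Step 9: "Ransomware protection" in the Windows Security app is Controlled folder access.
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode
$pref = Get-MpPreference
"Controlled folder access: $($pref.EnableControlledFolderAccess)"
"Additional protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Apps allowed through: $($pref.ControlledFolderAccessAllowedApplications -join ', ')"
```

On a freshly installed system the detection table is usually empty, which is the expected result of the scan in this lab. Note that Controlled folder access only blocks untrusted applications from writing to the protected folders; it is not a backup, so the OneDrive recovery option in step 9 (or the backup lab that follows) is still needed.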


Self-Reflection and Response

Please share your experiences in installing the antivirus software program.

Did your scan reveal any malware operating on your computer? If yes, please describe.

Were you able to install and run SpyBot Search and Destroy? If yes, describe the results of your scan.

Please share your experiences in using the Windows antivirus solution (Windows Defender). Did it find malware that the earlier programs had not discovered?

Instructor’s Response



Hands-on Lab: Installing Security Onion Whitman and Mattord, Principles of Incident Response and Disaster Recovery, Third Edition, 2022, 978-0-357-508329; Module 4: Incident Response: Planning

Table of Contents
Objective, p. 2
Estimated Completion Time, p. 2
Materials Required, p. 2
Introduction, p. 3
Installing Security Onion, p. 4
Reflection, p. 15
Instructor's Response, p. 15



Objective Upon completion of this activity, you will have successfully created your own virtual machine to help you complete future labs in this course.

Estimated Completion Time If you are prepared, you should be able to complete this lab in 40 to 60 minutes.

Materials Required

The following software must be installed and configured on your workstation before you begin the steps of the procedure later in this lab:
• Microsoft Windows 10, or another operating system version as specified by the lab instructor
• VMware Workstation 16.X Player (or newer version) from www.vmware.com/products/workstation-player.html

This lab also requires that the following software be downloaded and that the installation file be locally available:
• Security Onion 2.3.70 (or similar version) from https://github.com/Security-OnionSolutions/security-onion/blob/master/Verify_ISO.md

You will also need the following information from your instructor to configure Security Onion. If you are installing Security Onion in a home lab, determine the values yourself and record them in the table:

Data you will need / Record the value provided by your instructor
- A static IPv4 address assigned to your computer: ________
- The subnet mask to use on your local network: ________
- The IPv4 address of your local network gateway: ________
- The IPv4 address of your DNS server: ________
- The local DNS search domain name: ________
- The network address of a network that Security Onion will monitor: ________
- Information on creating an e-mail address for the administrator account: ________
- Information on creating a password for the administrator account: ________
- Allowed addresses that can access Security Onion: ________
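Security Onion Setup asks for some of these values in a different form than the table records them: step 33 wants the management address in CIDR notation (address/prefix length) rather than an address plus a dotted subnet mask, and step 40 wants the network address to monitor. The following is an added example, not part of the lab, that converts the table's values and checks them before you type them into the installer: that the subnet mask is contiguous, that the gateway sits in the management subnet, and that the monitored network is a proper network address inside the RFC 1918 private ranges the installer uses by default. The addresses in it are constructed for illustration; replace them with the ones your instructor gave you.

```powershell
# Added example (not from the lab): convert the values from the "Data you will need" table into
# the form Security Onion Setup expects and sanity-check them. The addresses are constructed.
$ip      = '172.16.99.66'     # static IPv4 address for the management NIC
$mask    = '255.255.255.0'    # subnet mask from the table
$gateway = '172.16.99.1'      # local network gateway
$monitor = '172.16.99.0/24'   # network Security Onion will monitor (step 40)

function ConvertTo-PrefixLength([string]$DottedMask) {
    # Prefix length = number of leading 1 bits; reject masks such as 255.0.255.0
    $bits = ([System.Net.IPAddress]::Parse($DottedMask).GetAddressBytes() |
             ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous subnet mask: $DottedMask" }
    ($bits -replace '0', '').Length
}

function ConvertTo-DottedMask([int]$Prefix) {
    # /24 -> 255.255.255.0
    $bits = ('1' * $Prefix).PadRight(32, '0')
    (0..3 | ForEach-Object { [Convert]::ToByte($bits.Substring($_ * 8, 8), 2) }) -join '.'
}

function Get-NetworkAddress([string]$Address, [string]$DottedMask) {
    # Bitwise AND of address and mask, one octet at a time
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($DottedMask).GetAddressBytes()
    (0..3 | ForEach-Object { ([int]$a[$_]) -band ([int]$m[$_]) }) -join '.'
}

function Test-Rfc1918([string]$Address) {
    # True if the address falls in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
    $ranges = @{ '10.0.0.0' = 8; '172.16.0.0' = 12; '192.168.0.0' = 16 }
    foreach ($r in $ranges.GetEnumerator()) {
        if ((Get-NetworkAddress $Address (ConvertTo-DottedMask $r.Value)) -eq $r.Key) { return $true }
    }
    return $false
}

$prefix  = ConvertTo-PrefixLength $mask
$network = Get-NetworkAddress $ip $mask
if ((Get-NetworkAddress $gateway $mask) -ne $network) {
    Write-Warning "Gateway $gateway is not in $network/$prefix; check the table values"
}
$monitorNet, $monitorPrefix = $monitor -split '/'
if ((Get-NetworkAddress $monitorNet (ConvertTo-DottedMask ([int]$monitorPrefix))) -ne $monitorNet) {
    Write-Warning "$monitor is not a network address (host bits are set)"
}
if (-not (Test-Rfc1918 $monitorNet)) {
    Write-Warning "$monitor is outside the RFC 1918 ranges; make sure you are permitted to monitor it"
}
"Step 33 (management interface, CIDR): $ip/$prefix"
"Step 34 (gateway):                    $gateway"
"Step 40 (network to monitor):         $monitor"
```

With the constructed values above the script prints 172.16.99.66/24 for step 33 and no warnings. A warning about the gateway usually means the mask or the gateway was copied wrongly from the table; fixing it now is much quicker than re-running the installer.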



Note that Security Onion collects and records network traffic. Ensure that you have permission to do so before continuing with this lab. If you need more information on Security Onion, go to https://docs.securityonion.net/en/latest/analyst-vm.html#.

Introduction

In this project, you will set up a virtual system that runs Security Onion, an open-source intrusion detection and network monitoring platform. You will use Security Onion in several future hands-on labs, so it is important to get it set up and running. To complete the process, you need to download the software as an ISO file from the Security Onion link provided earlier in the Materials Required section. That link is the project's ISO verification page; follow its instructions to check the hash and signature of the ISO before you boot from it. Download the file before beginning the steps in the next section; the file is large and may take some time to download.

After you download the security-onion2.3.0.iso file, you will use it to build your virtual image using the procedure that follows. If you go to the Internet to locate this image and find that the specific version number is no longer available, the current stable build should work for your needs. However, you may notice some differences between that build and the figures included in the following steps.

You will build the virtual image using VMware Workstation Player, a virtualization application provided at no cost for personal and educational use. This tutorial assumes that VMware Workstation Player is already installed and configured on your computer; those instructions are not provided here. Installing and configuring VMware Workstation Player is a relatively simple task. This tutorial also assumes that you are using the 16.X version of VMware Workstation Player. Other versions will likely work, including the current stable build, although you may notice differences between the interface and the instructions that follow.

The Security Onion ISO file contains the CentOS 7 operating system, so you do not have to download or install an operating system before beginning this project.



Installing Security Onion

1. Start VMware Workstation Player and click the Create a new Virtual Machine link. This brings up the Welcome screen with two choices. Select the Custom (advanced) radio button and click Next.

2. Choose the Virtual Hardware Compatibility. This lets you choose which VMware hardware compatibility version the new machine is built to emulate. Accept the default and click Next.

3. Choose the Installer disc image file (iso) option and click Browse.

4. When the navigation window opens, navigate to the folder where you saved the Security Onion ISO file, select the file, and click Open.

5. When the navigation window closes, click Next.

6. In the Select a Guest Operating System window, click the Linux button, select CentOS 7 64-bit in the Version menu, and click Next.

7. Give your virtual image a name, such as "Security Onion for IRDR." Verify the location where you want to keep the virtual machine. (Hint: there should be enough room to store the system.)

8. Select the number of Processors and Cores for the virtual machine. Security Onion 2.3 requires a minimum of 2 processors. Click the drop-down arrow next to "Number of Processors" and select 2. (Note: As a safeguard, it is recommended that you never give a virtual machine more than half of the available processors or cores; doing so can cause the host system to become unresponsive.) Then click Next to continue.

9. Set the amount of Memory for the system. The minimum recommended is 4 GB. Use the slider on the left side or the text box in the upper right-hand side to set the Memory to 4096 MB.

10. Select the type of network for the system. Your professor should provide this. For my example, I will use "Bridged networking". These labs should also work with NAT networking. With bridged networking the virtual machine sits directly on the same network as your workstation, so the static address from the table must be a free address on that network; with NAT networking it must instead be a free address in the VMware NAT subnet. Click Next to continue.

11. Select the I/O Controller Type. Use "LSI Logic (Recommended)" and click Next.

12. Select a Disk Type: use "SCSI (Recommended)" and click Next.

13. Select a Disk: select "Create a new virtual disk" and click Next to continue.

14. Set the maximum disk size to 200 GB. Do not change the default option, "Split virtual disk into multiple files." Click Next.

15. Next it asks you to specify the disk file to use. This has a default name. Leave the default or change the value. Click Next to continue.

16. Click Finish to complete the configuration of your virtual system.



17. To power on your virtual machine, click the Play virtual machine link.

18. If you are asked to download VMware Tools for Linux, select Remind Me Later.

19. When the startup menu appears, as shown in Figure 4-1, click inside the virtual machine window with your mouse. Use the down arrow key to select Install Security Onion 2.3.0 in basic graphics mode and press Enter.

Figure 4-1 Security Onion startup menu

20. The operating system (OS) begins to load as the guest virtual OS. A warning screen like the one in Figure 4-2 appears and asks you to type "yes" to proceed. Enter yes and press Enter.



Figure 4-2 Security Onion warning before installation and administrator account setup

21. Enter a username for the administrator account (for example, soadmin; it does not need to be an e-mail address) and press Enter.

22. Enter a password for the administrator account and press Enter, then verify the password and press Enter again. The installer begins.

23. When you see the "Initial Install Complete" message in the console, press Enter to reboot. Press Enter again. The system reboots and goes through several load screens.

24. Next, the computer boots to a terminal window, as shown in Figure 4-3. Enter the administrator username and password when prompted.

Figure 4-3 Security Onion username and password

25. The Security Onion Setup console screen appears and asks "Would you like to continue?" Make sure <YES> is highlighted and press Enter.



26. This launches Security Onion Setup. It asks you to "Select an option": "Install" or "Configure Network". Highlight "Install" and press the Tab key to highlight <OK>. Press Enter to continue.

Figure 4-4 Security Onion Setup – Install / Configure Network

27. You have five setup options, as shown in Figure 4-5. Press the down arrow until the cursor is next to IMPORT, press the space bar to select the IMPORT option (*), and press the Tab key to highlight <OK>. Press Enter to continue.

Figure 4-5 Security Onion setup options

28. A license agreement appears for the Elastic Stack, a core component of Security Onion. Type "AGREE" in all capital letters, press Tab to highlight <OK>, and press Enter to continue.



Figure 4-6 Elastic Stack License Agreement

29. Enter an appropriate hostname (for example, "securityonion-irdr") in the highlighted area. Press Tab to highlight <OK> and press Enter to continue. If you use a unique hostname, skip the next step and proceed with step 31.

30. If the default name "securityonion" is used, it generates a warning "to prevent host conflicts". If you are on an isolated system, you may press Tab until you highlight <Use Anyway>; otherwise choose <Change> and provide a unique hostname or use one provided by the instructor.

Figure 4-7 Hostname Default Warning

31. Choose the network interface card (NIC) from which you plan to manage the virtual machine, as shown in Figure 4-8. Note that the interface name on your system may be different. Use the up and down arrows to move the cursor and press the space bar to select the interface your instructor has specified. Press Tab to highlight <OK> and press Enter to continue.



Figure 4-8 Security Onion network interface selection

32. Choose the STATIC option for the management NIC's IPv4 address, as shown in Figure 4-9, then highlight <OK> and press Enter to continue.

Figure 4-9 Security Onion management interface option

33. Enter the IP address and subnet assigned to your computer (provided by your instructor in the format shown in Figure 4-10, or determined by you on a home system). Use CIDR notation: the part before the slash is the IP address and the number after the slash is the prefix length, that is, the number of leading 1 bits in the subnet mask. For example, 172.16.99.66/24, where /24 corresponds to a mask of 255.255.255.0. Highlight <OK> and press Enter to continue.

Figure 4-10 Security Onion local system IP address and subnet in CIDR notation


34. Enter the local network gateway IP address for your network, as provided by your instructor. Highlight <OK> and press Enter to continue.

35. Enter a DNS server address to use for name resolution, as provided by your instructor. Many people use the Google Public DNS addresses, 8.8.8.8 or 8.8.4.4. Highlight <OK> and press Enter to continue.

Figure 4-11 DNS search domain

36. Enter your DNS search domain name (your local domain name). You can leave this field at the default setting unless your instructor gives you different directions. Press Tab to highlight <OK> and press Enter to continue.

37. Security Onion Setup now initializes networking. Press Enter to continue.

38. You are then asked whether this install has Internet access (Standard) or is airgapped. Some networks carry information so sensitive that Internet access is not allowed, and security tools still need to operate in that environment. For this lab, select "Standard", press Tab to highlight <OK>, and press Enter to continue.

Figure 4-12 Internet Access



39. You are asked "How would you like to connect to the Internet?" Choose the Direct option unless you have been given different instructions. If you are using a proxy, your instructor will need to provide its details. Highlight <OK> and press Enter to continue.

Figure 4-13 Internet Connection Type

40. This initiates a pre-flight check of the OS. When it finishes, enter the network address that your Security Onion installation is assigned to monitor, as given by your instructor. The default is the RFC 1918 private ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Highlight <OK> and press Enter to continue.

Figure 4-14 The network Security Onion should monitor.

41. Next, you are asked to enter an e-mail address to create an administrator account for the Web interface. Your instructor will tell you which address to use; highlight <OK> and press Enter to continue.

42. Enter and confirm a password for the Web administrator account you just created.



43. Choose the access method for the Web interface, as shown in Figure 4-15. Leave this setting at the default value of "IP," then press Tab to highlight <OK> and press Enter to continue.

Figure 4-15 Security Onion Web interface access method

44. When asked "Would you like to configure ntp servers?", highlight <NO> and press Enter to continue unless instructed otherwise. This uses the preconfigured NTP servers to set the system clock.

Figure 4-16 Configure the NTP servers.

45. When asked whether to allow access to the Web tools, highlight <NO> and press Enter unless you have been given alternate instructions. Answering <YES> runs the so-allow script, which opens ports 80 and 443 on the Security Onion firewall to the addresses you specify so that the web interface can be reached from a browser on another machine. You can achieve the same result after installation by running sudo so-allow from a bash prompt. When you do, allow only the analyst addresses recorded in your table rather than an entire network.



46. You are then presented with a summary screen of the Security Onion options that have been selected. Your screen should look similar to Figure 4-17 below but may differ based on your environment settings. Verify your settings. Press Tab to highlight <Yes> and press Enter to continue. This initiates the next phase of the install, which can take some time to complete.

Figure 4-17 Security Onion setup summary

47. Security Onion Setup continues and starts to load the required packages. This may take some time to complete. When it is finished you will see Figure 4-18. Press Enter to reboot.

Figure 4-18 Finished IMPORT Installation



48. After the reboot, a terminal screen appears and asks for login credentials. Type the administrator username you set up during the OS installation and press Enter. Type the correct password when prompted and press Enter.
• At the command prompt that appears, type sudo so-analyst-install and press Enter.
• When prompted, type the password for the administrator account and press Enter.

49. In reply to the warning that this process will make permanent changes to the system, type yes and press Enter. The installation of the analyst workstation begins.

50. When the installation is finished, you should see a screen like that in Figure 4-19.

Figure 4-19 Installation complete

51. Press Enter to reboot. The system should restart and present a graphical login. Enter the administrator e-mail username you provided earlier and click Next.

52. Enter the password for the administrator e-mail account you created earlier and click the Sign in button.

53. You should see a desktop like that shown in Figure 4-20. Security Onion is now installed. Tell your instructor that the installation is ready to use.

Figure 4-20 Security Onion



Reflection:

In 100 - 150 words, describe any problems you encountered installing Security Onion. Were you able to resolve these issues? What steps did you take?

Instructor’s Response:



Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-506431; Backup and Recovery and File Integrity Monitoring

Hands-On Lab: Backup and Recovery and File Integrity Monitoring To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-50643-1; Backup and Recovery and File Integrity Monitoring

Table of Contents
Introduction, p. 2
Objective, p. 2
Estimated Completion Time, p. 2
Materials Required, p. 2
Minimum System Configuration, p. 2
Overview of PC Data Backup and Recovery, p. 3
Microsoft Windows 10, p. 3
Apple macOS, p. 4
Linux, p. 4
Simple File Integrity Monitoring with PowerShell Get-FileHash, p. 5
Accessing PowerShell, p. 5
Using PowerShell Get-FileHash Utility, p. 6
Using Word to Compare Two PowerShell Get-FileHash Output Files, p. 7
Simple File Integrity Monitoring with HashCalc, p. 9
Download/Install HashCalc, p. 9
Using HashCalc to Calculate Hashes, p. 10
Using Maresware Hash64 and Hashcmp to Monitor File Integrity, p. 13
Downloading Hash64 and Hashcmp, p. 13
Using Hash64 to Calculate File Hashes, p. 14
Using Hashcmp to Compare File Hashes, p. 15
Self-Reflection and Response, p. 16
Instructor's Response, p. 16




Introduction

The most significant action you can take to improve the resilience and survivability of your computer system is to create a robust and tested backup process. In this lab, you will explore the process of making a backup copy of a computer system. The lab discusses how to set up regular system and data backups for Windows, Apple macOS, and Linux. If you are using a different OS, the process should be relatively similar; you can use a web browser or your OS's help files to locate the steps for your specific OS. Next, we will examine how to determine whether a file has changed, whether as a result of a backup and restore or as part of an attack.

Objective

Upon completion of this activity, you will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.

Estimated Completion Time If you are prepared, you should be able to complete all tasks in this lab in 15 to 20 minutes. Backup and recovery tasks may take longer if you have a large drive with an extensive amount of data to back up.

Materials Required

Completion of this lab requires the following software to be installed and configured on your personal computer:
• Microsoft Windows 10, or another operating system version specified by the lab instructor.
• Windows PowerShell enabled on the system.
• HashCalc from https://www.slavasoft.com/download.htm, and hash.exe and hashcmp.exe from Maresware, downloaded as part of the second set of labs.

To perform and store actual system and data backups, you will need an internal hard drive or external USB drive not currently used on your system. The lab instructions make use of Microsoft Word.

Minimum System Configuration

To complete the labs included, it is recommended that you run them from a computer system (desktop or laptop) running Windows 10 that has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB hard drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version


Overview of PC Data Backup and Recovery

Several good tutorials are available online that demonstrate the use of backup and recovery procedures. Rather than replicate their work, this lab simply points to those tutorials. As a future IT or security professional, it is important that you "walk the walk" as well as "talk the talk." In other words, you must be responsible for providing security for yourself as well as for others. Given the widespread availability of low-cost cloud storage and high-capacity external USB drives, there is no excuse for losing key files. Quite a few cloud backup services are available:
• Carbonite (www.carbonite.com)
• Dropbox (www.dropbox.com)
• Microsoft (through OneDrive at www.onedrive.live.com)
• Apple (through iCloud at www.apple/icloud)
• Google (through Google Drive at www.google.com/drive/)

Several of these vendors provide some space at no cost once you establish an account with them. All of the preceding vendors provide additional services and larger storage capacities with a paid subscription. For example, Dropbox offers 2 GB of storage for free. Dropbox works by allowing you to create file folders in Windows Explorer (for Windows systems). The folders you create and the files in them are stored on your local system and then synchronized with Dropbox cloud storage. You can install Dropbox on multiple computers, allowing synchronization among the computers and multiple users. Keep in mind that synchronization propagates every change: a file that ransomware encrypts or that you delete on one computer is synchronized to the others as well, so rely on the service's version history or on a separate backup copy rather than on synchronization alone.

Microsoft Windows 10

For local data backup and recovery, including system backups, Microsoft uses a feature called "Back up using File History." You can locate it by typing "Backup" in the Windows search bar. This feature allows traditional backups and recovery using local or networked drives. Review each of the documents listed below and perform a test backup using the instructions provided.
• The Windows support page that describes backup and recovery using the Windows 10 File History feature is available at https://support.microsoft.com/en-us/help/4027408/windows-10-backup-and-restore.
• A related article on Microsoft's support site discusses recovery options under Windows 10: https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options.
• Windows Central (www.windowscentral.com), a popular user help site, provides an article titled "How to use Windows 10 File History to back up data" at www.windowscentral.com/how-use-file-history-back-your-files.

Many more excellent online tutorials discuss Windows backup and recovery. If the preceding links do not provide satisfactory instructions, use a web browser to search for others.

Apple macOS

Like Windows, Apple provides backup and recovery instructions for its users. Between iCloud and the built-in "Time Machine" backup utility, Apple users have a number of options.
• Apple's support site provides instructions for backing up a Mac with Time Machine: https://support.apple.com/en-us/HT201250.
• Apple's support site also provides instructions for restoring a Mac from a Time Machine backup: https://support.apple.com/en-us/HT203981.

Linux

Linux users may have to do some research to learn how their version of Linux performs backups. Some parts of the process will depend on the type of file system that is installed (for example, ext3 or ext4). Web resources like the following provide instructions for performing command-line backups to external USB drives:
• How-To Geek (www.howtogeek.com), a popular user support site, provides an article that demonstrates how to perform Linux backups using the rsync utility: www.howtogeek.com/427480/how-to-back-up-your-linux-system/.


File Integrity Monitoring

What is file integrity monitoring? Simply put, it is the evaluation of a file to see whether it has changed. This is the foundation of backup and recovery file validation and is commonly used in host intrusion detection and prevention systems. For backup and recovery, we calculate the hash of a file before we back it up, and then compare that hash to the hash of the file once it is restored. If the two are the same, the file is valid and unchanged. If the hashes differ, something went wrong. Most network systems do something similar when they transmit a file, using a checksum. The basic practice is the same, with one important difference: a checksum is designed to catch accidental corruption, and an attacker who can change a file can usually adjust it so that the checksum still matches. For integrity monitoring, use a cryptographic hash such as SHA-256 (the default of the Get-FileHash utility used later in this lab), so that any change to the file produces a different hash and an attacker cannot practically craft a modified file with the same hash.


In host IDPS, the system can calculate the hash of all key files that should not change. It then periodically calculates new hashes and compares the two. If the hash has changed, then the file has changed and the HIDPS notifies an administrator to look to see if an update was performed, or whether an attacker has modified the file. Any changes to the file will result in changed hash values. In this lab, we’ll look at a simple way you can use common Windows tools to perform a simple file hash and comparison.
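The baseline-then-compare cycle just described can be scripted directly with Get-FileHash, the cmdlet the next section introduces. The following is an added example, not part of the lab, that does in PowerShell what the lab does by hand with two text files and Word's Compare feature: on the first run it records a SHA-256 baseline of the docs folder as a CSV file, and on every later run it recomputes the hashes and reports which files were modified, added or deleted. It assumes the hashtest\docs and hashtest\hashes folders from the lab on drive D:; change $Root to match your own location.

```powershell
# Added example (not from the lab): a baseline-and-compare file integrity check built on
# Get-FileHash. Assumes the lab's hashtest\docs and hashtest\hashes folders; adjust $Root.
$Root     = 'D:\hashtest'
$Docs     = Join-Path $Root 'docs'
$Baseline = Join-Path $Root 'hashes\baseline.csv'

function Get-HashSnapshot([string]$Folder) {
    # SHA-256 of every file under $Folder. The path is stored relative to $Folder so the
    # baseline still matches after a restore to a different drive letter or directory.
    Get-ChildItem -Path $Folder -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'RelativePath'; e = { $_.Path.Substring($Folder.Length).TrimStart('\') } },
                      Hash
}

function Compare-HashSnapshot($Old, $New) {
    # Report Modified, Added and Deleted files instead of a raw line-by-line diff
    $oldMap = @{}; foreach ($e in $Old) { $oldMap[$e.RelativePath] = $e.Hash }
    $newMap = @{}; foreach ($e in $New) { $newMap[$e.RelativePath] = $e.Hash }
    foreach ($p in $newMap.Keys) {
        if (-not $oldMap.ContainsKey($p))    { [pscustomobject]@{ File = $p; Status = 'Added' } }
        elseif ($oldMap[$p] -ne $newMap[$p]) { [pscustomobject]@{ File = $p; Status = 'Modified' } }
    }
    foreach ($p in $oldMap.Keys) {
        if (-not $newMap.ContainsKey($p))    { [pscustomobject]@{ File = $p; Status = 'Deleted' } }
    }
}

if (-not (Test-Path $Baseline)) {
    # First run: record the baseline (the lab's hash1.txt)
    Get-HashSnapshot $Docs | Export-Csv -Path $Baseline -NoTypeInformation
    "Baseline written to $Baseline"
} else {
    # Later runs: recompute and compare (the lab's hash2.txt plus the Word comparison)
    $changes = @(Compare-HashSnapshot (Import-Csv $Baseline) (Get-HashSnapshot $Docs))
    if ($changes.Count -eq 0) { 'No changes detected' } else { $changes | Format-Table -AutoSize }
}
```

Run it once to write the baseline, edit important_information.txt as the lab does, and run it again: only the edited file should be listed, with Status Modified. Two details matter in practice. The CSV is deliberate: redirecting Get-FileHash output with > captures the formatted table at a fixed console width, which can truncate long paths, whereas Export-Csv keeps the full path and hash. And a check like this only tells you that a file changed, not who changed it; keep the baseline file somewhere the monitored system cannot write to, or an attacker who modifies a file can simply update the baseline as well.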

Simple File Integrity Monitoring with PowerShell Get-FileHash

In this lab, we will calculate the hash values of a number of files, and then use Microsoft Word to compare before-and-after results. For the first part of this exercise, we will use PowerShell, which is built into Windows.

Accessing PowerShell

1. Before you start this lab, on a USB drive or student directory you can access during the lab, create a folder called hashtest. In that folder create two subfolders called docs and hashes, as shown in Figure L05-1.

Figure L05-1 hashtest folders

2. Next, find and save a few files to the docs folder to use in the exercise. It doesn't matter what they are as long as you can edit at least one of them. In my example, I've downloaded several NIST Special Publication PDFs and a .txt file I can edit called important_information.txt.

3. Next, start PowerShell by right-clicking the Windows Start button and selecting Windows PowerShell. You should see the Windows PowerShell window open, as shown in Figure L05-2.


Figure L05-2 Windows PowerShell

Using PowerShell Get-FileHash Utility

4. The PowerShell utility Get-FileHash (described here: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.1) provides a way to calculate the hash value of a file using a number of different algorithms. Our example will use the default, SHA256. Other options and parameters are described in the Microsoft document above.
5. Navigate to the hashtest folder you created. Then type the following command: Get-FileHash d:\hashtest\docs\*.* (replacing d: with the path to your hashtest folder) and hit Enter. You should see a list of the files contained in your docs directory and their hash values. For now, this information is only displayed in the PowerShell window.


Figure L05-3 Get-FileHash Results

6. To copy the results to a file, type the same command with the following modifications: Get-FileHash d:\hashtest\docs\*.* > d:\hashtest\hashes\hash1.txt (replacing d: with the path to your hashtest folder) and hit Enter.
7. You won’t see much happen, as the system redirects the output to the text file you specified. Using Windows Explorer, navigate to your hashtest/hashes directory and look. You should see a text file: hash1.txt. Double-click to open it. It should be identical to the results you saw on your screen.

Using Word to Compare Two PowerShell Get-FileHash Output Files

8. Our next step is to change one of the files, use Get-FileHash to produce another hash text file, and then use Word to compare the two to see if we can detect the change. Open one of the files you saved and make a few changes. It only takes a single change to end up with a different hash. Save your changes and then run the previous PowerShell command, sending the output to a different text file as follows: Get-FileHash d:\hashtest\docs\*.* > d:\hashtest\hashes\hash2.txt (replacing d: with the path to your hashtest folder) and hit Enter. (As a shortcut in PowerShell, you can use the up arrow to scroll through your previous commands and then change them.)
9. Look in your hashtest/hashes folder. You should see two text files now: hash1.txt and hash2.txt.
10. Open Microsoft Word, and then open both text files in Word. If Word prompts you with a File Conversion window, just select Unicode and click OK.
11. Click the Review menu tab at the top of one of the text files in Word, then click the Compare drop-down button. First set up the output windows by selecting Show Source Documents and then selecting Show Both.
12. Next, click the Compare button again and select the Compare… command in the menu to open the Compare Documents dialog box.


13. Under Original document, select hash1.txt. It should be available since you have the file open. If not, navigate to the hashtest/hashes folder and select it.
14. Next, under Revised document, select hash2.txt, and click OK.
15. Word will open a new document with any differences flagged, as shown in Figure L05-4. In your document, you should see a red bar beside the file you changed.

Figure L05-4 Word Comparison of hash text files

16. The original document and revised document appear at the right side of the screen. The compared document appears in the center of the screen. Any revisions appear in the “Revisions” pane at the left side of the screen. Here you see one entry for “author deleted” and one for “author inserted.” This means the two hash values in the two documents are different. You can do this with hundreds of file hash values, and the process will detect not only changed hash values but also new or missing files.


Simple File Integrity Monitoring with HashCalc

In this lab, students will calculate multiple hash values using a freely available program from SlavaSoft.

Download/Install HashCalc

1. Using a web browser, go to https://www.slavasoft.com/ and select the Downloads option in the top menu, as shown in Figure L05-5 at the bottom of this page.

Figure L05-5 SlavaSoft Downloads Page

2. At the bottom of the page, click the download links for HashCalc 2.02.
3. Save the downloaded zip file to your hashtest directory where you can execute it. Once you extract the files from the zip container, you will need to install HashCalc.
4. Double-click the HashCalc setup.exe. When prompted, accept the agreement. Install it to your hashtest directory, using the options provided. When the install finishes, it should start HashCalc automatically, as shown below.


Figure L05-6 SlavaSoft HashCalc

Using HashCalc to Calculate Hashes

5. HashCalc is a tool that can calculate the hash value of a file or a data string using multiple algorithms simultaneously. Begin by selecting the … button to the right of the data field and navigating to your docs folder. Select a document you can edit and click Open, as shown in Figure L05-7 below.


Figure L05-7 SlavaSoft HashCalc selecting file

6. Next, check all the boxes on the left of HashCalc, and then click the Calculate button at the bottom, as shown in Figure L05-8. HashCalc creates the hash values using all of these different algorithms.


Figure L05-8 SlavaSoft HashCalc results

7. Close the HashCalc utility when finished.


Using Maresware Hash64 and Hashcmp to Monitor File Integrity

While HashCalc does a great job of calculating single hash values, we need more functionality to do a file integrity check, especially with multiple files. We can use two utilities from Dan Mares’ “MaresWare.” Dan Mares is a long-renowned expert in computer forensics and has recently made some of his utilities free to download.

Downloading Hash64 and Hashcmp

1. Using a web browser, go to http://www.dmares.com/maresware/gk.htm. Scroll down to Hash and click the Get the 64-bit .exe link at the bottom, as shown in Figure L05-9. (Do NOT select Get the 32 bit .exe.) Save the file to your hashtest directory. You can view help for Hash here: http://www.dmares.com/maresware/html/hash.htm.

Figure L05-9 MaresWare Hash utility download

2. Scroll down to Hashcmp and click the Get the 32 bit .exe link at the bottom, as shown in Figure L05-10. Save the file to your hashtest directory. You can view help for Hashcmp here: http://www.dmares.com/maresware/html/hashcmp.htm.

Figure L05-10 MaresWare Hashcmp utility download


Using Hash64 to Calculate File Hashes

3. Neither of these is an installed utility; both run directly from the .exe. We’ll begin by using the hash command-line tool to calculate the hash of one of our files. Hash.exe can do the same things as the PowerShell version, calculating the hash of a single file or an entire folder of files. You could calculate the hash values of your entire hard drive if you chose to do so. Open a command window by typing cmd in the Windows task bar search field. Navigate to your hashtest directory and type the following command: hash64 -p d:\hashtest\docs\ -256. This will give us both the MD5 and SHA-256 hashes for all files in our docs directory, as shown below in Figure L05-11.

Figure L05-11 MaresWare hash64 results

4. We can redirect this output to a file for future comparison by adding the Windows redirect: hash64 -p d:\hashtest\docs\ -256 > d:\hashtest\hashes\mareshash.txt (substituting your folder locations for d: here). You should be able to verify the output file in your hashes folder, as shown below in Figure L05-12.

Figure L05-12 MaresWare Hash64 text output


Using Hashcmp to Compare File Hashes

5. Now it’s time for the second part, the comparison. First, open one of the files in your docs directory and change it. Then run the previous command again, directing your output to a second file like this: hash64 -p d:\hashtest\docs\ -256 > d:\hashtest\hashes\mareshash2.txt (substituting your folder locations for d: here).
6. Now type the following command: hashcmp d:\hashtest\hashes\mareshash.txt d:\hashtest\hashes\mareshash2.txt (substitute your directory information for d: as before). You should see a message that a difference was found between the files listed in the two hash output files, as shown in Figure L05-13.

Figure L05-13

7. This is a clear indication that the two files are different. Why they are different is a different task entirely. You could automate the entire process in a batch file accomplishing the following:
• First you would run a hash to output on a specified folder of files.
• Then you would develop a .bat (batch) program to run a hash on the same folder directing the output to a new file, and then run hashcmp to compare the new hash output file to the old.
This would essentially be a host intrusion detection process, where you detect changed files in the target directory.
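Steps 6 through 16 of the PowerShell section (hash, redirect to a text file, compare the two dumps in Word) and the batch-file automation just described can be done in one script. The following is an added example written for this page, not part of the lab or of any tool it uses; it stores the baseline as CSV rather than raw Get-FileHash text, and names each changed, new or missing file instead of leaving you to read a Word comparison. The paths D:\hashtest\docs and D:\hashtest\hashes\baseline.csv are assumptions that follow the lab’s folder layout.

```powershell
# Added example for this lab, not the lab's own code: a scripted version of
# the Get-FileHash -> redirect -> compare steps. The baseline is a CSV keyed by
# relative path, so the report can say which file changed, appeared or vanished.
# Assumed locations (they follow the lab's hashtest layout; change as needed):
param(
    [string]$DocsPath     = 'D:\hashtest\docs',
    [string]$BaselinePath = 'D:\hashtest\hashes\baseline.csv',
    [switch]$UpdateBaseline   # re-record the baseline after an authorised change
)

function Get-FolderHashes {
    param([string]$Path)
    # One SHA-256 per file, keyed by the path relative to $Path so the baseline
    # is still usable if the folder is restored to a different drive letter.
    $root = (Resolve-Path -Path $Path).Path
    Get-ChildItem -Path $root -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.Path.Substring($root.Length).TrimStart('\')
                Hash         = $_.Hash
            }
        }
}

function Compare-Hashes {
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}; foreach ($e in $Baseline) { $old[$e.RelativePath] = $e.Hash }
    $new = @{}; foreach ($e in $Current)  { $new[$e.RelativePath] = $e.Hash }

    # Walk the current set for modified and new files ...
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'NEW';     File = $p; Baseline = '';       Current = $new[$p] }
        } elseif ($old[$p] -ne $new[$p]) {
            [pscustomobject]@{ Status = 'CHANGED'; File = $p; Baseline = $old[$p]; Current = $new[$p] }
        }
    }
    # ... then the baseline for files that have disappeared.
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'MISSING'; File = $p; Baseline = $old[$p]; Current = '' }
        }
    }
}

$current = @(Get-FolderHashes -Path $DocsPath)

if ($UpdateBaseline -or -not (Test-Path -Path $BaselinePath)) {
    # First run, or an explicit refresh: record what "known good" looks like.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written for $($current.Count) files -> $BaselinePath"
    exit 0
}

$baseline = @(Import-Csv -Path $BaselinePath)
$findings = @(Compare-Hashes -Baseline $baseline -Current $current)

if ($findings.Count -eq 0) {
    Write-Output "OK: all $($current.Count) files match the baseline."
    exit 0
}

# A non-zero exit code lets a scheduled task or .bat wrapper treat any
# difference as an alert, which is the host-IDPS behaviour the lab describes.
$findings | Sort-Object -Property Status, File | Format-Table -AutoSize
exit 1
```

Run it once to record the baseline, run it again after editing a document in docs to see the CHANGED row, and run it with -UpdateBaseline after a legitimate update so the next comparison starts clean.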


Self-Reflection and Response

Have you chosen to make a backup copy of your computer system? In the space below, explain why or why not. What steps did you take (or will you take in the future) to research and implement your method?

Can you think of another reason, not mentioned in the lab, for using the file integrity monitoring features found in PowerShell? Describe how you might use it.

Were you able to install and use the hashing tools from MaresWare? What was your experience using these tools?

Instructor’s Response


Hands-On Lab: OS Processes and Services To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; OS Processes and Services

Table of Contents

Introduction 2
    Objective 2
    Estimated Completion Time 2
    Materials Required 2
    Minimum System Configuration 2
Windows Process Assessment 3
    Reviewing Windows Processes with Task Manager 3
        Opening Task Manager 3
        Reviewing Windows Processes with Task Manager 3
    Reviewing Windows Processes with Process Explorer 9
Windows Service Assessment 11
    Opening Task Manager 11
    Reviewing Windows Services with Task Manager 11
Active Processes and Services Assessment with msconfig 15
    Opening msconfig 15
    Reviewing Windows Services 16
Service Assessment with Performance and Resource Monitor 17
    Using the Performance Tab 17
    Opening Resource Monitor 19
    Using Resource Monitor 20
Self-Reflection and Response 22
    Instructor’s Response 22


Introduction

Part of the job of the information security function is to detect when things are not working as expected, specifically when we have technology that may have been compromised or corrupted so that it cannot be trusted to handle our information without risk of a breach of confidentiality, integrity, or availability. While there are many complex tools available that can assist us in detecting unusual activity on a computer, we can also perform some routine evaluations ourselves to detect whether a system has an issue that warrants further investigation. This lab will discuss the utilities available in Windows 10 that allow the users and administrators of the system to review, identify, and resolve potential issues with running processes and services, and with the current operations of the system.

Objective

Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.

These activities will help you complete future labs in this course.

Estimated Completion Time If you are prepared, you should be able to complete this lab in 60-90 minutes.

Materials Required

Completion of this lab requires the following software to be installed and configured on your personal computer:
• Microsoft Windows 10, or another operating system version specified by the lab instructor.

Minimum System Configuration

To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB Hard Drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version


Windows Process Assessment

It is important to know what programs and applications are running processes on your system, to be able to detect when a program is malfunctioning or an application is running that you didn’t authorize. There are several utilities available to allow the user to review the running processes. Once you can review these processes, you can determine which are legitimate and which are not.

Reviewing Windows Processes with Task Manager

One of the first utilities to use is the Task Manager, a tool that is native to Microsoft Windows.

Opening Task Manager

1. There are a number of ways to access the Windows Task Manager.
    a. In the Windows search bar, type Task Manager and click the app.
    b. Right-click on the Windows Start button and select Task Manager.
    c. Press the Ctrl + Alt + Del keys and select Task Manager.
    d. You can also press the Ctrl + Shift + Esc keys.
Choose one of these ways and open the Task Manager.

Reviewing Windows Processes with Task Manager

2. Once open, the default view in Task Manager shows the running processes active on this system. If your view does not look like Figure L06-1 below, click on the More details option at the bottom. You may also need to expand the window by dragging on the right edge to see additional columns.


Figure L06-1 Windows Task Manager

3. Processes are instances of a program or application that are currently running on the system. As indicated in Figure L06-1, there are currently many processes associated with Google Chrome running on the example system. You can examine each process individually by clicking the arrow to the left of the process, as shown in Figure L06-2. Each process consumes resources, although inactive processes consume less. The first thing to examine when your system becomes sluggish is whether you have too many processes running, whether they are active or not. In Task Manager, processes are grouped into Applications (programs), Background Processes, and Windows Processes.


Figure L06-2 Multiple Google Chrome Processes

4. You can select an individual process and end it by clicking on the process and then clicking on the End task button at the bottom. This is especially useful when a process/program becomes unresponsive. You can also view additional details by selecting the process, right-clicking, and selecting Details, or by simply selecting the Details tab in the top menu. Look at the details of several processes now.
5. It is important to become familiar with the processes a computer is running by examining this list from time to time. You can learn more about a process by letting Windows look it up for you on the web. Select any process, right-click on it, and select Search Online. See Figure L06-3 for an example.


Figure L06-3 Process Right Click Menu

6. This will allow you to learn more about the process, in case you don’t recognize it. You can also view the properties of the process in the same menu. Examples of the properties window and its corresponding details tab are shown in Figure L06-4.


Figure L06-4 Microsoft Word Process Properties and Details

7. The biggest challenge in managing processes is the numerous processes run on your behalf by the operating system. Scroll down in your list of processes, and you’ll see a group called Windows processes. In that group you’ll see many instances of Service Host – Windows’ tool for running services connected to dynamic link libraries (DLLs) – resources to support your computer use. The details of these components of the operating system are beyond this lab. There are a number of online references that can help you understand this better. We recommend How-To Geek: https://www.howtogeek.com/.
8. If you want to document the running processes for future reference, you can use a Command window or PowerShell:
    a. Open a command window by typing cmd in the Windows search bar and press Enter. Then type tasklist at the prompt and press Enter. You’ll get a long list on your screen with some basic information, as shown in Figure L06-5. To redirect this to a file, repeat the command adding a redirect – tasklist > processes.txt – and press Enter. This will copy the screen output to a text file.


Figure L06-5 Command prompt display of Windows processes

    b. You can do the same thing with the PowerShell command. Open a PowerShell session by right-clicking the Windows Start button on the left side of the task bar and selecting Windows PowerShell. In the PowerShell window, type Get-process and press Enter. Again, you can redirect this to a file by typing Get-process > processes.txt and pressing Enter.

Figure L06-6 Windows PowerShell Get-process command and results
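The Service Host instances mentioned in step 7 and the tasklist / Get-Process listing saved in step 8 can be tied together with a short script. The following is an added example written for this page, not part of the lab or of Windows itself; it joins each running service to its host process through the ProcessId that the Win32_Service class records, so every svchost.exe entry is listed with the services, accounts and executable behind it. The output path D:\hashtest\service-hosts.csv is an assumption.

```powershell
# Added example for this lab, not the lab's own code: resolves each "Service
# Host" (svchost.exe) process shown in Task Manager to the services running
# inside it, so a process dump can be read service by service.
# Assumed output location; change it to suit your own folders.
param(
    [string]$OutputPath = 'D:\hashtest\service-hosts.csv'
)

function Get-ServiceHostMap {
    # Win32_Service carries the ProcessId of the process hosting each running
    # service; Get-Process supplies the executable path and start time.
    $running = Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'"
    $byPid   = $running | Group-Object -Property ProcessId -AsHashTable -AsString

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc   = $_
        # Missing key -> $null; the filter leaves an empty array in that case.
        $hosted = @(@($byPid["$($proc.Id)"]) | Where-Object { $null -ne $_ })
        [pscustomobject]@{
            PID          = $proc.Id
            ServiceCount = $hosted.Count
            Services     = (@($hosted.Name) | Sort-Object) -join ', '
            # Accounts the hosted services run under (LocalSystem, NT AUTHORITY\..., etc.)
            Accounts     = (@($hosted.StartName) | Sort-Object -Unique) -join ', '
            # Path is $null when a non-elevated session cannot open the process.
            Path         = $proc.Path
            StartTime    = $(try { $proc.StartTime } catch { $null })
        }
    }
}

$map = @(Get-ServiceHostMap | Sort-Object -Property ServiceCount -Descending)
# Keep a copy next to processes.txt for later comparison, then show it on screen.
$map | Export-Csv -Path $OutputPath -NoTypeInformation
$map | Format-Table -Property PID, ServiceCount, Accounts, Services -AutoSize -Wrap
Write-Output "Wrote $($map.Count) Service Host processes to $OutputPath"
```

An svchost.exe entry that hosts no services, or whose Path is not under the Windows directory, does not match how Service Host normally runs and deserves the closer look the lab recommends for unfamiliar processes.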


Reviewing Windows Processes with Process Explorer

Microsoft has a special utility you can use to learn more about a process, specifically about what resources a process has open. If you’ve ever tried to close a file and received an error message that the file is open or in use, but couldn’t find an associated application, a process may have it locked as in use.

Download Process Explorer

9. First, ask your instructor if Process Explorer is already installed. If not, go to https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer and click on the Download Process Explorer link at the top of the page. Save the zip file to your local drive and then extract the files to a location you can access.
10. Double-click the procexp64.exe file and accept the license agreement. Process Explorer will start as shown in Figure L06-7.

Figure L06-7 Sysinternals Process Explorer


11. To view a process’ threads (parts of a process) with Process Explorer, select a process and open the process properties by clicking on the process, right click to open a menu, and then select the Properties menu item. Then click on the Threads tab. As shown in Figure L06-8, you’ll see any threads associated with that process. Note the threads are numbered with an ID (TID) and not named.

Figure L06-8 Threads associated with a process

12. Here you can see CPU consumption and other information. This information is also color coded, with new threads highlighted in green and threads that exit highlighted in red.


Windows Service Assessment

The Windows Task Manager can also be used to examine services. Services are processes that run in the background and don’t directly interact with the user or the desktop.

Opening Task Manager

1. If you don’t have the Task Manager running already, open it now using one of the following methods:
    a. In the Windows search bar, type Task Manager and click the app.
    b. Right-click on the Windows Start button and select Task Manager.
    c. Press the Ctrl + Alt + Del keys and select Task Manager.

Reviewing Windows Services with Task Manager

2. Once Task Manager is open, select the Services tab at the top. As shown in Figure L06-9, services are listed alphabetically, including a brief description and their status as running or stopped. Since services run in the background, if you don’t review the list, you may never know what is running on your system.

Figure L06-9 Task Manager Services

3. Just like you could with processes, you can learn more about a particular service by selecting it and looking at its menu. Right-click one of the services running on your system and select Details. This brings you back to the Details tab, where both processes and services are listed with additional information.


4. Go back to the Services tab, and right-click the service again, this time selecting Search online. This will open a web browser with a search on that particular service, allowing you to better understand the service.
5. If you want to document the running services for future reference, you can use a Command window or PowerShell, just like you did with processes:
    a. Open a command window by typing cmd in the Windows search bar and press Enter. Then type net start at the prompt and press Enter. You’ll get a long list on your screen of just the services that are started and running, as shown in Figure L06-10. To redirect this to a file, repeat the command adding a redirect – net start > services.txt – and press Enter. This will copy the screen output to a text file.

Figure L06-10 Command prompt display of started Windows services

    b. You can do the same thing with the PowerShell command. Open a PowerShell session by right-clicking the Windows Start button on the left side of the task bar and selecting Windows PowerShell. In the PowerShell window, type Get-service and press Enter. Unlike the command window, PowerShell includes all services and their status as stopped or running. Again, you can redirect this to a file by typing Get-service > processes.txt and pressing Enter.


Figure L06-11 Windows PowerShell Get-service command and results

6. If you want to stop a running service or start a service that is stopped, you can do so from the Task Manager. Back at the Task Manager, right-click a service and select Open Services. This opens the Services MMC, as shown in Figure L06-12. As shown in Figure L06-13, if you right-click a service in the Services MMC, you open a menu allowing you to change the status of a service and look at its properties.


Figure L06-12 Windows Services MMC

Figure L06-13 Windows Service Sub-menu


The properties include its dependencies on other services, drivers, etc. (see Figure L06-14). Review the properties of a few services to become more familiar with this information.

Figure L06-14 Service Properties Screen

Active Processes and Services Assessment with msconfig

The Windows System Configuration utility, better known as msconfig, is a utility used to troubleshoot issues with a Windows system. It includes service information, just like Task Manager, but also includes information on system boot and other useful information.

Opening msconfig

1. In the Windows task bar search field, type msconfig and press Enter. You should see the System Configuration utility as shown in Figure L06-15.


Figure L06-15 Windows System Configuration Utility (msconfig)

Reviewing Windows Services

2. Click the Services tab. This tab shows much of the same information as Task Manager and the Services MMC, as shown in Figure L06-16. From this tab you can enable or disable multiple services at once by checking or unchecking them and clicking Apply. Unchecking a service sets its startup type to Disabled rather than stopping it immediately, and msconfig will prompt you to restart for the change to take effect. Because this can have an unwanted impact on the function of your system, it is not recommended unless you know a service to be unnecessary or malicious. Disabling a malicious service here is containment, not removal: the binary and its configuration stay on disk until you remove them.


Service Assessment with Performance and Resource Monitor The last utilities we’ll look at are the Windows Task Manager Performance tab and the Windows Resource Monitor.

Using the Performance Tab

1. Open the Windows Task Manager as described in a previous lab assignment and select the Performance tab. Here you will see an overview of how your system is using its resources: the Central Processing Unit (CPU), memory, disks and network connections, as well as the Graphics Processing Unit (GPU), as shown in Figure L06-16. Select the different categories on the left side of the utility to review each one. You can also hover the mouse over parts of the screen to see additional information (see Figure L06-17). This view is only a summary, though; it does not tell you which process is responsible for the load. For that we need the Resource Monitor.


Figure L06-16 Windows Task Manager Performance Tab


Figure L06-17 Task Manager Performance Tab additional information

Opening Resource Monitor

1. There are several ways to open the Resource Monitor:
a. Select the Open Resource Monitor link at the bottom of the Task Manager Performance tab, as shown in Figures L06-16 and L06-17 above.
b. Type Resource Monitor in the Windows taskbar search field and then click the app.
c. Click the Windows Start button, then All Apps, then Windows Administrative Tools, then Resource Monitor.
d. Open the msconfig utility as described previously and select Resource Monitor from the Tools tab.
e. Hold the Windows key, press R, type resmon and click OK.
Resource Monitor will open, as illustrated in Figure L06-18.


Figure L06-18 Windows Resource Monitor

Using Resource Monitor

2. As you can see in Figure L06-18 above, Resource Monitor provides far more detail than the Task Manager Performance tab. The running processes and services are listed in the CPU window at the top. Right-click any entry to reveal a context menu that lets you end or suspend the process, or use Search Online to look it up. Select a few entries and use the Search Online feature to examine them in more detail. When you research an image name, pair it with the file location (in Task Manager's Details tab, right-click the process and choose Open file location): a copy of a well-known system binary such as svchost.exe running from anywhere other than the Windows folder is a classic sign of malware masquerading as a system process.


3. Below the CPU window are entries for Disk, Network and Memory. If one of these categories has nothing below it, click the down-arrow button to expand the entries for that category. On the right side of the Resource Monitor are several graphs of system use. Some power users keep this running on their desktop just to see which applications are demanding the most system resources. High resource use can be an indicator of something unwanted, especially if you are not actively doing something you would expect to have that impact, such as watching a streaming video, playing an online computer game, or opening 62 Google Chrome tabs. Applications that send and receive data while you are not active online can also indicate software that is stealing your information, or they could just be your backup program, Dropbox, or Microsoft OneDrive synchronising files. The Network section lists each process's TCP connections with the remote address and port, so an unfamiliar process holding an established connection to an unfamiliar address is the first thing to research. It is important to get familiar with what SHOULD occur in the normal course of using your system, to make it easier to detect what SHOULD NOT occur.
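The question step 3 raises, "which process is talking to the network, and to whom?", can be answered from PowerShell without Resource Monitor. The function below is an added example, not part of the lab: it joins established TCP connections to their owning processes and, with -OnlyExternal, hides loopback and private-range peers so that only connections leaving the LAN remain. It assumes Windows 10 with the built-in NetTCPIP module and an elevated session (the executable path of other users' processes is only visible to administrators).

```powershell
# Added example (not from the lab): map established TCP connections to their owning process.
# Assumes Windows 10 (Get-NetTCPConnection ships with it); run elevated to see every process's Path.
function Get-ConnectionOwner {
    param([switch]$OnlyExternal)   # drop loopback and RFC 1918 peers, keep Internet-bound ones

    # Index running processes by PID once, rather than calling Get-Process per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established | ForEach-Object {
        $p      = $procs[[int]$_.OwningProcess]
        $remote = [string]$_.RemoteAddress
        # Loopback, 10/8, 192.168/16, 172.16/12, IPv6 loopback and link-local are "inside".
        $isPrivate = $remote -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
        if ($OnlyExternal -and $isPrivate) { return }

        [pscustomobject]@{
            Process = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
            PID     = $_.OwningProcess
            Path    = if ($p) { $p.Path } else { $null }   # $null for protected/system processes
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($remote):$($_.RemotePort)"
        }
    }
}

# Connections leaving the LAN, grouped by process. A name you do not recognise, a Path outside
# Program Files / Windows, or a browser with dozens of peers you are not using are the leads.
Get-ConnectionOwner -OnlyExternal | Sort-Object Process, Remote | Format-Table -AutoSize
```

Run it once while idle and once while doing something you expect to use the network, and compare; that is the "know what SHOULD occur" baseline the lab describes, captured as data rather than a glance at a graph.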


Self-Reflection and Response What is the difference between a process and a service in the Windows operating system?

Can you think of why you would need to be able to determine which processes are running on your Windows computer?

Can you think of why you would need to be able to determine which services are running on your Windows computer?

Instructor’s Response


Hands-On Lab: Log Management & Security To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Log Management & Security

Table of Contents
  Introduction
  Objective
  Estimated Completion Time
  Materials Required
  Minimum System Configuration
  Log Security Issues with Event Viewer
    Opening Event Viewer
    Using Event Viewer
      Assigning Tasks to Logs and Events
      Cleaning and Managing Event Viewer Logs
  Researching Events
  Self-Reflection and Response
    Instructor's Response
  Resources


Introduction

Computer systems do many things and accomplish many complex tasks very quickly. Sometimes things go wrong inside the system, and sometimes things happen that the system does not expect. When these things happen, the computer records the event to a log, a record of events and activities that occur on a system. Some log entries are routine, noting when users log in and access certain resources. Others are security-related, recording unexpected activities and potential intrusions. In this lab, students examine the default logs present in a standard Windows operating system. Since a modern Microsoft Windows client OS such as Windows 10 is based on the same underlying architecture as Microsoft's server systems, this knowledge scales to understanding the actions of commercial servers as well as end-user systems.

Objective

Upon completion of this activity, the student will be able to:
• Access and review the various logs present in a Windows 10 computer.

Estimated Completion Time

If you are prepared, you should be able to complete:
• The log management lab in 30 minutes to 1 hour.

Materials Required Completion of this lab requires a standard Windows 10 installation.

Minimum System Configuration

To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB hard drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version


Log Security Issues with Event Viewer

To review the logs on a Windows-based computer, you will use the Event Viewer utility. While some specialized servers have their own log system, Event Viewer is used for most Windows platforms.

"Event Viewer displays these types of events:
• Error: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an error will be logged.
• Warning: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a warning will be logged.
• Information: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
• Success Audit: An audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event.
• Failure Audit: An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.

The Event Log service starts automatically when you start Windows. Application and System logs can be viewed by all users, but Security logs are accessible only to administrators."1

Opening Event Viewer

1. Open the Event Viewer using one of the following methods:
a. Open Control Panel (type Control Panel in the Windows taskbar search field), select System and Security, then Administrative Tools, and finally double-click Event Viewer.
b. Type Event Viewer in the Windows taskbar search field and click the app.
c. Hold the Windows key and press R to open the Run dialog, type eventvwr (or eventvwr.msc) and click OK.
2. Once Event Viewer has started, you should see the default view shown in Figure L07-1. Open it from an administrator account if you can: as noted above, the Security log is readable only by administrators, and step 5 below depends on it.


Figure L07-1 Windows Event Viewer

Using Event Viewer

3. Once Event Viewer is running, expand Windows Logs in the left pane. Here you will see the five default operating system logs present on most Windows systems (Application, Security, Setup, System and Forwarded Events), as shown in Figure L07-2. Specialized services like SQL Server and domain controllers have additional logs.

Figure L07-2 Event Viewer Windows Logs


4. Select Application in the left pane. The center of Event Viewer displays the entries the system has recorded. The Level of each entry was described in the introduction to this lab. Scroll down the list and look for one entry of each type: Information, Warning and Error. As shown in Figure L07-3, once you select an entry, its details are displayed in the box at the bottom of the center pane; the Details tab there offers an XML view, which is what log collectors and scripts actually parse.

Figure L07-3 Event Viewer Application Log

5. Select Security in the left pane. Again, the center of Event Viewer displays the entries the system has recorded. You will most likely see many Audit Success entries, representing a user or application accessing the system successfully. Scroll down the list and look for any Audit Failure entries, like the one shown in Figure L07-4. Failed logons are recorded as Event ID 4625. If you find multiple audit failures, you may have detected someone trying to guess the password for the system, or it may just be a user not paying attention to their typing. The Logon Type, Source Network Address and Failure Reason fields inside the event tell the two apart: many failures against several accounts from one remote address is guessing, while a few failures for one account from the local console is a typo. Consistent failures should always be investigated.


Figure L07-4 Event Viewer Security Log Audit Failure

6. Select Setup in the left pane. Again, the center of Event Viewer displays the entries the system has recorded. If you have updated Windows and there were issues, they will be logged here.
7. Select System in the left pane. Here, issues with the operating system itself are recorded. For example, the system in Figure L07-5 has an issue updating the drivers associated with an HP printer. Issues here are usually referred to the help desk, unless you are the help desk. Scroll through this list and look for any Errors.


Figure L07-5 Event Viewer System Log

8. The Forwarded Events log holds events received from other computers through Windows Event Forwarding; it stays empty unless this machine has been configured as a collector. In the other direction, a computer configured to forward its events sends them to a dedicated log server. Log servers collect information from multiple systems and look for patterns that could indicate a systematic problem, or an attacker probing multiple systems for a vulnerability that would allow them access. Forwarding also means that an attacker who clears the local log does not erase the copy the collector already holds.
9. In the left pane, click Applications and Services Logs. While Windows Logs show operating-system-focused events, here you see specialized logs for installed applications and utilities like Internet Explorer, Microsoft Office and Windows PowerShell. Take a few minutes and scroll through the entries in these logs. The Microsoft-Windows-PowerShell/Operational log is worth knowing: once script block logging is enabled, Event ID 4104 there records the content of every script block that runs, which makes it one of the most useful logs when investigating a suspected intrusion.
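Step 5 asks you to scroll the Security log for Audit Failures by eye. The function below is an added example, not part of the lab, that does the same thing at scale: it reads every Event ID 4625 from the last N hours, pulls the account, logon type, source address and status code out of the event's XML, and reports (source, account) pairs that exceed a threshold. It assumes an elevated PowerShell on Windows 10, since the Security log is administrator-only.

```powershell
# Added example (not from the lab): summarise failed logons (Security Event ID 4625).
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session on Windows 10.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # look-back window
        [int]$Threshold = 5     # (source, account) pairs with fewer failures are ignored
    )

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # -ErrorAction SilentlyContinue: Get-WinEvent writes an error, not an empty list, when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # 4625's fields are in <EventData><Data Name="...">; read them by name, not by position.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $d['TargetUserName']
            Domain      = $d['TargetDomainName']
            LogonType   = $d['LogonType']        # 2 interactive, 3 network, 10 remote desktop
            Source      = $d['IpAddress']        # '-' for local console logons
            Workstation = $d['WorkstationName']
            Status      = $d['Status']           # 0xC000006D logon failure, 0xC0000234 account locked out
            SubStatus   = $d['SubStatus']        # 0xC000006A wrong password, 0xC0000064 no such user
        }
    }

    # Many failures from one source across several accounts looks like guessing; many failures
    # for one account from one source looks like a typo or a stale saved credential.
    $rows | Group-Object Source, Account |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                Source   = $_.Group[0].Source
                Account  = $_.Group[0].Account
                Failures = $_.Count
                First    = $times[0]
                Last     = $times[-1]
                Reasons  = ($_.Group.SubStatus | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

A source that appears against many different accounts with SubStatus 0xC0000064 (user does not exist) is enumerating usernames; the same source hammering one account with 0xC000006A is guessing a password. Either pattern is what the lab means by "consistent failures should always be investigated".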

Assigning Tasks to Logs and Events

10. An interesting feature of Event Viewer is its ability to perform a task whenever an entry is written to a particular log, or whenever a particular event recurs. Back in Event Viewer, look at the Actions pane on the right. Here are several tools an administrator can use to manage the logs. Click the Security log, then in the Actions pane select Attach a Task To This Log..., indicated by the arrow in Figure L07-6.


Figure L07-6 Event Viewer Actions Menu

11. As shown in Figure L07-7, this brings up the Create Basic Task Wizard. You would normally start by naming the task. We will not be saving this task, so the information you enter is not important. Click the Next > button.

Figure L07-7 Event Viewer Create Basic Task Wizard for Log, step 1

12. In the next window, accept the default settings; when a task is attached to a whole log, the wizard does not let you add further criteria. If your system does, it may have a different configuration than the example computer.


Figure L07-8 Event Viewer Create Basic Task Wizard for Log, step 2

13. Click the Next > button to go to the next step, where you specify the action to be taken when this log receives a new entry (see Figure L07-9). The wizard offers Start a program, Send an e-mail, and Display a message. Only the first is usable on current systems: the e-mail and message actions have been deprecated since Windows 8, and a task that uses them fails when it fires, so in practice you point the task at a script that does the notifying.


Figure L07-9 Event Viewer Create Basic Task Wizard for Log, step 3

14. Unless this is your personal computer and you want to activate this task, click Cancel.
15. You can also attach a task to a specific event. Back in the Security log, scroll down to an Audit Failure event. If you were the administrator for this computer and wanted to be notified whenever another Audit Failure with this Event ID occurs, you would click the Attach Task To This Event option indicated by the arrow in Figure L07-10 below. The trigger the wizard builds matches on the log, the source and the Event ID, not on this one occurrence.


Figure L07-10 Event Viewer Attach Task to This Event

16. The process from here on, as shown in Figure L07-11, is the same as the previous Attach a Task: name it, assign an action, then save it. Click Cancel when you have reviewed these steps. Tasks created this way are stored in Task Scheduler under the Event Viewer Tasks folder, which is also where you go to edit or delete them later.


Figure L07-11 Event Viewer Create Basic Task Wizard for Event
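Steps 10 to 16 walk through the wizard and then cancel it. The script below is an added example, not part of the lab, showing what the wizard would have created for "Attach Task To This Event" on a 4625, built from PowerShell so it can be version-controlled and deployed to more than one machine. It uses the Task Scheduler CIM class for the trigger because New-ScheduledTaskTrigger has no event-trigger option, and it uses Start a program, the only action that still works (see step 13). It assumes an elevated PowerShell; C:\Tools\Alert-4625.ps1 is a hypothetical responder script you would write yourself.

```powershell
# Added example (not from the lab): scripted equivalent of "Attach Task To This Event" for 4625.
# Assumes an elevated session on Windows 10. C:\Tools\Alert-4625.ps1 is a placeholder script.
$ns      = 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass (Get-CimClass -Namespace $ns -ClassName MSFT_TaskEventTrigger) -ClientOnly
$trigger.Enabled = $true
# Same XPath the Event Viewer wizard writes (log + provider + EventID). Narrow it further,
# e.g. add "and EventData[Data[@Name='LogonType']='10']" for remote-desktop failures only.
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]</Select>
  </Query>
</QueryList>
'@

# Action: run a script. The e-mail and message actions the wizard offers are deprecated and fail.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Tools\Alert-4625.ps1'

# Run as SYSTEM so the task does not depend on a logged-on user and can read the Security log.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Alert on failed logon (4625)' `
    -Trigger $trigger -Action $action -Principal $principal `
    -Description 'Added example: runs Alert-4625.ps1 whenever Security 4625 is written'

# Confirm the event subscription was stored, then remove the task when you have finished testing.
(Get-ScheduledTask -TaskName 'Alert on failed logon (4625)').Triggers | Format-List Enabled, Subscription
# Unregister-ScheduledTask -TaskName 'Alert on failed logon (4625)' -Confirm:$false
```

A trigger that fires on every 4625 will be noisy on any machine where users mistype passwords; the usual refinement is to have the responder script count recent failures (the summary function from step 9 does this) and alert only past a threshold, rather than trying to express the threshold in XPath.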

Cleaning and Managing Event Viewer Logs

17. If your system has tens of thousands of entries, like the example system, you may want to periodically delete the archived log files. They are typically small (this system's saved Event Viewer files were only 227.5 KB), but keeping them small makes them easier to review later. To clean up ALL saved log files, select File, then Options from the Event Viewer menu at the top of the window.
18. As shown in Figure L07-12, here you can click the Delete Files button to remove them.

Before you clear a live log, keep two things in mind. First, Windows already manages log growth: each log has a maximum size (set under the log's Properties) and by default overwrites the oldest events when it fills, so manual clearing is rarely needed. Second, clearing is itself audited: clearing the Security log writes Event ID 1102, and clearing the System or Application log writes Event ID 104, each naming the account that did it. An unexplained 1102 is a classic sign of an intruder covering their tracks, so export the log (step 20) before you clear it.


Figure L07-12 Event Viewer Disk Cleanup

19. To clear a specific log, right-click the name of the log in the left pane and select Clear Log, as shown in Figure L07-13. Event Viewer asks whether you want to Save and Clear or just Clear; choose Save and Clear unless you are certain the entries are not needed.


Figure L07-13 Selected Log Menu Options

20. If you would rather save the entries in your logs, there are two ways to do this. To save an entire log, use the menu from Figure L07-13 above and select Save All Events As..., which opens a Save File window and prompts you for a name. The default option saves the log in Microsoft's binary format (Event Files, .evtx), although you can change this to XML (.xml), Text (.txt) or CSV (comma-separated, .csv) for review in a more user-friendly format. Keep the .evtx copy for anything that may become evidence: it preserves every field and the original XML, whereas the text exports keep only the rendered message.
21. If you just want to save a subset of a log's entries, select those entries by clicking the first one, then holding Shift (for sequential entries) or Ctrl (for individual entries) while clicking the others, right-clicking, and selecting Save Selected Events... from the menu, as shown in Figure L07-14.

Figure L07-14 Selected Events Menu Options
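Steps 17 to 21 export and clear logs by hand. The script below is an added example, not part of the lab, that does the same in the order an analyst would insist on: export the full .evtx first, write the analyst-friendly CSV subset, verify the export opens, and only then clear the live log, finishing by showing the Event ID 1102 record that the clear itself leaves behind. It assumes an elevated PowerShell on Windows 10; C:\LogArchive is a hypothetical archive folder.

```powershell
# Added example (not from the lab): archive the Security log before clearing it, then show the
# audit record of the clear. Assumes an elevated session on Windows 10. C:\LogArchive is illustrative.
$archive = 'C:\LogArchive'
New-Item -ItemType Directory -Path $archive -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Native export (same as "Save All Events As..." in .evtx): keeps every field and the raw XML.
wevtutil epl Security "$archive\Security-$stamp.evtx"

# 2. CSV of failed logons only, the equivalent of "Save Selected Events..." for a subset.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message |
    Export-Csv -Path "$archive\Security-4625-$stamp.csv" -NoTypeInformation

# 3. Clear only after confirming the exported file can be read back (a zero-byte export is useless).
$check = Get-WinEvent -Path "$archive\Security-$stamp.evtx" -MaxEvents 1 -ErrorAction SilentlyContinue
if ($check) {
    wevtutil cl Security          # same as right-click > Clear Log
} else {
    Write-Warning "Export could not be read back; Security log NOT cleared."
}

# 4. The clear leaves its own trace: the newest Security event is 1102 naming the account that cleared it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

The .evtx produced by wevtutil epl can be reopened in Event Viewer (Action > Open Saved Log) or queried later with Get-WinEvent -Path, so the archive stays searchable rather than becoming a pile of text files.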


Researching Events

The last task you would perform, should you find an anomaly in a log, is to research it. This essentially involves web searches, looking at reputable sites for more information on a particular error.
1. Scroll back through the Windows logs and identify a number of Audit Failures, Warnings and Errors. Then open a web browser and search for the name of the error, its Source, and any Event ID associated with it. Search on the Source and Event ID together: the same ID number means different things under different event providers.
2. At first you may have difficulty finding a reputable resource to help you. Some support sites, like https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx, have searchable encyclopedias of Windows Event Viewer ID codes, as shown in Figure L07-15 below. Go to this site now.

Figure L07-15 Ultimate Windows Security from Ultimate IT Security

3. Here you can scroll down the list and find the Windows Security Log Event ID from our example system (4625, "An account failed to log on") and learn more about it. While this entry was rather obvious, and was produced just for this lab, there are probably entries on your system that are not so obvious. Scroll down and select one of the Event IDs.


4. As shown in Figure L07-16, you can now find out more about the event, and even browse related links. Feel free to review several other log entries and familiarize yourself with the process of researching these events. One day you will have a system issue and need to perform these steps to determine whether the entry is malicious, a system error, or a user error.

Figure L07-16 Ultimate Windows Security Entry for Event ID 4625


Self-Reflection and Response

What are some of the reasons you would need to look at the Windows System Log?

Briefly describe how you might manage the growth in the size of system log files. Why would you need to keep copies of log files?

How long do you think system logs should be retained?

Instructor’s Response


Resources

1. How to use Event Viewer in Windows, https://kb.blackbaud.com/knowledgebase/articles/Article/75433


Hands-On Lab: Footprinting, Scanning, and Enumeration To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Footprinting, Scanning, and Enumeration

Table of Contents
  Introduction
  Objective
  Estimated Completion Time
  Materials Required
  Minimum System Configuration
  Network Reconnaissance with Command Line Tools
    Opening Command Window (CMD)
    Using nslookup
    Using ping
    Using traceroute
  Web Reconnaissance with Web Browsers
    Opening Web site in Web Browser (CMD)
    Using page source
    Using Inspect
    Using Whois
    Using Other Web Resources
  Scanning with Nmap
    Download and Install Nmap
    Use Nmap
  Self-Reflection and Response
    Instructor's Response


Introduction In this set of labs, students learn how attackers perform reconnaissance on potential targets using a variety of tools to perform what is known as “Footprinting.” This process includes both researching information from printed resources as well as gathering facts that can be collected from online resources and through social engineering efforts.

Objective

Upon completion of this activity, the student will be able to:
• Identify network addresses associated with an organization.
• Identify the systems associated with the network addresses.

These activities will help you complete future labs in this course.

Estimated Completion Time

If students are prepared, they should be able to complete this lab in 40 to 60 minutes.

Materials Required This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell.

Minimum System Configuration

To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB hard drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version


Network Reconnaissance with Command Line Tools

This lab uses utilities available in most operating systems. Many of these tools, like nslookup, ping, traceroute and whois, are command-line tools designed to assist network and systems administrators in debugging connections and systems. (On Windows, traceroute is called tracert, and whois is not included; Microsoft's Sysinternals suite provides a whois.exe.) In the wrong hands, they provide information on the availability and identity of systems that can be used to exploit them, which is why the same commands appear in the first phase of nearly every penetration test.

Opening Command Window (CMD)

1. Open a command window by typing cmd in the Windows taskbar search field and pressing Enter. You can also run these commands from Windows PowerShell.

Using nslookup 2. Type nslookup /?. You should see the help menu for nslookup.

Figure L08-1 nslookup help menu

3. In interactive mode, nslookup puts you in a session with the DNS resolver in which you can issue several queries; in non-interactive mode it answers a single query and exits. Type nslookup cengage.com and press Enter. You should see a response like Figure L08-2, which gives you a) the DNS server your computer sent the query to and b) the IP address(es) that cengage.com resolves to. The answer is marked Non-authoritative because it came from your resolver rather than from Cengage's own name servers. Repeat for your university's domain (e.g. stateuniv.edu). For the Microsoft technical documentation, visit https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windowsxp/bb490721(v=technet.10)?redirectedfrom=MSDN.

Figure L08-2 nslookup for cengage.com

4. The same action can be performed using the web site at nslookup.io (see Figure L08-3). As some systems may be configured to prohibit nslookups, this may be a better alternative. The web site also will provide name server (NS) and mail server (MX) records, among others. Repeat your previous searches using this web site.

5. As nslookup gives you some fundamental information about the IP address range associated with a particular organization, the attacker may verify availability of identified servers using ping or may move to more detailed, yet equally available, services: traceroute and whois.

Figure L08-3 nslookup.io

Using ping

Ping is a systems utility designed to confirm the availability of a server. It was named for the sound made by sonar systems. Note that ping may be disabled on servers, at least on their public interfaces, as it is a tool commonly used as the basis for attacker tools and exploits.

6. In your command window, type ping /? and press Enter. Your results should be like Figure L08-4, with the basic command structure and available options.


Figure L08-4 ping /?

7. Ping works with either domain names or IP addresses. In your command window, type ping cengage.com and press Enter. You should receive a number of successful pings including the time in milliseconds it takes for the ICMP echo request to travel to the Cengage server and return. (Note: for computer gamers, pings are often used to find a gaming server closer to the gamer, allowing quicker response and better performance!) If you were a systems administrator trying to figure out why you cannot communicate with a particular system, ping is very useful as you can experiment with different troubleshooting techniques.


Figure L08-5 ping cengage.com results

You will notice in the previous example that the ping only used four messages before stopping. If you needed ping to continue non-stop, you would use the -t option, which would continue until you enter Ctrl + C to stop it. Attackers use ping to see if the system is up and responding to requests, which would then allow them to move to other tools to begin to collect additional information.

Using traceroute

Traceroute provides a listing of all of the intermediate servers and networking devices between the user and the target. Again, either IP addresses or DNS names may be used to perform a traceroute.

8. In your command window, type tracert /? and press Enter. You should see results like Figure L08-6.


Figure L08-6 tracert /?

9. Next, type tracert cengage.com and press Enter. This may take a minute as each “hop” between your system and Cengage’s server responds. As you can see from Figure L08-7, when a specific node doesn’t respond in time (times out), you get an asterisk (*) rather than a value. The traceroute continues, however, until you get to the destination. (Note the gray box is to conceal the author’s home networks.)

Figure L08-7 tracert cengage.com results


10. You can see how the series of tools provides more and more information on the target and its networks and systems. If the target system was inside the organization’s network, and the network wasn’t properly configured, the traceroute would include network addresses of internal systems. From here we go to web-based resources.
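The tracert output from steps 8 through 10 can be reviewed automatically. As an added example (not part of the lab), the Python below parses constructed tracert output, records the timed-out hops (the asterisks from step 9) and lists any RFC 1918 addresses on the path, which is the internal-address exposure step 10 describes. The sample output is constructed with documentation addresses, not captured from a real network.

```python
import ipaddress
import re

# Constructed sample of Windows tracert output (documentation addresses, not a
# real capture). Hop 2 timed out; hops 1 and 3 are RFC 1918 addresses.
SAMPLE_TRACERT = """\
Tracing route to www.example.com [198.51.100.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3    12 ms    11 ms    14 ms  10.20.30.1
  4    25 ms    24 ms    26 ms  edge.isp.example.net [203.0.113.5]
  5    31 ms    30 ms    33 ms  198.51.100.10

Trace complete.
"""

# Private address space (RFC 1918), checked explicitly rather than with
# ip_address(...).is_private, which also treats documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RTT = r"(<?\d+ ms|\*)"  # "12 ms", "<1 ms" or "*" (no reply)
HOP_RE = re.compile(rf"^\s*(\d+)\s+{RTT}\s+{RTT}\s+{RTT}\s+(.+?)\s*$")
# Remainder of a hop line: "ip", "name [ip]" or "Request timed out."
ADDR_RE = re.compile(r"^(?:(?P<name>\S+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_rtt(token):
    """'*' -> None (no reply); '<1 ms' -> 1; '12 ms' -> 12."""
    if token == "*":
        return None
    return int(token.lstrip("<").split()[0])


def parse_tracert(text):
    """Return one dict per hop line; banner and trailer lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, t1, t2, t3, rest = m.groups()
        name, ip = None, None
        a = ADDR_RE.match(rest)
        if a:
            name, ip = a.group("name"), a.group("ip")
        hops.append({"hop": int(hop), "rtts": [parse_rtt(t) for t in (t1, t2, t3)],
                     "name": name, "ip": ip})
    return hops


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def review_path(text):
    """Summarise what the trace reveals to whoever runs it."""
    hops = parse_tracert(text)
    return {
        "hop_count": len(hops),
        "timed_out": [h["hop"] for h in hops if h["ip"] is None],
        # Hop 1 is normally your own gateway; private addresses at later hops
        # mean an intermediate network is exposing its internal addressing.
        "private_hops": [(h["hop"], h["ip"]) for h in hops if h["ip"] and is_rfc1918(h["ip"])],
        "destination": hops[-1]["ip"] if hops else None,
    }


if __name__ == "__main__":
    print(review_path(SAMPLE_TRACERT))
```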

Web Reconnaissance with Web Browsers

This lab uses a function built into certain web browsers and web sites to support the development of web pages and the assignment of web addresses.

Opening Web site in Web Browser (CMD)

1. In your browser search bar, go to www.cengage.com and press Enter.

Using page source

2. Right click on the web page and select View Page Source (note: this is the same command in Chrome, Firefox, and Edge).

3. If you are using Google Chrome, check the Line wrap box at the top. You should see results similar to Figure L08-8.

Figure L08-8 cengage.com view page source results

4. It may be startling to realize you can view the HTML code on most web pages. In the early days of web site design, the web developer would put a good deal of background information in the comments section of the HTML code, including their name, title, phone number, and address, so that if someone found an issue they would know who to contact. Even today, organizations may put information in that they really don’t mean for the average user to be able to view. Attackers will look at this code for clues as to the type of web service, software, operating system, etc. Modern web design emphasizes removing any unnecessary information in the HTML code to minimize the chance that it can be used to assist an attacker.

5. Scroll down through the code and look for any information that you think an attacker might find useful. Repeat this exercise for your school’s home page.

Using Inspect

6. Most web browsers include additional developer tools that assist web developers and, unfortunately, also let attackers experiment with the web site’s code. Using your browser, on the cengage.com home page right click and select Inspect. You should see results like Figure L08-9.

Figure L08-9 Google Chrome inspect cengage.com results


7. Using this tool, you can change the HTML code and observe the results. Since the editing only takes place on your system, it doesn’t constitute hacking. A talented attacker could, however, experiment to see what they can learn from manipulating the code.
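A defender's counterpart to steps 4 and 5: the added Python below (not part of the lab) runs the same review over a page's source before it is published, collecting every HTML comment and the generator meta tag and flagging the contact details, internal paths and software versions that step 4 says should be removed. The page source is constructed for the example and is not cengage.com.

```python
import re
from html.parser import HTMLParser

# Constructed page source (not cengage.com): the kind of leftovers step 4 describes.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<!-- Site maintained by J. Doe, Web Admin, ext. 555-0100, jdoe@example.com -->
<meta name="generator" content="ExampleCMS 4.2.1">
<title>Example Corp</title>
</head>
<body>
<!-- TODO: remove legacy login at /old-admin before go-live -->
<p>Welcome</p>
<!-- Last updated 2021 -->
</body>
</html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{4}\b")   # extensions / short local numbers
PATH_RE = re.compile(r"(?<!\w)/[\w./-]+")       # internal URLs or file paths


class SourceAuditor(HTMLParser):
    """Collects HTML comments and the generator meta tag from a page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.generator = None

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = {k.lower(): v for k, v in attrs if v is not None}
            if a.get("name", "").lower() == "generator":
                self.generator = a.get("content")


def audit_source(html):
    """Return the comments and tags that leak information an attacker would collect."""
    parser = SourceAuditor()
    parser.feed(html)
    checks = (("email", EMAIL_RE), ("phone", PHONE_RE), ("path", PATH_RE))
    findings = []
    for comment in parser.comments:
        reasons = [label for label, rx in checks if rx.search(comment)]
        if reasons:
            findings.append({"comment": comment, "reasons": reasons})
    if parser.generator:
        findings.append({"generator": parser.generator, "reasons": ["software version"]})
    return findings


if __name__ == "__main__":
    for f in audit_source(SAMPLE_HTML):
        print(f)
```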

Using Whois

Whois is another network service designed to provide information contained in the Internet’s online databases, like the DNS database and IP registries. Like the other tools, it’s useful to help system and network administrators to troubleshoot problems. Also, like other tools, it can be used by attackers to learn more about an organization’s systems before attempting to directly access them.

8. In the web browser, go to www.internic.net. As shown in Figure L08-10, InterNIC is a public database to provide information on domain and IP registrations.

Figure L08-10 interNIC.net

9. Select the Whois menu option at the top. This will redirect you to https://lookup.icann.org/ as shown in Figure L08-11. ICANN is the non-profit Internet Corporation for Assigned Names and Numbers, responsible for coordinating the databases that manage internet IP addresses and URL names.

Figure L08-11 ICANN.org

10. Type cengage.com in the space provided for Domain Names and press the Lookup button. You may have to click to accept the terms of the site in a popup to continue. Scrolling down you should see the information shown in Figure L08-12. Here you will find some of the information previously viewed on the name servers, and domain registration information, among others.


Figure L08-12 icann.org cengage.com lookup results

11. At the bottom, you can expand the Raw Registry RDAP Response and the Raw Registrar RDAP Response to see the raw data of the various responses. You may notice that several fields have the term “REDACTED FOR PRIVACY: Object redacted due to authorization.” This means the system has been set up to hide some information that could assist attackers. This is a relatively new update to the lookup function. Previously the system would provide a list of all of the IP address ranges and other data associated with the lookup target. If you can’t get what you want here, you may be able to get it from another site.


Using Other Web Resources

There are many other internet resources that can be used to find out an organization’s IP address range. A quick web search finds ip-netblocks.whiosxmlapi.com/lookup. There are many others.

12. Using your web browser, go to ip-netblocks.whiosxmlapi.com/lookup (or other similar web site), and enter cengage.com into the lookup. You should see results like Figure L08-12, which found 56 separate IP address ranges for Cengage.

Figure L08-13 WhoisXMLAPI cengage.com results

13. An attacker could then use these address ranges in other, more sophisticated tools to begin probing the target’s systems to determine more about them. However, a) do not do this, and b) this concludes the “footprinting” section of the lab. Having started with just a domain name, you now know about the target’s DNS server, Name Servers, Mail Servers, and all of the IP address ranges that are assigned to the organization.
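The raw RDAP responses from step 11 are JSON documents. As an added example (not part of the lab), the Python below reads a constructed registry response of that shape, lists the name servers, registration dates and contacts, and reports which contact fields carry the REDACTED FOR PRIVACY marker, so you can check what your own domain's registration still exposes. The response is constructed to match the RDAP domain format (RFC 9083); it is not a real registry record.

```python
import json

# Constructed RDAP domain response (RFC 9083 shape), not a real registry record.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
        {"objectClassName": "nameserver", "ldhName": "ns2.example.net"},
    ],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-08-13T04:00:00Z"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                                  ["org", {}, "text", "Example Corp"],
                                  ["email", {}, "text", "REDACTED FOR PRIVACY"]]],
         "remarks": [{"title": "REDACTED FOR PRIVACY",
                      "description": ["Object redacted due to authorization."]}]},
    ],
})

REDACTED = "REDACTED FOR PRIVACY"


def vcard_fields(entity):
    """Flatten an entity's jCard (vcardArray) into {property: value}."""
    fields = {}
    vcard = entity.get("vcardArray")
    if not vcard or len(vcard) < 2:
        return fields
    for prop in vcard[1]:  # each property is [name, params, type, value]
        name, value = prop[0], prop[3]
        if name != "version":
            fields[name] = value
    return fields


def summarize_rdap(raw_json):
    """Pull the registration facts a registrant would review from a raw RDAP response."""
    doc = json.loads(raw_json)
    summary = {
        "domain": doc.get("ldhName"),
        "nameservers": [ns.get("ldhName") for ns in doc.get("nameservers", [])],
        "events": {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])},
        "contacts": {},
        "redacted": [],
    }
    for entity in doc.get("entities", []):
        fields = vcard_fields(entity)
        for role in entity.get("roles", []):
            summary["contacts"][role] = fields
            for prop, value in fields.items():
                if isinstance(value, str) and value.upper().startswith(REDACTED):
                    summary["redacted"].append(f"{role}.{prop}")
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_rdap(SAMPLE_RDAP), indent=2))
```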

Scanning with Nmap

In this lab, students will scan a network to discover all systems and then inventory their operating systems and services. Systems administrators use Nmap regularly; however, so do attackers. Due to its free and open-source nature, it is a tool of choice for those who don’t wish to expend the funds for an expensive commercial competitor.

Download and Install Nmap

1. Begin by checking to see if Nmap has already been installed. If not, use a web browser and go to https://nmap.org/. There are many resources here beyond what this lab will entail, including a complete installation guide, documents, and references.

2. Click on the Download link on the left. For this lab, you will be downloading both Nmap and Zenmap, the graphical front end for Nmap. Nmap itself is a command line utility. For our purposes, the Zenmap GUI will make our tasks easier. Scroll down to the Microsoft Windows binaries section shown in Figure L08-14 and click the link next to Latest stable release self-installer: in our case nmap-7.91setup.exe. You may see a newer edition as Nmap is regularly updated and supported. Save the file to a directory you can easily access later.

3. Figure L08-14 Nmap download information

4. Once the download has finished, double click the .exe to install, and agree to the License Agreement.

5. Accept the default settings in Choose Components and click Next >.

6. Specify the directory Nmap will install to and click Install.

7. You will be required to accept another License Agreement for Npcap (packet capture utility) at this point, then specify installation options. We recommend accepting the defaults, unless you plan to scan a wireless network, in which case you can add that option. Click Install again.

8. Click Next once completed, then Finish.

9. Nmap will finalize overall installation, select Next >, accept the Shortcuts by clicking Next > again, then click Finish one more time.

Use Nmap

Do NOT use Nmap on a network that you do not have explicit permission to scan. Legally you may only scan a network that a) you own, b) you have permission from the systems owner to scan, and c) all users on that system know they may be scanned and have consented to such a scan. Normally the organization owns the network, the CEO or their designated representative (e.g. the CIO) gives permission, and all users acknowledge the need to scan the system in their annual security briefing, and sign a document acknowledging this (along with a list of other necessary activities). Failure to follow these instructions can result in a loss of Internet services by your ISP, and/or legal ramifications. Again, do NOT simply enter a target address and begin scanning. All examples are provided on a privately owned network by the system owner, with full knowledge by all users.
• The Nmap user’s guide is located at https://nmap.org/book/man.html.
• Portions of the book “The Official Nmap Project Guide to Network Discovery and Security Scanning” by Gordon “Fyodor” Lyon, are available at https://nmap.org/book/toc.html.
• The portion of the book pertaining to Zenmap is located at https://nmap.org/book/zenmap.html.

10. Start Nmap by double clicking the Nmap-Zenmap desktop icon or selecting it from the Windows menu. The Zenmap GUI will begin as shown in Figure L08-15 below.


Figure L08-15 Nmap Zenmap Interface

11. The first thing you should note is the Command window which shows the command line for nmap with the default options. You can look up these options at: https://nmap.org/book/man-briefoptions.html.

12. Begin with a ping scan, which will simply ping all addresses in the assigned range. Select Ping scan in the pull-down menu next to Profile.

13. Next, specify the system(s) or network(s) by entering the IP address in the Target: field. The example network is a Class C address in the 10.X.X.X private networking class. The entry in the example is 10.0.0.0 /8 which tells the system that a) it’s an IPv4 address, b) it’s multiple systems on a network segment and c) the right-most 8 bits are the host address, and the rest are the network address. Since all the systems on this network are in this range (10.0.0.1 to 10.0.0.253) this simplifies the scan. Enter your assigned address range in this format:
a. IP address if one system
b. IP address and the CIDR extension e.g. /8 for multiple systems on a network
Note: you can also use hyphenated ranges (e.g. 10.0.0.1-253). See https://nmap.org/book/man-target-specification.html for additional specifications.

14. Click Scan. Since this is a relatively simple scan, the response should be quick. As shown in Figure L08-16, you will see the MAC and IP addresses for any hosts the system detects. (Note: Since MAC addresses are hard coded to specific and identifiable devices, they’ve been redacted in the example.)

Figure L08-16 Sample Nmap Ping Scan results

15. As is obvious from this example, the scanned network is a home network, with several networked technologies. The “Internet of Things” has resulted in an explosion of networked technologies, which must be protected as well. These networked devices may be exploited by an attacker resulting in unwanted breaches of privacy and loss of personal information.

16. Set the value in the Profile: field to Quick scan plus and click Scan. This will take longer than the previous scan (several minutes) but will provide more detailed information. It is generally recommended NOT to use the Intense scan as there is a chance the scan can cause the scanned system to crash.

17. As you can see from Figure L08-17, you now get detailed information on the OS (as far as Nmap can determine) and open and available ports (color coded no less). The two systems shown are in fact a managed Cisco network switch, and a Dell Windows 7 PC.

18. When finished with the lab, close the Zenmap window. Uninstall if prompted by your instructor.

Figure L08-16 Nmap Quick scan plus results
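For the inventory this section opens with, Nmap can also write its results as XML (the -oX option) instead of the Zenmap display. As an added example (not part of the lab), the Python below parses a constructed XML report resembling the quick-scan result in steps 16 and 17 (a managed switch and a Windows 7 PC), builds a per-host inventory of the best OS match and open ports, and flags cleartext management services an administrator would want to retire. The scan data, addresses and vendors are constructed, not a real capture.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML report (the nmap -oX format) for a small private network.
# Not a real capture; addresses, MACs and vendors are invented.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -F -oX scan.xml 10.0.0.0/24" version="7.91">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac" vendor="Cisco"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 15.X" accuracy="95"/><osmatch name="Cisco IOS 12.X" accuracy="88"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.25" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:02" addrtype="mac" vendor="Dell"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services that carry credentials in cleartext; constructed list for the example.
CLEARTEXT_MGMT = {"telnet", "ftp"}


def parse_nmap_xml(xml_text):
    """One inventory record per host that responded: IP, MAC vendor, best OS match, open ports."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer carry no inventory data
        rec = {"ip": None, "mac_vendor": None, "os": None, "open_ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac_vendor"] = addr.get("vendor")
        # Nmap lists several candidate OS matches; keep the highest-accuracy one.
        matches = [(m.get("name"), int(m.get("accuracy", "0")))
                   for m in host.findall("./os/osmatch")]
        rec["os"] = max(matches, key=lambda m: m[1]) if matches else None
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                rec["open_ports"].append((port.get("protocol"), int(port.get("portid")),
                                          service.get("name") if service is not None else None))
        inventory.append(rec)
    return inventory


def flag_cleartext(inventory):
    """Hosts still offering cleartext management protocols: (ip, port, service)."""
    return [(rec["ip"], port, name) for rec in inventory
            for _proto, port, name in rec["open_ports"] if name in CLEARTEXT_MGMT]


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for rec in inv:
        print(rec)
    print("cleartext management services:", flag_cleartext(inv))
```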


Self-Reflection and Response

Some of the activities in this lab were flagged as being considered potentially hostile unless you have permission to do them. Why would a company want to keep network users from using these types of tools?

Can you think of reasons why you would need to be able to determine who controls a web address or web site?

What are some reasons you may want to use nmap on your own network?

Instructor’s Response


Hands-On Lab: AlienVault OSSIM
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; AlienVault OSSIM

Table of Contents
Introduction 2
  Objective 3
  Estimated Completion Time 3
  Materials Required 3
  Minimum System Configuration 4
  Data From Your Instructor 4
Setting up AlienVault OSSIM 4
  Downloading and Installing VMware Workstation 16 Player 4
  Downloading and Installing AlienVault OSSIM 5
  Starting AlienVault OSSIM 7
  Web UI Access 8
Configuring and Using AlienVault OSSIM 10
Self-Reflection and Response 23
  Instructor’s Response 23


Introduction

Many organizations have come to rely on security information and event management (SIEM) as a central element to empower a security operations center (SOC) to identify and react to the many events, incidents, and attacks against their information systems. SIEM’s roots are in the UNIX syslog approach to log file aggregation; for years, organizations and security professionals have sought ways to leverage existing systems and have them work together to maintain situation awareness, identify noteworthy issues, and enable response to adverse events.

A SIEM system supports threat detection and informs many aspects of threat intelligence. It is also instrumental in managing aspects of compliance and vulnerability management. It often plays a pivotal role in an organization’s security incident management through data collection and analysis by enabling near real-time and historical analysis of security events. It integrates data from multiple sources, including local events and contextual data sources. SIEM systems are derived from legacy log file monitoring systems and procedures.

AlienVault OSSIM (Open Source SIEM) provides a feature-rich, open source tool complete with event collection, normalization, and correlation. The software was created by security engineers because few open-source products were available to serve a critical need. AlienVault OSSIM addresses the challenges faced by security professionals with a unified platform that provides essential security capabilities, including the following:
• Asset discovery
• Vulnerability assessment
• Intrusion detection
• Behavioral monitoring
• SIEM event correlation

The OSSIM environment shown in Figure L09-1 would be a typical setup in a corporate setting. In this example, a sensor is used to collect multiple data sources. It then organizes the data through filtering, classification, and normalization before the information is sent to the OSSIM server. This type of deployment is typical because it allows the enterprise to do the following:
1. Place the sensors close to the source of data to speed up processing.
2. Offload the processing between the two system components to prevent overloading.

Note the various types of processes performed and information collected at the sensor. The sensor is responsible for network scanning, NetFlow collection, log collection, host intrusion detection system (HIDS) collection, and raw network traffic captures (NIDS). Once these data sources are collected and processed based on the setup, they will be forwarded to the OSSIM server for further enrichment based on the policies and rules that have been applied. These policies and rules should place context around events and allow the collected data to be interpreted more accurately.

Figure L09-1 OSSIM functional blocks (Source: https://cybersecurity.att.com/forms/webcast-thank-you/getting-started-with-ossim)

This lab uses a proof of concept (POC) deployment in a virtual environment that combines the server and sensor in a single system. This setup is fine for purposes of the lab but should never be deployed in an enterprise environment except for testing.
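To make the sensor's normalization and the server's rule-based correlation concrete, the added Python below (an illustration, not OSSIM code) maps two raw log formats, an sshd syslog line and a Windows logon event, into one event schema and then runs a correlation rule over them: three authentication failures from one source within 60 seconds raises an alert, and a later success from that same source raises a higher-priority one. All log lines are constructed; the year for the syslog lines is an assumption, since BSD syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events in two formats a sensor would collect (not real logs):
# Linux sshd syslog lines and Windows logon events forwarded as key=value text.
RAW_EVENTS = [
    "Mar  3 10:15:01 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Mar  3 10:15:04 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "Mar  3 10:15:09 web01 sshd[2211]: Failed password for admin from 198.51.100.7 port 51024 ssh2",
    "Mar  3 10:15:30 web01 sshd[2240]: Accepted password for deploy from 192.0.2.15 port 40110 ssh2",
    "2021-03-03T10:16:02Z dc01 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.7 Status=0xC000006D",
    "2021-03-03T10:16:40Z dc01 EventID=4624 TargetUserName=jsmith IpAddress=198.51.100.7 LogonType=3",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")
SYSLOG_YEAR = 2021  # assumed: BSD syslog timestamps carry no year
WIN_OUTCOME = {"4624": "success", "4625": "failure"}  # Windows logon event IDs


def normalize(line):
    """Map one raw line into the common schema, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "host": m["host"], "src_ip": m["src"], "user": m["user"], "action": "logon",
                "outcome": "failure" if m["result"] == "Failed" else "success", "source": "sshd"}
    m = WIN_RE.match(line)
    if m and m["id"] in WIN_OUTCOME:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "src_ip": m["src"], "user": m["user"], "action": "logon",
                "outcome": WIN_OUTCOME[m["id"]], "source": "windows"}
    return None


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Burst-of-failures rule, applied across sources: failures are counted per
    source IP whether they came from sshd or Windows, and a success after a
    burst from the same source is escalated."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of failures inside the window
    bursting = set()              # sources that already triggered the burst rule
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src_ip"]
        if ev["outcome"] == "failure":
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(failures[src]) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"rule": "auth-failure-burst", "priority": 2, "src_ip": src,
                               "count": len(failures[src]), "ts": ev["ts"]})
        elif ev["outcome"] == "success" and src in bursting:
            alerts.append({"rule": "success-after-failure-burst", "priority": 4, "src_ip": src,
                           "user": ev["user"], "host": ev["host"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    normalized = [e for e in (normalize(l) for l in RAW_EVENTS) if e]
    for alert in correlate(normalized):
        print(alert)
```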

Objective

Upon completion of this activity, you will be much more knowledgeable about the AlienVault OSSIM software and how to install, configure, and operate it. You will use the software more extensively in a subsequent lab.

Estimated Completion Time

If you are prepared, you should be able to complete this lab in 2-3 hours.

Materials Required

Completion of this lab requires the following software to be installed and configured on your workstation prior to beginning the procedure steps:
• Microsoft Windows 10, or another operating system version as specified by the lab instructor
• VMware Workstation 16 Player (or similar version)
• Internet access to download the specified software

Minimum System Configuration

To complete the labs included, it is recommended that you operate them from a computer system (desktop or laptop) that is running Windows 10 and has:
• Intel i5 or better CPU
• 8 GB RAM (minimum) - 16 GB RAM (recommended)
• 1 TB Hard Drive with at least 250 GB free (minimum) - 350 GB free (recommended)
• Microsoft Windows 10 or latest version

Data From Your Instructor

Your course instructor or lab supervisor will provide these details:

Data                                                                      Value:
A static IPv4 address assigned to your virtual OSSIM system
The subnet mask to use on the local network
The IPv4 address of the local network gateway
The IPv4 address of the DNS server
Root password (created during installation)
Local time zone (chosen during setup)
Administrator password (chosen during setup and used through Web access)

Setting up AlienVault OSSIM

Work through the steps in the following sections to install and explore the AlienVault OSSIM software.

Downloading and Installing VMware Workstation 16 Player

In the following steps, you will download and install a virtual host platform. If your lab instructor has provided you with instructions to use another version or another application, please follow those instructions.

1. Use a web browser to search for “VMware Workstation 16 Player download”. Locate the download link and download the free installer for your computer operating system. Run the installer allowing the permissions for it to be installed as it progresses. You may be asked to reboot your computer.


Downloading and Installing AlienVault OSSIM

In the following steps, you will download AlienVault OSSIM, install it, and perform initial configuration setup for the software.

2. Go to https://cybersecurity.att.com/products/ossim and click the blue Download AlienVault OSSIM ISO button. After you have downloaded the AlienVault OSSIM ISO file, you will install it to your virtual machine.
3. Start VMware Workstation Player and click the Create a new Virtual Machine link.
4. Choose the Installer disc image file (iso) option and click Browse.
5. When the navigation window opens, navigate to the folder where you saved the OSSIM ISO file, select the file, and then click Open.
6. When the navigation window closes, click Next.
7. In the Select a Guest Operating System window, click the Linux button, select Debian OS instance in the Version menu, and then click Next.
8. Give your virtual image a name, such as “OSSIM.”
9. Verify that the location is correct. If it is not, select the desired location.
10. Click Next.
11. Set the maximum disk size to 500 GB. Do not change the default option, “Split virtual disk into multiple files.” Click Next.
12. Click Customize Hardware.
13. In the left pane of the window, click Memory. Change the “Memory for this virtual machine” value in the right pane to 8192 MB.
14. Next, in the left pane, click Network Adapter, change the Network connection setting from NAT to Bridged, and then click Close.
15. Click Finish to complete the configuration of features in your virtual system.
16. To power on your virtual machine, click the Play virtual machine link.
17. If you are asked to download VMWare Tools for Linux, select Remind Me Later.
18. If you are using VMware Workstation as the host virtual machine, here is a recap of the needed parameters:
• Operating System (OS): Linux Debian 8 x 64
• Processors: 2 CPUs
• Memory: 8 GB
• Hard Drive: 500 GB (thin provisioned)
• CD-ROM: ISO File; point to the OSSIM ISO file you downloaded
• Network Interface Cards (NICs): Add three more NICs for a total of 4 NICs
19. When you have created the VM guest instance and initiated the Debian OS instance, select Power on in your virtual machine environment to launch the OS installation. In the installation screen shown in Figure L09-2, select Install AlienVault OSSIM (64 Bit) and press Enter.

Figure L09-2 AlienVault OSSIM installation screen

20. The installation will take you through a series of setup options. Select appropriate options for the following settings. (The options used for testing are in parentheses.)
• Select Language: (English)
• Select Location: (United States)
• Keymap to use: (American English)

The installation then loads the necessary components and detects hardware settings.

21. Next, configure the network by assigning the following settings. (Your instructor may provide these addresses to you.)
   • Choose the primary network interface. There should be four options; use eth0 for the primary interface.
   • IP Address: Select an IP address on the network that you have been assigned by your instructor. If using your own network, choose an address that is not in use.
   • Netmask: Usually 255.255.255.0
   • Gateway: The IP address of the network router/gateway (for example, 192.168.1.1)
   • DNS Server Address: Usually the network router/gateway

The IP address you provide will be the Web address you use to access the Web user interface (UI) for AlienVault OSSIM later in this lab. Note: Record these addresses for future reference.

22. The installer will have you set up the root password. This will be used for the root login account of the AlienVault OSSIM operating system. A separate administrator account for the Web UI (the OSSIM console) is created later in this lab; the two passwords are independent. Record your OS password and keep it where only you can read it; root on this system can read every log and credential the SIEM collects.
23. When prompted, set up your time zone. Use the same time zone on OSSIM and on the devices that will send it logs, or event timestamps will not line up when you analyze them.


The installation proceeds. It could take 35 minutes or longer, depending on machine resources.

Starting AlienVault OSSIM When the installation has finished and the system has rebooted, you should see a login screen like the one in Figure L09-3.

Figure L09-3 Login screen that appears after installation

1. Log in to the system by using the root account and entering the password you designated during OS setup in the preceding section. In the upper-left corner of the next screen, you should see the IP address assigned during installation (see Figure L09-4). The OSSIM console should display several options, but no further configuration is required from this screen.


Figure L09-4 AlienVault login management screen

Web UI Access

The next step is to access the Web UI and set up the administrator account you will use for console access.

1. Open your web browser. In the address bar, enter https:// followed by the IP address you selected earlier in the setup process. If the browser displays a connection privacy warning, click Advanced and then click Proceed to <the IP address you entered>. The warning appears because the OSSIM appliance presents a self-signed certificate that your browser has no reason to trust; accepting it is appropriate here only because you typed the address of a machine you just built yourself, on a network you control. In production, the appliance would be given a certificate issued by an authority your browsers already trust. You should see the page shown in Figure L09-5.


Figure L09-5 Administrator account creation

2. Create an administrator account on the Welcome page by filling in all the fields that have an asterisk (*) next to the field names. The username should be “admin.” Choose a long, unique password; this account controls the entire SIEM, including the credentials you will store in it later for scanning and agent deployment.
3. When you have completed the screen shown in Figure L09-5, a login screen appears. Log in to the system using admin as the username and the password created in the preceding screen.
4. Click Login to enter the Web UI. The program’s Getting Started Wizard appears, as shown in Figure L09-6.


Figure L09-6 AlienVault OSSIM Getting Started Wizard

5. Take a screen shot of this screen to submit to your instructor to show completion of the setup.
6. In the lower-left corner of the window, click Skip AlienVault Wizard. The system is ready to use.

Configuring and Using AlienVault OSSIM

1. If it isn’t already running, start the AlienVault OSSIM server in the virtual environment that was installed in the preceding section (the Module 7 lab). The system might take a few minutes to start completely. When the system is running, the virtual machine should display a login prompt, as shown in Figure L09-7.

Figure L09-7 AlienVault login prompt

2. Open a web browser on the local machine and navigate to the IP address you used earlier in this lab by entering https:// followed by the IP address. A login screen should appear. If the browser displays a connection privacy warning, click Advanced and then click Proceed to <the IP address you entered>.
3. Log in through the web browser using admin as the username and the password you used previously.
4. When you first log in to OSSIM via a web browser, the OSSIM Getting Started Wizard appears. This wizard is the easiest way to get a system up and running. You will not use the wizard in this lab, but note that it provides the easiest way to configure multiple network interfaces for OSSIM. Figure L09-8 shows how multiple network interfaces may be configured for the various components of the SIEM system.

Figure L09-8 Network interfaces

The primary interface, eth0, is the management interface; it was set up during the initial installation earlier in this lab, and its IP address is the one you used to log in through the web browser. A second interface carries log collection: administrators point the syslog forwarding of a firewall or other devices of interest at that interface’s IP address so that OSSIM can ingest the logs. The remaining two network cards are configured for network monitoring. These interfaces either collect raw packet data themselves (sniff) or are connected to a device that copies network traffic to them, such as a terminal access point (TAP) or a switch SPAN port. To collect this traffic, the network cards must be in promiscuous mode. Monitoring network traffic at this level requires explicit permission from the network owner; in a virtual environment, it also requires the hypervisor to permit promiscuous mode on the virtual network the monitoring adapters attach to (on ESXi, for example, the port group’s security policy rejects it by default). Keep the management interface separate from the monitoring interfaces: a sniffing interface needs no IP address at all, and giving it one only exposes the SIEM to the traffic it is supposed to be observing.

5. If the OSSIM Getting Started Wizard does appear, click Skip AlienVault Wizard in the lower-left corner.
6. Take a moment to examine the next screen that appears (see Figure L09-9). The top part of the screen displays who is logged in, the IP address the system is using, the internal system e-mail, a Settings menu, a Support menu, and a logout option. The Support menu provides a wealth of information about OSSIM setup and use. The next part of the screen displays five tabs (Dashboards, Analysis, Environment, Reports, and Configuration) that can be used to configure, monitor, and report on the environment.


Figure L09-9 AlienVault OSSIM dashboard

7. AlienVault OSSIM is designed to interface with the AlienVault OTX (Open Threat Exchange). This service includes both free and paid subscriptions that provide open-source intelligence (OSINT) to AlienVault OSSIM and can provide information and further context around malicious traffic and alerts in the environment. Analysts can sign up for this service, but it is not required in order to complete the lab assignment. If an analyst signs up, he or she will receive an API key that can be applied to OSSIM to allow OTX to interface with the system. Click the Configuration tab and then click Open Threat Exchange, as shown in Figure L09-10. You can add the API key and choose whether you want to share information with OTX from your environment. If you have registered for an account with OTX, you can add the key here or register and get a key. Treat the API key like a password: it identifies your account to OTX. The sharing option sends indicators observed in your environment to a third party, so check what your organization permits before enabling it.


Figure L09-10 AlienVault OSSIM open threat exchange

8. The next step is to define your network and perform an asset discovery. Click the Environment tab, click Assets & Groups, and then click the Networks tab, as shown in Figure L09-11.

Figure L09-11 AlienVault OSSIM Environment tab

9. Your network should be defined in this tab using CIDR notation. If you need to add a network, click the Add Network button on the right side of the page. You should see the window shown in Figure L09-12. For example, to cover the 192.168.1.0 network (192.168.1.0 through 192.168.1.255), enter 192.168.1.0/24; to cover the entire 192.168.0.0 through 192.168.255.255 range, enter 192.168.0.0/16. Define networks no wider than what you own or have permission to scan, because the scans you schedule next will probe every address in them. Other metadata can also be added, such as asset value, which places more emphasis on higher-value network assets (1 is the lowest value and 5 is the highest).


Figure L09-12 AlienVault OSSIM new network entry

10. Still in the Assets & Groups menu, click Schedule Scan to see a list of scans set up in OSSIM. (Note that OSSIM uses Nmap for scanning and asset discovery.) To create a new scan, click Schedule New Scan on the right side of the window. The window shown in Figure L09-13 appears. Provide a name, sensor, targets to scan, scan type, timing template, and scan frequency. The Nmap tool will begin to scan when these settings are saved.
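The following is an added example and is not part of the lab or of AlienVault OSSIM’s own code. It shows what the Networks tab in step 9 captures (a CIDR block plus an asset value from 1 to 5) and how a host found by the discovery scan in step 10 is matched to the most specific network that contains it, so that a server in a high-value /24 is not treated like the rest of a site /16. The network names, CIDR blocks, asset values, and discovered addresses are constructed for the example; OSSIM’s own matching and risk weighting are not reproduced here.

```python
"""Map discovered hosts to the networks defined in a SIEM asset inventory.

Added example (not part of the lab or of AlienVault OSSIM). It validates
network definitions the way the Add Network form expects them (CIDR block,
asset value 1-5) and resolves each discovered host to the most specific
network containing it. All networks and hosts below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ASSET_VALUE_MIN, ASSET_VALUE_MAX = 1, 5  # range offered on the Add Network form


@dataclass(frozen=True)
class NetworkDef:
    name: str
    cidr: ipaddress.IPv4Network
    asset_value: int


def define_network(name: str, cidr: str, asset_value: int) -> NetworkDef:
    """Validate one network definition.

    strict=True rejects entries such as 192.168.1.7/24, where the operator
    typed a host address instead of the network address of the block.
    """
    if not ASSET_VALUE_MIN <= asset_value <= ASSET_VALUE_MAX:
        raise ValueError(
            f"asset value {asset_value} outside {ASSET_VALUE_MIN}-{ASSET_VALUE_MAX}")
    return NetworkDef(name, ipaddress.IPv4Network(cidr, strict=True), asset_value)


def is_valid_definition(name: str, cidr: str, asset_value: int) -> bool:
    """True if define_network would accept the entry, False otherwise."""
    try:
        define_network(name, cidr, asset_value)
        return True
    except ValueError:
        return False


def classify_host(ip: str, networks: List[NetworkDef]) -> Optional[NetworkDef]:
    """Return the most specific (longest prefix) network containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    matches = [n for n in networks if addr in n.cidr]
    if not matches:
        return None
    return max(matches, key=lambda n: n.cidr.prefixlen)


def classify_scan_results(hosts: List[str],
                          networks: List[NetworkDef]) -> Dict[str, List[str]]:
    """Group discovered hosts by network name; unmatched hosts go under 'unknown'."""
    groups: Dict[str, List[str]] = {}
    for ip in hosts:
        match = classify_host(ip, networks)
        groups.setdefault(match.name if match else "unknown", []).append(ip)
    return groups


# Constructed inventory: a /16 for the whole site plus a more specific /24 of
# servers that deserves a higher asset value than the rest of the site.
NETWORKS = [
    define_network("site", "192.168.0.0/16", 2),
    define_network("servers", "192.168.1.0/24", 5),
]

# Constructed result of a discovery scan (the lab's scan uses Nmap).
DISCOVERED = ["192.168.1.10", "192.168.7.25", "10.0.0.5"]

if __name__ == "__main__":
    for host in DISCOVERED:
        found = classify_host(host, NETWORKS)
        label = (f"{found.name} (asset value {found.asset_value})" if found
                 else "not in any defined network")
        print(f"{host:<15} -> {label}")
```

A host that lands in no defined network is worth attention in its own right: either the inventory is incomplete or something is answering from an address range you did not expect.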


Figure L09-13 AlienVault OSSIM new asset scan

11. To see what assets have been discovered, click the Assets tab under the Assets & Groups menu. You can also click the Add Assets button on the right side of the screen to add more assets. Figure L09-14 shows the New Asset window.

Figure L09-14 Adding new assets

12. Next, you configure a vulnerability scan for the environment. Click the Environment tab at the top of the screen and then select the Vulnerabilities menu. OSSIM uses the OpenVAS vulnerability scanner.
13. When scanning for vulnerabilities, using valid credentials is preferred but not required: an authenticated scan can read installed software and patch levels directly, so it finds far more than an unauthenticated scan that only probes exposed services, and it produces fewer false positives. You can skip this step, but note that an analyst could click the Settings button on the right side of the screen and then enter a credential set into the system, as shown in Figure L09-15. For example, an analyst could enter credentials for one Windows system and scan that one system in the environment. Because these credentials are stored on the OSSIM server, use a dedicated scanning account with only the rights the scanner needs rather than a personal or domain administrator account.


Figure L09-15 New credentials entry in AlienVault OSSIM

14. Still under Vulnerabilities, click the Scan Jobs tab and then click the New Scan Job button on the left side of the screen. Provide a job name, select a sensor, choose the default profile, and schedule the scan to occur immediately. You can also choose particular assets to scan from the tree on the lower-right side of the screen, as shown in Figure L09-16. Click Save when you finish. The scan should start in a minute or so. Be patient; it will take a while to complete.


Figure L09-16 Creating a scan job in AlienVault OSSIM

15. Once the vulnerability scan is complete, click the Overview tab to see the scan results. Figure L09-17 shows an example of information from a vulnerability scan. OSSIM provides a view of the overall vulnerabilities in the environment and a list of vulnerabilities found for each machine. Reports are available in HTML, PDF, and CSV format.

Figure L09-17 AlienVault OSSIM scan results

16. This lab comes with a report from a Windows 7 system that should clarify what the scanning tool can do. Open the LM8-Vulnerability-AV-OSSIM-ScanResult.pdf file and review the report.
17. Next, you will review the network intrusion detection system (NIDS). Click the Configuration tab and select Deployment from the menu to see the window shown in Figure L09-18. This window provides detailed information about system status, RAM usage, CPU usage, and new updates that are available.


Figure L09-18 AlienVault OSSIM Configuration tab

18. To get a more detailed view of the current system, click the spyglass icon indicated by the arrow in Figure L09-18. (Do not click the trash can icon.) The detailed view of the system status page is shown in Figure L09-19. Current RAM and CPU usage is displayed in addition to the assigned values of the network cards and how much traffic they are receiving. Use this view to check that the NIDS interfaces are actually receiving traffic: a monitoring interface that shows no traffic usually means the TAP, SPAN session, or promiscuous-mode setting is not in place, and the NIDS will silently detect nothing.

Figure L09-19 AlienVault OSSIM system status view


19. OSSIM also has a host intrusion detection system (HIDS) component and several versions of agents ready to deploy. Click the Environment tab again and select Assets & Groups from the menu. Examine the individual devices on the resulting page, as shown in Figure L09-20. OSSIM shows whether an HIDS agent has been deployed to each device. Select the spyglass icon next to Not Deployed to open the Assets Details page.

Figure L09-20 HIDS status

20. On the right side of the window, click the Action button and then choose the last option, Deploy HIDS Agent.
21. The Deploy HIDS window appears. Enter the correct username and password for the selected system, and enter the domain name if the system is within an enterprise. The agent is installed with the credentials you supply, so use an account scoped to that purpose and change or remove it after the lab. An HIDS agent will be deployed, although the process will take a few minutes. When the agent has finished installing without error, you can check the target system files under C:\Program Files (x86)\ossec-agent\ to confirm the installation. If you see the directory, you can look for a file named win32ui.exe and launch the application. Compare your results to those in Figure L09-21 to see if the installed service is running. If the ossec-agent directory is missing, a manual installation is required.

Figure L09-21 Deploying HIDS agent credentials in AlienVault OSSIM


You have completed the basic setup routines for AlienVault OSSIM. However, there are many more functions to consider when working in an enterprise environment. For example, you did not learn about specific plug-ins for other devices that assist in processing incoming data, such as logs.

22. When the SIEM system is processing the required data, you can go to the area of the software where analysts will spend most of their time. In the OSSIM console, click the Analysis tab and then choose Security Events (SIEM) from the menu to see the window shown in Figure L09-22.

Figure L09-22 AlienVault OSSIM Analysis tab

23. Note the various drop-down menus and ways to look at the information from the SIEM system. There are multiple ways to track down events. There are prebuilt time filters on the left side of the screen as well as custom dates and times that you can set. The bottom of the screen presents individual events as they are processed. The Data Sources menu includes multiple options for sorting events, most notably from HIDSs and NIDSs, as shown in Figure L09-23.


Figure L09-23 AlienVault OSSIM data sources

24. An analyst can also click an event of interest to see more details about it. Scroll down to the bottom of the detailed event view (Figure L09-24) to see the raw event log that generated it (Figure L09-25).

Figure L09-24 AlienVault OSSIM event details


Figure L09-25 AlienVault OSSIM raw log file

You have completed a basic walk-through of the OSSIM console and its configuration. Many more components, plug-ins, and modifications can be added to tune the OSSIM system for better reporting and performance. Consolidating the large amounts of data required in an enterprise is always complicated. The more accurate the SIEM system’s reporting is, the less time is wasted tracking down meaningless alerts.
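As an added example, not part of the lab or of OSSIM, the following Python shows the path a raw event takes inside any SIEM between a log source such as the one forwarded to the collection interface in Figure L09-8 and the alert an analyst opens in Security Events: raw syslog lines are parsed into header fields, sshd authentication failures are normalized into a common event shape, and a correlation rule raises one alert when a single source fails to authenticate five times within a minute. The syslog lines, host names, addresses, and threshold are constructed; OSSIM does the equivalent with its own plug-ins and correlation directives, whose syntax is not shown here.

```python
"""Normalize raw syslog lines and correlate them into an alert.

Added example (not part of the lab or of AlienVault OSSIM). A SIEM ingests
raw lines like the constructed sshd messages below, normalizes each into
fields, and a correlation rule raises one alert when one source fails to
authenticate too often within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# RFC 3164 style header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH failed-authentication message body.
SSH_FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
LOG_YEAR = 2022  # assumption: RFC 3164 timestamps carry no year, so one is supplied


def parse_syslog(line: str) -> Optional[Dict]:
    """Split one raw line into header fields; return None for lines that don't match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "host": m["host"], "program": m["prog"], "message": m["msg"]}


def normalize_ssh_failure(event: Dict) -> Optional[Dict]:
    """Turn an sshd 'Failed password' event into a normalized auth_failure event."""
    if event["program"] != "sshd":
        return None
    m = SSH_FAIL_RE.match(event["message"])
    if not m:
        return None
    return {**event, "event_type": "auth_failure", "user": m["user"],
            "src_ip": m["src"], "dst_host": event["host"]}


def correlate_brute_force(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=1)) -> List[Dict]:
    """Raise one alert per source IP whose failures reach `threshold` within `window`."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in evs[start:end+1] fit the window.
            while evs[end]["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src_ip": src, "dst_host": evs[end]["dst_host"],
                               "count": end - start + 1,
                               "first": evs[start]["timestamp"],
                               "last": evs[end]["timestamp"],
                               "users": sorted({e["user"] for e in evs[start:end + 1]})})
                break  # one alert per source; the analyst does not need one per event
    return alerts


def run_pipeline(lines: List[str], threshold: int = 5) -> List[Dict]:
    """Raw lines -> parsed -> normalized -> alerts, dropping whatever does not parse."""
    parsed = [p for p in (parse_syslog(line) for line in lines) if p]
    normalized = [n for n in (normalize_ssh_failure(p) for p in parsed) if n]
    return correlate_brute_force(normalized, threshold=threshold)


# Constructed sample: one noisy source, one benign failure, one unrelated line.
SAMPLE_LINES = [
    "Mar  3 10:15:01 fw01 sshd[4021]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Mar  3 10:15:03 fw01 sshd[4021]: Failed password for root from 203.0.113.7 port 51523 ssh2",
    "Mar  3 10:15:04 fw01 sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2",
    "Mar  3 10:15:06 fw01 sshd[4027]: Failed password for invalid user oracle from 203.0.113.7 port 51525 ssh2",
    "Mar  3 10:15:09 fw01 sshd[4029]: Failed password for root from 203.0.113.7 port 51526 ssh2",
    "Mar  3 10:15:30 fw01 sshd[4031]: Failed password for alice from 192.168.1.20 port 40112 ssh2",
    "Mar  3 10:15:31 fw01 CRON[4033]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LINES):
        print(f"ALERT brute force: {alert['src_ip']} -> {alert['dst_host']}, "
              f"{alert['count']} failures, users {alert['users']}")
```

The single legitimate typo by alice never reaches the analyst, while the five failures from 203.0.113.7 collapse into one alert that names the targeted accounts. That collapse, from many raw events into one actionable item, is what the closing paragraph means by accurate reporting.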


Self-Reflection and Response

Attach the screen shot taken at completion of OSSIM setup or insert it here. Were you able to complete the setup, configuration, and use of OSSIM?

If you were not able to complete the setup and configuration, explain what went wrong.

Instructor’s Response



Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Image Analysis Using Autopsy

Hands-On Lab: Image Analysis Using Autopsy To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Image Analysis Using Autopsy

Table of Contents
   Introduction
      Objective
      Estimated Completion Time
      Materials Required
   Image Analysis Using Autopsy
      Downloading and Installing Autopsy
      Importing a Suspect Image File Using Autopsy
      Examining the Suspect Image File Using Autopsy
   Self-Reflection and Response
      Instructor’s Response


Introduction In this project, you will use Autopsy, the open-source digital forensics analysis tool (www.autopsy.com). Autopsy includes case management features, supports various types of file analysis, and allows searching and sorting of allocated, unallocated, and hidden files. Autopsy is a GUI front end for The Sleuth Kit, which is available at https://sourceforge.net/projects/sleuthkit. You do not need to download The Sleuth Kit separately. For more information on Autopsy, you can go to https://hub.packtpub.com/digitalforensics-using-autopsy/.

Objective Upon completion of this activity, you will be able to perform basic drive image analysis using the Autopsy software package.

Estimated Completion Time If you are prepared, you should be able to complete this lab in 45 to 70 minutes.

Materials Required

Completion of this lab requires the following software to be installed and configured on your workstation:
   • Microsoft Windows 10, or another operating system version as specified by the lab instructor
   • Autopsy version 4.17 (or a similar version)
   • The suspectdrive.img file provided with this lab on a USB drive, local folder, or accessible network share

Image Analysis Using Autopsy

This lab is separated into three parts:
   • Downloading and installing Autopsy
   • Importing a suspect image file
   • Examining the suspect image file with Autopsy

Downloading and Installing Autopsy

1. Download the correct version of Autopsy from www.autopsy.com/download/. This lab uses the Windows 64-bit version 4.17 for demonstration.
2. Run the Autopsy.msi file.
3. In the Welcome to the Autopsy Setup Wizard, click Next.


4. Get the installation path from your instructor, specify this path in the Select Installation Folder window, and click Next.
5. Click Install.
6. If Windows prompts you about a User Account Control permission, click Yes.
7. Click Finish when the Completing the Autopsy Setup Wizard window appears. Autopsy should now be fully installed.

Importing a Suspect Image File Using Autopsy

1. Start Autopsy. If this is the first time the installation has been used, you may be prompted to enable the central repository. Click Yes.
2. Click New Case.
3. In the New Case Information window, enter the Case Name. Your instructor may provide details for this portion of the lab; otherwise, enter R Lawne Investigation as the Case Name.
4. Specify a unique folder for the case files by clicking the Browse button and selecting or creating a folder. You can also enter a folder name in the Base Directory field.
5. Leave the Case Type field as Single User and click Next.
6. For the Case number, use a number provided by your instructor or make one up yourself.
7. Enter the remaining information in the appropriate fields.
8. Click Finish when you have entered the information. The software generates the appropriate files and displays the Add Data Source window, as shown in Figure L10-1.


Figure L10-1 Autopsy’s Add Data Source window

9. As Step 1 of the procedure listed on the left side of Figure L10-1, click the Disk Image or VM File button to add the image file provided by your instructor. Click Next.
10. As Step 2 (Select Data Source) in the Add Data Source window, click Browse next to the Path field and navigate to the suspectdrive.img file on your system or USB drive. If your instructor has provided this file on an external drive or network location, copy it to the case folder you specified earlier first. You may need to leave the Autopsy window for a moment to move the file to a location you can access. Autopsy references the image from that location for the rest of the case, so do not move or rename it afterward.
11. Make sure the Time Zone value is correct in the window.
12. In an actual investigation, you would enter the hash values for the .img file into the fields provided so that they become part of your case records. Figure L10-2 shows these values calculated with the HashCalc tool from SlavaSoft; this tool is available from www.slavasoft.com/hashcalc/. If your instructor wants you to do so, you can download and run the tool and copy the hash values into Autopsy. Recording the hashes lets anyone later recompute them over the image and show that what was analyzed is exactly what was acquired; a mismatch means the image was altered or corrupted and findings drawn from it cannot be relied upon.


Figure L10-2 HashCalc values for suspectdrive.img

13. Click Next.
14. As Step 3 (Configure Ingest Modules) in the Add Data Source window, simply click Next.
15. Step 4 (Add Data Source) in the window should indicate that the “Data source has been added to the local database. Files are being analyzed.” Click Finish to complete the import.
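As an added example (not part of the lab, of Autopsy, or of HashCalc), the following Python computes the MD5, SHA-1, and SHA-256 values that the Add Data Source window in step 12 lets you record, in a single chunked pass that works for a multi-gigabyte image, and verifies a later copy of the image against the values recorded at acquisition. The image file it writes is a small constructed stand-in for suspectdrive.img. MD5 is included only because acquisition records and tools such as HashCalc still report it; the SHA-256 value is the one to rely on.

```python
"""Compute and verify the hashes of a suspect disk image before import.

Added example (not part of the lab, of Autopsy, or of HashCalc). The image
written by write_constructed_image() is a small stand-in for suspectdrive.img
so the example runs without the lab's file; point hash_image() at the real
image path to use it for an actual case.
"""
import hashlib
import os
import tempfile
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha256")  # the three fields Autopsy offers
CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat regardless of image size


def hash_image(path: str) -> Dict[str, str]:
    """Return lowercase hex digests for every algorithm, from one pass over the file."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare each recorded digest (case-insensitive) with the freshly computed one.

    Only algorithms present in both the record and ALGORITHMS are compared; a
    record that lists none of them yields an empty result, which callers should
    treat as 'not verified', not as success.
    """
    computed = hash_image(path)
    return {name: computed[name] == value.strip().lower()
            for name, value in recorded.items() if name in computed}


def write_constructed_image(directory: str) -> str:
    """Write a small constructed stand-in image and return its path."""
    path = os.path.join(directory, "suspectdrive.img")
    with open(path, "wb") as fh:
        fh.write(b"FAKEIMG" * 4096)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        img = write_constructed_image(tmp)
        digests = hash_image(img)
        for name, value in digests.items():
            print(f"{name:7} {value}")
        # Acquisition record with a correct SHA-256 but an MD5 that has one digit
        # changed: the kind of discrepancy that must stop the import.
        tampered_md5 = digests["md5"][:-1] + ("0" if digests["md5"][-1] != "0" else "1")
        print(verify_image(img, {"sha256": digests["sha256"].upper(), "md5": tampered_md5}))
```

Compute the digests on the acquisition machine, write them into the case record, and recompute them on the analysis machine before clicking Finish; agreement on all three is what lets you later testify that the copy you examined is the one that was seized.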


Examining the Suspect Image File Using Autopsy

Normally, an investigation begins with alleged misconduct or criminal activity by a suspect. Forensic investigators legally seize all computer media and image them, typically through a write blocker, so that analysis does not risk modifying the original evidence. The image files can then be copied and analyzed with tools like Autopsy, FTK, or EnCase. The analysis performed with these tools is framed by instructions for what a prosecutor or defense attorney is looking for, such as “Any files, communications, or other computer-based information associated with X, as well as any other clearly illegal or unauthorized activity.” If a forensic investigator were looking for evidence related to embezzlement in a corporate case but found evidence of other crimes, the evidence could be used to expand any legal charges against the suspect. (Technically, investigators look for items of evidentiary value, not evidence. Only when the information is entered into a legal proceeding does it become evidence.) In the case of Richard S. Lawne, the suspect is accused of teaching inappropriate content in a school.

1. Restart Autopsy, if necessary, and select the case created in the previous steps. Your system layout should look similar to that in Figure L10-3.

Figure L10-3 Autopsy after image import

2. In the left pane of the window, click the plus sign next to Data Sources, and then click the suspectdrive.img filename. You can resize the window to more easily view the files in the upper-right pane. You should see a listing of items contained in the image, as shown in Figure L10-4.


Figure L10-4 Contents of suspectdrive.img

Several file types are automatically identified by Autopsy. It finds hidden files and deleted files on the imaged drive.

3. In the left pane of the window under the Views menu, click the plus sign next to File Types. Next, under File Types, click the plus sign next to By Extension and then click Images. The window shows all undeleted graphics contained in the imaged drive. If you click in the list on the right side of Figure L10-4, the display will look like that in Figure L10-5.


Figure L10-5 Analysis using Autopsy

4. Click the plus sign next to the Deleted Files option on the left side of the window, and then click the All option. You see all files that were deleted but are still intact on the suspect’s drive. Scroll through the various images. Can you guess what Richard S. Lawne is accused of?
5. If you were the investigator, you could “tag” files that you felt were related to the charges or represented new crimes. Autopsy adds these files to the case file. To tag files and add them to the case file, select the file in the upper-right pane, right-click the file, select Add File Tag, and then specify which tag you want to assign (see Figure L10-6).


Figure L10-6 Adding a file tag

6. In the Add File Tag submenu, you could select a follow-up tag for information you think is related but need to investigate further, or you could select a definitive tag by clicking Tag and Comment. In the window that appears, you can specify the tag type and enter comments, as shown in Figure L10-7.


Figure L10-7 Select Tag option

7. Go ahead and tag a few files. Afterward, notice that the tagged files are easily accessible at the bottom of the left menu under the Tags option. This allows you to revisit the images in later sessions.
8. You can extract files from the image by right-clicking the filename in the upper-right pane and selecting Extract. In the Save window that appears, you can specify where to save the extracted file. Extracted copies are working copies for review; the image itself remains the item of evidentiary value, which is why its hashes were recorded at import.
9. Click the Discovery menu at the top of the Autopsy window. The Discovery feature allows you to search the image with specific parameters, such as file type, file size, and commonality. Specify the following parameters by checking the box next to each field and selecting the indicated options. Next, click Search.
   • Images
   • File Size: XSmall, Small, and Medium
   • Data Source: suspectdrive.img
   • Past Occurrences: Common, Rare, and Unique

10. The files found in the search appear in a new window, as shown in Figure L10-8. 11. A real investigation could involve dozens of imaged drives and thousands of files and images that must be reviewed and determined to be relevant or not. Select and tag all files that support the charges that Richard S. Lawne is teaching evolution. If you suspect that a file is relevant but you’re not sure, use the Follow Up tag shown in Figure L10-7. If you are confident that a file provides evidence Lawne is teaching evolution, use the Notable tag.


Figure L10-8 Discovery Editor search results

12. After you have tagged all suspicious items, select the Generate Report menu at the top of the Autopsy window.

13. Specify HTML Report, enter Richard S. Lawne Investigation as the Header, enter your name as the Footer, and then click Next.

14. Ensure that suspectdrive.img is selected in the “Select which data source(s) to include” window.

15. Ensure that All Tagged Results is selected in the Configure Report window, and then click Finish.

16. Click Close when the report has been generated.

17. The report is available in the left menu, at the bottom under Reports. Open this menu and double-click the file. Open the file in the web browser of your choice. Your instructor may want you to print the file to a PDF or save it to an external drive before submitting it.
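The Discovery search in steps 9 through 11 filters by file type, size bucket and “past occurrences”, that is, how many times the same content shows up across the evidence. As an added illustration that is not Autopsy’s code and not part of the lab, the Python script below performs the same kind of triage over a directory standing in for the mounted image: it keeps image files, sorts them into size buckets, hashes each one and labels it Unique, Rare or Common by how often its hash recurs. The bucket limits, the occurrence thresholds and the sample files are assumptions constructed for the demonstration; Autopsy’s own cut-offs are not reproduced.

```python
# Added example (not Autopsy's code and not part of the lab): a small triage
# pass modelled on the Discovery search in steps 9-11. It walks a directory,
# keeps image files, sorts them into size buckets and labels each by how often
# its hash appears ("past occurrences"). The bucket limits, the occurrence
# thresholds and the sample files are assumptions constructed for the demo.
import hashlib
import os
import tempfile
from collections import Counter

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Assumed size buckets, upper bound in bytes (Autopsy's own cut-offs are not reproduced).
SIZE_BUCKETS = [("XSmall", 16 * 1024), ("Small", 512 * 1024),
                ("Medium", 8 * 1024 * 1024), ("Large", 128 * 1024 * 1024)]


def size_bucket(size):
    """Return the first bucket whose upper bound the size is below."""
    for name, upper in SIZE_BUCKETS:
        if size < upper:
            return name
    return "XLarge"


def sha256_of(path):
    """Hash the file in 64 KiB chunks so large evidence files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def occurrence_label(count):
    """Assumed thresholds: one copy is Unique, two or three are Rare, more is Common."""
    if count == 1:
        return "Unique"
    if count <= 3:
        return "Rare"
    return "Common"


def discover(root, buckets=("XSmall", "Small", "Medium"),
             occurrences=("Common", "Rare", "Unique")):
    """Image files under root matching the size buckets and occurrence labels,
    like the Discovery filter in the lab. Occurrences are counted within root only."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            records.append((path, name, os.path.getsize(path), sha256_of(path)))
    counts = Counter(digest for _, _, _, digest in records)
    hits = []
    for path, name, size, digest in records:
        bucket, label = size_bucket(size), occurrence_label(counts[digest])
        if bucket in buckets and label in occurrences:
            hits.append({"path": path, "name": name, "size": size, "bucket": bucket,
                         "occurrences": counts[digest], "label": label, "sha256": digest})
    return sorted(hits, key=lambda r: r["name"])


def build_sample_image_tree():
    """Constructed sample data: a temporary directory standing in for the mounted
    evidence. Three identical PNGs (Rare), one larger JPEG (Unique), one text file (skipped)."""
    root = tempfile.mkdtemp(prefix="suspectdrive_")
    os.makedirs(os.path.join(root, "Pictures"))
    png = b"\x89PNG fake image bytes " * 100          # 2,200 bytes -> XSmall
    for rel in ("Pictures/a.png", "Pictures/b.png", "c.png"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(png)
    with open(os.path.join(root, "lecture.jpg"), "wb") as f:
        f.write(b"\xff\xd8 slides " * 40000)            # 400,000 bytes -> Small
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not an image, so Discovery ignores it")
    return root


if __name__ == "__main__":
    for hit in discover(build_sample_image_tree()):
        print(f"{hit['name']:12} {hit['bucket']:7} {hit['label']:7} "
              f"x{hit['occurrences']} {hit['sha256'][:12]}")
```

The point of the hash column is the same as in Autopsy: files that occur once on a drive deserve a closer look than files that occur everywhere (wallpapers, icons, cached thumbnails), and the hash, not the filename, is what establishes that two files are the same content.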


Self-Reflection and Response

Attach the final report. Were you able to complete the setup, configuration, and use of Autopsy?

If you were not able to complete the setup and configuration, explain what went wrong.

Instructor’s Response



Instructor’s Manual for Hands-On Labs: Whitman and Mattord, Principles of Information Security, Seventh Edition

Instructor’s Manual for Hands-On Labs Whitman and Mattord, Principles of Information Security, Seventh Edition

Table of Contents
Introduction ..... 2
Module 1: Ethical Considerations in IT and Detecting Phishing Attacks ..... 3
Module 2: Web Browser Security ..... 5
Module 3: Malware Defense ..... 6
Module 4: Windows Password Management ..... 7
Module 5: Backup and Recovery and File Integrity Monitoring ..... 8
Module 6: OS Processes and Services ..... 9
Module 7: Log Management & Security ..... 10
Module 8: Footprinting, Scanning & Enumeration ..... 11
Module 9: AlienVault OSSIM ..... 12
Module 10: Image Analysis Using Autopsy ..... 14


Introduction

Welcome to the instructor’s manual for the labs that support Principles of Information Security, 7th edition.

Recommended Usage of Lab Modules

There is no direct linkage between the labs provided and the textbook; providing one would result in multiple labs for some textbook modules and none for others. Instead, 10 lab modules are provided, many with multiple sub-labs, which instructors can select and structure as suitable for their classes. It is recommended that instructors read through the labs and the corresponding instructor’s guides carefully and determine what resources and coordination are needed on their part before assigning them to students. Students may have access to the labs themselves but may not have access to the guidelines that assist instructors in getting ready for the labs. In general, the labs start relatively easy and slowly progress in difficulty. None require the purchase of software, and with a few exceptions they may be performed at home or in a university computer lab. The labs include some of the “why” the software is useful as well as the “how” to use it. None are designed to make experts of the students; they fall in the category of “familiarization”. When complete, students can confidently tell a potential employer, for example, “yes, I’ve used Nmap”. We recommend that before instructors assign a lab they give students an overview of its purpose and what the students should derive from the experience. It is also recommended that instructors clearly specify what deliverables, if any, are expected. Each lab includes a simple set of questions which, when completed, demonstrate that the student has completed the lab. Instructors may wish to supplement these assessments by requiring screenshots or by providing additional or replacement questions. Instructors are also encouraged to expand upon these labs, adding more complexity or detail as they see fit. Many other open-source or freeware software applications are also available. These labs simply choose some of the easier ways to access applications, in many cases those functions of operating systems and web browsers that can be used to emphasize key security aspects of personal and organizational end-user computing.

Recommended System Requirements

These labs take advantage of the flexibility provided by virtual machine environments. Students should have access to a workstation or laptop with at least four cores, although two cores and two threads would also work. Student computers should also have 8 GB of RAM, a minimum of a 1-TB hard drive, and USB 3.0. These labs were tested using a Microsoft Surface device with an Intel i5 processor, 8 GB of RAM, and a 128-GB hard drive with an external USB 3.1 TB solid-state drive for virtual machine storage.


Module 1: Ethical Considerations in IT and Detecting Phishing Attacks

Purpose of Lab Module
Upon completion of this activity, students will have a better understanding of the ethical expectations of IT professionals and will be able to identify several types of social engineering attacks that use phishing techniques.

Estimated Completion Time
If students are prepared, they should be able to complete these assignments in 75 to 95 minutes.

Infrastructure Comments
No additional infrastructure required.

Data Provided to Students
No additional information required for this lab.

Rubrics and Evaluation
The Ethical Considerations in IT exercise has a self-reflection exercise. The Detecting Phishing Attacks exercise includes written response pages. Students receive a point apiece for identifying each of the following elements in the 10 example e-mails listed in the “Test Your Knowledge” section of the lab.

Example 1: Dropbox Transfer (3 points)
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: The message has an unexpected attachment.

Example 2: Congratulations you have won (4 points)
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
• 1 Point: The message has an unexpected attachment.

Example 3: Bears Moving Co Booking Confirmation (1 point)
• 1 Point: This is a legitimate e-mail.

Example 4: Sextortion E-mail (3 points)
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
• 1 Point: The message wants you to send money.

Example 5: Payment Advice Notification (3 points)
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: The message has an unexpected attachment.

Example 6: I Send The Money To Your Name See Payment Copy In Attach (4 points)
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
• 1 Point: The message has an unexpected attachment.

Example 7: Please I Need Ur Help!! (4 points)
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
• 1 Point: The message wants you to send money.

Example 8: FDIC (5 points)
• 1 Point: The message asks for sensitive information.
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
• 1 Point: Links in the message seem suspicious.

Example 9: Dear Friend (5 points)
• 1 Point: The message asks for sensitive information.
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
• 1 Point: The message wants you to send money.

Example 10: Norton LifeLock (3 points)
• 1 Point: The message does not use a correct name; other details are also incorrect.
• 1 Point: The address does not look authentic.
• 1 Point: There are misspelled words and improper grammar.
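The rubric above grades each e-mail on the same handful of indicators: a wrong or generic name, a sender address that does not look authentic, misspellings, an unexpected attachment, a request for money or sensitive data, and suspicious links. As an added teaching illustration that is not part of the lab or the textbook, the Python script below encodes those indicators as simple rules and runs them over three constructed messages patterned loosely on the Dropbox Transfer, Booking Confirmation and FDIC rows. The brand-to-domain map, word lists, score threshold and sample messages are all assumptions; the script is meant to show what each indicator checks, not to serve as a production mail filter.

```python
# Added example (not part of the lab or the textbook): a rule-based scorer that
# applies the indicators from the rubric above to a message and reports which
# ones fired. The brand/domain map, word lists, thresholds and sample messages
# are constructed assumptions for teaching, not a production phishing filter.
import re
from urllib.parse import urlparse

# Assumed: the domain each brand genuinely sends mail from.
BRAND_DOMAINS = {"dropbox": "dropbox.com", "fdic": "fdic.gov", "norton": "norton.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".zip", ".iso", ".html", ".docm"}
MISSPELLINGS = {"recieve", "acount", "verfy", "ur", "plz", "informations", "adress"}
MONEY_PHRASES = ("send money", "wire transfer", "bitcoin", "gift card", "western union", "transfer fee")
SENSITIVE_PHRASES = ("password", "social security", "account number", "verify your account", "date of birth")
GENERIC_GREETINGS = ("dear customer", "dear friend", "dear user", "dear sir", "hello,")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def address_not_authentic(from_display, from_addr):
    """Display name claims a known brand but the address is not under that brand's domain,
    or the local part is padded with digits (assumed heuristic for throwaway accounts)."""
    local, domain = from_addr.rsplit("@", 1)[0], _domain(from_addr)
    brand = next((b for b in BRAND_DOMAINS if b in from_display.lower()), None)
    if brand and domain != BRAND_DOMAINS[brand] and not domain.endswith("." + BRAND_DOMAINS[brand]):
        return True
    return re.search(r"\d{4,}", local) is not None


def suspicious_links(links):
    """A link is suspicious when its host is a bare IP address or the visible text
    names a domain that the real href does not point to."""
    for text, href in links:
        host = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return True
        shown = text.lower().split("/")[0]
        if "." in shown and shown not in host:
            return True
    return False


def analyze(msg):
    """Return the fired indicators, their count and a verdict for one message dict."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    words = set(re.findall(r"[a-z']+", text))
    greeting = msg["greeting"].lower()
    flags = {
        "wrong_name": greeting.startswith(GENERIC_GREETINGS) or msg["recipient_name"].lower() not in greeting,
        "address_not_authentic": address_not_authentic(msg["from_display"], msg["from_addr"]),
        "misspellings": bool(words & MISSPELLINGS),
        "unexpected_attachment": any(a.lower().endswith(tuple(RISKY_EXTENSIONS)) for a in msg["attachments"]),
        "wants_money": any(p in text for p in MONEY_PHRASES),
        "sensitive_info": any(p in text for p in SENSITIVE_PHRASES),
        "suspicious_links": suspicious_links(msg["links"]),
    }
    score = sum(flags.values())
    # Assumed threshold: two or more indicators is treated as phishing.
    return {"flags": flags, "score": score, "verdict": "phishing" if score >= 2 else "legitimate"}


# Constructed sample messages loosely patterned on three rubric rows.
SAMPLES = {
    "Dropbox Transfer": {
        "from_display": "Dropbox", "from_addr": "share@dropbox-transfer.co",
        "recipient_name": "Alex", "greeting": "Dear Customer,",
        "subject": "Dropbox Transfer",
        "body": "A file has been shared with you. Open the attached transfer to download it.",
        "attachments": ["Transfer_Details.zip"], "links": [],
    },
    "Booking Confirmation": {
        "from_display": "Bears Moving Co", "from_addr": "bookings@bearsmoving.example",
        "recipient_name": "Alex", "greeting": "Dear Alex,",
        "subject": "Booking Confirmation",
        "body": "Your move on 14 May is confirmed. Reply to this message to change the date.",
        "attachments": ["Booking_Confirmation.pdf"],
        "links": [("bearsmoving.example", "https://bearsmoving.example/booking/1234")],
    },
    "FDIC": {
        "from_display": "FDIC Alerts", "from_addr": "fdic-support99817@secure-update.net",
        "recipient_name": "Alex", "greeting": "Dear Customer,",
        "subject": "Urgent: verify your account",
        "body": "We could not verfy your acount. Click www.fdic.gov to confirm your account "
                "number and password or you will not recieve your funds.",
        "attachments": [], "links": [("www.fdic.gov", "http://198.51.100.7/confirm")],
    },
}

if __name__ == "__main__":
    for title, msg in SAMPLES.items():
        result = analyze(msg)
        fired = [k for k, v in result["flags"].items() if v]
        print(f"{title}: {result['score']} point(s), {result['verdict']}: {fired}")
```

The same message scores 3, 0 and 5 here, matching the point totals the rubric assigns to the Dropbox, Booking Confirmation and FDIC examples; the one indicator a script handles worse than a student is “the address does not look authentic”, which in practice needs either an allow-list like BRAND_DOMAINS above or the sending domain’s SPF/DKIM results rather than string matching.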


Module 2: Web Browser Security

Purpose of Lab Module
Upon completion of this activity, students will be able to review and configure the security and privacy settings in the most popular Web browsers.

Estimated Completion Time
If students are prepared, they should be able to complete all tasks in this project in 60 to 90 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked.

Data Provided to Students
No additional information required for this lab.

Rubrics and Evaluation
There is a student response form included for this lab.


Module 3: Malware Defense

Purpose of Lab Module
Upon completion of this activity, students will be able to:
• Understand the basic setup and use of an open-source AV product.
• Install and use ClamAV on a Windows system.
• Using a USB storage device, create a portable AV scanner.
• Understand what a YARA file is and how it is used.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 60 to 90 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to have or be provided a USB memory device of at least 4 GB.

Data Provided to Students
No additional information required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.


Module 4: Windows Password Management

Purpose of Lab Module
Upon completion of this activity, the student will be able to:
• Review and configure password management policies in a Windows client computer.

Estimated Completion Time
If students are prepared, they should be able to complete this lab in 30 to 60 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked.

Data Provided to Students
No additional information required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.


Module 5: Backup and Recovery and File Integrity Monitoring

Purpose of Lab Module
Upon completion of this activity, students will be able to:
• Describe backup and recovery processes and be aware of basic backup activities using Windows 10 or another desktop operating system (OS).
• Perform file integrity monitoring using file hash values.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 15 to 20 minutes, plus the time needed to perform the backup data transfers, which depends on the size of the local file storage.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell. Students will need to be able to download or otherwise have access to:
• HashCalc from https://www.slavasoft.com/download.htm, and
• hash.exe and hashcmp.exe from MaresWare, downloaded as part of the second set of labs.

To perform and store actual system and data backups, students will need an internal hard drive or external USB drive not currently used on the system.
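File integrity monitoring with hash values, the second objective of this module, comes down to three steps: take a baseline of digests, keep it somewhere the monitored system cannot silently rewrite, and later compare a fresh snapshot against it. The lab does this with HashCalc, hash.exe/hashcmp.exe and PowerShell; as an added example that is not the lab’s own procedure, the Python script below performs the same baseline-and-compare cycle so the mechanics are visible in code. The monitored files and the changes made to them are constructed in temporary directories; nothing on the student’s system is touched.

```python
# Added example (not the lab's own steps, which use HashCalc, hash.exe/hashcmp.exe
# and PowerShell): file integrity monitoring with hash values in Python. A baseline
# manifest of SHA-256 digests is taken for a directory, stored outside that
# directory, and later compared with a fresh snapshot to list modified, added and
# removed files. The monitored files are constructed in a temporary directory.
import hashlib
import json
import os
import tempfile


def file_hash(path, algorithm="sha256"):
    """Digest of a file, read in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> hash for every regular file under root (symlinks skipped)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = file_hash(path)
    return result


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Differences between a stored baseline and a current snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline three files, then change one, add one, delete one."""
    monitored = tempfile.mkdtemp(prefix="fim_data_")
    _write(monitored, "config/app.ini", b"debug=false\n")
    _write(monitored, "bin/tool.exe", b"MZ constructed binary\n")
    _write(monitored, "readme.txt", b"original text\n")
    # The manifest lives outside the monitored tree; in the lab this is the role of
    # the external drive, so a change to the tree cannot also rewrite the baseline.
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="fim_baseline_"), "baseline.json")
    save_manifest(snapshot(monitored), manifest_path)

    _write(monitored, "config/app.ini", b"debug=true\n")          # modified
    _write(monitored, "bin/extra.dll", b"constructed new file\n")  # added
    os.remove(os.path.join(monitored, "readme.txt"))               # removed
    return compare(load_manifest(manifest_path), snapshot(monitored))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two properties of this approach are worth pointing out to students: a digest detects any change to content, however small, but says nothing about who changed it or when, and a baseline that is stored on the same disk as the files it protects can be rewritten along with them, which is why the lab has students keep hash output on separate media.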

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.


Module 6: OS Processes and Services

Purpose of Lab Module
Upon completion of this activity, the student will be able to:
• Review available and enabled OS services.
• Review available and enabled OS processes.
• Review current system resource utilization.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 60 to 90 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked.

Data Provided to Students
No additional information is required for this lab.

Rubrics and Evaluation
There is a student response form included with this lab.


Module 7: Log Management & Security

Purpose of Lab Module
In this lab, students examine the default logs present in a standard Windows operating system. Because a modern Microsoft Windows client OS such as Windows 10 is built on the same underlying architecture as Microsoft’s server systems, this knowledge scales to understanding the actions of commercial servers as well as end-user systems.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 30 to 60 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell.

Data Provided to Students
None is required.

Rubrics and Evaluation
There is a student response form included with this lab.


Module 8: Footprinting, Scanning, & Enumeration

Purpose of Lab Module
Students learn how attackers perform reconnaissance on potential targets using a variety of tools to perform what is known as “Footprinting.” This process includes both researching information from printed resources and gathering facts that can be collected from online resources and through social engineering efforts.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 70 to 120 minutes.

Infrastructure Comments
This lab can be used from any Windows computer system where the user is authenticated with the appropriate rights and privileges to modify the targeted software on the system being used. Lab-based computer systems often have these privileges locked. Students will need to be able to invoke and run Windows PowerShell.

Data Provided to Students
None is required.

Rubrics and Evaluation
There is a student response form included with this lab.


Module 9: AlienVault OSSIM

Purpose of Lab Module
This lab introduces the student to the basic setup and operation of a SIEM environment using AlienVault OSSIM. Students install the AlienVault OSSIM security information and event management (SIEM) system. Upon completion of this activity, students will understand the basic requirements for operating AlienVault OSSIM as a SIEM tool and will be much more knowledgeable about how to install, configure, and operate it. They will use the software more extensively in a subsequent lab.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 120 to 180 minutes.

Infrastructure Comments
There should be no additional infrastructure requirements unless the lab has been modified by the instructor. Note: AlienVault OSSIM is a fully functional SIEM system with several open-source components, including Nmap, OpenVAS, NetFlow, and full packet capture. This system may overtax a small student laptop, which is why the lab takes students on a walk-through.

Data Provided to Students
Data that students will need to be given or determine themselves (record each value):
• A static IPv4 address assigned to their virtual OSSIM system: Required
• The subnet mask to use on the local network: Required
• The IPv4 address of the local network gateway: Required
• The IPv4 address of the DNS server: Required
• Root password: Created during installation
• Local time zone: Chosen during setup
• Administrator password (used through Web access)

Rubrics and Evaluation
This lab is a series of steps with screen shots that explain how to install AlienVault OSSIM. Students have successfully completed the lab if they can provide a screen shot of the OSSIM Getting Started Wizard:


Several self-reflection questions are also included.


Module 10: Image Analysis Using Autopsy

Purpose of Lab Module
The purpose of this lab is to introduce students to the Autopsy forensic tool. Students will create a case, load a drive image, and analyze the results. Upon completion of this activity, students will have installed Autopsy on a local machine and analyzed the accompanying file of evidence.

Estimated Completion Time
If students are prepared, they should be able to complete this project in 45 to 70 minutes.

Infrastructure Comments
The latest version of Autopsy is 4.17.0 as of this writing. Autopsy can be installed directly on the student’s system and should not require the use of virtualization software such as VMware Workstation or VirtualBox.

Data Provided to Students
The students will need access to the evidence in the file named suspectdrive.img.

Rubrics and Evaluation
This lab is an introduction to Autopsy. The only item that students need to submit is the HTML report generated at the end. Because interpretation of evidence can vary from analyst to analyst, some people may tag every file and some may only tag files they feel certain are related to the case. There are multiple options for file tags, including Notable and Follow Up. A report that contains the information shown in the following screen would be acceptable for full credit.


Several self-reflection questions are also included.
