InterviewSolution
Saved Bookmarks
InterviewSolution
This section includes InterviewSolutions, each offering curated multiple-choice questions to sharpen your knowledge and support exam preparation. Choose a topic below to get started.
| 51. |
Mention The Operational Controls Of Nist Sp 800-26 ? |
Answer»
|
|
| 52. |
Lis The Management Controls Of Nist Sp 800-26? |
|
Answer» Risk Management Review of Security Controls Authorization of Processing Certification and Accreditation Risk Management Review of Security Controls Life Cycle Maintenance Authorization of Processing Certification and Accreditation System Security Plan. |
|
| 53. |
What Is The Alternate Security Models Available Other Than Iso 17799/bs 7799? |
|
Answer» ANOTHER approach available is described in the many documents available from the Computer Security Resource Center of the National Institute for STANDARDS and Technology (csrc.nist.gov) - Including: NIST SP 800-12 - The Computer Security Handbook NIST SP 800-14 - Generally Accepted PRINCIPLES and Practices for Securing IT Systems NIST SP 800-18 - The Guide for Developing Security PLANS for IT Systems.
Another approach available is described in the many documents available from the Computer Security Resource Center of the National Institute for Standards and Technology (csrc.nist.gov) - Including: NIST SP 800-12 - The Computer Security Handbook NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems.
|
|
| 54. |
What Are The Objectives Of Iso 17799? |
|
Answer» ORGANIZATIONAL SECURITY Policy is needed to provide management direction and SUPPORT Objectives: Operational Security Policy Organizational Security Infrastructure Asset Classification and Control PERSONNEL Security PHYSICAL and Environmental Security Communications and Operations Management System Access Control System Development and Maintenance Business Continuity Planning Compliance. Organizational Security Policy is needed to provide management direction and support Objectives: Operational Security Policy Organizational Security Infrastructure Asset Classification and Control Personnel Security Physical and Environmental Security Communications and Operations Management System Access Control System Development and Maintenance Business Continuity Planning Compliance. |
|
| 55. |
Mention The Drawbacks Of Iso 17799/bs 7799 ? |
|
Answer» Several countries have not adopted 17799 claiming there are fundamental PROBLEMS: The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799 17799 lacks "the necessary measurement PRECISION of a technical standard" There is no reason to believe that 17799 is more useful than any other approach currently available 17799 is not as complete as other frameworks available 17799 is perceived to have been hurriedly prepared given the TREMENDOUS impact its ADOPTION COULD have on industry information security controls. Several countries have not adopted 17799 claiming there are fundamental problems: The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799 17799 lacks "the necessary measurement precision of a technical standard" There is no reason to believe that 17799 is more useful than any other approach currently available 17799 is not as complete as other frameworks available 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls. |
|
| 56. |
Define Iso 17799/bs 7799 Standards And Their Drawbacks ? |
|
Answer» One of the most widely referenced and often DISCUSSED security models is the Information Technology - CODE of Practice for Information Security Management, which was originally published as British Standard BS 7799 This Code of Practice was adopted as an international standard by the International ORGANIZATION for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security. One of the most widely referenced and often discussed security models is the Information Technology - Code of Practice for Information Security Management, which was originally published as British Standard BS 7799 This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security. |
|
| 57. |
What Is Information Security Blueprint? |
|
Answer» The Security Blue PRINT is the BASIS for DESIGN,SELECTION and Implementation of Security Policies,education and training programs,and TECHNOLOGY controls. The Security Blue Print is the basis for Design,Selection and Implementation of Security Policies,education and training programs,and technology controls. |
|
| 58. |
What Are Acl Policies? |
|
Answer» ACLs ALLOW CONFIGURATION to restrict ACCESS from anyone and ANYWHERE ACLs regulate:
ACLs allow configuration to restrict access from anyone and anywhere ACLs regulate: |
|
| 59. |
Define Issue-specific Security Policy (issp) ? |
|
Answer» The ISSP: ADDRESSES specific areas of technology contains an issue statement on the organization's position on an issue. The ISSP: addresses specific areas of technology requires frequent updates contains an issue statement on the organization's position on an issue. |
|
| 60. |
What Is Security Program Policy? |
|
Answer» A SECURITY program policy (SPP) is also KNOWN as:
A security program policy (SPP) is also known as: |
|
| 61. |
What Are The Three Types Of Security Policies? |
|
Answer» Management DEFINES three types of SECURITY POLICY:
Management defines three types of security policy: |
|
| 62. |
Give An Example Of Risk Determination ? |
|
Answer» For the purpose of relative risk assessment: risk = likelihood of vulnerability occurrence TIMES value (or impact) - percentage risk already controlled + an element of uncertainty Information Asset A has an value score of 50 and has one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no CURRENT controls and you ESTIMATE that assumptions and data are 90 % accurate Asset A: vulnerability RATED as 55 = (50 * 1.0) - 0% + 10%. For the purpose of relative risk assessment: risk = likelihood of vulnerability occurrence times value (or impact) - percentage risk already controlled + an element of uncertainty Information Asset A has an value score of 50 and has one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no current controls and you estimate that assumptions and data are 90 % accurate Asset A: vulnerability rated as 55 = (50 * 1.0) - 0% + 10%. |
|
| 63. |
Mention The Risk Identification Estimate Factors ? |
|
Answer»
PERCENT of Risk Mitigated Uncertainty. Likelihood Value of Information Assets Percent of Risk Mitigated Uncertainty. |
|
| 64. |
What Is Risk Assessment? |
|
Answer» We can determine the RELATIVE risk for each of the vulnerabilities through a PROCESS called risk assessment Risk assessment assigns a risk rating or score to each specific information ASSET, useful in GAUGING the relative risk introduced by each VULNERABLE information asset and making comparative ratings later in the risk control process. We can determine the relative risk for each of the vulnerabilities through a process called risk assessment Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process. |
|
| 65. |
What Is Vulnerability Identification? |
|
Answer» We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain VIABLE risks to the organization. Vulnerabilities are specific avenues that threat agents can exploit to ATTACK an information asset. Examine how each of the threats that are possible or likely COULD be perpetrated and list the organization's assets and their vulnerabilities. The process works best when groups of PEOPLE with diverse backgrounds within the organization work iteratively in a series of BRAINSTORMING sessions. We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organization. Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. Examine how each of the threats that are possible or likely could be perpetrated and list the organization's assets and their vulnerabilities. The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions. |
|
| 66. |
Explain The Process Of Threat Identification? |
|
Answer» Threat Identification Each of the threats identified so far has the potential to ATTACK any of the assets protected This will quickly BECOME more COMPLEX and OVERWHELM the ability to plan To make this part of the PROCESS manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process. Threat Identification Each of the threats identified so far has the potential to attack any of the assets protected This will quickly become more complex and overwhelm the ability to plan To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process. |
|
| 67. |
What Are Security Clearances? |
|
Answer» The other side of the data classification scheme is the personnel security CLEARANCE structure Each USER of data in the organization is assigned a single level of authorization INDICATING the level of classification Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know requirement This extra level of protection ENSURES that the CONFIDENTIALITY of information is properly maintained. The other side of the data classification scheme is the personnel security clearance structure Each user of data in the organization is assigned a single level of authorization indicating the level of classification Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know requirement This extra level of protection ensures that the confidentiality of information is properly maintained. |
|
| 68. |
Define Data Classification And Management? |
|
Answer» A variety of CLASSIFICATION schemes are used by corporate and military organizations Information owners are RESPONSIBLE for CLASSIFYING the information assets for which they are responsible Information owners MUST review information classifications periodically The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or FEDERAL agencies. A variety of classification schemes are used by corporate and military organizations Information owners are responsible for classifying the information assets for which they are responsible Information owners must review information classifications periodically The military uses a five-level classification scheme but most organizations do not need the detailed level of classification used by the military or federal agencies. |
|
| 69. |
How Information Assets Are Classified? |
|
Answer» Examples of these kinds of classifications are: confidential DATA internal data public data Informal organizations may have to organize themselves to create a useable data CLASSIFICATION MODEL The other side of the data classification scheme is the personnel security CLEARANCE structure. Examples of these kinds of classifications are: confidential data internal data public data Informal organizations may have to organize themselves to create a useable data classification model The other side of the data classification scheme is the personnel security clearance structure. |
|
| 70. |
What Are The Asset Information For Data? |
|
Answer»
Owner/creator/manager Size of data structure Data structure used - SEQUENTIAL, relational Online or OFFLINE Where located Backup PROCEDURES employed. Classification Owner/creator/manager Size of data structure Data structure used - sequential, relational Online or offline Where located Backup procedures employed. |
|
| 71. |
What Are Asset Information For Procedures? |
|
Answer» Description What elements is it tied to Where is it stored for REFERENCE Where is it stored for UPDATE purposes. Description Intended purpose What elements is it tied to Where is it stored for reference Where is it stored for update purposes. |
|
| 72. |
What Are Hardware, Software, And Network Asset Identification? |
|
Answer» When deciding which INFORMATION assets to track, consider including these asset attributes:
When deciding which information assets to track, consider including these asset attributes: |
|
| 73. |
What Is Asset Information For People? |
|
Answer» POSITION name/number/ID Supervisor Security clearance LEVEL SPECIAL skills. Position name/number/ID Supervisor Security clearance level Special skills. |
|
| 74. |
What Are Asset Identification And Valuation ? |
|
Answer» This ITERATIVE process begins with the identification of assets, including all of the elements of an ORGANIZATION's system: PEOPLE, procedures, data and information, software, hardware, and NETWORKING elements. This iterative process begins with the identification of assets, including all of the elements of an organization's system: people, procedures, data and information, software, hardware, and networking elements. |
|
| 75. |
What Is The Process Of Risk Identification? |
|
Answer» A risk management STRATEGY calls on us to "KNOW ourselves" by identifying, CLASSIFYING, and prioritizing the ORGANIZATION's information ASSETS These assets are the targets of various threats and threat agents and our goal is to protect them from these threats. A risk management strategy calls on us to "know ourselves" by identifying, classifying, and prioritizing the organization's information assets These assets are the targets of various threats and threat agents and our goal is to protect them from these threats. |
|
| 76. |
What The Roles To Be Played By The Communities Of Interest To Manage The Risks An Organization Encounters? |
|
Answer» It is the responsibility of each COMMUNITY of interest to manage risks; each community has a role to PLAY:
It is the responsibility of each community of interest to manage risks; each community has a role to play: |
|
| 77. |
Define Man-in-the-middle ? |
|
Answer» Man-in-the-middle is an attacker SNIFFS packets from the network, MODIFIES them, and INSERTS them back into the network. Man-in-the-middle is an attacker sniffs packets from the network, modifies them, and inserts them back into the network. |
|
| 78. |
Define Spoofing ? |
|
Answer» It is a technique used to GAIN unauthorized access WHEREBY the intruder sends messages to a computer with an IP ADDRESS indicating that the MESSAGE is COMING from a trusted host. It is a technique used to gain unauthorized access whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. |
|
| 79. |
What Is Denial-of-service (dos) ? |
|
Answer» ATTACKER sends a large NUMBER of connection or information requests to a target so MANY requests are made that the target system cannot handle them successfully ALONG with other, legitimate requests for SERVICE may result in a system crash, or merely an inability to perform ordinary functions. attacker sends a large number of connection or information requests to a target so many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service may result in a system crash, or merely an inability to perform ordinary functions. |
|
| 80. |
What Are The Various Forms Of Attacks ? |
Answer»
|
|
| 81. |
Define Dictionary Attack ? |
|
Answer» The dictionary PASSWORD ATTACK NARROWS the field by selecting specific accounts to attack and uses a LIST of COMMONLY used passwords (the dictionary) to guide guesses. The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses. |
|
| 82. |
What Is Back Door? |
|
Answer» BACK Doors - Using a known or previously UNKNOWN and newly discovered ACCESS mechanism, an ATTACKER can gain access to a system or NETWORK resource. Back Doors - Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource. |
|
| 83. |
What Is Distributed Denial-of-service (ddos)? |
|
Answer» DDOS is an attack in which a coordinated stream of REQUESTS is LAUNCHED against a TARGET from many locations at the same TIME. DDoS is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time. |
|
| 84. |
Define Hoaxes ? |
|
Answer» Hoaxes - A more DEVIOUS APPROACH to attacking COMPUTER SYSTEMS is the transmission of a virus hoax, with a real virus attached. Hoaxes - A more devious approach to attacking computer systems is the transmission of a virus hoax, with a real virus attached. |
|
| 85. |
Define Virus ? |
|
Answer» Virus - Each infected machine INFECTS certain common EXECUTABLE or script FILES on all computers to which it can WRITE with virus CODE that can cause infection. Virus - Each infected machine infects certain common executable or script files on all computers to which it can write with virus code that can cause infection. |
|
| 86. |
What Is A Malicious Code? |
|
Answer» This kind of attack includes the EXECUTION of viruses, worms, Trojan HORSES, and active web scripts with the intent to destroy or steal information. The state of the art in attacking SYSTEMS in 2002 is the multi-vector WORM USING up to six attack vectors to exploit a variety of vulnerabilities in commonly found information system devices. This kind of attack includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information. The state of the art in attacking systems in 2002 is the multi-vector worm using up to six attack vectors to exploit a variety of vulnerabilities in commonly found information system devices. |
|
| 87. |
What Is An Attack? |
|
Answer» An attack is the deliberate act that exploits vulnerability It is accomplished by a threat-agent to damage or steal an organization's information or PHYSICAL ASSET An exploit is a technique to compromise a system A vulnerability is an identified weakness of a controlled system whose controls are not present or are no LONGER effective An attack is then the use of an exploit to achieve the compromise of a controlled system. An attack is the deliberate act that exploits vulnerability It is accomplished by a threat-agent to damage or steal an organization's information or physical asset An exploit is a technique to compromise a system A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective An attack is then the use of an exploit to achieve the compromise of a controlled system. |
|
| 88. |
What Is Technological Obsolescence? |
|
Answer» When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems MANAGEMENT MUST recognize that when technology becomes outdated, there is a risk of LOSS of data integrity to threats and attacks Ideally, proper planning by management should prevent the RISKS from technology obsolesce, but when obsolescence is identified, management must take ACTION. When the infrastructure becomes antiquated or outdated, it leads to unreliable and untrustworthy systems Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity to threats and attacks Ideally, proper planning by management should prevent the risks from technology obsolesce, but when obsolescence is identified, management must take action. |
|
| 89. |
What Are Technical Software Failures Or Errors? |
Answer»
|
|
| 90. |
What Are Technical Hardware Failures Or Errors? |
|
Answer» Technical hardware failures or errors OCCUR when a manufacturer distributes to USERS equipment containing flaws These defects can cause the SYSTEM to perform OUTSIDE of expected parameters, resulting in unreliable service or lack of availability Some errors are terminal, in that they result in the unrecoverable LOSS of the equipment Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated. Technical hardware failures or errors occur when a manufacturer distributes to users equipment containing flaws These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability Some errors are terminal, in that they result in the unrecoverable loss of the equipment Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated. |
|
| 91. |
What Are The Forces Of Nature Affecting Information Security? |
|
Answer» Forces of nature, force majeure, or acts of God are dangerous because they are UNEXPECTED and can occur with very little warning Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information Include fire, flood, earthquake, and lightning as WELL as volcanic eruption and INSECT infestation Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for CONTINUED operations. Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can occur with very little warning Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect infestation Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations. |
|
| 92. |
What Are Deliberate Software Attacks? |
|
Answer» When an INDIVIDUAL or group designs software to attack systems, they create malicious code/software called malware Designed to DAMAGE, destroy, or deny service to the target systems Includes: macro virus boot virus worms Trojan horses logic bombs BACK door or trap door denial-of-service ATTACKS polymorphic hoaxes. When an individual or group designs software to attack systems, they create malicious code/software called malware Designed to damage, destroy, or deny service to the target systems Includes: macro virus boot virus worms Trojan horses logic bombs back door or trap door denial-of-service attacks polymorphic hoaxes. |
|
| 93. |
What Are The Deliberate Acts Of Theft? |
|
Answer» Illegal TAKING of another's PROPERTY - physical, electronic, or intellectual The value of information suffers when it is copied and taken away without the owner's knowledge Physical theft can be CONTROLLED - a wide variety of MEASURES used from locked doors to guards or alarm systems Electronic theft is a more complex problem to manage and control - organizations may not even know it has occurred. Illegal taking of another's property - physical, electronic, or intellectual The value of information suffers when it is copied and taken away without the owner's knowledge Physical theft can be controlled - a wide variety of measures used from locked doors to guards or alarm systems Electronic theft is a more complex problem to manage and control - organizations may not even know it has occurred. |
|
| 94. |
What Is Cyber Terrorism? |
|
Answer» Cyberterrorism is amost SINISTER form of HACKING involving CYBERTERRORISTS hacking systems to conduct terrorist activities through network or internet pathways. An EXAMPLE was defacement of NATO web pages during the war in Kosovo. Cyberterrorism is amost sinister form of hacking involving cyberterrorists hacking systems to conduct terrorist activities through network or internet pathways. An example was defacement of NATO web pages during the war in Kosovo. |
|
| 95. |
What Is Deliberate Acts Of Sabotage And Vandalism? |
|
Answer» Individual or group who want to deliberately sabotage the operations of a COMPUTER system or business, or perform acts of VANDALISM to either destroy an asset or damage the IMAGE of the organization These threats can range from petty vandalism to organized sabotage Organizations rely on image so Web defacing can lead to dropping CONSUMER confidence and sales RISING threat of hacktivist or cyber-activist operations - the most extreme version is cyber-terrorism.
Individual or group who want to deliberately sabotage the operations of a computer system or business, or perform acts of vandalism to either destroy an asset or damage the image of the organization These threats can range from petty vandalism to organized sabotage Organizations rely on image so Web defacing can lead to dropping consumer confidence and sales Rising threat of hacktivist or cyber-activist operations - the most extreme version is cyber-terrorism.
|
|
| 96. |
What Is Information Extortion? |
|
Answer» INFORMATION extortion is an attacker or formerly trusted insider stealing information from a computer system and demanding compensation for its return or non-use. Extortion found in credit CARD number theft(A RUSSIAN hacker named Maxus,who HACKED the online vendor and stole several hundred thousand credit card numbers). Information extortion is an attacker or formerly trusted insider stealing information from a computer system and demanding compensation for its return or non-use. Extortion found in credit card number theft(A Russian hacker named Maxus,who hacked the online vendor and stole several hundred thousand credit card numbers). |
|
| 97. |
Who Are Hackers? What Are The Two Hacker Levels? |
|
Answer» The CLASSIC perpetrator of deliberate acts of espionage or trespass is the hacker. Hackers are "people who use and CREATE computer software [to] GAIN access to information illegally". Generally two skill LEVELS among hackers: Expert hacker unskilled hacker(Script KIDDIES). The classic perpetrator of deliberate acts of espionage or trespass is the hacker. Hackers are "people who use and create computer software [to] gain access to information illegally". Generally two skill levels among hackers: Expert hacker unskilled hacker(Script kiddies). |
|
| 98. |
What Is Deliberate Acts Of Espionage Or Trespass? |
Answer»
|
|
| 99. |
How Intellectual Property Can Be Protected? |
|
Answer» Enforcement of copyright has been ATTEMPTED with technical security mechanisms,such as using DIGITAL watermarks and embedded code.The most common reminder of the individual's obligation to fair and responsible USE is the license AGREEMENT window that usually pops up during the INSTALLATION of a new software. Enforcement of copyright has been attempted with technical security mechanisms,such as using digital watermarks and embedded code.The most common reminder of the individual's obligation to fair and responsible use is the license agreement window that usually pops up during the installation of a new software. |
|
| 100. |
What Is Intellectual Property? |
|
Answer» Intellectual property is "the ownership of ideas and control over the tangible or virtual REPRESENTATION of those ideas" . Many ORGANIZATIONS are in business to CREATE intellectual property.
Intellectual property is "the ownership of ideas and control over the tangible or virtual representation of those ideas" . Many organizations are in business to create intellectual property. |
|