Chapter 11 Review Questions

1. A(n) _____ is a weakness that allows a threat agent to circumvent security.
   a. vulnerability
   b. exploit
   c. risk
   d. mitigation

2. The _____ defines the overall process involved with developing a security policy.
   a. security policy cycle
   b. risk identification cycle
   c. monitoring scope
   d. evaluation cycle

3. Each of the following is a step of risk identification except _________________.
   a. Inventory the assets
   b. Decide what to do about the risks
   c. Determine what threats exist against the assets
   d. Write the security policy

4. Each of the following is an asset except _________________.
   a. data
   b. wireless access point
   c. antivirus software
   d. loans

5. Each of the following is an attribute that should be compiled for a wireless access point when performing an asset identification except _________________.
   a. the name of the equipment
   b. the manufacturer’s serial number
   c. the MAC and IP address
   d. the number of wireless devices that associate with it

6. A tool that is used in threat modeling is a threat tree. True or false?

7. A vulnerability appraisal is the first step of compliance monitoring and evaluation. True or false?

8. It is possible to eliminate the risk for all assets. True or false?

9. A guideline is a document that outlines specific requirements or rules that must be met. True or false?

10. Two elements that must be balanced in an information security policy are trust and control. True or false?

11. _____ means that one person’s work serves as a complementary check on another person’s.
    Separation of duties

12. A(n) _____ defines what actions the users of a system may perform while using the computing and networking equipment.
    acceptable use policy (AUP)

13. An information security policy should clearly outline that all information is provided on a strictly _____ basis.
    need-to-know

14. A(n) _____ is a policy that governs how an employee can use a hotspot.
    public access WLAN use policy

15. _____ is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the asset and take necessary precautions to protect it.
    Due care

16. Explain the difference between a policy, a standard, and a guideline.
    A policy is the correct means by which an organization can establish wireless security. Unlike a policy, a standard is a collection of requirements specific to the system or procedure that must be met by everyone. For example, a standard may describe how a wireless user must configure her wireless network adapter interface card to connect to the network. Users must follow this standard exactly if they want to be able to connect. At the other extreme, a guideline is a collection of suggestions that should be implemented. These are not requirements to be met but are strongly recommended.

17. What is a public access WLAN use policy and why is it important?
    Because of the proliferation of public access wireless hotspots in coffee shops and restaurants, airports, hotels, and convention centers, business travelers frequently make use of these facilities to check e-mail or communicate with customers and vendors. However, these facilities rarely have any type of wireless security in place, in order to minimize technical difficulties for users. Many organizations now enforce a public access WLAN use policy to address accessing public hotspots.

18. What are the actions that an incident response team (IRT) should take when an attack occurs?
    After an incident is identified, the IRT immediately convenes and assesses the situation. They quickly decide how to contain the incident. If the attack is coming electronically through the network, it may be necessary to take preventive measures to limit the spread of the attack, such as temporarily shutting off the wireless LAN. Other containment actions may include reconfiguring firewalls, updating antivirus software, or implementing an emergency patch management system. In extreme cases even the connection to the Internet may be terminated. After the incident is contained, the next steps are to determine the cause of the attack, assess its damage, and implement recovery procedures to get the organization back to normal as quickly as possible. When the incident is over, a review of security is essential to ensure that a repeat attack is not successful.

19. List and define the three actions an organization may take regarding risk.
    There are three options an organization can take with the risks:
    1) Accept the risk – This is accomplished by doing nothing at all but leaving everything as is.
    2) Diminish the risk – To diminish or reduce the risk, additional hardware, software, or procedures would be implemented.
    3) Transfer the risk – This option makes someone else responsible for the risk.

20. What is threat modeling and how can attack trees be used?
    Determining the threats that could pose a risk to the assets can be a complicated process. One way to approach this task is a process known as threat modeling. Threat modeling constructs scenarios of the types of threats that assets can face. The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur. A valuable tool used in threat modeling is the construction of an attack tree. An attack tree provides a visual image of the attacks that may occur against an asset. Drawn as an inverted tree structure, an attack tree shows the goal of the attack, the types of attacks that may occur, and the techniques used in the attacks.