Friday, March 8, 2019
IS404 Final Study Guide

1. p6 Need to know the four broad categories for technologies:
   a. Networks
   b. Systems
   c. Processes
   d. Applications
2. p5 Need to know that access control systems consist of three elements:
   a. Policies
   b. Procedures
   c. Tools
3. p16 The purpose of access control is to regulate interactions between a subject and an object, such as data, a network, or a device.
4. p8 Need to know that confidence in any authentication system can be measured by two components: the type of correlation and the number of authentication factors.
5. p21 Access control threats cannot be 100% eliminated because new ones are constantly being devised.
6. p26-27 Quantitative risk assessment relies on several calculations:
   a. Single Loss Expectancy (SLE)
   b. Annualized Rate of Occurrence (ARO)
   c. Annualized Loss Expectancy (ALE)
7. p24 Social engineering is the single most common method attackers use, and it is also the most effective.
8. p35 Under the System/Application Domain, what is patch management? It can be used to address security threats.
9. p30 Where are access controls needed most? Unless there is an asset of special importance stored on the network, it is unnecessary to place separate access controls on each asset.
10. p45 There is significant overlap in security layers.
11. p45 A classification scheme is a method of organizing sensitive information into various access levels.
12. p46 Anyone can gain access to unclassified information through legal means via the Freedom of Information Act (FOIA).
13. p48 The Privacy Act of 1974 is related to the federal government.
14. p52-53 Why would you need to classify data? Risk avoidance.
15. p58 Operational efficiency:
   * The right information
   * The right people
   * The right time
16. p71-72 What is a key requirement for HIPAA? Security and privacy of health data.
17. p77 FERPA:
   * Computer media
   * Written records stored in the student folder
18. p89 The IT security policy framework consists of:
   * Policy
   * Standard
   * Guideline
   * Procedure
19. p107-108 Kinds of security breaches:
   * System exploits
   * Eavesdropping
   * Social engineering
   * Denial of Service attacks
   * Indirect attacks
   * Direct access attacks
20. p98 Federal and state laws have been created to act as deterrents to information theft.
21. p99 The DMCA (Digital Millennium Copyright Act) allows unauthorized disclosure of data by circumventing an established technological measure.
22. p120 Customer access to data: the advent of the Internet has made it easy for customers to order merchandise.
23. p130 Separation of responsibilities: if an attacker compromises one account, he or she will be denied access to another account.
24. p152 An Acceptable Use Policy (AUP) defines how an employee may use equipment.
25. p143 Social engineering is a strategy in which hackers exploit general human trust:
   * Assumed identity
   * Believability
   * Multiple contacts
   * Request for help
26. p148-149 Job rotation reduces risk factors along with separation of duties.
27. p166 You can manage ACLs in Microsoft Windows using Active Directory, or with NFS version 4.
28. p172 UNIX rights are read, write, and execute.
29. p172 No permissions has a value of zero (0).
30. p165 Secure DIM: another method is to secure the communications channel. You can use protocols such as Secure Sockets Layer (SSL) to accomplish this.
31. p168 Delegated access rights are given from something that owns an object to another user or system.
32. p209 Mandatory Access Control (MAC) is based on the sensitivity of the information contained in the objects.
33. p209-210 Role-based Access Control:
   * Role assessment
   * Role authorization
   * Transaction authorization
34. p219 Kerberos uses strong cryptography in order for the client to prove its identity to the server. Single Sign-in Method (SSM).
35. p228 Any access point within range displays its SSID.
36. p218 Two-factor authentication: something you have, something you know, something you are.
37. p280 Need to know the three different types of remote access authentication protocols: PAP, CHAP, PPP.
38. p273 Need to know the purpose of AAA: Authentication, Authorization, and Accounting.
39. p285 Internet Key Exchange (IKE) is the de facto standard of IPsec.
40. p280 TACACS provides flexibility to network administrators by implementing AAA capabilities. RADIUS does not.
41. p285 Web authentication is needed where a VPN is not available.
42. p293 A single server provides central digital signing and verification services.
43. p306-307 PKI does not ensure that the end user can be trusted.
44. p312 The authentication service validates the subscriber's credentials for the registration authority prior to the request for a digital certificate.
45. p304 Non-repudiation is a way of assuring that the originator cannot refute the origin of a statement or document.
46. p326 One advantage of non-intrusive testing methods is that they can uncover valuable information about potential vulnerabilities.
47. p327 Vulnerability assessment is the first step to harden the network:
   * Network scanners
   * Port scanners
   * Web application scanners
48. p332 Breach resolution is double blind.
49. p334 Code injection is an attack in which a hacker injects malicious code into an input field, usually in a web application.
50. p340 The penetration tester's major deliverable from any penetration test is the analysis and report delivered to the organization.