Principles Of Information Security 7th Edition Michael E. Whitman, Herbert J. Mattord - Solutions
Present the fact that trespassing often leads to unauthorized, real, or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Discuss that the classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty
Discuss the term privilege escalation. Explain that a common example of privilege escalation is called jailbreaking or rooting. Justify that according to the U.S. Copyright Office, the practice of jailbreaking smartphones was considered legal as a special exemption under the Digital Millennium
Describe that there are other terms for system rule breakers as mentioned in the text: Crackers are now commonly associated with an individual who “cracks” or removes software protection that is designed to prevent unauthorized duplication. Phreakers hack the public telephone network to make free
Discuss how forces of nature, force majeure, or acts of God pose some of the most dangerous threats, because they are unexpected and can occur with little warning. Emphasize that pandemics, such as the 2020 COVID-19 outbreak, are considered a force of nature even though most things remained
Recognize that solar flares or extremes in radiation can affect power grids and power lines, blow out transformers, and shut down power stations. Emphasize that businesses that rely on satellites should have alternate options available should communications from them be disrupted.
Describe this category and comment to students that it includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization. Discuss the fact that employees constitute one of the greatest threats to information security, as they are
Define within the context of information security that social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker. Explain that people are the weakest link. You can have the best technology—firewalls,
Compare and contrast one of the most common social engineering attacks, known as the advance-fee fraud (AFF), with phishing. Stress that AFF is also known as 4-1-9 fraud because it is named after a section of the Nigerian penal code, not an area code in northern Ohio. Examine a sample letter, as illustrated in
Distinguish phishing as an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity. Emphasize that a variant is spear phishing, a label that applies to any highly targeted phishing attack. While normal phishing attacks target as many recipients
Point out that another form of social engineering is called pretexting, which is sometimes referred to as phone phishing. Emphasize that VoIP phone services have made it easy to spoof caller IDs and hence hide the identity of someone who may be on the other end of the line.
Explain that a newer type of attack in this category is ransomware: malware that denies the user access to the host system and then offers, for a fee, a key to restore access to the user’s system and data. Compare and contrast the two different types of
Summarize that this type of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to either destroy an asset or damage the image of an organization. Emphasize that these threats can range from petty vandalism by employees to organized sabotage against an
Explain that security experts are noticing a rise in another form of online vandalism: hacktivist or cyber-activist operations. A more extreme version is referred to as cyberterrorism (which is explained next). Stress that the concept of doxing is where a hacker would use online resources to find
Describe malware as malicious code or malicious software. Point out that other attacks that use software, such as redirect attacks and denial-of-service attacks, also fall under this threat. Note that the malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web
State that a computer virus consists of code segments that perform malicious actions. Point out to students that one of the most common methods of virus transmission is via e-mail attachments. Mention that viruses can be classified by how they spread themselves. Discuss the most common types of
Explain that worms are self-replicating malware that, unlike viruses, need no host program to spread; they keep replicating until all available resources have been exhausted. Relate the speed at which worms can spread by applying the examples of the Nimda outbreak in 2001 and the Klez worm, which infiltrated computers in much the same way. Examine the
Discuss how, by using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Point out that these doors are often referred to as maintenance hooks. Stress that a back door, or trap door, access process is
Recall that spam is unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks. Explain that mail bombing is another form of e-mail attack that is also a denial of service (DoS), in which an attacker routes large
Explain that common software-based communications attacks include several subcategories designed to intercept and collect information in transit. Point out to students that the emergence of the Internet of Things (IoT) increases the possibility of these types of attacks. Describe that a packet
Emphasize that technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable or unavailable service. Discuss that some
Compare and contrast mean time between failure (MTBF) and mean time to failure (MTTF). Explain that in hardware terms, failures are measured in MTBF and MTTF. Point out that MTBF and MTTF are sometimes used
Explain that in hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). Point out that MTBF and MTTF are sometimes used interchangeably; strictly, for repairable equipment MTBF is MTTF plus the mean time to repair (MTTR), so the two differ only by the repair time. Note also that the mean time to diagnose (MTTD) is the average amount of time a technician needs
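The following is an added example, not code from the textbook or its solutions. It derives MTTF, MTTD, MTTR, MTBF and availability from a constructed outage log, and shows why MTBF and MTTF are so often used interchangeably: with ten days of uptime between failures and repairs measured in hours, MTBF exceeds MTTF by only the repair time. The log format, the component name and the observation window are assumptions made for the example.

```python
"""Hardware failure metrics from an outage log (added example, not textbook code).

Each constructed log line: component,failed_at,diagnosed_at,restored_at
(ISO 8601, assumed UTC). From these we derive:
  MTTF  mean uptime from a restore (or observation start) to the next failure
  MTTD  mean time from failure to diagnosis
  MTTR  mean time from failure to restore (includes the diagnosis time)
  MTBF  MTTF + MTTR for repairable equipment
  availability = MTTF / MTBF
"""
from datetime import datetime

# Constructed sample: three failures of one disk array, ten days of uptime apart.
OUTAGE_LOG = """\
array-01,2024-01-01T00:00:00,2024-01-01T00:30:00,2024-01-01T04:00:00
array-01,2024-01-11T04:00:00,2024-01-11T04:15:00,2024-01-11T06:00:00
array-01,2024-01-21T06:00:00,2024-01-21T06:45:00,2024-01-21T09:00:00
"""

# Assumed start of the observation window (the array was known good from here on).
OBSERVATION_START = datetime(2023, 12, 22, 0, 0, 0)

HOUR = 3600.0


def parse_outages(text):
    """Return (component, failed, diagnosed, restored) tuples sorted by failure time."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, failed, diagnosed, restored = fields
        f, d, r = (datetime.fromisoformat(x) for x in (failed, diagnosed, restored))
        # Timestamps that run backwards are a logging error, not a short outage.
        if not (f <= d <= r):
            raise ValueError(f"line {lineno}: timestamps out of order")
        records.append((name, f, d, r))
    return sorted(records, key=lambda rec: rec[1])


def failure_metrics(records, observation_start):
    """Compute MTTF, MTTD, MTTR, MTBF (hours) and availability for one component."""
    if not records:
        raise ValueError("no outage records")
    uptimes, diagnose_times, repair_times = [], [], []
    last_restore = observation_start
    for _, failed, diagnosed, restored in records:
        if failed < last_restore:
            raise ValueError("overlapping outages")
        uptimes.append((failed - last_restore).total_seconds() / HOUR)
        diagnose_times.append((diagnosed - failed).total_seconds() / HOUR)
        repair_times.append((restored - failed).total_seconds() / HOUR)
        last_restore = restored
    mttf = sum(uptimes) / len(uptimes)
    mttd = sum(diagnose_times) / len(diagnose_times)
    mttr = sum(repair_times) / len(repair_times)
    mtbf = mttf + mttr
    return {
        "mttf_h": mttf,
        "mttd_h": mttd,
        "mttr_h": mttr,
        "mtbf_h": mtbf,
        "availability": mttf / mtbf,
    }


def sample_metrics():
    """Metrics for the constructed log above."""
    return failure_metrics(parse_outages(OUTAGE_LOG), OBSERVATION_START)


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key:>12}: {value:.4f}")
```

On the sample log this gives MTTF 240 h, MTTR 3 h, MTBF 243 h and availability just under 98.8%; the half-hour MTTD is the slice of MTTR that better monitoring, rather than faster repair, would shrink.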
List the top 10 Web application security risks, as outlined by the Open Web Application Security Project (OWASP) in the 2017 edition of its list (the 2021 edition reorders and merges several of these): Injection; Broken authentication; Sensitive data exposure; XML external entities (XXE); Broken access control; Security misconfiguration; Cross-site scripting (XSS); Insecure
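As an added example of the first risk on that list (not code from the textbook or its solutions), here is a login lookup built by string formatting beside the same lookup with bound parameters. It runs against an in-memory SQLite table with constructed rows; the table layout, the column names and the two attacker inputs are assumptions made for the example.

```python
"""Injection (OWASP Top 10 A1, 2017): vulnerable lookup beside its hardened form.

Added example, not from the textbook. Uses an in-memory SQLite database with
constructed rows; table, column names and payloads are assumptions.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory user table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by string formatting: user input becomes SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Same query with bound parameters: input is only ever treated as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Constructed attacker inputs.
PAYLOAD_COMMENT = "alice' --"        # closes the string and comments out the password check
PAYLOAD_TAUTOLOGY = "' OR '1'='1"    # appends a clause that is always true


def demo():
    """Run both lookups against the payloads and a legitimate login; return the rows."""
    conn = make_db()
    return {
        "vulnerable_comment": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, "nobody", PAYLOAD_TAUTOLOGY),
        "safe_comment": login_safe(conn, PAYLOAD_COMMENT, "wrong"),
        "safe_tautology": login_safe(conn, "nobody", PAYLOAD_TAUTOLOGY),
        "legitimate": login_safe(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>22}: {rows}")
```

The comment payload logs in as alice without any password, and the tautology payload returns every row; the parameterized version returns nothing for either, because the driver never lets the input change the statement's structure. Other drivers use different placeholder syntax (`%s`, `:name`), but the principle is the same: never splice untrusted input into the query text.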
Explain that some software development problems result in software that is difficult or impossible to deploy in a secure fashion. There are at least two dozen problem areas or categories in software development (which is also called software engineering) that are recommended to be summarized to
Discuss how antiquated or outdated infrastructure leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data integrity from attacks. Explain that proper planning by management should prevent technology from becoming
Define theft as the illegal taking of another’s property. Within an organization, that property can be physical, electronic, or intellectual. Summarize how physical theft can be controlled quite easily. Many measures can be taken, including locking doors, training security personnel, and
Stress that an information security program begins with policies, standards, and practices that are the foundation for the program and its blueprint. This will require coordinated planning, and it should be done regardless of an organization’s size. Denote that the information security (InfoSec)
What type of planning occurs where the actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals are followed by estimates and schedules for the allocation of resources necessary to achieve those goals and
Outline that within the planning stage of the InfoSec model are activities that are necessary to support the design, creation, and implementation of strategies within the planning environments of an organization. Emphasize that this does include the information technology (IT) department. Report
According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation, reporting security vulnerabilities, and breaches?
a. Chief executive officer
b. Mid-level managers
c. Janitorial staff
d. Enterprise staff/employees
Review the three categories of policy that are presented here. Enterprise information security policy (EISP): Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across the organization. The CISO typically drafts the program
The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body.
a. Evaluate
b. Direct
c. Monitor
d. Assure
Relate that InfoSec operations that are specifically managed are often known as programs (or entities). Apply the example of security education, training, and awareness (SETA) programs or a risk management program. Give additional examples of different programs that may be part of InfoSec operations.
True or False: ISO 27014:2021 is the ISO 27000 series standard for Governance of Information Security.
True or False: Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward specific, clearly defined goals.
Emphasize that people are the most critical link of the InfoSec program. State that people may include security personnel (professional information security employees), the security of personnel in an organization, and items mentioned in the SETA.
Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls?
a. Blueprint
b. The NIST handbook
c. Information security framework
d. Security plan
Which document is an excellent reference for security managers involved in the routine management of information security?
a. SP 800-12, “An Introduction to Computer Security”
b. SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology”
c. SP-800-30 Rev. 1:
Recognize that whatever will be implemented in the InfoSec space, it must be managed as a project. Identify that project management involves the application of a project management discipline to all elements of the InfoSec program. Project management involves identifying and controlling the
True or False: SP 800-18, “Guide for Developing Security Plans for Federal Information Systems,” is considered the foundation for a comprehensive security blueprint and framework.
Explain that long-term strategic planning is critical to the information security program and that the planning effort should have specific, clearly defined goals for the organization. Discuss the organization of the planning process from the broad goals and vision of the organization down to the
As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following?
a. Framework
b. Security perimeter
c. Security domain
d. Defense in depth
Which of the following defines the edge between the outer limit of an organization’s security and the beginning of the outside world?
a. Framework
b. Security perimeter
c. Security domain
d. Defense in depth
Explain to students that strategic plans and objectives are used to create tactical plans, which are used to develop operational plans. Compare and contrast tactical planning (one- to two-year timelines) with operational planning (day-to-day tasks). Discuss how the chief information security officer
Remind students that the primary objective of the CISO and the information security (IS) management team is to create the security strategic plan. Explain that this plan is an evolving statement of how the CISO will implement the objectives expressed in the Enterprise Information Security
Establish how management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment. Explain how policies direct how issues should be addressed and how technologies should be used. Emphasize that they should not explain the
Detail how an enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. This policy sets the strategic direction, scope, and tone for all security efforts within the
Detail the purpose of a statement of policy. Emphasize that it should begin with a clear statement of purpose. Comment that within the introductory section, the following questions should be answered: What is the scope of the policy? Who is responsible and accountable for policy implementation? What
Explain that each policy should have a procedure and a timetable for a periodic review.
Recall that this section is often the final section of a policy and has a general statement of liability or disclaimers. Summarize that the policy should state that if employees violate a company policy or any law using company technologies, the company will not protect them and is not liable for
Emphasize that while issue-specific policies are formalized as written documents to be distributed to users and agreed to in writing, SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems. Explain that systems-specific policies can be combined
Discuss the managerial guidance SysSPs. Note that a managerial guidance SysSP document is created by leadership to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information. Establish an
Discuss that while a manager can work with a systems administrator to create managerial policy as described in the preceding section, the system administrator may need to create a policy to implement the managerial policy. State the purpose and definition of access control lists (ACLs). Comment that
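An added example, not code from the textbook or its solutions, of what an ACL looks like once a system administrator turns the managerial policy into a technical specification: a small evaluator for a file share's ACL, a weak configuration beside its corrected form, and a lint that flags the over-broad entry. The users, groups, entries and the evaluation rule (explicit deny always wins, allow is required, unmatched requests are denied) are assumptions for the example; real systems differ in the details of ordering and inheritance.

```python
"""Technical-specification SysSP in code: a small ACL evaluator (added example).

Not from the textbook. Entries, principals and group memberships below are
constructed. Evaluation rule (an assumption; real systems differ in detail):
an explicit deny matching the requester always wins, an allow is needed for
access, and anything unmatched is denied (default deny).
"""
from collections import namedtuple

Entry = namedtuple("Entry", ["principal", "access", "perms"])

# Constructed group membership; "Everyone" is an implicit principal for all users.
GROUPS = {
    "alice": {"finance"},
    "bob": {"it-ops"},
    "mallory": set(),   # a contractor account with no group membership
}

ALL_PERMS = {"read", "write"}


def principals_for(user):
    """The identities an ACL entry can match for this user."""
    return {user, "Everyone"} | GROUPS.get(user, set())


def is_permitted(acl, user, perm):
    """Decide one access request against an ACL."""
    subjects = principals_for(user)
    allowed = False
    for entry in acl:
        if entry.principal not in subjects or perm not in entry.perms:
            continue
        if entry.access == "deny":
            return False  # explicit deny overrides any allow, regardless of position
        allowed = True
    return allowed  # no matching allow means no access (default deny)


def overbroad_entries(acl):
    """Lint: entries granting 'Everyone' more than read, a common misconfiguration."""
    return [
        e for e in acl
        if e.principal == "Everyone" and e.access == "allow" and e.perms - {"read"}
    ]


# Weak ACL for a payroll share: the convenient 'Everyone: full' entry makes the
# finance-only grant meaningless, because every user matches 'Everyone'.
WEAK_ACL = [
    Entry("Everyone", "allow", {"read", "write"}),
    Entry("finance", "allow", {"read", "write"}),
]

# Corrected ACL: least privilege per group, and the contractor explicitly denied
# so that a later group grant cannot accidentally let the account in.
FIXED_ACL = [
    Entry("finance", "allow", {"read", "write"}),
    Entry("it-ops", "allow", {"read"}),
    Entry("mallory", "deny", {"read", "write"}),
]


def access_matrix(acl, users=("alice", "bob", "mallory")):
    """Evaluate every user/permission pair; useful when reviewing an ACL before deployment."""
    return {u: {p: is_permitted(acl, u, p) for p in sorted(ALL_PERMS)} for u in users}


if __name__ == "__main__":
    print("weak   :", access_matrix(WEAK_ACL), "lint:", overbroad_entries(WEAK_ACL))
    print("fixed  :", access_matrix(FIXED_ACL), "lint:", overbroad_entries(FIXED_ACL))
```

Printing the access matrix for both lists is the check a practitioner wants before the share goes live: the weak list gives mallory write access through `Everyone`, while the corrected list gives finance read/write, it-ops read only, and the contractor nothing.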
Explain that many organizations create a single document that combines the management guidance SysSP and the technical specifications SysSP. This is often confusing to casual users but is practical, since it puts the guidance from both managerial and technical perspectives in a single place.
Develop the six tasks that must be done properly in order for a policy to be legally defensible: Development: Policies must be written using industry-accepted practices and formally approved by management. Dissemination: Policies must be distributed using all appropriate methods. Review: Policies must
Outline that in most cases, policy development consists of three parts: the policy is designed and written; senior management or an executive, along with legal counsel, reviews and approves the document; and management processes are developed in the final stage, which, in turn, results in policy enforcement within the
Compare and contrast the options of providing hard-copy policy documents and electronic ones. Stress that distribution of materials, regardless of method, may still not reach individuals. Unlike in law, ignorance of policy, where policy is inadequately distributed, is considered an acceptable
Identify that one of the common barriers to employees reading policies arises from literacy or language issues. Provide the fact that, according to Macrotrends, 1 in 15 adults cannot read and write with understanding. Language issues are even more prevalent in organizations with multiple locations
Record that an employee must agree to policies by act or affirmation with respect to policies developed within an organization. Emphasize that through direct collection of a signature or the equivalent digital alternative, the organization can prove that it has obtained an agreement to comply with
Comment that the simple omission of a date on a policy can cause mass confusion for an organization. Stress that without dates, it will be nearly impossible to determine which version of a policy is the most current or, if a past version needs to be referenced, which one that
Recognize that the final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil
Describe the purpose of policy management and stress that policies are living documents that must be managed and nurtured, as they constantly change and grow. These documents must be properly disseminated and managed. Assess situations where special considerations should be made. Give examples of this
Detail that a policy administrator is the person responsible for the creation, revision, distribution, and storage of a policy in an organization. Stress that this person does not have to be proficient in the technologies; policy administration requires only a moderate
Organize understanding that policies can be effective only if they are kept current. Hence, an organization must actively seek to meet the requirements of the market it operates in. Justify that once a year for policy review is a minimum baseline, but it is up to the leadership to
Explain that to facilitate policy reviews, the policy manager should implement a mechanism by which people can comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box. Assess the benefits of using automation, which can streamline the repetitive steps
Present that this provides the best practices and security principles that can direct the security team in the development of a security blueprint. Assess and discuss the philosophical principles that the security team should integrate into the entire security process, as described below: Security
Introduce how to establish the context, which includes understanding the organization’s internal and external operating environments and other factors that could impact the RM process. Identify the risk:
a. Create an inventory of information assets
b. Classify and organize assets meaningfully
c.
State that this document can be used for a comprehensive security blueprint and framework. It can also be a useful guide to the activities described in this module and an aid in the planning process. It also includes templates for major application security plans. Stress that a blueprint must be
Analyze the following with respect to NIST’s approach to managing risk in the organization: building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; maintaining awareness of
Review the text, as it offers several professional societies and organizations that have Websites and resources that can assist with building strong security frameworks.
Examine the overview of different types of security architectures that can help with blueprint construction, implementation, and maintenance. These include spheres of security, levels of controls, defense in depth, and security perimeters.
Summarize that information security safeguards offer three levels of controls: managerial, operational, and technical. Managerial controls are security processes that are designed by strategic planners and implemented by the security administration of the organization. Management controls set the
Distinguish that a basic tenet of security architectures is layered implementation of security. Thus, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technologies, as shown in the CNSS model
Describe the purpose of a security perimeter. This is the boundary between the outer limit of an organization’s security and the beginning of the outside world. It is the level of security that protects all internal systems from outside threats. Relate that the security perimeter does not protect
Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following?
a. Risk assessment
b. Risk management
c. Risk control
d. Risk identification
Emphasize how, as aspiring information security professionals, your students will have a key role to play in risk management. Remind your students that the IT community must serve the information technology needs of the broader organization and, at the same time, leverage the special skills and
The application of controls that reduce the risks to an organization’s information assets to an acceptable level is known as which of the following?
a. Risk assessment
b. Risk management
c. Risk control
d. Risk identification
Explain how risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization’s information system. Emphasize how risk
For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information?
a. Inventory
b. Threats
c. Controls
d. Assets
Emphasize how we must first know ourselves by identifying, examining, and understanding the information and systems currently in place. Explain how, in order to protect our assets, defined here as the systems that use, store, and transmit information, we have to understand everything about the
True or False: The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
Emphasize how, for information security, knowing the enemy means identifying, examining, and understanding the threats that most directly affect our organization and the security of our organization’s information assets. Discuss how we can use our understanding of these aspects to create a list of
True or False: The information technology community of interest must ensure sufficient resources are allocated to the risk management process.
Explain how to identify the risk. Explain how to determine the current level of risk (risk analysis). Discuss how to determine if the current level of risk is acceptable (risk evaluation). Determine how to treat the risk to bring it to an acceptable level.
True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.
Explain how each community of interest must manage the risks the organization encounters. Explain how information security understands the threats and attacks that introduce risk into the organization, so it often takes a leadership role. Explain how management and users play a part in the early
The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following?
a. Probability
b. Manageability
c. Likelihood
d. Practicality
Explain that the RM policy is a strategic document that formalizes much of the intent of the governance group. Explain that the RM policy must include purpose and scope, RM intent and objectives, roles and responsibilities, resource requirements, risk appetite and tolerances, RM program development
Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation?
a. Transference
b. Defense
c. Acceptance
d. Mitigation
Explain that designing the RM program means defining and specifying the details of the tasks to be performed by the framework team and the process team. Understand that the framework team must also formally document and define the organization’s risk appetite and draft the RM plan.
Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations?
a. Transference
b. Defense
c. Acceptance
d. Mitigation
Explain that the RM framework team needs to understand and determine residual risk. Document risk appetite.
The calculation of the value associated with the most likely loss from an attack is called which of the following?
a. ARO
b. ALE
c. CBA
d. SLE
Explain how the organization may distribute the plan to managers for a desk check prior to deployment. Understand that the organization could pilot-test the plan and use a phased approach to implement the plan. Understand that the RM framework team should carefully monitor, communicate, and review
Which of the following terms best describes comparing an organization’s efforts against practices of a similar organization or an industry-developed standard to produce results it would like to duplicate?
a. Baselining
b. Performance gap
c. Benchmarking
d. Feasibility reporting
Introduce that the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the success of the framework planning. Understand that the framework team is concerned with the oversight of the RM framework and plan.
Introduce the RM process as preparing for the risk process by performing the following tasks: Identify the purpose of the assessment. Identify the scope of the assessment. Identify the assumptions and constraints associated with the assessment. Identify the sources of information to be used as inputs
Understand that the external context means understanding the impact the following external factors could have on the RM process, its goals, and its objectives: the business environment and its customers, suppliers, and competitors; the legal/regulatory/compliance environment: laws, regulations, industry
Understand the internal factors that could impact or influence the RM process: the organization’s governance structure (or lack thereof); the organization’s internal stakeholders; the organization’s culture; the maturity of the organization’s information security program; the organization’s
Define data classification schemes as a formal access control methodology used to assign a level of confidentiality to an information asset, restricting the number of people who can access it. Point out examples of data classification categories: confidential, internal, and public. Mention that any