Threats are always present and can’t be eliminated. The potential for a threat to do harm, or the impact of a threat, can be reduced, but not the threat itself. However, many steps can be taken to reduce vulnerabilities. The most important vulnerabilities are those that are likely to match up with a threat as a threat/vulnerability pair. Once the likely threat/vulnerability pairs have been identified, mitigation techniques can be implemented.
The U.S. federal government has many resources that organizations can use to manage risk. The National Institute of Standards and Technology (NIST) has published several Special Publications. The SP 800 series includes many publications targeted for IT security. The Department of Homeland Security also has many divisions focused on IT security. Its resources are freely available to IT and security professionals.
A document with a rigid set of rules created so that people follow it explicitly to be effective and avoid technical problems
A technical control used to enforce security
A physical control used to enforce security
A document created by senior managers that identifies the role of security in the organization and is used as a defense mechanism to protect the assets of the organization
What should be used to ensure that users are granted only the rights to perform actions required for their jobs?
Principle of least privilege
Principle of need to know
Principle of limited rights
Separation of duties
What should be used to ensure that the amount spent on mitigating a risk (such as buying insurance) is proportional to the risk?
Principle of least privilege
Principle of proportionality
Principle of limited rights
Principle of limited permissions
Which of the following security principles divides job responsibilities to reduce fraud?
Need to know
Least privilege
Separation of duties
Mandatory vacations
What can be used to ensure that unauthorized changes are not made to systems?
Input validation
Patch management
Version control
Configuration management
What are two types of intrusion detection systems?
Intentional and unintentional
Natural and man-made
Host-based and network-based
Technical and physical
A technical control prevents unauthorized personnel from having physical access to a secure area or secure system.
True
False
What allows an attacker to gain additional privileges on a system by sending unexpected code to the system?
Buffer overflow
MAC flood
Input validation
Spiders
What is hardening a server?
Securing it from the default configuration
Ensuring it cannot be powered down
Locking it in a room that is hard to access
Enabling necessary protocols and services
Which of the following steps could be taken to harden a server?
Removing unnecessary services and protocols
Keeping the server up to date
Changing defaults
Enabling local firewalls
All of the above
Which government agency includes the Information Technology Laboratory and publishes SP 800-30?
NIST
DHS
NCCIC
US-CERT
Which of the following is a Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach?
SP 800-34
SP 800-35
SP 800-37
SP 800-84
Which U.S. government agency regularly publishes alerts and bulletins related to security threats?
NIST
FBI
US-CERT
MITRE Corporation
The CVE list is maintained by _______.
What is the standard used to create information security vulnerability names?