Quiz 2 study guide

Chapter 3: Administrative Control

  • Administrative Control: Controls implemented through policies, procedures, standards, training, and oversight rather than through technology; they define what is required of people and how compliance with those requirements is checked.

  • Asset: Any item of value to an organization or individual.

  • Brute-Force Password Attack: A method of compromising logon access by systematically submitting every possible password (or key) until one is accepted. It needs no information about the user beyond the account name; its cost grows with password length, and it is slowed or stopped by slow password hashing, rate limiting, and account lockout.

  • Corrective Control: Safeguards that lessen the effect of a threat that has already materialized and return the system to its intended state; examples include restoring from backup and patching after an incident.

  • Countermeasure: Specific actions taken to address a particular threat.

  • Credential Harvesting: Collecting user IDs and passwords without authorization, typically through phishing pages, credential-stealing malware, or breached databases, for later use in unauthorized access. Not the same as credential stuffing, which is the follow-on attack that replays harvested credentials against many other sites in bulk on the assumption that users reuse passwords.

  • Detective Control: Controls that detect when an action has occurred; examples include smoke detectors, log monitors, and system audits.

  • Deterrent Control: Warns users that performing a certain action may violate security policies or pose a threat.

  • Eavesdropping: 1) Listening in on conversations, 2) Monitoring network IP packets using a packet sniffer.
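The brute-force, preventive, and detective control entries above can be seen together in one script. The following is an added example, not part of the study guide: an attacker enumerates every 4-digit PIN against a verifier, an account lockout (preventive control) stops the same attack, and a log monitor (detective control) flags the burst of failures. The class and function names, the secret PIN, and the audit-log lines are constructed for illustration, not taken from any real system.

```python
# Added example, not from the study guide: a brute-force password attack against
# a 4-digit PIN, the preventive control (lockout) that stops it, and the detective
# control (log monitor) that flags it.  Names are illustrative and the "audit log"
# lines are generated here, not captured from a real system.
import hashlib
import itertools
import secrets
from collections import Counter

PIN_LENGTH = 4
LOCKOUT_THRESHOLD = 5      # failed attempts before the account locks
HASH_ITERATIONS = 1_000    # deliberately low so the demo finishes quickly; use far more in production


class PinVerifier:
    """Stores a salted PBKDF2 hash of the PIN, never the PIN itself."""

    def __init__(self, pin: str, lockout: bool) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(pin)
        self.lockout = lockout          # preventive control on/off
        self.failures = 0
        self.log: list = []             # constructed audit trail, one line per attempt

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, HASH_ITERATIONS)

    def check(self, user: str, pin: str) -> bool:
        if self.lockout and self.failures >= LOCKOUT_THRESHOLD:
            self.log.append(f"LOCKED user={user}")
            return False
        ok = secrets.compare_digest(self._hash(pin), self.digest)
        if ok:
            self.failures = 0
            self.log.append(f"LOGIN_OK user={user}")
        else:
            self.failures += 1
            self.log.append(f"LOGIN_FAIL user={user} failures={self.failures}")
        return ok


def brute_force(verifier: PinVerifier, user: str):
    """Attacker side: submit every possible PIN in order until one is accepted.
    Returns (pin_found_or_None, attempts_made)."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        guess = "".join(digits)
        attempts += 1
        if verifier.check(user, guess):
            return guess, attempts
    return None, attempts


def detect_brute_force(log, threshold: int = LOCKOUT_THRESHOLD):
    """Detective control: a log monitor that reports every user with at least
    `threshold` failed logins in the audit trail."""
    failures = Counter()
    for line in log:
        if line.startswith("LOGIN_FAIL"):
            user = line.split("user=")[1].split()[0]
            failures[user] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    SECRET_PIN = "0417"   # constructed; low enough that the exhaustive search ends early
    without_lockout = PinVerifier(SECRET_PIN, lockout=False)
    print("no lockout:", brute_force(without_lockout, "alice"))
    print("monitor   :", detect_brute_force(without_lockout.log))

    with_lockout = PinVerifier(SECRET_PIN, lockout=True)
    print("lockout   :", brute_force(with_lockout, "bob"))
    print("monitor   :", detect_brute_force(with_lockout.log))
```

Without the lockout the attacker recovers the PIN on the 418th guess; with it, the account locks after five failures and every later guess, including the correct one, is refused. Note the trade-off a practitioner weighs here: a hard lockout also lets an attacker lock the legitimate user out on purpose, which is why many systems use progressive delays or rate limiting instead of a permanent lock.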

Chapter 4: Concepts in Security

  • Ethical Hacker: Information security professionals using penetration testing tools to identify or fix vulnerabilities; also known as white-hat hackers.

  • Event: Any observable occurrence within a computer or network.

  • Exploit: The realization of a threat against a vulnerability.

  • Hacker: A computer expert who explores and experiments with computing environments to learn how they work in depth; the word by itself does not imply malicious intent.

  • Hijacking: An attack in which the attacker takes over an established session between two machines, masquerading as one of them (for example by stealing or predicting the session identifier).

  • Impact: The severity of potential harm caused by a threat leveraging a vulnerability.

  • Incident: An event that violates a security policy or poses a significant threat.

  • Intellectual Property: Unique knowledge providing competitive advantages to businesses.

  • Likelihood: The probability of a vulnerability being exploited in a given threat environment.

  • Loss Expectancy: The financial loss expected from the failure or compromise of an IT asset, stated either per occurrence (single loss expectancy) or per year (annualized loss expectancy).

  • Malicious Attack: Attempts to exploit IT vulnerabilities.

Security Types and Assessments

  • Man-in-the-Middle Attack: When an attacker interposes themselves between two communicating parties to intercept messages.

  • Opportunity Cost: The revenue or productivity lost while a system is unavailable, whether the downtime is intentional (planned maintenance) or unintentional (an outage or attack).

  • Phishing: Fraud attempts tricking victims into revealing personal information.

  • Preventive Control: Safeguards that stop actions before they happen; includes measures like locked doors and firewalls.

  • Qualitative Risk Assessment: Describes risks and ranks their potential impact on business operations.

  • Quantitative Risk Assessment: Assigns numerical values to risks for objective impact comparisons.

  • Replay Attack: Capturing traffic with a network sniffer and retransmitting it later to gain unauthorized access. Authentication packets are the usual target: a valid login exchange replayed verbatim is accepted unless the protocol binds each message to something fresh, such as a nonce or timestamp.

  • Residual Risk: The risk that remains after controls have been implemented.

  • Risk Management: The overall process of identifying, assessing, prioritizing, and addressing risks.

  • Safeguard: Tools or actions incorporated into a system to address weaknesses that could lead to an exploit.
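The replay attack and man-in-the-middle entries above describe an attacker who reuses a captured message. The following is an added example, not from the study guide, that shows both sides of the exchange: a client signs requests with an HMAC under a shared key, an attacker who sniffed one request retransmits it unchanged, a naive server that checks only the MAC accepts the copy, and a hardened server that also requires a fresh nonce and a recent timestamp inside the signed body rejects it. The key, the messages, the server classes, and the controllable clock are all constructed for illustration.

```python
# Added example, not from the study guide: a replay attack on an HMAC-authenticated
# request.  NaiveServer verifies only the MAC and so accepts a sniffed copy;
# HardenedServer also requires a fresh nonce and a recent timestamp, both covered
# by the MAC so the attacker cannot refresh them.  Key, messages and clock are
# constructed for the demo.
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW = 30.0   # seconds a message timestamp may differ from the server clock


def canonical(body: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict) -> dict:
    """Client side: attach an HMAC-SHA256 tag over the body."""
    tag = hmac.new(SHARED_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def mac_ok(msg: dict) -> bool:
    expected = hmac.new(SHARED_KEY, canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def make_request(action: str, now=time.time) -> dict:
    """Client side for the hardened protocol: nonce and timestamp are inside the
    signed body, so changing either invalidates the tag."""
    return sign({"action": action, "nonce": secrets.token_hex(16), "ts": now()})


class NaiveServer:
    """Verifies the MAC only: a genuine message stays valid forever."""

    def __init__(self) -> None:
        self.processed = []

    def handle(self, msg: dict) -> bool:
        if not mac_ok(msg):
            return False
        self.processed.append(msg["body"]["action"])
        return True


class HardenedServer:
    """Verifies the MAC, rejects stale timestamps, and refuses a nonce it has seen."""

    def __init__(self, now=time.time) -> None:
        self.processed = []
        self.seen = {}          # nonce -> timestamp, pruned to the skew window
        self.now = now          # injectable clock so the stale case can be shown

    def handle(self, msg: dict) -> bool:
        if not mac_ok(msg):
            return False        # tampered: the tag no longer matches the body
        body = msg["body"]
        now = self.now()
        if abs(now - body["ts"]) > MAX_SKEW:
            return False        # replayed long after capture (or bad clock skew)
        # Nonces older than the window can be forgotten: any replay carrying one
        # is already rejected by the timestamp check above, so memory stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if body["nonce"] in self.seen:
            return False        # exact replay inside the window
        self.seen[body["nonce"]] = body["ts"]
        self.processed.append(body["action"])
        return True


if __name__ == "__main__":
    captured = sign({"action": "transfer"})    # what the sniffer saw on the wire
    naive = NaiveServer()
    print("naive first :", naive.handle(captured))
    print("naive replay:", naive.handle(captured))   # accepted a second time

    clock = [1_700_000_000.0]                  # constructed, controllable clock
    hardened = HardenedServer(now=lambda: clock[0])
    req = make_request("transfer", now=lambda: clock[0])
    print("hard first  :", hardened.handle(req))
    print("hard replay :", hardened.handle(req))     # nonce reuse, rejected
    clock[0] += 60
    late = make_request("transfer", now=lambda: clock[0] - 60)  # signed 60 s ago
    print("hard stale  :", hardened.handle(late))
```

The MAC alone proves the message came from someone holding the key; it says nothing about when, or how many times, it was sent. Freshness has to come from state the server keeps (seen nonces) or from a clock both sides roughly agree on, and the hardened server uses both so that the nonce store can be pruned safely.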

Additional Security Terms

  • Sniffing: Passive interception of data in transit on a network using a packet sniffer; it requires only access to the medium (a shared segment, a mirrored switch port, or a tap), not any modification of the traffic.

  • Social Engineering: Persuading someone to divulge information through manipulation.

  • Spoofing: Disguising oneself as another entity to gain access to resources.

  • Technical Control: Controls enforced by hardware or software rather than by people, such as access control lists, encryption, and firewalls.

  • Zero Day: A vulnerability (or the exploit for it) that is unknown to the vendor and to defenders when it is first used, so no patch or specific defense exists yet; the name refers to defenders having had zero days to prepare.

Policies and Risk Analysis

  • Acceptable Use Policy (AUP): Defines what is permissible in the use of IT assets by employees and contracted personnel.

  • Accounting: Recording audit trails and events for monitoring access control effectiveness.

  • Business Driver: Elements like people, information, financials, and performance goals that advance business objectives.

  • Gap Analysis: Comparing existing security controls against those needed to address identified threats.

  • Inherent Risk: The risk an activity or asset carries before any controls are applied; contrast with residual risk, which is what remains after controls are in place.

  • Mobility: The ability to perform job functions without being confined to a single location.

  • Privacy Policy: Guidelines outlining how an organization manages individuals' data.

  • Project Management Body of Knowledge (PMBOK): A collection of best practices within project management.

  • Project Management Institute (PMI): A non-profit entity promoting the field of project management.

  • Recovery Point Objective (RPO): Maximum allowable data loss after a disaster.

  • Recovery Time Objective (RTO): The maximum time allowed for recovery of an IT system, application, and data access.

  • Risk Methodology: Framework for managing risks, including approaches and techniques for addressing each risk.

  • Risk Register: A list of identified risks from the risk identification processes.

  • Security Gap: Discrepancy between current security measures and necessary controls to address vulnerabilities.

  • Security Policy: Defines how an organization secures its infrastructure and meets regulatory requirements.

  • Threat Analysis: The process of identifying and documenting threats to critical resources.
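The quantitative risk assessment, inherent risk, residual risk, and risk register entries fit together as one calculation. The following is an added example, not from the study guide: it builds a small risk register using the standard quantitative method (single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annualized rate of occurrence), ranks the risks by inherent ALE, computes the residual ALE after a proposed safeguard, and checks whether each safeguard's annual cost is justified by the loss it avoids. The formulas are the usual quantitative ones, not terms defined on this page; the risk names, asset values, and safeguard costs are constructed.

```python
# Added example, not from the study guide: a small quantitative risk register.
# Inputs per risk are asset value AV, exposure factor EF and annualized rate of
# occurrence ARO; SLE = AV * EF and ALE = SLE * ARO.  Inherent ALE assumes no
# safeguard, residual ALE applies the safeguard's reduction, and a safeguard is
# cost-justified when the ALE it removes exceeds its annual cost.  All figures
# and names are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float          # AV: replacement or business value of the asset
    exposure_factor: float      # EF: fraction of AV lost per occurrence, 0..1
    aro: float                  # ARO: expected occurrences per year
    safeguard: str = "none"
    safeguard_cost: float = 0.0         # annual cost of the proposed control
    safeguard_reduction: float = 0.0    # fraction of ALE the control removes, 0..1

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def inherent_ale(self) -> float:
        """Expected annual loss with no controls applied."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected annual loss after the safeguard is in place."""
        return self.inherent_ale * (1.0 - self.safeguard_reduction)

    @property
    def safeguard_value(self) -> float:
        """Annual benefit of the control: loss avoided minus what the control costs."""
        return self.inherent_ale - self.residual_ale - self.safeguard_cost


def sample_register():
    """Constructed risk register for a small organization."""
    return [
        Risk("Ransomware on file server", 200_000, 0.5, 0.2,
             "offline backups + endpoint detection", 8_000, 0.75),
        Risk("Laptop theft", 2_000, 1.0, 3.0,
             "full-disk encryption", 500, 0.9),
        Risk("Web defacement", 50_000, 0.1, 0.5,
             "managed web application firewall", 4_000, 0.8),
    ]


def rank_register(register):
    """Order risks by inherent ALE, highest first: the quantitative prioritization."""
    return sorted(register, key=lambda r: r.inherent_ale, reverse=True)


def summarize(register):
    """One row per risk: name, inherent ALE, residual ALE, safeguard value (rounded)."""
    return [(r.name, round(r.inherent_ale, 2), round(r.residual_ale, 2),
             round(r.safeguard_value, 2)) for r in rank_register(register)]


def justified_safeguards(register):
    """Controls worth buying: avoided loss exceeds cost.  A negative value means
    accept the risk as-is or look for a cheaper control."""
    return [r.name for r in register if r.safeguard_value > 0]


if __name__ == "__main__":
    for row in summarize(sample_register()):
        print(row)
    print("justified:", justified_safeguards(sample_register()))
```

In the constructed register the web defacement control removes most of its risk yet is not justified, because the risk was small to begin with: quantitative assessment exists precisely to catch controls that cost more than the loss they prevent. The residual ALE column is the risk the organization still has to accept, transfer, or avoid after the control is bought.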
