Security+ Guide to Network Security Fundamentals, 2e Solutions 11-1

Chapter 11 Review Questions

  1. A(n) _____ is a weakness that allows a threat agent to bypass security.
     a. vulnerability
     b. exploit
     c. risk
     d. mitigation
  2. The _____ defines the overall process involved with developing a security policy.
     a. security policy cycle
     b. risk identification cycle
     c. monitoring scope
     d. evaluation cycle
  3. Each of the following is a step of risk identification except ______.
     a. Inventory the assets
     b. Decide what to do about the risks
     c. Determine what threats exist against the assets
     d. Write the security policy
  4. Each of the following is an asset except ______.
     a. data
     b. buildings
     c. software
     d. loans
  5. Each of the following is an attribute that should be compiled for hardware when performing an asset identification except ______.
     a. the name of the equipment
     b. the manufacturer’s serial number
     c. the MAC and IP address
     d. the cost
  6. A tool used in threat modeling is an attack tree. True or false?
  7. A vulnerability appraisal is the last step of compliance monitoring and evaluation. True or false?
  8. It is possible to eliminate the risk for all assets. True or false?
  9. A guideline is a document that outlines specific requirements or rules that must be met. True or false?
  10. Two elements that must be balanced in an information security policy are trust and control. True or false?
  11. _____ is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the asset and take necessary precautions to protect it. Due care
  12. _____ means that one person’s work serves as a complementary check on another person’s. Separation of duties
  13. An information security policy should clearly outline that all information is provided on a strictly _____ basis. need-to-know
  14. A(n) _____ defines what actions the users of a system may perform while using the computing and networking equipment. acceptable use policy (AUP)
  15. A(n) _____ is a contract between a vendor and an organization for services. service-level agreement (SLA) policy
  16. Explain the composition and goals of a security policy development team.

Security policy design should be the work of a team and not one or two technicians. A security policy development team should be formed to handle the task. The team should be charged with developing the initial draft of the policy, determining which groups are required to review each policy, defining the required approval process, and finally deciding how the policy will be implemented. Ideally, the team should have these representatives:

• a senior-level administrator

• a member of management who can enforce the policy

• a member of the legal staff

• a representative from the user community

The size of the security policy development team will depend on the size and scope of the policy. Small-scale policies may require only a few participants, while larger policies may require a team of ten.

The team should first decide on the scope and goals of the policy. The scope should be a statement about who is covered by the policy, while the goals outline what the policy attempts to achieve. The team must also decide how specific to make the policy. A security policy is not meant to be a detailed plan regarding how it is to be implemented.

  17. What actions should be taken by the incident response team (IRT) when an attack penetrates security?

Once an incident is identified, the IRT should immediately convene and assess the situation. The immediate decision will be how to contain the incident. If the attack is coming electronically through the network, it may be necessary to take preventive measures to limit the spread of the attack, such as temporarily shutting off the mail server to stop it from replicating a virus. Other containment actions may include reconfiguring firewalls, updating antivirus software, or implementing an emergency patch management system. In extreme cases, even the connection to the Internet may be terminated. After the incident is contained, the next steps are to determine the cause of the attack, assess its damage, and implement recovery procedures to get the organization back to normal as quickly as possible. Once the incident is over, a review of security is essential to ensure that a repeat attack is not successful.

  18. Explain why an ethics policy can be useful.

The main purpose of an ethics policy is to state the values, principles, and ideals that each member of an organization must agree to. In particular, the code is intended to uphold and advance the honor, dignity, and effectiveness of the organization. A code of ethics can also help to clarify some of the ethical obligations and responsibilities undertaken by users. This is important because no single set of rules could apply to the enormous variety of situations and responsibilities that exist. While users must always be guided by their own professional judgment, a code of ethics will help when difficulties arise. A code of ethics also emphasizes to members and to the public, employers, and clients that the members of an organization are professionals who are resolved to uphold their ethical ideals and obligations.

  19. Describe the steps in the security policy cycle and what each one does.

The security policy cycle defines the overall process involved with developing a security policy. The first part of the cycle is risk identification. Risk identification seeks to determine the risks that an organization faces against its information assets. That information then becomes the basis for developing a security policy. A security policy is a document or series of documents that clearly defines the defense mechanisms that an organization will employ to keep information secure. It also outlines how the organization will respond to attacks and the duties and responsibilities of its employees for information security. Once the policy is completed, it must constantly be reviewed for compliance. Because new assets are continually being added to the organization and new threats appear against the assets, compliance monitoring and evaluation must regularly be conducted. The results of the monitoring and evaluation (such as revealing that a new asset is unprotected) then become input back into risk identification, and the process begins again.

  20. List and define the three actions an organization may take regarding risk.

There are three options an organization can take regarding these risks:

  • Accept the risk – This is accomplished by doing nothing at all but leaving everything as is. The assumption is that an attack will occur sometime in the future, but a decision has already been made to do nothing to protect against it.
  • Diminish the risk – To diminish or reduce the risk, additional hardware, software, or procedures would be implemented.
  • Transfer the risk – This option makes someone else responsible for the risk.