Deck 12: Information Security Maintenance

A general guideline for performance of hard drives suggests that when the amount of data stored on a particular hard drive averages 95% of available capacity for a prolonged period, you should consider an upgrade for the drive.

Wireless vulnerability assessment begins with the planning, scheduling, and notification of all Internet connections, using software such as Wireshark.

Inventory characteristics for hardware and software assets that record the manufacturer and versions are related to technical functionality, and should be highly accurate and updated each time there is a change.

The vulnerability database, like the risk, threat, and attack database, both stores and tracks information.

The target selection step of Internet vulnerability assessment involves using the external monitoring intelligence to configure a test engine (such as Nessus) for the tests to be performed.

An intranet vulnerability scan starts with the scan of the organization's default Internet search engine.

Over time, policies and procedures may become inadequate due to changes in the organization's mission and operational requirements, threats, or the environment.

External monitoring entails collecting intelligence from various data sources and then giving that intelligence context and meaning for use by decision makers within the organization.

The internal monitoring domain is the component of the maintenance model that focuses on identifying, assessing, and managing the physical security of assets in an organization.

Digital forensics helps an organization understand what happened, and how, after an incident.

All systems that are mission critical should be enrolled in platform security validation (PSV) measurement.

Documenting information system changes and assessing their potential impact on system security is an important and consequential part of digital forensics.

Over time, external monitoring processes should capture information about the external environment in a format that can be referenced across the organization as threats emerge and for historical use.

Remediation of vulnerabilities can be accomplished by accepting or transferring the risk, removing the threat, or repairing the vulnerability.

If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program will probably continue to work well.

Documentation procedures are not required for configuration and change management processes.

An effective information security governance program requires no ongoing review once it is well established.

US-CERT is generally viewed as the definitive authority for computer emergency response teams.

Intelligence for external monitoring can come from a number of sources: vendors, CERT organizations, public network sources, and membership sites.

CM assists in streamlining change management processes and prevents changes that could detrimentally affect the security posture of a system before they happen. _________________________

For configuration management (CM) and control, it is important to document the proposed or actual changes in the system security plan. _________________________

Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed.

An affidavit is sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place.

The systems development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep approach-initiation, analysis, design, implementation, and use. _________________________

Threats cannot be removed without requiring a repair of the vulnerability.

The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings. _________________________

A maintenance ​ticket is opened when a user calls about an issue. _________________________

CERT stands for "computer emergency recovery team." _________________________

In some instances, risk is acknowledged as being part of an organization's business process.

The NIST SP 800-100 Information Security Handbook provides technical guidance for the establishment and implementation of an information security program. _________________________

Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.

Specific routine bulletins are issued when developing threats and specific attacks pose a measurable risk to the organization. _________________________

Policy needs to be reviewed and refreshed from time to time to ensure that it's providing a current foundation for the information security program.

When setting a policy about whether to pursue attacks against its systems, organizations must choose from three approaches.

In some organizations, facilities management is the identification, inventory, and documentation of the current information system's status-hardware, software, and networking configurations. _________________________

US-CERT is a set of moderated mailing lists full of detailed, full-disclosure discussions and announcements about computer security vulnerabilities. It is sponsored in part by SecurityFocus. _________________________

Digital forensics involves chemical and microscopic analysis of evidence using computerized laboratory instruments.

Tracking compliance involves assessing the status of the program as indicated by the database information and mapping it to goals established by the agency. _________________________

An effective information security governance program requires constant change. _________________________

A chain of custody is the detailed documentation of the collection, storage, transfer, and ownership of evidence from the crime scene through its presentation in court. ___________

The internal vulnerability assessment is usually performed against every device that is exposed to the Internet, using every possible penetration testing approach. _________________________

The final process in the vulnerability assessment and remediation domain is the exit phase. _________________________

The simplest part of an investigation is analyzing a copy or image for potential evidentiary material. __________

To be put to the most effective use, the information that comes from the IDPS must be integrated into the inventory process. _________________________

In digital forensic investigations for information security, most operations focus on policies-documents that provide managerial guidance for ongoing implementation and operations. ____________

WLAN stands for "wide local area network." _________________________

The primary goal of the external monitoring domain is to maintain an informed awareness of the state of all the organization's networks, information systems, and information security defenses. _________________________

A(n) war game puts a subset of plans in place to create a realistic test environment. _________________________

An affidavit is used as permission to search for evidentiary material at a specified location and/or to seize items to return to an investigator's lab for examination after being signed by an approving authority. _____________

The process of identifying and documenting specific and provable flaws in the organization's information asset environment is called vulnerability assessment (VA). _________________________

The best method of remediation in most cases is to repair a vulnerability. _________________________

The CISO uses the results of maintenance activities and the review of the information security program to determine if the status quo can adequately meet the threats at hand. _________________________

When possible, major incident response plan elements should be rehearsed. _________________________

Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices. _________________________

An example of the type of vulnerability exposed via traffic analysis occurs when an organization is trying to determine if all its device signatures have been adequately masked. _________________________

You can document the results of the verification of a vulnerability by saving the results in what is called a(n) profile. _________________________