Confidentiality is secure / Integrity is Accurate AUP (User Policy) is same as Computer Use Policy Due Diligence is investigating and

understanding risks In risk management, Operate & Maintain is where you carry out audits Monitor and Evaluate is where you review audit results Treason is not covered under Confidentiality of CIA Privilege Management control over user permissions and access rights Security Admin defines, configures and maintains the security mechanisms protecting the organization If a system reboots immediately after a TCB failure but goes into maintenance mode after a failure caused lower privileged user permissions Substitution cipher replaces the original text in a message Bitlocker encrypts an entire volume (drive) w/128 bit encryption Encryption provides Confidentiality (Privacy) An encryption algorithm is a mathematical formula Link encryption works at physical and data link and encrypts complete data packet ECC requires fewer resources over RSA Public keys are published through digital certificates SKIP uses hybrid encryption to convey session keys A weak key of an encryption algorithm facilitates attacks against the algorithm Cert path validation checks legitimacy of certificates RSA = encryption and digital signatures Von Neuman = there is no inherent difference between data & programming instructions in memory Social Engineering the art of influencing people to divulge sensitive info by either coercion or masquerading Byte code is faster than interpreted language Proprietary protocols and data formats are unsafe because they typically rely on security by obscurity Expert systems are comprised of a knowledge base combining modeled human experience & inference engine For an application security program to be effective, develop the security policy that can be enforced Slow servers CPU at 100% - Network traffic high = Worm Only valid or legal transactions that dont violate any user-defined integrity constraints in DBMS is Consistency Best defense against Session Highjacking & MITM is to use the following in the development of your software: unique and random identification Certification = Technical evaluation of assurance that security requirements have been met Quantitative Risk Analysis attempts to predict the likelihood a threat will occur and assigns monetary values in the event a loss occurs Disk systems that provide against data loss if a single drive fails: Disk Mirroring, Disk Stripe w/parity and FRDS

BIA concerned with identifying vulnerabilities, threats and risks BCP during identify preventative controls is where you would determine a DMZ should be implemented BIA Primary concern = Identify all business resources that could be lost DRP = Damage Assessment = determines which functions were affected by the flooding and which are most critical Usually not provided in an offsite vendor contract is the specific location of the offsite facility BIA Developing recovery strategies should include: Backup plan / Roles & Responsibilities BCP-DRP = primarily concerned with minimizing property damage and loss of life Cold Site disadvantages: Recovery time and testing availability