CC – Certified in Cybersecurity
A) The law
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2) Question options: A) The law B) The policy C) Any procedures the company has created for the particular activities affected by the law D) Lankesh should be allowed to use personal and professional judgment to make the determination of how to proceed
Bot
Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and worm capabilities.
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information
A. Business
The Business Continuity effort for an organization is a way to ensure critical ______ functions are maintained during a disaster, emergency, or interruption to the production environment. Question options: A) Business B) Technical C) IT D) Financial
International Organization of Standards (ISO)
The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
National Institutes of Standards and Technology (NIST)
The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.
Personally Identifiable Information (PII)
The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information."
Artificial Intelligence
The ability of computers and robots to simulate human intelligence and behavior.
Authentication
The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator.
Probability
The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
Confidentiality
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.
A) Confidentiality
The concept of "secrecy" is most related to which foundational aspect of security? (D1, L1.1.1) Question options: A) Confidentiality B) Integrity C) Availability D) Plausibility
State
The condition an entity is in at a point in time.
Risk Treatment
The determination of the best way to address an identified risk.
Business Continuity Plan (BCP)
The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business processes will be sustained during and after a significant disruption.
Incident Response Plan (IRP)
The documentation of a predetermined set of instructions or procedures to detect, respond to and limit consequences of a malicious cyberattack against an organization's information systems(s).
Non-repudiation
The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus.
Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.
Breach
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose
Impact
The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
Security Controls
The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.
Information Security Risk
The potential adverse impacts to an organization's operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.
Likelihood
The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Encryption
The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
Incident Handling or Incident Response (IR)
The process of detecting and analyzing incidents to limit the incident's effect.
Governance
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
Risk Assessment
The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Management
The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
Disaster Recovery Plan (DRP)
The processes, policies and procedures related to preparing for recovery or continuation of an organization's critical business functions, technology infrastructure, systems and applications after the organization experiences a disaster. A disaster is when an organization's critical business function(s) cannot be performed at an acceptable level within a predetermined period following a disruption.
Integrity
The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.
Data Integrity
The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit.
System Integrity
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
Privacy
The right of an individual to control the distribution of information about themselves.
Authorization
The right or a permission that is granted to a system entity to access a system resource.
Encrypt
To protect private information by putting it into a form that can only be read by people who have permission to do so.
Fasle - Members from across the organization, not just IT, should participate in creating the BCP to ensure that all systems, processes and operations are accounted for in the plan.
True or False? The IT department is responsible for creating the organization's business continuity plan. Question options: True False
Single-Factor Authentication
Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source
A
What is meant by non-repudiation? (D1, L1.1.1) Question options: A)If a user does something, they can't later claim that they didn't do it. B)Controls to protect the organization's reputation from harm due to inappropriate social media postings by employees, even if on their private accounts and personal time. C)It is part of the rules set by administrative controls. D)It is a security feature that prevents session replay attacks.
A
Which of these activities is often associated with DR efforts? Question options: A) Employees returning to the primary production location B) Running anti-malware solutions C) Scanning the IT environment for vulnerabilities D) Zero-day exploits
D - Backups
Which of these components is very likely to be instrumental to any disaster recovery (DR) effort? Question options: A) Routers B) Laptops C) Firewalls D) Backups
C) Report the candidate to ISC2.
While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do? (D1, L1.5.1) Question options: A) Nothing—each person is responsible for their own actions. B) Yell at the other candidate for violating test security. C) Report the candidate to ISC2. D) Call local law enforcement.
B. Incident detection
You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. After a brief investigation, you determine that the user's account has been compromised. This is an example of a(n)_______. Question options: A)Risk management B)Incident detection C)Malware D)Disaster
B. Event
You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. This is an example of a(n)_______. Question options: A)Emergency B)Event C)Policy D)Disaster
Quantitative Risk Analysis
method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.
Multi-Factor Authentication
sing two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
Risk Management Framework
A structured approach used to oversee and manage risk for an enterprise.
Business Continuity (BC)
Actions, processes and tools for ensuring an organization can continue critical operations during a contingency.
Incident
An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.
Threat Actor
An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
Risk Avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Acceptance
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
C) Procedure
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a ________. (D1, L1.4.1) Question options: A) Policy B) Standard C) Procedure D) Guideline
Institute of Electrical and Electronics Engineers
IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
General Data Protection Regulation (GDPR)
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
Defense in Depth
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.
Risk Transference
Paying an external party to accept the financial impact of a given risk.
Risk Mitigation
Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.
Technical Controls
Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
A) Avoidance
Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account, and is requesting Siobhan's full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information, and decides to not make the purchase. What kind of risk management approach did Siobhan make? (D1, L1.2.2) Question options: A) Avoidance B) Acceptance C) Mitigation D) Transfer
Threat Vector
The means by which a threat actor carries out their objectives.
Health Insurance Portability and Accountability Act (HIPAA)
This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individual's health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.
D. Zero Day
When responding to a security incident, your team determines that the vulnerability that was exploited was not widely known to the security community, and that there are no currently known definitions/listings in common vulnerability databases or collections. This vulnerability and exploit might be called ______. Question options: A)Malware B)Critical C)Fractal D)Zero-day
D. Conflate
Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1) Question options: A) Avoid B) Accept C) Mitigate D) Conflate
A. Checklists
Which of the following is often associated with DR planning? Question options: A) Checklists B) Firewalls C) Motion detectors D) Non-repudiation
B. Data Backups
Which of the following is very likely to be used in a disaster recovery (DR) effort? Question options: A) Guard dogs B) Data backups C) Contract personnel D) Anti-malware solutions
Security Operations Center
A centralized organizational function fulfilled by an information security team that monitors, detects and analyzes events on the network or system to prevent and resolve issues before they result in business disruptions.
Discretionary Access Control (DAC)
A certain amount of access control is left to the discretion of the object's owner, or anyone else who is authorized to control the object's access. The owner can determine who should have access rights to an object and what those rights should be.
A) Management/Administrative control
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1) Question options: A) Management/Administrative control B) Technical control C) Physical control D) Cloud control
Baseline
A documented, lowest level of security configuration allowed by a standard or organization.
Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event.
Sensitivity
A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.
Qualitative Risk Analysis
A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high.
Exploit
A particular attack. It is named this way because these attacks exploit system vulnerabilities.
Token
A physical object a user possesses and controls that is used to authenticate the user's identity. Source: NISTIR 7711
Zero Day
A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.
Intrusion
A security event, or combination of security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization.
Likelihood of Occurrence
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
Business Impact Analysis (BIA)
An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Crime Prevention through Environmental Design (CPTED)
An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.
Insider Threat
An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service
B. Intrusion
An external entity has tried to gain access to your organization's IT environment without proper authorization. This is an example of a(n) _________. Question options: A)Exploit B)Intrusion C)Event D)Malware
iOS
An operating system manufactured by Apple Inc. Used for mobile devices.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
Event
Any observable occurrence in a network or system
Asset
Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
Firewalls
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
Availability
Ensuring timely and reliable access to and use of information by authorized users.
Adverse Events
Events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, defacement of a web page or execution of malicious code that destroys data.
Disaster Recovery (DR)
In information systems terms, the activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale.
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures
Protected Health Information (PHI)
Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
Classified or Sensitive Information
Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
A. Yes
Is it possible to avoid risk? (D1, L1.2.1) Question options: A) Yes B) No C) Sometimes D) Never
C) The users
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the ISC2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1) Question options: A) The governments of the countries where the company operates B) The company Kristal works for C) The users D) ISC2
Physical Controls
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
Administrative Controls
Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
