ISC2 Certified in Cybersecurity: Chapter 1


What controls make up the Security Controls?

1. Administrative Controls 2. Physical Controls 3. Technical Controls

An _____ is something in need of protection. A _____ is a gap or weakness in those protection efforts. A _____ is something or someone that aims to exploit a vulnerability to thwart protection efforts.

1. Asset 2. Vulnerability 3. Threat

Name some regulations.

1. Health Insurance Portability and Accountability Act (HIPAA) 2. General Data Protection Regulation (GDPR)

What are the 3 takeaways to remember about risk identification?

1. Identify risk to communicate it clearly.
2. Employees at all levels of the organization are responsible for identifying risk.
3. Identify risk to protect against it.

Name some standards.

1. International Organization for Standardization (ISO)
2. National Institute of Standards and Technology (NIST)
3. Internet Engineering Task Force (IETF)
4. Institute of Electrical and Electronics Engineers (IEEE)

What are the four (ISC)2 Code of Ethics Canons?

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

What are the types of authentication?

1. Single-Factor Authentication (SFA) 2. Multi-Factor Authentication (MFA)

What are the common methods of authentication?

1. Something you know (Knowledge-Based)
2. Something you have (Token-Based)
3. Something you are (Characteristics-Based)

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol 1 Rev 1

Criticality

Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1)
A) Avoid
B) Accept
C) Mitigate
D) Conflate

D) Conflate

Ports 1024-65,535 are commonly referred to as what?

Dynamic Ports

In 2016, the European Union passed this comprehensive legislation that addresses personal privacy, deeming it an individual human right.

General Data Protection Regulation (GDPR)
GDPR applies to all organizations, foreign or domestic, doing business in the EU or with any persons in the EU.

What are the port numbers and transport protocol for the following protocols? HTTP, Telnet, SMTP, DNS, FTP, HTTPS

HTTP - Port 80 - TCP, UDP, SCTP
Telnet - Port 23 - TCP
SMTP - Port 25 - TCP
DNS - Port 53 - TCP, UDP
FTP - Port 20 (Data) - TCP, SCTP
FTP - Port 21 (Control or Program) - TCP, UDP, SCTP
HTTPS - Port 443 - TCP, UDP, SCTP

In the United States personal health privacy is protected by HIPAA. What does HIPAA stand for?

Health Insurance Portability and Accountability Act (1996)

A term referring to information regarding one's health status.

Protected Health Information (PHI)

A method for risk analysis that is based on the assignment of a descriptor such as low, medium, or high. NISTIR 8286

Qualitative Risk Analysis

A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. NISTIR 8286

Quantitative Risk Analysis

These are commonly issued in the form of laws, usually from government and typically carry financial penalties for noncompliance.

Regulations

What is taking no action to reduce the likelihood of a risk occurring?

Risk Acceptance

Process of identifying, estimating and prioritizing risks to an organization's operations, assets, individuals, other organizations and even the nation.

Risk Assessment

The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.

Risk Assessment

What is the decision to attempt to eliminate the risk entirely?

Risk Avoidance

What includes taking action to prevent or reduce the possibility of a risk event or its impact?

Risk Mitigation

What is the most common type of risk management?

Risk Mitigation

The level of risk an entity is willing to assume in order to achieve a potential desired result. NIST SP 800-32

Risk Tolerance

What is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment?

Risk Transference

The determination of the best way to address an identified risk?

Risk Treatment

In the world of cyber, identifying _____ is not a one and done activity. It's a recurring process of identifying different possible _____, characterizing them and then estimating their potential for disrupting the organization.

Risks

What are the port numbers and transport protocol for the following protocols? SSH, Kerberos, POP3, IMAP, MySQL, RDP

SSH - Port 22 - TCP, UDP, SCTP
Kerberos - Port 88 (Network Authentication System) - TCP, UDP
Kerberos - Port 464 (Change/Set Password) - TCP, UDP
POP3 - Port 110 - TCP
IMAP - Port 143 - TCP, UDP
MySQL - Port 3306 - TCP
RDP - Port 3389 - TCP, UDP

The management, operational, and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. FIPS PUB 199

Security Controls

What does SOC stand for?

Security Operations Center

What is considered a headquarters for an information security team?

Security Operations Center (SOC)

Where does an information security team monitor, detect, and analyze events on the network so they can prevent and resolve issues before they disrupt the business?

Security Operations Center (SOC)

_____ information is information that if improperly disclosed (confidentiality) or modified (integrity) would harm an organization or individual.

Sensitive

What is a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection? NIST SP 800-60 Vol 1 Rev 1

Sensitivity

Use of just one of the three available factors to carry out the authentication process is known as?

Single-Factor Authentication (SFA)

The ability of computers and robots to simulate human intelligence and behavior.

Artificial Intelligence (AI)

Anything of value that is owned by an organization. This includes both tangible items such as information systems and physical property, and intangible items such as intellectual property.

Assets

These are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.

Standards

The condition an entity is in at a point in time.

State

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. NIST SP 800-27 Rev. A

System Integrity

_____ _____ refers to the maintenance of a known good configuration and expected operational function as the system processes the information.

System Integrity

_____ controls are security controls that computer systems and networks directly implement.

Technical

Security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Technical Controls

In modern organizations, many physical control systems are linked to what systems that may use badge readers connected to door locks?

Technical Controls (Logical Controls)

Something or someone that aims to exploit a vulnerability to gain unauthorized access is a _____?

Threat

An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.

Threat Actors

The means by which a threat actor carries out their objective.

Threat Vector

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. NIST SP 800-30 Rev 1

Threats

A physical object a user possesses and controls that is used to authenticate the user's identity. NIST IR 7711

Tokens

"Something you have" authentication methods.

Tokens, Memory Cards, Smart Cards

A gap or weakness in an organization's protection of its valuable assets, including information, is a _____?

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. NIST SP 800-30 Rev 1

Vulnerability

Ports 0-1,023 are commonly referred to as what?

Well-Known Ports

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.

Confidentiality

To define security, it has become common to use the CIA Triad. Define the CIA Triad.

Confidentiality, Integrity, Availability

Using two or more distinct instances of the three factors of authentication for identity verification is known as?

Multi-Factor Authentication (MFA)

Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account, and is requesting Siobhan's full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information, and decides to not make the purchase. What kind of risk management approach did Siobhan make? (D1, L1.2.2)
A) Avoidance
B) Acceptance
C) Mitigation
D) Transfer

A) Avoidance

What is meant by non-repudiation? (D1, L1.1.1)
A) If a user does something, they can't later claim that they didn't do it.
B) Controls to protect the organization's reputation from harm due to inappropriate social media postings by employees, even if on their private accounts and personal time.
C) It is part of the rules set by administrative controls.
D) It is a security feature that prevents session replay attacks.

A) If a user does something, they can't later claim that they didn't do it.

A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1)
A) Management/Administrative control
B) Technical control
C) Physical control
D) Cloud control

A) Management/Administrative control

Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2)
A) The law
B) The policy
C) Any procedures the company has created for the particular activities affected by the law
D) Lankesh should be allowed to use personal and professional judgment to make the determination of how to proceed

A) The law

Is it possible to avoid risk? (D1, L1.2.1)
A) Yes
B) No
C) Sometimes
D) Never

A) Yes

_____ controls are directives, guidelines or advisories aimed at the people within the organization.

Administrative

Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation.

Administrative Controls

Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.

Authentication

Access control process validating that the identity being claimed by a user or entity is known to the system by comparing one or more factors of identification.

Authentication

When users have stated their identity, it is necessary to validate that they are the rightful owners of that identity. This process of verifying or proving the user's identification is known as _____.

Authentication

The right or a permission that is granted to a system entity to access a system resource.

Authorization

Ensuring timely and reliable access to and use of information by authorized users.

Availability

What can be defined as timely and reliable access to information and the ability to use it by authorized users?

Availability

The options commonly used to respond to risk are?

Avoidance, Acceptance, Mitigation, Transfer

A documented, lowest level of security configuration allowed by a standard or organization.

Baseline

Integrity of data or system can always be ascertained by comparing the _____ with the current _____.

Baseline and State
If the two match, then the integrity of the data or the system is intact; if the two do not match, then the integrity of the data or the system has been compromised.

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.

Biometrics

"Something you are" authentication methods.

Biometrics, Measurable Characteristics

Malicious code that acts like a remote-controlled robot for an attacker, with other Trojan and worm capabilities.

Bots

Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a ________. (D1, L1.4.1)
A) Policy
B) Standard
C) Procedure
D) Guideline

C) Procedure

While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do? (D1, L1.5.1)
A) Nothing—each person is responsible for their own actions.
B) Yell at the other candidate for violating test security.
C) Report the candidate to (ISC)2.
D) Call local law enforcement.

C) Report the candidate to (ISC)2.

Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1)
A) The governments of the countries where the company operates
B) The company Kristal works for
C) The users
D) (ISC)2

C) The users

The chances that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. NIST SP 800-30 Rev 1

Probability

The National Institute of Standards and Technology defines _____ as the characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST SP 800-66

Confidentiality

These are detailed steps to complete a task that support departmental or organizational policies.

Procedures

The property that data has not been altered in an unauthorized manner. This covers data in storage, during processing and while in transit. NIST SP 800-27 Rev. A

Data Integrity

_____ _____ is the assurance that data has not been altered in an unauthorized manner.

Data Integrity

The magnitude of harm that could be caused by a threat's exercise of a vulnerability.

Impact

Name some types of threat actors.

Insider
Outsider
Nonpolitical Formal Entities (Business Competitors and Cybercriminals)
Political Formal Entities (Terrorists, Nation-States, and Hacktivists)
Technology (Bots, Artificial Intelligence)

The property that data has not been altered in an unauthorized manner.

Integrity

What measures the degree to which something is whole and complete, internally consistent and correct?

Integrity

The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

Likelihood

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.

Likelihood of Occurrence

Technical controls are sometimes referred to as what?

Logical Controls

Administrative controls are sometimes referred to as what?

Managerial Controls

The inability to deny taking an action, such as creating information, approving information, or sending and receiving a message.

Non-Repudiation

The inability to deny taking an action, such as sending an email message.

Non-Repudiation

"Something you know" authentication methods.

Passwords, Passphrases, PIN (Personal Identification Number), Secret Code

A term pertaining to any data about an individual that could be used to identify them.

Personally Identifiable Information (PII)

_____ controls address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people.

Physical

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc.

Physical Controls

These are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.

Policies

The right of an individual to control the distribution of information about themselves.

Privacy
