ISACA Studying CyberSecurity Fundamentals

VPN protection should be 3 fold. including 1. terminate VPN traffic from remote users 2. provide a hub for terminating VPN traffic from remote sites 3. Terminate traditional dial-in users 4. terminate all traffic from malicious IP's

1. terminate VPN traffic from remote users 2. provide a hub for terminating VPN traffic from remote sites 3. terminate traditional dial-in users.

Datasecurity: Access control technology that can be used to impose limitations on the usegae of digital content and devices. A) DRM B)TMS C)DMS

A) Digital rights management (DRM)

First generation firewalls were: A) Packet Filtering B) Application firewall systems c) Stateful Inspection firewalls

A) Packet Filtering

Guess the fire wall: Intruder must get through 2 different layers to get in the network. Internet -> router ->bastion ->private network. A)screened-host firewall B)Dual-homed firewall C) DMZ or Screened-Subnet Firewall

A) Screened-Host Firewall

Select all that apply. Which of the following are considered functional areas of network management as defined by ISO? a. Accounting management b. Fault management c. Firewall management d. Performance management e. Security management

A. Accounting Management B. Fault Management D. Performance Management E. Security Management

Approaches to cybersecurity: Compliance-based

Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a checklist attitude towards security

What are the two types of application firewalls?

Application-level gateway: uses proxies for each service. Can cause performance issues. circuit-level gateway : One proxy server for all services.

A _______ is something of value worth protecting.

Asset

Datasecurity: controlling access to hard copy tape drive and disk backups. Pick 2 a) DRM b) TMS c) DMS d) CMS

B) Tape management systems C) Disk management systems

Packet filtering firewalls inspect what part of the packet? A) Content B) Header C)Footer

B)Header

Name the attack vector: It can allow an attacker to compromise passwords, keys or session tokens and impersonate users.

Broken authentication and session management

Any change, error or interruption within an IT infrastructure such as a system crash, disk error or a user forgetting their password. A) Occurrence B) Incident C)Event

C) Event

A violation or immanent threat of violation of a computer security policies or standard security practices. A) Threat B) Event C) Incident

C) Incident

Cyberterrorist

Characterized by their willingness to use violence to achieve their goals, cyberterrorists frequently target critical infrastructures and government groups.

Name the attack vector: Occurs when an application takes untrusted data and sends it to a web browser without proper validation. This is the most prevalent web application security flaw. Attackers can use this to hijack user sessions, insert hostile content, deface web sites and redirect users.

Cross-Site Scripting

Name the attack vector: Occurs when an attacker forces a user's browser to send forged HTTP requests, including session cookies. This allows an attacker to trick victims into performing operations on the illegitimate web site.

Cross-site request forgery

Port 53

DNS domain name system

Types of Incidents: Cat 2

Denial-of-service

Guess the firewall: Connected to 2 or more networks. Divides traffic going to information servers and other private networks. a)Screen-host firewall b)dual-homed firewall c) DMZ or screened-subnet firewall

Dual-Homed firewall

Port 20 -21

FTP

______ contain step-by-step instructions to carry out procedures

Guidelines

Common attacks against first gen firewalls are ?

IP Spoofing (change sender info) Source routing specification (specify the path so as to by pass the firewall) Miniature fragment attack (send mini mal packets that are hide their intent by only having the first section examined.)

Types of Incidents: Cat 4

Improper Usage

The risk level or exposure without taking into account the actions that management had taken or might take.

Inherent risk

Name the attack vector: Occurs when untrusted data is sent to an interpreter. The attacker can trick the interpreter into executing unintended commands or accessing unauthorized data. Injection flaws are prevalent and are often found in SQL and LDAP queries and OS commands.

Injection

Name the attack vector: Occurs when a developer exposes a reference to an internal implementation object. Attackers can manipulate these references to access unauthorized data.

Insecure Direct Object Reference

Types of Incidents: Cat 6

Investigation

Types of Incidents: Cat 3

Malicious Code

Name the attack vector: Attackers forge requests to access functionality without authentication

Missing function level access control

A router is at what layer of the OSI model

Network

port 110

POP3 post office protocol

____ are solutions to software programming and coding errors

Patches

Procedures

Provide details on how to comply with policies and standards

Approaches to cybersecurity: Risk-based

Relies on identifying the unique risk a particular organization faces and designing/implementing security controls to address that risk.

Port 25

SMTP Simple mail transfer Protocol

port 161, 162

SNMP Simple network management protocol

Types of Incidents: Cat 5

Scans/Probes/Attempted Access

Name the attack vector: If web applications do not properly secure sensitive data through the use of encryption, attackers may steal or modify sensitive data such as health records, credit cards, tax IDs and authentication credentials

Sensitive data exposure

Coordinates and manages user corrections

Session layer

Firewalls that only allow a connection to be made if the internal computer made a request to the external source

Stateful firewalls

What is the difference between stateful and stateless firewalls?

Stateful keep a record of the ongoing TCP connection or port numbers for a session. Stateless does not.

SCADA

Supervisory control and Data acquisition.

Port 69

TFTP Trivial file transfer protocol

Port 23

Telnet

A ________ is anything capable of acting against an asset in a manner that can cause harm.

Threat

Ensures that data are tranferred reliably in the correct sequence

Transport

Switches can be part of which 3 layers

Transport, Network, data link

the process of encapsulating one type of process inside of another

Tunneling.

Types of Incidents: Cat 1

Unauthorized Access

Name the attack vector: When untrusted data are used to determine the destination of web traffic, an attacker can redirect victims to phishing or malware sites

Unvalidated Redirect and Forward

The internet perimeter should: pick all that apply a) control user traffic bound to the internet b) identify and block anomalous traffic and malicious packets recognized as potential attacks. c)eliminate threats such as email spam, viruses and worms d)enforce filtering policies to block access to websites containing malware or questionable content e)track user behaviour to search for anomalies

a)control user traffic bound to the internet. b) identify and block anomalous traffic and malicious packets recognized as potential attacks. c)eliminate threats such as email spam, viruses and worms d) enforce filtering policies to block access to websites containing malware or questionable content. *** it should also provide protection for VPN WAN and WLAN****

adversarial vs non adversarial threats

adversarial= human mande threat non adversarial = error, malfunction or mishap

mediates between software applications and other layers of network service

application

the path or route used to gain access to the target asset is known as a ______

attack vector

Stateful inspection firewalls also known as a) dynamic route firewalls b) dynamic packet filtering c) dynamic application firewall

b) dynamic packet filtering

The amount of time allowed for the recovery of a business function or resource a) MTR b)RTO c) RPO

b) recovery time objective

Select all that apply. A business impact analysis (BIA) should identify: a. The circumstances under which a disaster should be declared. b. The estimated probability of the identified threats actually occurring. c. The efficiency and effectiveness of existing risk mitigation controls. d. A list of potential vulnerabilities, dangers and/or threats. e. Which types of data backups (full, incremental and differential) will be used.

b. the estimated probability of the identified threats actually occuring. c. The efficiency and effectiveness of the existing risk mitigation controls. d. a list of potential vulnerabilities, dangers and/or threats

Which of the following cybersecurity roles is charged with the duty of managing incidents and remediation? a. Board of directors b. Executive committee c. Cybersecurity management d. Cybersecurity practitioner

c. Cybersecurity managment

Divides data into frames that can be transported by the physical layer

datalink

Put the layers of concentric defense in depth into order a) respond b) delay c) detect

detect delay respond

Port number 7

echo

Phishing

email attack that attempts to convince a user that the originator is genuine, with the intention of stealing into for use in social engineering

Translates network addresses and routes data from sender to reciever

network layer

OSI

open systems interconnect model

Manages signals amoung network systems

physical

Formats, encrypts and compresses data

presentation layer

Link file

propagates copies of a worm

network worm

self-replicating code

Select all that apply. Which of the following statements about advanced persistent threats (APTs) are true? a. APTs typically originate from sources such as organized crime groups, activists or governments. b. APTs use obfuscation techniques that help them remain undiscovered for months or even years. c. APTs are often long-term, multi-phase projects with a focus on reconnaissance. d. The APT attack cycle begins with target penetration and collection of sensitive information. e. Although they are often associated with APTs, intelligence agencies are rarely the perpetrators of APT attacks.

A. APT's typically originate from sources such as organized crime groups, activists or governments. B. APT's use obfuscation techniques that help them remain undiscovered for months or ever years. C. APT's are often long-term, multi-phase projects with a focus on reconnaissance.

The number and types of layers needed for defense in depth are a function of: a. Asset value, criticality, reliability of each control and degree of exposure. b. Threat agents, governance, compliance and mobile device policy. c. Network configuration, navigation controls, user interface and VPN traffic. d. Isolation, segmentation, internal controls and external controls.

A. Asset value, criticality, reliability of each control and degree of exposure.

Choose three. Which types of risk are typically associated with mobile devices? a. Organizational risk b. Compliance risk c. Technical risk d. Physical risk e. Transactional risk

A. Organisational risk C. technical risk D. Physical Risk

Three common controls used to protect availablity. a) redundancy, backups and access control b. Encryption, file permissions and access controls. c. Access controls, logging and digital signatures. d. Hashes, logging and backups.

A. Redundancy, backups and access control

Smart devices, BYOD strategies and freely available applications and services are all examples of: a. The reorientation of technologies and services designed around the individual end user. b. The primacy of external threats to business enterprises in today's threat landscape. c. The stubborn persistence of traditional communication methods. d. The application layer's susceptibility to APTs and zero-day exploits

A. The reorientation of technologies and services designed around the individual end user.

Select all that apply. The Internet perimeter should: a. Detect and block traffic from infected internal end points. b. Eliminate threats such as email spam, viruses and worms. c. Format, encrypt and compress data. d. Control user traffic bound toward the Internet. e. Monitor and detect network ports for rogue activity.

A. detect and block traffic from infected internal end points. b. eliminate threats such as email spam, viruses and worms. d. control user traffic bound towards the Internet, e. monitor and detect network ports for rogue activity.

Protecting Digital Assets: Take appropriate action after learning of a security event. A.Respond B.Protect C.Recover D.Identify E.Detect

A.Respond

Which policy covers the following topics? -physical and logical access provisioning life cycle - least privilege/need to know - segregation of dutes - emergency access

Access Control Policy

Which of the three key cybersecurity concepts relates to: Redundancy, backups and access control

Availability

Security Perimeter is described as (pick 2) A) Data Centric B) Network Centric C) System Centric D) Information Centric

B) Network Centric C) System Centric

____________________ is defined as "a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management or service provider interaction." a. Software as a Service (SaaS) b. Cloud computing c. Big data d. Platform as a Service (PaaS)

B. Cloud Computing

System hardening should implement the principle of _________________________ or ______________________. a. Governance, compliance b. Least privilege, access control c. Stateful inspection, remote access d. Vulnerability assessment, risk mitigation

B. Least privilege, access control

Virtualization involves: a. The creation of a layer between physical and logical access controls. b. Multiple guests coexisting on the same server in isolation of one another. c. Simultaneous use of kernel mode and user mode. d. DNS interrogation, WHOIS queries and network sniffing.

B. Multiple guest coexisting on the same server in isolation of one another

Choose 3. According to the NIST framework which of the following are considered key functions necessary for the protection of digital assets? a. Encrypt b. Protect c. Investigate d. Recover e. Identify

B. Protect D.recover E. Identify

Select three. The chain of custody contains information regarding: a. Disaster recovery objectives, resources and personnel. b. Who had access to the evidence, in chronological order. c. Labor, union and privacy regulations. d. Proof that the analysis is based on copies identical to the original evidence. e. The procedures followed in working with the evidence.

B. Who had access to the evidence, in chronological order. D. Proof that the analysis is based on copies identical to the original evidence. E. The procedure followed in working with the evidence.

Protecting Digital Assets: Design safeguards to limit the impact of potential events on critical services and infrastructure. A.Respond B.Protect C.Recover D.Identify E.Detect

B.Protect

Who is responsible for Governance?

Board of directors and senior management.

Which element of an incident response plan involves obtaining and preserving evidence? a. Preparation b. Identification c. Containment d. Eradication

C. Containment

Vulnerability management begins with an understanding of cybersecurity assets and their locations, which can be accomplished by: a. Vulnerability scanning. b. Penetration testing. c. Maintaining an asset inventory. d. Using command line tools.

C.Maintaining an asset inventory

Which three elements of the current threat landscape have provided increased levels of access and connectivity, and therefore increased opportunities for cybercrime? a. Text messaging, Bluetooth technology and SIM cards b. Web applications, botnets and primary malware c. Financial gains, intellectual property and politics d. Cloud computing, social media and mobile computing

Cloud Computing, social media and mobile computing

Policies

Communicate required and prohibited activities and behaviours

the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations.

Compliance

Which of the three key cybersecurity concepts relates to: access controls, file permissions and encryption?

Confidentiality

Protecting Digital Assets: Use organisational understanding to minimize risk to systems, assets, data and capabilities. A.Respond B.Protect C.Recover D.Identify E.Detect

D. Identify

Arrange the steps of the incident response process into the correct order. a. Mitigation and recovery b. Investigation c. Postincident analysis d. Preparation e. Detection and analysis

D. Preparation B. Investigation E.Detection and analysis A. Mitigation and recovery C. Post incident analysis

Which of the following best states the role of encryption within an overall cybersecurity program? a. Encryption is the primary means of securing digital assets. b. Encryption depends upon shared secrets and is therefore an unreliable means of control. c. A program's encryption elements should be handled by a third-party cryptologist. d. Encryption is an essential but incomplete form of access control.

D.Encryption is an essential but incomplete form of access control.

Protecting Digital Assets: Put in order A.Respond B.Protect C.Recover D.Identify E.Detect

D.Identify B.Protect E.Detect A.Respond C.Recover

Protecting Digital Assets: Put in order A.Respond B.Protect C.Recover D.Identify E.Detect

D.Identify B.Protect E.Detect A.Respond C.Recover

NIST defines a(n) ________________ as a "violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." a. Disaster b. Event c. Threat d. Incident

D.Incident

Put the steps of the penetration testing phase into the correct order. a. Attack b. Discovery c. Reporting d. Planning

D.Planning, B.Discovery, A.Attack, C.Reporting

A security architecture which emphasizes the protection of data regardless of its location

Data Centric

Protecting Digital Assets: Implement activities to identify the occurrence of a cybersecurity even A.Respond B.Protect C.Recover D.Identify E.Detect

E.Detect

HIPAA

Health Insurance Portability and Accounting Act

_______ includes many components such as directory services, authentication and authorization services, and user management capabilities such as provisioning and deprovisioning

Identity Management

Which plan is responsible for documented procedures and guidelines for - Criticality of incidents - Reporting and escalation processes - Recovery - recovery time objectives(RTO) for return to the trusted stated - investigation and perservation of process - testing and training -post incident meetings

Incident response plan

Which of the three key cybersecurity concepts relates to: logging, digital signatures, hashes, encryption and access control?

Integrity

Standards

Interpret policies in specific situations

________ also called malicious code, is software designed to gain access to targeted computer systems. steal info or disrupt computer operations.

Malware

In an attack, the container that delivers the exploit to the target is called?

Payload

PCIDSS

Payment Card Industry Data Security Standard

Which policy is responsible for: - executing regular background checks - acquiring info about key personnel -developing a succession plan for all key info sec positions - define and implement appropriate procedures for termination

Personnel Information Security Policy

______ communicates required and prohibited activities and behaviors

Policies

_______ provides details on how to comply with policies and standards.

Procedures

Guidelines

Provide general guidance on issues such as "what to do in particular circumstances." These are not requirements to be met, but are strongly recommended.

What are the goals of governance?

Provide strategic direction Ensure that objectives are achieved Ascertain whether risk is being managed appropriately Verify that the organization's resources are being used responsibly.

The core duty of cybersecurity is to identify, respond and manage ________ to an organization's digital assets.

Risk

The process by which an organization manages risk to acceptable levels.

Risk Management

_____ is a class of malware that hides the existence of other malware by modifying the underlying operating system

Rootkit

Which policy addresses the need to respond to incidents in a timely manner in order to recover business activities?

Security Incident Response Policy

Which policy is responsible for: -defining a infosec incident and a statement of how incidents will be handled. Requirements for establishing of the incident response team and creation of a tested incident response plan

Security Incident Response Policy

SQL injection

Specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean info from the database in ways not envisaged during application design.

_________ are used to interpret policies in specific situations

Standards

SCADA PLC

Supervisory control and data acquisition Programmable logic controllers

The __________________ layer of the OSI model ensures that data are transferred reliably in the correct sequence, and the ________________ layer coordinates and manages user connections. a. Presentation, data link b. Transport, session c. Physical, application d. Data link, network

Transport and session

backdoor

a means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions.

The internet perimeter should: pick all that apply a) route traffic between the enterprise and the internet b)prevent executables from being transferred through email attachments or HTTP responses. c) malware analysis d)monitor network ports for rogue activity e)detect and block traffic from infected end points

a) route traffic between the enterprise and the internet b) prevent executables from being transferred through email attachments or HTTP responses. d) monitor network ports for rogue activity e)detect and block traffic from infected end points.

Governance has several goals including: a. providing strategic direction b. ensuring that objectives are achieved c. verifying that organizational resources are being used appropriately d. directing and monitoring security activities. e.Ascertaining whether risk is being managed properly

a. provisioning strategic direction. b. ensuring that objective are achieved c. verifying that organizational resources are being used appropriately e. Ascertaining whether risk is being managed properly.

Choose three. There key benefits of the DMZ system are: a. DMZs are based on logical rather than physical connections. b. An intruder must penetrate three separate devices. c. Private network addresses are not disclosed to the Internet. d. Excellent performance and scalability as Internet usage grows. e. Internal systems do not have direct access to the Internet.

b. An intruder must penetrate three separate devices c. Private network addresses are not disclosed to the Internet. e. Internal systems do not have direct access to the internet

Viruses

code that can replicate itself and spread from one computer to another. It requires intervention or execution to replicate and/or cause damage

Which of the following is the best definition for cybersecurity? a. The process by which an organization manages cybersecurity risk to an acceptable level b. The protection of information from unauthorized access or disclosure c. The protection of paper documents, digital and intellectual property, and verbal or visual communications d. Protecting information assets by addressing threats to information that is processed, stored or transported by interworked information systems

d. Protecting information assets by addressing threats to information that is processed, stored or transported by internetworked information systems.

Generalized attack process, put in order a. create attack tools b. exploit and compromise c. Achieve results d. coordinate a campaign e. maintain a presence f. preform reconnaissance g. deliver malicious capabilities h. conduct an attack

f. Perform reconnaissance a. create attack tools g.deliver malicious capabilities b. exploit and compromise h. conduct and attack c. achieve results e. maintain a presence d. coordinate a campaign.

spoofing

faking the sending address of a transmission in order to gain illegal entry into a secure system.

spyware

gathers info about a person or org without their knowledge

cyberwarriors

hacktivists, cyberfighters are nationally motivated citizens who may act on behalf of a political party or against another political party that threatens them.

Approaches to cybersecurity: Ad Hoc

implements security with no particular rational or criteria

botnets

large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as ddos

Cross-site scripting

malicious scripts are injected into otherwise benign and trusted websites. Attacker uses a web app to send malicious code , generally in the form of a browser side script, to a different user.

trojan horse

malware that gains access to a targeted system by hiding within a genuine app.

Cybercriminals

motivated by profit.

Access control policy

provides proper access to internal and external stakeholders to accomplish business goals. examples: -number of access violations that exceed the amount allowed - amount of work disruption due to insufficient access rights - number of segregation of duties incidents or audit findings

Online social hackers

skilled in social engineering, these attackers are frequently involved in cyberbullying, identity theft and collection of other confidential info.

spear-phishing

social engineering techs are used to masquerade as a trusted party to obtain important info such as passwords from the victim

Generalized attack process: the adversary gathers info using a variety of techniques which may include: - sniffing or scanning the network perimeter - using open source discovery of organization info - running malware to identify potential targets

step 1 Perform reconnaissance

Generalized Attack process: The adversary crafts the tools needed to carry out a future attack which may include: -phishing or spear phishing attacks - crafting counterfeit websites or certificates - creating and operating false front orgs in inject malicious components into the supply chain

step 2 Create attack tools

Generalized attack process: the adversary inserts or installs whatever is needed to carry out the attack: - introducing malware - placing subverted individuals into privileged positions -installing sniffers or scanning devices on targeted network/system - inserting tampered hardware or critical components into organizational system or supply chain.

step 3 deliver malicious capabilities

Generalized Attack Process: The adversary takes advantage of info and systems in order to compromise them -split tunneling or gaining physical access to org. facilities -exfiltrating data or sensitive info -exploiting multitencany in a cloud enviroment - launching zero-day exploits

step 4 exploit and compromise

general attack process: coordinates attack tools or performs activities that interfere with org. fuctions. - Communication interception or wireless jamming -DoS or DDoS -remote interference with or physical attacks on org. facilities or infrastructure - session-hijacking or man-in-the-middle attacks.

step 5 conducting an attack.

general attack process: causes an adverse impact: -obtaining unauthorized access to systems and/or sensitive info - degrading org services or capabilities - creating, corrupting or deleting critical data

step 6 achieve results

general attack process: adversary continues to exploit and compromise the system -obfuscating actions or interfering with IDS - adapting cyberattacks in response to organizational security measures

step 7 maintaining a presence or set of capabilities

general attack process: coordinating a campaign against the org - multi-staged attacks - internal and external attacks - widespread and adaptive attacks

step 8 coordinate a campaign.

A _________ is a weakness in the design, implementation, operation or internal controls in a process that could be exploited to violate the system security

vulnerability

buffer overflow

when a program or process tries to store more data in a buffer (temp data storage area) that it was intended to hold. The data overflow into adjacent buffers, corrupting or overwriting valid data.