ISC2 Certified in Cybersecurity: Chapter 1
What controls make up the Security Controls?
1. Administrative Controls 2. Physical Controls 3. Technical Controls
An _____ is something in need of protection. A _____ is a gap or weakness in those protection efforts. A _____ is something or someone that aims to exploit a vulnerability to thwart protection efforts.
1. Asset 2. Vulnerability 3. Threat
Name some regulations.
1. Health Insurance Portability and Accountability Act (HIPAA) 2. General Data Protection Regulation (GDPR)
What are the 3 takeaways to remember about risk identification?
1. Identify risk to communicate it clearly 2. Employees at all levels of the organization are responsible for identifying risk. 3. Identify risk to protect against it.
Name some standards.
1. International Organization for Standardization (ISO) 2. National Institute of Standards and Technology (NIST) 3. Internet Engineering Task Force (IETF) 4. Institute of Electrical and Electronics Engineers (IEEE)
What are the four (ISC)2 Code of Ethics Canons?
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2. Act honorably, honest, justly, responsibly and legally. 3. Provide diligent and competent service to principles. 4. Advance and protect the profession.
What are the types of authentication?
1. Single-Factor Authentication (SFA) 2. Multi-Factor Authentication (MFA)
What are the common methods of authentication?
1. Something you know (Knowledge-Based) 2. Something you have (Token-Based) 3. Something you are (Characteristics-Based)
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol 1 Rev 1
Criticality
Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1) A) Avoid B) Accept C) Mitigate D) Conflate
D) Conflate
Ports 1024-65,535 are commonly referred to as what?
Dynamic Ports
In 2016, the European Union passed this comprehensive legislation that addresses personal privacy, deeming it a individual human right?
General Data Protection Regulation (GDPR) GDPR applies to all organizations, foreign or domestic, doing business in the EU or any persons in the EU.
What are the port numbers and transport protocol for the following protocols? HTTP Telnet SMTP DNS FTP HTTPS
HTTP - Port 80 - TCP, UDP, SCTP Telnet - Port 23 - TCP SMTP - Port 25 - TCP DNS - Port 53, TCP, UDP FTP - Port 20 (Data) - TCP, SCTP FTP - Port 21 (Control or Program) - TCP, UDP, SCTP HTTPS - Port 443 - TCP, UDP, SCTP
In the United States personal health privacy is protected by HIPAA. What does HIPAA stand for?
Health Insurance Portability and Accountability Act (1996)
A term referring to information regarding one's health status.
Protected Health Information (PHI)
A method for risk analysis that is based on the assignment of a descriptor such as low medium or high. NISTIR 8286
Qualitative Risk Analysis
A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. NISTIR 8286
Quantitative Risk Analysis
These are commonly issued in the form of laws, usually from government and typically carry financial penalties for noncompliance.
Regulations
What is taking no action to reduce the likelihood of a risk occurring?
Risk Acceptance
Process of identifying, estimating and prioritizing risks to an organization's operations, assets, individuals, other organizations and even the nation.
Risk Assessment
The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Assessment
What is the decision to attempt to eliminate the risk entirely?
Risk Avoidance
What includes taking action to prevent or reduce the possibility of a risk event or its impact?
Risk Mitigation
What is the most common type of risk management?
Risk Mitigation
The level of risk an entity is willing to assume in order to achieve a potential desired result NIST SP 800-32
Risk Tolerance
What is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment?
Risk Transference
The determination of the best way to address an identified risk?
Risk Treatment
In the world of cyber, identifying _____ is not a one and done activity. It's a recurring process of identifying different possible _____, characterizing them and then estimating their potential for disrupting the organization.
Risks
What are the port numbers and transport protocol for the following protocols? SSH Kerberos POP3 IMAP MySQL RDP
SSH - Port 22 - TCP, UDP, SCTP Kerberos - Port 88 (Network Authentication System) - TCP, UDP Kerberos - Port 464 (Change/Set Password) - TCP, UDP POP3 - Port 110 - TCP IMAP - Port 143 - TCP, UDP MySQL - Port 3306 - TCP RDP - Port 3389 - TCP, UDP
The management operational and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. FIPS PUB 199
Security Controls
What does SOC stand for?
Security Operations Center
What is considered a headquarters for an information security team?
Security Operations Center (SOC)
Where does an information security team monitor, detect, and analyze events on the network so they can prevent and resolve issues before they disrupt the business?
Security Operations Center (SOC)
_____ information is information that if improperly disclosed (confidentiality) or modified (integrity) would harm an organization or individual.
Sensitive
What is a measure of the importance assigned to information by its owner, or the purpose of denoting its need for protection? NIST SP 800-60 Vol 1 Rev 1
Sensitivity
Use of just one of the three available factors to carry out the authentication process is known as?
Single-Factor Authentication (SFA)
The ability of computers and robots to simulate human intelligence and behavior.
Artificial Intelligence (AI)
Anything of value that is owned by an organization. This includes both tangible items such as information systems and physical property, and intangible items such as intellectual property.
Assets
These are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.
Standards
The condition an entity is at a point in time.
State
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. NIST SP 800-27 Rev. A
System Integrity
_____ _____ refers to the maintenance of a known good configuration and expected operational function as the system processes the information.
System Integrity
_____ controls are security controls that computer systems and networks directly impact.
Technical
Security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Technical Controls
In modern organizations, many physical control systems are linked to what systems that may use badge readers connected to door locks?
Technical Controls (Logical Controls)
Something or someone that aims to exploit a vulnerability to gain unauthorized access is a _____?
Threat
An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
Threat Actors
The means by which a threat actor carries out their objective
Threat Vector
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. NIST SP 800-30 Rev 1
Threats
A physical object a user possesses and controls that is used to authenticate the user's identity. NIST IR 7711
Tokens
Something you have authentication methods.
Tokens, Memory Cards, Smart Cards
A gap or weakness in an organization's protection of its valuable assets, including information is a _____?
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. NIST SP 800-30 Rev 1
Vulnerability
Ports 0-1,023 are commonly referred to as what?
Well-Known Ports
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.
Confidentiality
To define security, it has become common to use the CIA Triad. Define the CIA Triad.
Confidentiality Integrity Availability
Using two or more distinct instances of the three factors of authentication for identity verification is known as?
Multi-Factor Authentication (MFA)
Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account, and is requesting Siobhan's full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information, and decides to not make the purchase. What kind of risk management approach did Siobhan make? (D1, L1.2.2) A) Avoidance B) Acceptance C) Mitigation D) Transfer
A) Avoidance
What is meant by non-repudiation? (D1, L1.1.1) A) If a user does something, they can't later claim that they didn't do it. B) Controls to protect the organization's reputation from harm due to inappropriate social media postings by employees, even if on their private accounts and personal time. C) It is part of the rules set by administrative controls. D) It is a security feature that prevents session replay attacks.
A) If a user does something, they can't later claim that they didn't do it.
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1) A) Management/Administrative control B) Technical control C) Physical control D) Cloud control
A) Management/Administrative control
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2) A) The law B) The policy C) Any procedures the company has created for the particular activities affected by the law D) Lankesh should be allowed to use personal and professional judgment to make the determination of how to proceed
A) The law
Is it possible to avoid risk? (D1, L1.2.1) A) Yes B) No C) Sometimes D) Never
A) Yes
_____ controls are directives, guidelines or advisories aimed at the people within the organization.
Administrative
Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation.
Administrative Controls
Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.
Authentication
Access control process validating that the identity being claimed by a user or entity is known to the system by comparing one or more factors of identification.
Authentication
When users have stated their identity, it is necessary to validate that they are the rightful owners of that identity. This process of verifying or proving the user's identification is known as _____.
Authentication
The right or a permission that is granted to a system entity to access a system resource.
Authorization
Ensuring timely and reliable access to and use of information by authorized users.
Availability
What can be defined as timely and reliable access to information and the ability to use it by authorized users?
Availability
The options commonly used to respond to risk are?
Avoidance Acceptance Mitigation Transfer
A documented, lowest level of security configuration allowed by a standard or organization.
Baseline
Integrity of data or system can always be ascertained by comparing the _____ with the current _____.
Baseline and State If the two match, then the integrity of the data or the system is intact; if they two do not match, then the integrity of hte data or the system has been compromised.
Biological characteristics of an individual, such as a fingerprint, hadn't geometry, voice, or iris patterns.
Biometrics
Something you are authentication methods.
Biometrics, Measurable Characteristics
Malicious code that acts like a remote controlled robot for an attacker, with other Trojan and worm capabilities.
Bots
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a ________. (D1, L1.4.1) A) Policy B) Standard C) Procedure D) Guideline
C) Procedure
While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do? (D1, L1.5.1) A) Nothing—each person is responsible for their own actions. B) Yell at the other candidate for violating test security. C) Report the candidate to (ISC)2. D) Call local law enforcement.
C) Report the candidate to (ISC)2.
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1) A) The governments of the countries where the company operates B) The company Kristal works for C) The users D) (ISC)2
C) The users
The chances that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. NIST SP 800-30 Rev 1
Probability
The National Institute of Standards and Technology defines _____ as the characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST SP 800-66
Confidentiality
These are detailed steps to complete a task that support departmental or organizational policies.
Procedures
The property that data has not been altered in an unauthorized manner. This covers data in storage, during processing and while in transit. NIST SP 800-27 Rev. A
Data Integrity
_____ _____ is the assurance that data has not been altered in an unauthorized manner.
Data Integrity
The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
Impact
Name some types of threat actors?
Insider Outsider Nonpolitical Formal Entities (Business Competitors and Cybercriminals) Political Formal Entities (Terrorists, Nation-States, and Hacktivists) Technology (Bots, Artificial Intelligence)
The property that data has not been altered in an unauthorized manner.
Integrity
What measures the degree to which something is whole and complete, internally consistent and correct?
Integrity
The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Likelihood
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
Likelihood of Occurrence
Technical controls are sometimes referred to as what?
Logical Controls
Administrative controls are sometimes referred to as what?
Managerial Controls
The inability to deny taking an action, such as creating information, approving information, or sending and receiving a message.
Non-Repudiation
The inability to deny taking an action, such as sending an email message.
Non-Repudiation
Something you know authentication methods.
Passwords, Paraphrases, PIN (Personal Identification Number), Secret Code
A term pertaining to any data about an individual that could be used to identify them.
Personally Identifiable Information (PII)
_____ controls address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people.
Physical
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc.
Physical Controls
These are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.
Policies
The right of an individual to control the distribution of information about themselves.
Privacy
