(ISC)2 Certified in Cybersecurity - Exam Prep
Incident response teams must have personnel available _________.
24/7
What is a rootkit?
Answer: Software that is designed to hide its presence on a system, allowing an attacker to gain unauthorized access and control.
What is a security baseline configuration?
Answer: A standardized configuration for an organization's systems and applications that meets minimum security requirements.
What is a security classification system?
Answer: A system for categorizing information based on its sensitivity and confidentiality requirements.
What is a security event correlation system?
Answer: A system that analyzes security events from multiple sources to identify potential security threats.
What is a security information and event management (SIEM) system?
Answer: A system that collects and analyzes security events and alerts to detect and respond to security threats.
What is a security information management (SIM) system?
Answer: A system that collects, analyzes, and reports on security events and incidents.
What is a security access management (SAM) system?
Answer: A system that manages user access to an organization's systems and data.
What is a data loss prevention (DLP) system?
Answer: A system that monitors and prevents the unauthorized transmission of sensitive data outside of an organization's network.
What is a security key management system?
Answer: A system used to generate, distribute, and manage encryption keys.
What is a security audit?
Answer: A systematic evaluation of an organization's security controls and practices to ensure they are in compliance with industry standards and regulations.
What is a virtual private network (VPN)?
Answer: A technology that creates a secure and encrypted connection between two networks over the internet.
What technology provides the translation that assigns public IP addresses to privately addressed systems that wish to communicate on the Internet? A) TLS B) HTTP C) SSL D) NAT
D) NAT
The result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation. NIST SP 800-12 Rev. 1
Digital Signature
_________ restores normal operations as quickly as possible.
Disaster Recovery
RIPEMD produces _____ bit hashes. A) 128 B) 160 C) 256 D) 320 E) All of the above
E) All of the above
SHA-2 produces _____ bit hashes. A) 224 B) 256 C) 384 D) 512 E) All of the above
E) All of the above
Monitoring of outgoing network traffic.
Egress Monitoring
The total set of algorithms, processes, hardware, software, and procedures that taken together provide an encryption and decryption capability.
Encryption System
Any observable occurrence in a network or system. Source: NIST SP 800-61 Rev 2
Event
A reference to the process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems, and software, including operating system, web server, application server, application, etc. Hardening is normally performed based on industry guidelines and benchmarks, such as those provided by the Center for Internet Security (CIS).
Hardening
You are normally required to report security incidents to law enforcement if you believe a law may have been violated. True or False
False
What two factors are used to evaluate a risk?
Likelihood and Impact
We rank risks by _________ and _________.
Likelihood and impact
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
Likelihood of Occurrence
An operating system that is open source, making its source code legally available to end users.
Linux
_________ spreads demand across systems.
Load Balancing
A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.
Log Anomaly
Collecting and storing user activities in a log, which is a record of the events occurring within an organization's systems and networks. NIST SP 1800-25B.
Logging
What type of security control is designed to stop a security issue from occurring in the first place?
Preventive
_________ stop a security issue from occurring.
Preventive Control
_________ continues until the cost of addressing risks outweighs the benefit.
SPOF Analysis
An algorithm that uses the same key in both the encryption and the decryption processes.
Symmetric encryption
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Source: NIST SP 800-27 Rev. A
System Integrity
Types of Backup Media:
Tape backups, Disk-to-disk backups, Cloud backups
Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
Technical Controls
_________ use technology to achieve control objectives.
Technical Controls
What is port 25 used for? A) SMTP B) HTTP C) HTTPS D) DNS
A) SMTP
Which TCP Flag indicates a connection needs to be opened? A) SYN B) FIN C) ACK D) RST
A) SYN
True or False A Routine Workflow is when an administrator disables accounts on a scheduled basis for planned departures. A) True B) False
A) True
True or False An IDS can detect SQL Injection attacks, malformed packets used to create a DoS, unusual login patterns outside of normal hours or geographic area, and botnet traffic. A) True B) False
A) True
True or False Ensure that vendor security policies are at least as stringent as your own. A) True B) False
A) True
True or False Full Tunnel VPNs route all network traffic leaving a connected device through the VPN tunnel, regardless of its final destination. A) True B) False
A) True
True or False Hash Functions may fail if they are reversible or if they are not collision-resistant. A) True B) False
A) True
True or False Network segmentation is the most important control for embedded devices. A) True B) False
A) True
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source. Source: NIST SP 800-30 Rev 1
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source. Source: NIST SP 800-128.
Vulnerability
A wireless local area network (WLAN) is a group of computers and devices that are located in the same vicinity, forming a network based on radio transmissions rather than wired connections. A Wi-Fi network is a type of WLAN.
WLAN
Defining the BCP Scope:
What business activities will the plan cover? What systems will it cover? What controls will it consider?
An operating system manufactured by Apple Inc. Used for mobile devices.
iOS
What port range is known as the "well-known" ports? A) 0 - 1,023 B) 0 - 1,000 C) 0 - 10,000 D) 0 - 65,535
A) 0 - 1,023
If two people want to use symmetric encryption to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.3) A) 1 B) 3 C) 8 D) none
A) 1
MD5 produces _____ bit hashes. A) 128 B) 256 C) 512 D) 1024
A) 128
What is the range of a Bluetooth network? A) 30 FT / 10 meters B) 25 FT / 8 meters C) 10 FT / 2 meters D) Unlimited
A) 30 FT / 10 meters
SSL/TLS VPNs work at the application layer (Layer 7) of the OSI model over TCP port _________. A) 443 B) 139 C) 8081 D) 445
A) 443
What port range is known as "dynamic" ports? A) 49,152 - 65,535 B) 10,000 - 65,535 C) 47,455 - 65,535 D) 36,712 - 65,535
A) 49,152 - 65,535
RJ-11 cables have how many pins? A) 6 B) 4 C) 8 D) 10
A) 6
What temperature range should be maintained in a data center? A) 64.4 F - 80.6 F B) 50 F - 85 F C) 32 F - 60 F D) 45 F - 90 F
A) 64.4 F - 80.6 F
What type of malware spreads under its own power? A) Worm B) Spyware C) Virus D) Trojan horse
A) Worm
TCP is a ________________________ oriented protocol. A) connection B) connectionless C) seamless D) universal
A) connection
What command may be used to determine the network path between two locations? A) tracert B) ping C) arp D) dig
A) tracert
A physical object a user possesses and controls that is used to authenticate the user's identity. Source: NISTIR 7711
Token
Internetworking protocol model created by the IETF, which specifies four layers of functionality: Link layer (physical communications), Internet Layer (network-to-network communication), Transport Layer (basic channels for connections and connectionless exchange of data between hosts), and Application Layer, where other protocols and user applications programs make use of network services.
Transmission Control Protocol/Internet Protocol (TCP/IP) Model
A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.
Turnstile
What is a security maturity model?
Answer: A model that provides a framework for assessing an organization's security maturity and identifying areas for improvement.
What is a firewall?
Answer: A network security device that monitors and controls incoming and outgoing traffic based on a set of rules.
What is a security information exchange (SIE)?
Answer: A network that allows organizations to share security information and threat intelligence.
What is a security token?
Answer: A physical or digital device that is used to authenticate a user's identity for access to a system or application.
What is a security incident response communication plan?
Answer: A plan that outlines how communication will be handled during a security incident, including who will be notified, what information will be shared, and how communication will be managed.
What is a security risk management plan?
Answer: A plan that outlines the steps to be taken to identify, assess, and mitigate security risks to an organization's systems and data.
What is a bring your own device (BYOD) policy?
Answer: A policy that allows employees to use their personal devices for work purposes, with certain security requirements and restrictions.
What is a security information and event management (SIEM) retention policy?
Answer: A policy that specifies how long security event logs and data should be retained.
What is a secure development lifecycle (SDLC)?
Answer: A process for developing software that integrates security into every stage of the development process.
What is a security incident management process?
Answer: A process for managing security incidents from identification through resolution and reporting.
What is a security exception request process?
Answer: A process for requesting exceptions to an organization's security policies and procedures.
What is a security exception management process?
Answer: A process for reviewing and approving exceptions to an organization's security policies and procedures.
What is a risk assessment?
Answer: A process of identifying, analyzing, and evaluating risks to an organization's systems and data.
What is a vulnerability assessment?
Answer: A process of identifying, quantifying, and prioritizing security weaknesses in an organization's systems, applications, and networks.
What is a security awareness training program?
Answer: A program that educates employees on security best practices and potential threats to reduce the likelihood of security incidents.
What is a security vulnerability management program?
Answer: A program that identifies, prioritizes, and addresses security vulnerabilities in an organization's systems and applications.
What is a security patch management program?
Answer: A program that manages the process of identifying, testing, and deploying security patches to address vulnerabilities in an organization's systems and applications.
What is Secure Sockets Layer (SSL)?
Answer: A protocol that provides secure communication over the internet by encrypting data between web servers and web browsers.
What is a security key exchange protocol?
Answer: A protocol used to exchange encryption keys securely between two parties.
What is a security information and event management (SIEM) correlation rule?
Answer: A rule that specifies criteria for correlating security events and alerts to detect and respond to security threats.
What is the difference between a security control and a security countermeasure?
Answer: A security control is a general term that refers to any measure or mechanism used to reduce risk, while a security countermeasure specifically refers to a measure that is implemented in response to a known threat.
What is the difference between a security incident and a security event?
Answer: A security event is any observable occurrence that has the potential to affect the security of an organization's systems or data, while a security incident is an event that has been confirmed as a security breach or compromise.
What is multi-factor authentication?
Answer: A security mechanism that requires users to provide more than one form of authentication, such as a password and a fingerprint, to gain access to a system.
What is a security token service (STS)?
Answer: A service that issues and manages security tokens used for authentication and authorization.
What is a secure coding practice?
Answer: A set of coding techniques and best practices that are designed to reduce the likelihood of security vulnerabilities in software.
What is a security baseline?
Answer: A set of minimum security requirements that must be met by an organization's systems and networks.
What is an access control list (ACL)?
Answer: A set of rules that determines which users or systems are allowed to access or interact with a particular resource.
What is malware?
Answer: Software that is designed to cause harm or damage to a computer system, network, or data.
What is a security control objective?
Answer: A specific goal or requirement that a security control is designed to achieve.
What is a security information exchange format (STIX)?
Answer: A standard format for exchanging security information and threat intelligence.
What is a security content automation protocol (SCAP)?
Answer: A standardized approach to assessing and managing security vulnerabilities and configurations.
What is a risk management framework?
Answer: A structured approach to identifying, analyzing, and mitigating risks to an organization's systems and data.
What is a security incident response team (SIRT)?
Answer: A team responsible for responding to security incidents and managing the organization's incident response plan.
What is a security vulnerability scanner?
Answer: A tool that scans an organization's systems and networks for vulnerabilities.
What is a security log analysis tool?
Answer: A tool used to analyze logs of security events and actions to identify potential security threats.
What is the difference between a vulnerability assessment and a penetration test?
Answer: A vulnerability assessment is a non-intrusive evaluation of an organization's security posture, while a penetration test is an intrusive evaluation that attempts to exploit identified vulnerabilities.
What is the difference between a vulnerability disclosure program and a bug bounty program?
Answer: A vulnerability disclosure program is a formal process for reporting and addressing security vulnerabilities, while a bug bounty program is a program that rewards individuals for reporting vulnerabilities.
What is the difference between a vulnerability and a risk?
Answer: A vulnerability is a weakness in a system that can be exploited by an attacker, while a risk is the likelihood and potential impact of a vulnerability being exploited.
What is the difference between a vulnerability scan and a penetration test?
Answer: A vulnerability scan is a non-intrusive evaluation of an organization's systems and networks, while a penetration test is an intrusive evaluation that attempts to exploit identified vulnerabilities.
What is a zero-day vulnerability?
Answer: A vulnerability that is unknown to the software vendor and for which no patch or fix has been released.
What is a security posture assessment?
Answer: An assessment of an organization's overall security posture, including strengths, weaknesses, and areas for improvement.
What is a security control assessment?
Answer: An assessment of an organization's security controls to determine their effectiveness and compliance with industry standards and regulations.
What is a denial of service (DoS) attack?
Answer: An attack that attempts to make a server, network, or website unavailable by overwhelming it with traffic or requests.
What is a phishing attack?
Answer: An attack that attempts to trick individuals into revealing sensitive information, such as passwords or credit card numbers, by posing as a trustworthy entity.
What is a man-in-the-middle (MitM) attack?
Answer: An attack that intercepts communication between two parties to eavesdrop or modify the data being exchanged.
What is a security vulnerability exploit?
Answer: An attack that uses a vulnerability in an organization's systems or applications to gain unauthorized access or control.
What is a digital signature?
Answer: An electronic method of verifying the authenticity and integrity of a message or document.
What is a security information and event management (SIEM) correlation engine?
Answer: An engine that analyzes security events and alerts to detect and respond to security threats.
What is a security incident?
Answer: An event that could potentially threaten the confidentiality, integrity, or availability of an organization's information or systems.
What is a threat actor?
Answer: An individual or group that initiates a security threat, such as an attacker or hacker.
What is a security clearance investigation?
Answer: An investigation into an individual's background, character, and loyalty to determine their eligibility for a security clearance.
What is a certificate authority?
Answer: An organization that issues digital certificates that can be used to verify the identity of individuals, systems, or organizations.
What is the difference between confidentiality and privacy?
Answer: Confidentiality refers to the protection of sensitive information from unauthorized access, while privacy refers to an individual's right to control their personal information.
What is the CIA triad?
Answer: Confidentiality, Integrity, and Availability.
What is the most critical element of an organization's security program?
Answer: People
What is the difference between symmetric and asymmetric encryption?
Answer: Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption uses a public key for encryption and a private key for decryption.
What is a security culture?
Answer: The collective beliefs, attitudes, and behaviors of an organization's employees towards security.
What is a security posture?
Answer: The overall level of security of an organization's systems, data, and operations.
What is the concept of defense in depth?
Answer: The principle of implementing multiple layers of security controls to protect an organization's systems and data.
What is the principle of least privilege?
Answer: The principle that users and processes should only be given the minimum level of access necessary to perform their duties.
What is encryption?
Answer: The process of converting plain text into an unreadable format to protect the confidentiality of the data.
What is a security policy lifecycle?
Answer: The process of developing, implementing, reviewing, and updating an organization's security policies and procedures.
What is security incident response plan testing?
Answer: The process of testing an organization's security incident response plan to ensure it is effective and efficient.
What is security incident response playbook testing?
Answer: The process of testing an organization's security incident response playbook to ensure it is effective and efficient.
What is security control validation?
Answer: The process of testing and verifying the effectiveness of an organization's security controls.
What is social engineering?
Answer: The use of deception to manipulate individuals into divulging confidential information or performing actions that may not be in their best interest.
What is the role of a security manager?
Answer: To plan, implement, and manage an organization's security program.
What is the primary purpose of a security policy?
Answer: To provide guidance and direction for the organization's security program.
A computer responsible for hosting applications to user workstations. NIST SP 800-82 Rev.2
Application Server
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
Application programming interface (API)
_________ makes a single system resilient against technical failures.
Fault Tolerance
The internet protocol (and program) used to transfer files between hosts.
File Transfer Protocol (FTP)
(Revisit) What disaster recovery metric provides the targeted amount of time to restore a service after a failure?
RTO
A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid.
Ransomware
Disaster Recovery Test types:
Read-through, Walk-through, Simulation, Parallel Test, Full interruption test
_________ ask each team member to review their role in the disaster recovery process and provide feedback.
Read-throughs
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
Technical Controls
3 Common Points of Failure in a system.
Power Supply, Storage Media, Networking
_________ Risk that remains in an organization after controls.
Residual Risk
The following are detection types for an IDS:
1. Signature-based detection 2. Anomaly-based detection (also known as behavior-based detection or heuristic-based detection)
Disk Mirroring is which RAID level?
1
_________ provide structure during cybersecurity incidents.
Incident Response Plan
What is the minimum number of disks required to perform RAID level 5?
3
Disk striping with parity is which RAID level?
5 (uses 3 or more disks to store data)
What is the best way to protect against viruses? A) User Education B) Patching C) NIDS D) Fences
A) User Education
Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1) A) Administrative B) Finite C) Physical D) Technical
A) Administrative
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put the documents into a safe at the end of the workday, where they are locked up until the following workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1) A) Administrative B) Tangential C) Physical D) Technical
A) Administrative
What is known as a ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction? A) Cloud Computing B) Hybrid Computing C) Server Farm D) Segregated Networks
A) Cloud Computing
Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an attack designed to affect the availability of the environment. Which of the following might be the attack Ludwig sees? (D4.2 L4.2.1) A) DDOS (distributed denial of service) B) Spoofing C) Exfiltrating stolen data D) An insider sabotaging the power supply
A) DDOS (distributed denial of service)
What is port 53 used for? A) DNS B) FTPS C) HTTP D) RDP
A) DNS
During the offboarding process, administrators disable accounts and revoke authorizations at the appropriate time. What is this known as? A) Deprovisioning B) Provisioning C) Setup D) Installation
A) Deprovisioning
When data has reached the end of the retention period, it should be _____. (D5.1, L5.1.1) A) Destroyed B) Archived C) Enhanced D) Sold
A) Destroyed
A human guard monitoring a hidden camera could be considered a ______ control. (D3, L3.2.1) A) Detective B) Preventive C) Deterrent D) Logical
A) Detective
What do professionals call network traffic that exists between systems located in the data center? A) East-West Traffic B) Side-by-Side Traffic C) Local Traffic D) On Premise Traffic
A) East-West Traffic
________________________ use externally forced errors. A) Fault Injection Attacks B) Reverse Engineering C) SQL Injections D) XSS
A) Fault Injection Attacks
What are 4 types of VPN Endpoints? A) Firewalls, Routers, Servers, VPN Concentrators B) Computers, Switches, Hubs, Modems C) Firewalls, NID, HID, DMZ D) Switches, Routers, OpenVPN, NAS
A) Firewalls, Routers, Servers, VPN Concentrators
_____ combines symmetric cryptography and hashing. A) HMAC B) BMAC C) CMAC D) AMAC
A) HMAC (Hash-Based Message Authentication Code)
What is port 80 used for? A) HTTP B) HTTPS C) FTP D) RDP
A) HTTP
What is it called when a ping request is successfully received and answered? A) ICMP Echo Reply B) ICMP Echo Response C) ICMP Echo Request D) ICMP Echo Init
A) ICMP Echo Reply
_________________ monitor network traffic for signs of malicious activity. A) IDS B) Firewall C) Anti-Virus D) Cameras
A) IDS
Which cloud service category allows customers to purchase servers/storage? A) IaaS B) PaaS C) SaaS D) TaaS
A) IaaS (Infrastructure as a Service)
What firewall rule states that any traffic not explicitly allowed by another firewall rule must be blocked? A) Implicit Deny B) Explicit Deny C) Strict Deny D) Closed Deny
A) Implicit Deny (This is a default deny rule)
An attacker outside the organization attempts to gain access to the organization's internal files. This is an example of a(n) ______. (D2, L2.1.1) A) Intrusion B) Exploit C) Disclosure D) Publication
A) Intrusion
All of the following are typically perceived as drawbacks to biometric systems, except: (D3, L3.2.1) A) Lack of accuracy B) Potential privacy concerns C) Retention of physiological data past the point of employment D) Legality
A) Lack of accuracy
At what layer of the OSI model do cables exist? A) Layer 1 (Physical) B) Layer 2 (Data Link) C) Layer 3 (Network) D) Layer 4 (Transport)
A) Layer 1 (Physical)
What principle states that individuals should only have the minimum set of permissions necessary to carry out their job functions? A) Least privilege B) Two person control C) Job rotation D) Separation of privileges
A) Least privilege
Tekila works for a government agency. All data in the agency is assigned a particular sensitivity level, called a "classification." Every person in the agency is assigned a "clearance" level, which determines the classification of data each person can access. What is the access control model being implemented in Tekila's agency? (D3, L3.3.1) A) MAC (mandatory access control) B) DAC (discretionary access control) C) RBAC (role-based access control) D) FAC (formal access control)
A) MAC (mandatory access control)
_____________ provide security services for other organizations as a managed service. A) MSSPs B) CSSPs C) NSSPs D) RSSPs
A) MSSPs
______________ attacks exploit flaws in browsers and browser plugins. A) Man-in-the-Browser B) Man-in-the-Middle C) Man-in-the-Connection D) Man-in-the-Know
A) Man-in-the-Browser
What is the most stringent access control type? A) Mandatory Access Control (MAC) B) Role-Based Access Control (RBAC) C) Discretionary Access Control (DAC) D) None of the above
A) Mandatory Access Control (MAC)
What are the layer names for the TCP/IP model? A) Network Interface, Internet, Transport, Application B) Transport, Session, Presentation, Application C) Data Link, Network, Transport, Presentation D) Physical, Data Link, Network, Session
A) Network Interface, Internet, Transport, Application
Which type of fire-suppression system is typically the safest for humans? (D4.3 L4.3.1) A) Water B) Dirt C) Oxygen-depletion D) Gaseous
A) Water
A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________. (D1, L1.1.1) A) Non-repudiation B) Multifactor authentication C) Biometrics D) Privacy
A) Non-repudiation
What do professionals call network traffic that exists between systems and systems on the internet? A) North-South Traffic B) Side-by-Side Traffic C) Local Traffic D) On Premise Traffic
A) North-South Traffic
Bluetooth devices create what type of networks? A) Personal Area Networks (PANs) B) Wide Area Networks (WANs) C) Mobile Area Networks (MANs) D) Wireless Local Area Networks (WLANs)
A) Personal Area Networks (PANs)
Nmap is an example of a _____ tool. A) Port scanning B) Web application vulnerability scanning C) Protocol analyzing D) Network vulnerability scanning
A) Port scanning
You encrypt with the _________ key and decrypt with the _________ key. A) Public, Private B) Private, Public
A) Public, Private
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees transferring from one department to another, getting promoted, or cross-training to new positions can get access to the different assets they'll need for their new positions, in the most efficient manner. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Barbed wire
A) Role-based access controls (RBAC)
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Logging
A) Role-based access controls (RBAC)
How does the TCP three-way handshake look? A) SYN > SYN/ACK > ACK B) ACK > SYN > ACK/SYN C) SYN > ACK > SYN/ACK D) SYN/ACK > ACK > SYN
A) SYN > SYN/ACK > ACK
What are the three cloud service categories? A) SaaS, IaaS, PaaS B) SaaS, MaaS, TaaS C) FaaS, EaaS, PaaS D) FaaS, MaaS, TaaS
A) SaaS, IaaS, PaaS
MSSPs may also be referred to as ____________. A) Security as a Service (SECaaS) B) Protection as a Service (PROaaS) C) Physical Security as a Service (PHSaaS) D) None of the above
A) Security as a Service (SECaaS)
_____________ firewalls track open connections. A) Stateful B) Stateless C) Semi-Stateful D) Semi-Stateless
A) Stateful (These are Modern Firewalls)
Which one of the following devices carries VLANs on a network? A) Switch B) Router C) Firewall D) Hub
A) Switch
In ______________ encryption you encrypt and decrypt with the same shared secret key. A) Symmetric B) Asymmetric
A) Symmetric
AES is ___________ and RSA is ____________. A) Symmetric, Asymmetric B) Asymmetric, Symmetric
A) Symmetric, Asymmetric
What is the risk associated with resuming full normal operations too soon after a DR effort? (D2, L2.3.1) A) The danger posed by the disaster might still be present B) Investors might be upset C) Regulators might disapprove D) The organization could save money
A) The danger posed by the disaster might still be present
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3) A) The same length B) The same characters C) The same language D) Different for the same inputs
A) The same length
Attestation reviews formal approval documentation. A) True B) False
A) True
True or False An emergency workflow is when an administrator disables accounts immediately when a user is unexpectedly terminated. A) True B) False
A) True
True or False In-band (inline) IPS deployment mode sits in the path of network communications. A) True B) False
A) True
True or False MD5 is no longer a secure hashing algorithm. A) True B) False
A) True
True or False Out-of-band (passive) IPS deployment mode connects to a SPAN port on a switch. A) True B) False
A) True
True or False Pipes that contain water and are ready to deploy when a fire strikes are known as "Wet Pipe Systems". A) True B) False
A) True
True or False Split tunnel VPNs send only traffic destined for the corporate network through the VPN tunnel. Other traffic is routed directly over the internet. A) True B) False
A) True
True or False Split tunnel VPNs provide users with a false sense of security. A) True B) False
A) True
True or False The security responsibility for IaaS platforms is separated into two categories: the vendor is responsible for the hardware and data center, and the customer is responsible for the OS, applications, and the data maintained. A) True B) False
A) True
True or False The security responsibility for PaaS platforms is separated into two categories: the vendor is responsible for the hardware, OS, and data center, and the customer is responsible for the applications and the data maintained. A) True B) False
A) True
True or False The security responsibility for SaaS platforms is separated into two categories: the vendor is responsible for the hardware, OS, applications, and data center, and the customer is responsible for just the data maintained. A) True B) False
A) True
Vendors extend your organization's technology environment. If they handle data on your behalf, you should expect they execute the same degree of care that you would in your own operations. A) True B) False
A) True
Requiring two people to enter sensitive areas together is known as what? A) Two Person Integrity B) Two Person Control
A) Two Person Integrity
_________ describe authorized uses of technology.
Acceptable Use Policies (AUP)
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information. Source: OMB Circular A-130
Adequate Security
Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
Administrative Controls
_________ use processes to achieve control objectives.
Administrative Controls
Events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, defacement of a web page or execution of malicious code that destroys data.
Adverse Events
What is a security operations center (SOC)?
Answer: A centralized team responsible for monitoring and responding to security incidents and events.
What is a security incident severity level?
Answer: A classification system used to categorize security incidents based on their potential impact and severity.
What is a security governance committee?
Answer: A committee responsible for overseeing an organization's security program and ensuring it aligns with business objectives.
What is a security content repository?
Answer: A database or storage system that contains security-related information and documentation.
What is a honeypot?
Answer: A decoy system that is designed to attract and detect unauthorized access attempts.
What is a DMZ?
Answer: A demilitarized zone, a network segment that is isolated from the internal network and is used to host servers that are accessible from the internet.
What is a security incident report?
Answer: A document that summarizes the details of a security incident, including the cause, impact, and response.
What is a security risk assessment report?
Answer: A document that summarizes the findings of a security risk assessment, including identified vulnerabilities and recommended security controls.
What is a security incident response playbook?
Answer: A documented plan that outlines the specific steps to be taken in response to different types of security incidents.
What is a security incident response plan?
Answer: A documented plan that outlines the steps to be taken in the event of a security incident.
What is a business continuity plan?
Answer: A documented plan that outlines the steps to be taken to maintain critical business operations in the event of a disruption or disaster.
What is a disaster recovery plan?
Answer: A documented plan that outlines the steps to be taken to restore systems and data after a disruption or disaster.
What is a security threat intelligence feed?
Answer: A feed of information about security threats, vulnerabilities, and attacks that can be used to inform an organization's security program.
What is a security governance framework?
Answer: A framework that outlines the policies, procedures, and processes for managing an organization's security program.
What is a security assessment framework?
Answer: A framework that provides guidelines and standards for conducting security assessments.
What is a security architecture framework?
Answer: A framework that provides guidelines and standards for designing and implementing a secure architecture for an organization's systems and applications.
What is a security information and event management (SIEM) dashboard?
Answer: A graphical display that provides a real-time view of an organization's security events and alerts.
What is a security breach notification law?
Answer: A law that requires organizations to notify individuals of a security breach that may have compromised their personal information.
What is a security clearance?
Answer: A level of authorization granted to an individual that allows them access to sensitive or classified information.
What is a security audit trail?
Answer: A log of security events and actions that can be used to track and investigate security incidents.
What is a security control?
Answer: A measure or mechanism that is implemented to reduce or mitigate a security risk.
The most essential representation of data (zero or one) at Layer 1 of the Open Systems Interconnection (OSI) model.
Bit
The ability of computers and robots to simulate human intelligence and behavior.
Artificial Intelligence
Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
Asset
An algorithm that uses one key to encrypt and a different key to decrypt the input plaintext.
Asymmetric Encryption
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B
Audit
RJ-45 (Ethernet Cables) connectors have how many pins? A) 6 B) 4 C) 8 D) 10
C) 8
Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one (single factor or SFA) or more (multi-factor authentication or MFA) factors of identification.
Authentication
The right or a permission that is granted to a system entity to access a system resource. NIST 800-82 Rev.2
Authorization
Ensuring timely and reliable access to and use of information by authorized users.
Availability
What goal of security is enhanced by a strong business continuity program?
Availability
What port range is known as the "registered" ports? A) 1,000 - 50,000 B) 1,024 - 49,151 C) 1,025 - 55,252 D) 1,215 - 48,565
B) 1,024 - 49,151
Which one of the following ports is not normally used by email systems? A) 25 B) 139 C) 110 D) 143
B) 139 - NetBIOS
SHA-1 produces _____ bit hashes. A) 128 B) 160 C) 256 D) 512
B) 160
How many components does malware have? A) 1 B) 2 C) 4 D) 9
B) 2 (1. Propagation mechanism, 2. Payload)
If two people want to use asymmetric communication to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.2) A) 1 B) 4 C) 8 D) 11
B) 4
What is the minimum acceptable temperature for a data center? A) 80.6 degrees Fahrenheit B) 64.4 degrees Fahrenheit C) 72.4 degrees Fahrenheit D) 68.0 degrees Fahrenheit
B) 64.4 degrees Fahrenheit
Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2) A) 12 B) 80 C) 247 D) 999
B) 80
Network Access Control (NAC) uses __________ authentication. A) 800.5x B) 802.1x C) 741.5x D) 850.2x
B) 802.1x
Which of the following is probably most useful at the perimeter of a property? (D3, L3.2.1) A) A safe B) A fence C) A data center D) A centralized log storage facility
B) A fence
A tool that monitors local devices to reduce potential threats from hostile software. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
B) Anti-malware
In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) A) Vulnerability B) Asset C) Threat D) Likelihood
B) Asset
In ______________ encryption you encrypt and decrypt with the same shared secret key. A) Symmetric B) Asymmetric
B) Asymmetric
_________________ algorithms use keypairs where each user gets a public key and a private key. A) Symmetric B) Asymmetric
B) Asymmetric
Keys used for ____________ encryption and decryption must be from the same pair. A) Symmetric B) Asymmetric
B) Asymmetric Example: Bob wants to send Alice an encrypted email. To do so, he uses Alice's public key to encrypt the message, and then Alice decrypts it using her private key.
What type of network is most often used to connect peripherals to computers and mobile devices? A) Wi-Fi B) Bluetooth C) WAN D) LAN
B) Bluetooth
What type of physical security control should always be disclosed to visitors when used? A) Fences B) Cameras C) Intrusion alarms D) Security guards
B) Cameras
The section of the IT environment that is closest to the external world; where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3) A) VLAN B) DMZ C) MAC D) RBAC
B) DMZ
Zarma is an (ISC)² member and a security analyst for Triffid Corporation. One of Zarma's colleagues is interested in getting an (ISC)² certification and asks Zarma what the test questions are like. What should Zarma do? (D1, L1.5.1) A) Inform (ISC)² B) Explain the style and format of the questions, but no detail C) Inform the colleague's supervisor D) Nothing
B) Explain the style and format of the questions, but no detail
True or False In a Replay Attack, the attacker can see the encoded credentials. A) True B) False
B) False
True or False SHA-1 is a secure hashing algorithm. A) True B) False
B) False
True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. A) True B) False
B) False
True or False Authentication determines what an authorized user can do. A) True B) False
B) False Correct Answer: Authorization determines what an authenticated user can do.
Visitors to a secure facility need to be controlled. Controls useful for managing visitors include all of the following except: (D3, L3.2.1) A) Sign-in sheet/tracking log B) Fence C) Badges that differ from employee badges D) Receptionist
B) Fence
Which one of the following is not a characteristic of cloud computing? A) Ubiquitous B) Fixed C) On-demand D) Convenient
B) Fixed
What is port 443 used for? A) HTTP B) HTTPS C) FTP D) RDP
B) HTTPS
Decoy networks designed to attract attackers. A) LAN B) Honeynet C) Honeybowl D) Honeycombs
B) Honeynet
_____________________ block malicious activity automatically. A) IDS B) IPS C) Anti-Virus D) Biometrics
B) IPS
Glen is an (ISC)² member. Glen receives an email from a company offering a set of answers for an (ISC)² certification exam. What should Glen do? (D1, L1.5.1) A) Nothing B) Inform (ISC)² C) Inform law enforcement D) Inform Glen's employer
B) Inform (ISC)²
Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)
B) Infrastructure as a service (IaaS)
The logical address of a device connected to the network or Internet. (D4.1 L4.1.1) A) Media access control (MAC) address B) Internet Protocol (IP) address C) Geophysical address D) Terminal address
B) Internet Protocol (IP) address
Network border firewalls have three different security zones; these are called: A) Private, Internal, Virtual B) Internet, DMZ, Internal C) Internet, VLAN, Local D) Internet, DMZ, Private
B) Internet, DMZ, Internal
Switches operate at which layers of the OSI model? (Pick two) A) Layer 1 (Physical) B) Layer 2 (Data Link) C) Layer 3 (Network) D) Layer 4 (Transport)
B) Layer 2 (Data Link) C) Layer 3 (Network)
Which of the following would be best placed in the DMZ of an IT environment? (D4.3 L4.3.3) A) User's workplace laptop B) Mail server C) Database engine D) SIEM log storage
B) Mail server
Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) A) FTP (File Transfer Protocol) B) NTP (Network Time Protocol) C) SMTP (Simple Mail Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)
B) NTP (Network Time Protocol)
What are ports 137, 138, and 139 used for? A) SMB B) NetBIOS C) LDAP D) NTP
B) NetBIOS
Which cloud service category allows customers to purchase an app platform? A) IaaS B) PaaS C) SaaS D) TaaS
B) PaaS (Platform as a Service)
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1) A) Inform (ISC)² B) Pay the parking ticket C) Inform supervisors at Triffid D) Resign employment from Triffid
B) Pay the parking ticket
The senior leadership of Triffid Corporation decides that the best way to minimize liability for the company is to demonstrate the company's commitment to adopting best practices recognized throughout the industry. Triffid management issues a document that explains that Triffid will follow the best practices published by SANS, an industry body that addresses computer and information security. The Triffid document is a ______, and the SANS documents are ________. (D1, L1.4.2) A) Law, policy B) Policy, standard C) Policy, law D) Procedure, procedure
B) Policy, standard
By far, the most crucial element of any security instruction program. (D5.4, L5.4.1) A) Protect assets B) Preserve health and human safety C) Ensure availability of IT systems D) Preserve shareholder value
B) Preserve health and human safety
Which cloud deployment model exclusively uses dedicated cloud resources for a customer? A) Community cloud B) Private cloud C) Hybrid cloud D) Public cloud
B) Private cloud
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
B) Procedure
After onboarding, administrators create authentication credentials and grant appropriate authorization. What is this known as? A) Deprovisioning B) Provisioning C) Setup D) Installation
B) Provisioning
What is the goal of an incident response effort? (D2, L2.1.1) A) No incidents ever happen B) Reduce the impact of incidents on operations C) Punish wrongdoers D) Save money
B) Reduce the impact of incidents on operations
What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) A) Save money B) Return to normal, full operations C) Preserve critical business functions during a disaster D) Enhance public perception of the organization
B) Return to normal, full operations
What access control type grants permissions to groups of people? A) Mandatory Access Control (MAC) B) Role-Based Access Control (RBAC) C) Discretionary Access Control (DAC) D) None of the above
B) Role-Based Access Control (RBAC)
What network device can connect together multiple networks? A) Switch B) Router C) AP D) Wireless controller
B) Router
What new authentication technology is introduced with Wi-Fi Protected Access v3 (WPA3)? A) Blockchain B) SAE C) RKIP D) Blowfish
B) SAE
_______ uses a completely different hash generation approach than SHA-2. A) SHA-1 B) SHA-3 C) SHA-4 D) SHA-5
B) SHA-3
What is port 22 used for? A) HTTP B) SSH C) FTP D) SMB
B) SSH
_________________ tricks browsers into using unencrypted communications. A) Spoofing B) SSL Stripping C) HTTP Masquerade D) Detour Attack
B) SSL Stripping
What TCP flag indicates that a packet is requesting a new connection? A) PSH B) SYN C) RST D) URG
B) SYN
Proper alignment of security policy and business goals within the organization is important because: (D5.3, L5.3.1) A) Security should always be as strict as possible B) Security policy that conflicts with business goals can inhibit productivity C) Bad security policy can be illegal D) Security is more important than business
B) Security policy that conflicts with business goals can inhibit productivity
Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of: (D3, L3.1.1) A) Two-person integrity B) Segregation of duties C) Software D) Defense in depth
B) Segregation of duties
What type of malware prevention is most effective against known viruses? A) Behavior analysis B) Signature detection C) Anomaly detection D) Heuristic detection
B) Signature detection
___________ firewalls evaluate each connection independently. A) Stateful B) Stateless C) Semi-Stateful D) Semi-Stateless
B) Stateless
Tina is an (ISC)² member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1) A) Nothing B) Stop participating in the group C) Report the group to law enforcement D) Report the group to (ISC)²
B) Stop participating in the group
In order for a biometric security to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1) A) Broadcast B) Stored C) Deleted D) Modified
B) Stored
When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) A) The organizational security policy B) The acceptable use policy (AUP) C) The bring-your-own-device (BYOD) policy D) The workplace attire policy
B) The acceptable use policy (AUP)
In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) A) Fear B) Threat C) Control D) Asset
B) Threat
Requiring two people to jointly approve sensitive actions is known as what? A) Two Person Integrity B) Two Person Control
B) Two Person Control
What is known as a lightweight, connectionless protocol? A) TCP B) UDP C) RDP D) LDAP
B) UDP
Triffid, Inc., has deployed anti-malware solutions across its internal IT environment. What is an additional task necessary to ensure this control will function properly? (D4.2 L4.2.3) A) Pay all employees a bonus for allowing anti-malware solutions to be run on their systems B) Update the anti-malware solution regularly C) Install a monitoring solution to check the anti-malware solution D) Alert the public that this protective measure has been taken
B) Update the anti-malware solution regularly
Local Area Networks (LAN) are connected to what? A) Wi-Fi B) WAN C) TAN D) MAN
B) WAN
What type of security policy normally describes how users may access business information with their own devices?
BYOD Policy
_________ provide a data "safety net"
Backups
A documented, lowest level of security configuration allowed by a standard or organization.
Baseline
_________ provide a configuration snapshot.
Baselines (track changes)
What term best describes making a snapshot of a system or application at a point in time for later comparison?
Baselining
Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.
Biometric
Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and worm capabilities.
Bot
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose. Source: NIST SP 800-53 Rev. 5
Breach
_________ cover use of personal devices with company information.
Bring Your Own Device (BYOD) Policies
Broadcast transmission is a one-to-many (one-to-everyone) form of sending internet traffic.
Broadcast
Actions, processes and tools for ensuring an organization can continue critical operations during a contingency.
Business Continuity (BC)
The documentation of a predetermined set of instructions or procedures that describe how an organization's mission/business processes will be sustained during and after a significant disruption.
Business Continuity Plan (BCP)
_________ is the set of controls designed to keep a business running in the face of adversity, whether natural or man-made.
Business Continuity Planning (BCP)
An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. Reference: https://csrc.nist.gov/glossary/term/business-impact-analysis
Business Impact Analysis (BIA)
_________ identifies and prioritizes risks.
Business Impact Assessment
The byte is a unit of digital information that most commonly consists of eight bits.
Byte
How many layers does the TCP model have? A) 2 B) 1 C) 4 D) 7
C) 4
What dew point range should be maintained in a data center? A) 64.4 F - 80.6 F B) 50 F - 85 F C) 41.9 - 50 F D) 45 F - 90 F
C) 41.9 - 50 F
Of the following, which would probably not be considered a threat? (D1, L1.2.1) A) Natural disaster B) Unintentional damage to the system caused by a user C) A laptop with sensitive data on it D) An external attacker trying to gain unauthorized access to the environment
C) A laptop with sensitive data on it
Temporary networks that may bypass security controls. A) Honeypot B) Honeynet C) Ad-Hoc Network D) Temporary LAN
C) Ad-Hoc Network
Data retention periods apply to ____ data. (D5.1, L5.1.1) A) Medical B) Sensitive C) All D) Secret
C) All
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina's credentials, so that Doug can get some work done. What is the problem with this? (D3, L3.3.1) A) Doug is a bad person B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance C) Anything either of them do will be attributed to Trina D) It is against the law
C) Anything either of them do will be attributed to Trina
___________ steal computing power, network bandwidth, and storage capacity. A) Blockchains B) Virus C) Botnets D) Spyware
C) Botnets
_______________ add a third-party security layer to the interactions that users have with other cloud services. A) Brokers B) Help Desk C) CASB (Cloud Access Security Brokers) D) ITASB (IT Access Security Brokers)
C) CASB (Cloud Access Security Brokers)
Wi-Fi Protected Access v2 (WPA2) adds security with _____________. A) ICMP B) PNP C) CCMP D) RMPT
C) CCMP
What set of principles uses the built environment to improve security? A) CSA B) NSA C) CPTED D) NIST
C) CPTED
At Parvi's place of work, the perimeter of the property is surrounded by a fence; there is a gate with a guard at the entrance. All inner doors only admit personnel with badges, and cameras monitor the hallways. Sensitive data and media are kept in safes when not in use. This is an example of _______. (D3, L3.1.1) A) Two-person integrity B) Segregation of duties C) Defense in depth D) Penetration testing
C) Defense in depth
Which access control system is flexible and determined by file owners? (This access control is the most common) A) Mandatory Access Control (MAC) B) Role-Based Access Control (RBAC) C) Discretionary Access Control (DAC) D) None of the above
C) Discretionary Access Control (DAC)
What is port 21 used for? A) HTTP B) SSH C) FTP D) SMB
C) FTP
_____________ alerts when a device leaves defined boundaries. A) NIDS B) Firewalls C) Geofencing D) Routers
C) Geofencing
_____________ adds user location information to logs. A) Caching B) Hashing C) Geotagging D) Stickies
C) Geotagging
What is it called when a ping request is successfully sent? A) ICMP Echo Reply B) ICMP Echo Response C) ICMP Echo Request D) ICMP Echo Init
C) ICMP Echo Request
What is port 143 used for? A) NetBIOS B) SSH C) IMAP D) SMTP
C) IMAP
Aphrodite is a member of (ISC)² and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1) A) Inform (ISC)² B) Inform law enforcement C) Inform Triffid management D) Nothing
C) Inform Triffid management
IPSec (Internet Protocol Security) operates at what layer of the OSI model? A) Layer 1 B) Layer 2 C) Layer 3 D) Layer 6
C) Layer 3 (Supports L2TP - Layer 2 Tunneling Protocol)
At what layer of the OSI model does data translation and encryption/decryption take place? A) Layer 1 (Physical) B) Layer 2 (Data Link) C) Layer 6 (Presentation) D) Layer 7 (Application)
C) Layer 6 (Presentation)
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2) A) Acceptance B) Avoidance C) Mitigation D) Transference
C) Mitigation
Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1) A) Side channel B) DDOS C) On-path D) Physical
C) On-path
________ cloud computing uses a shared responsibility model. A) Private B) Hybrid C) Public D) Community
C) Public
Data _____ is data left behind on systems/media after normal deletion procedures have been attempted. (D5.1, L5.1.1) A) Fragments B) Packets C) Remanence D) Residue
C) Remanence
A document that specifies requirements a customer has about any aspect of a vendor's service performance. A) DLR B) Contract C) SLR D) NDA
C) SLR (Service-Level Requirements)
At what stage of the TCP three-way handshake is the request to connect generated? A) ACK B) SYN/ACK C) SYN
C) SYN
Which cloud service category allows customers to purchase an entire app and have it built? A) IaaS B) PaaS C) SaaS D) TaaS
C) SaaS (Software as a Service)
Who dictates policy? (D5.3, L5.3.1) A) The security manager B) The Human Resources office C) Senior management D) Auditors
C) Senior management
A device typically accessed by multiple users, often intended for a single purpose, such as managing email or web pages. (D4.1 L4.1.1) A) Router B) Switch C) Server D) Laptop
C) Server
Which one of the following techniques is useful in preventing replay attacks? A) Man-in-the-middle B) Full disk encryption C) Session tokens D) Mobile device management
C) Session tokens
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2) A) Law B) Policy C) Standard D) Procedure
C) Standard
What is the piece of software running on a device that enables it to connect to a NAC-protected network? A) SNMP agent B) Authenticator C) Supplicant D) Authentication server
C) Supplicant
Wi-Fi Protected Access (WPA) changes keys with the ______________ Key Integrity Protocol (TKIP). A) Traditional B) Temporary C) Temporal D) Tailored
C) Temporal
Which of the following activities is usually part of the configuration management process, but is also extremely helpful in countering potential attacks? (D4.2 L4.2.3) A) Annual budgeting B) Conferences with senior leadership C) Updating and patching systems D) The annual shareholders' meeting
C) Updating and patching systems
Brad is configuring a new wireless network for his small business. What wireless security standard should he use? A) WPA B) WEP2 C) WPA2 D) WEP
C) WPA2
When should a business continuity plan (BCP) be activated? (D2, L2.2.1) A) As soon as possible B) At the very beginning of a disaster C) When senior management decides D) When instructed to do so by regulators
C) When senior management decides
_________ cover the documentation, approval, and rollback of technology changes.
Change Management Policies
_________ and _________ help ensure a stable operating environment.
Change and Configuration Management
_________ are empty data centers stocked with core equipment, network, and environmental controls but with no servers. Relatively inexpensive, but can take weeks or even months to become operational.
Cold Site
A digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.
Checksum
The altered form of a plaintext message so it is unreadable for anyone except the intended recipients. In other words, it has been turned into a secret.
Ciphertext
Classification identifies the degree of harm to the organization, its stakeholders or others that might result if an information asset is divulged to an unauthorized person, process or organization. In short, classification is focused first and foremost on maintaining the confidentiality of the data, based on the data sensitivity.
Classification
Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
Classified or Sensitive Information
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. NIST 800-145
Cloud computing
BCP in the cloud requires _________ between providers and customers.
Collaboration
An access control system that sets up user permissions based on roles.
Role-based access control (RBAC)
A system in which the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises. NIST 800-145
Community cloud
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST 800-66
Confidentiality
_________ tracks specific device settings.
Configuration Management
A process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated.
Configuration management
What are the initial response goals regarding Disaster Recovery?
Contain the Damage, Recover normal operations
During an incident response, what is the highest priority of first responders?
Containing the damage
BCP is also known as _________.
Continuity of Operations Planning (COOP)
An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.
Crime Prevention through Environmental Design (CPTED)
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1
Criticality
What security principle does a firewall implement with traffic when it does not have a rule that explicitly defines an action for that communication? A) Least privilege B) Separation of duties C) Informed consent D) Implicit deny
D) Implicit deny
Which of the following statements is true? (D3, L3.3.1) A) Logical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls B) Physical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls C) Administrative access controls can protect the IT environment perfectly; there is no reason to deploy any other controls D) It is best to use a blend of controls in order to provide optimum security
D) It is best to use a blend of controls in order to provide optimum security
The city of Grampon wants to ensure that all of its citizens are protected from malware, so the city council creates a rule that anyone caught creating and launching malware within the city limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
D) Law
At what layer of the OSI model do TCP and UDP exist? A) Layer 1 (Physical) B) Layer 2 (Data Link) C) Layer 3 (Network) D) Layer 4 (Transport)
D) Layer 4 (Transport)
One who performs cryptanalysis which is the study of mathematical techniques for attempting to defeat cryptographic techniques and/or information systems security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.
Cryptanalyst
The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning.
Cryptography
What network port is used for SSL/TLS VPN connections? A) 88 B) 80 C) 1521 D) 443
D) 443
How many possible ports are there on a network? A) 65,300 B) 1,000 C) 10,000 D) 65,535
D) 65,535
How many layers does the OSI model have? A) 2 B) 1 C) 4 D) 7
D) 7
Which of the following is a biometric access control mechanism? (D3, L3.2.1) A) A badge reader B) A copper key C) A fence with razor tape on it D) A door locked by a voiceprint identifier
D) A door locked by a voiceprint identifier
Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) A) A credit card presented to a cash machine B) Your password and PIN C) A user ID D) A photograph of your face
D) A photograph of your face
Security needs to be provided to ____ data. (D5.1, L5.1.1) A) Restricted B) Illegal C) Private D) All
D) All
Which of these is the most important reason to conduct security instruction for all employees? (D5.4, L5.4.1) A) Reduce liability B) Provide due diligence C) It is a moral imperative D) An informed user is a more secure user
D) An informed user is a more secure user
Within the organization, who can identify risk? (D1, L1.2.2) A) The security manager B) Any security team member C) Senior management D) Anyone
D) Anyone
What type of lock always requires entering a code to enter the facility? A) Magnetic stripe card lock B) Proximity card lock C) Biometric lock D) Cipher lock
D) Cipher lock
Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Segregation of duties C) Least privilege D) Dual control
D) Dual control
Intranet segments that are extended to business partners. A) Intranet B) Internet C) VPN D) Extranet
D) Extranet
Rachel recently investigated a security alert from her intrusion detection system and, after exhaustive research, determined that the alert was not the result of an intrusion. What type of error occurred? A) True positive B) False negative C) True negative D) False positive
D) False positive
A device that filters network traffic in order to enhance overall security/performance. (D4.1 L4.1.1) A) Endpoint B) Laptop C) MAC (media access control) D) Firewall
D) Firewall
A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
D) Firewall
Network traffic originating from outside the organization might be admitted to the internal IT environment or blocked at the perimeter by a ________. (D3, L3.2.1) A) Turnstile B) Fence C) Vacuum D) Firewall
D) Firewall
Ricky would like to separate his network into three distinct security zones. Which one of the following devices is best suited to that task? A) IPS B) Router C) Switch D) Firewall
D) Firewall
Which of the following is not a typical benefit of cloud computing services? (D4.3 L4.3.2) A) Reduced cost of ownership/investment B) Metered usage C) Scalability D) Freedom from legal constraints
D) Freedom from legal constraints
Gary is unable to log in to the production environment. Gary tries three times and is then locked out of trying again for one hour. Why? (D3, L3.3.1) A) Gary is being punished B) The network is tired C) Users remember their credentials if they are given time to think about it D) Gary's actions look like an attack
D) Gary's actions look like an attack
Purchasing server instances and configuring them to run your own software is an example of what cloud deployment model? A) SecaaS B) PaaS C) SaaS D) IaaS
D) IaaS (Keyword: server)
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege
D) Least privilege
A VLAN is a _____ method of segmenting networks. (D4.3 L4.3.3) A) Secret B) Physical C) Regulated D) Logical
D) Logical
For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1) A) Medical systems that store patient data B) Retail records of past transactions C) Online streaming of camera feeds that display historical works of art in museums around the world D) Medical systems that monitor patient condition in an intensive care unit
D) Medical systems that monitor patient condition in an intensive care unit
___________ combines resources from two different public cloud vendors. A) Public B) Hybrid C) Community D) Multi-Cloud
D) Multi-Cloud
What is the most important control to apply to smart devices? A) Intrusion detection B) Application firewalls C) Wrappers D) Network segmentation
D) Network segmentation
Nessus is an example of a _____ tool. A) Port scanning B) Web application vulnerability scanning C) Protocol analyzing D) Network vulnerability scanning
D) Network vulnerability scanning
What is port 110 used for? A) DNS B) LDAP C) NetBIOS D) POP
D) POP
What is the most important goal of a business continuity effort? (D2, L2.2.1) A) Ensure all IT systems function during a potential interruption B) Ensure all business activities are preserved during a potential disaster C) Ensure the organization survives a disaster D) Preserve health and human safety
D) Preserve health and human safety
What is port 3389 used for? A) HTTPS B) SQL Server C) SMB D) RDP
D) RDP
An organization must always be prepared to ______ when applying a patch. (D5.2, L5.2.1) A) Pay for the updated content B) Buy a new system C) Settle lawsuits D) Rollback
D) Rollback
A tool that aggregates log data from multiple sources, and typically analyzes it and reports potential threats. (D4.2 L4.2.2) A) HIDS B) Anti-malware C) Router D) SIEM
D) SIEM
What type of agreement is used to define availability requirements for an IT service that an organization is purchasing from a vendor? A) ISA B) MOU C) BPA D) SLA
D) SLA (Service-Level Agreement)
A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) A) Physical B) Administrative C) Passive D) Technical
D) Technical
What are RJ-11 cables used for? A) Computers B) Monitors C) Printers D) Telephone connections
D) Telephone connections
_________ describe how to protect sensitive information.
Data Handling Policies
The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A
Data Integrity
System capabilities designed to detect and prevent the unauthorized use and transmission of information.
Data Loss Prevention (DLP)
The opposite process of encapsulation, in which bundles of data are unpacked or revealed.
De-encapsulation
The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key for decryption (which is the same for symmetric encryption, but different for asymmetric encryption). This term is also used interchangeably with "deciphering."
Decryption
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4
Defense in Depth
A technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data.
Degaussing
The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) Source: NIST SP 800-27 Rev A
Denial-of-Service (DoS)
_________ identify security issues requiring investigation.
Detective Control
_________ serve as important configuration artifacts.
Diagrams
_________ include all data modified since the last full backup.
Differential Backups
In information systems terms, the activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale.
Disaster Recovery (DR)
The processes, policies and procedures related to preparing for recovery or continuation of an organization's critical business functions, technology infrastructure, systems and applications after the organization experiences a disaster. A disaster is when an organization's critical business function(s) cannot be performed at an acceptable level within a predetermined period following a disruption.
Disaster Recovery Plan (DRP)
_________ provide alternate data processing.
Disaster Recovery Sites
A certain amount of access control is left to the discretion of the object's owner, or anyone else who is authorized to control the object's access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192
Discretionary Access Control (DAC)
This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
Domain Name Service (DNS)
What is the Vendor Management Life Cycle? A) Vendor Selection B) Onboarding C) Monitoring D) Offboarding E) All of the above F) None of the above
E) All of the above
Enforcement of data hiding and code hiding during all phases of software development and operational use. Bundling together data and methods is the process of encapsulation; its opposite process may be called unpacking, revealing, or using other terms. Also used to refer to taking any set of data and packaging it or hiding it in another data structure, as is common in network protocols and encryption.
Encapsulation
To protect private information by putting it into a form that can only be read by people who have permission to do so.
Encrypt
The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
Encryption
A particular attack. It is named this way because these attacks exploit system vulnerabilities.
Exploit
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
Firewalls
Backups == Recovery
For exam (Logical and Technical Controls are the same)
In a fragment attack, an attacker fragments traffic in such a way that a system is unable to put data packets back together.
Fragment attack
_________ include a complete copy of all data.
Full Backups
_________ switch primary operations to the alternate environment and can be very disruptive to business.
Full Interruption tests
What law applies to the use of personal information belonging to European Union residents?
GDPR
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
General Data Protection Regulation (GDPR)
_________ is geographically distant, offers site resiliency, requires manual transfer or site replication through SAN or VM, and provides online or offline backups.
Offsite Storage
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
Governance
Which element of the security policy framework includes suggestions that are not mandatory?
Guidelines
_________ describe best practices.
Guidelines (recommendations/advice and compliance is not mandatory)
The physical parts of a computer and related devices.
Hardware
An algorithm that computes a numerical value (called the hash value) on a data file or electronic message that is used to represent that file or message and depends on the entire contents of the file or message. A hash function can be considered to be a fingerprint of the file or message. NIST SP 800-152
Hash Function
___________ is a one-way function that transforms a variable length input into a unique, fixed-length output.
Hash Function
The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. Source CNSSI 4009-2015
Hashing
This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individuals' health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.
Health Insurance Portability and Accountability Act (HIPAA)
What type of control are we using if we supplement a single firewall with a second standby firewall ready to assume responsibility if the primary firewall fails?
High Availability
_________ uses multiple systems to protect against service failure.
High Availability
_________ are fully operational data centers stocked with equipment and data and are available at a moment's notice. Very expensive.
Hot Site
Disaster Recovery Facility Sites:
Hot Site, Cold Site, Warm Site
What type of disaster recovery site is able to be activated most quickly in the event of a disruption?
Hot site
A combination of public cloud storage and private cloud storage where some critical data resides in the enterprise's private cloud while other data is stored and accessible from a public cloud storage provider.
Hybrid cloud
The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
Impact
An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.
Incident
The mitigation of violations of security policies and recommended practices. Source: NIST SP 800-61 Rev 2
Incident Handling
The mitigation of violations of security policies and recommended practices. Source: NIST SP 800-61 Rev 2
Incident Response (IR)
The documentation of a predetermined set of instructions or procedures to detect, respond to and limit consequences of a malicious cyberattack against an organization's information systems(s). Source: NIST SP 800-34 Rev 1
Incident Response Plan (IRP)
_________ describe the policies and procedures governing cybersecurity incidents.
Incident Response Plans
Which type of backup includes only those files that have changes since the most recent full or incremental backup?
Incremental
_________ include all data modified since the last full or incremental backup.
Incremental Backups
The potential adverse impacts to an organization's operations (including its mission, functions, image and reputation), assets, individuals, other organizations, and even the nation, that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.
Information Security Risk
The requirements for information sharing by an IT system with one or more other IT systems or applications, for information sharing to support multiple internal or external organizations, missions, or public programs. NIST SP 800-16
Information Sharing
The provider of the core computing, storage and network hardware and software that is the foundation upon which organizations can build and then deploy applications. IaaS is popular in the data center where software and servers are purchased as a fully outsourced service and usually billed on usage and how much of the resource is used.
Infrastructure as a Service (IaaS)
Monitoring of incoming network traffic.
Ingress Monitoring
_________ is the initial risk of an organization, before any controls are applied.
Inherent Risk
An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32
Insider Threat
IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.
Institute of Electrical and Electronics Engineers
The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.
Integrity
What term describes risks that originate inside the organization?
Internal
The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
International Organization of Standards (ISO)
An IP network protocol standardized by the Internet Engineering Task Force (IETF) through RFC 792 to determine if a particular service or host is available.
Internet Control Message Protocol (ICMP)
The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B
Internet Engineering Task Force (IETF)
Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. CNSSI 4009-2015
Internet Protocol (IPv4)
A security event, or combination of security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization. Source: IETF RFC 4949 Ver 2
Intrusion
The highest priority of a first responder must be containing damage through _________.
Isolation
The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.
Layered Defense
The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Likelihood
An automated system that controls an individual's ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual's identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev.5.
Logical Access Control Systems
An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them. Source: NISTIR 7711
Man-in-the-Middle
Access control that requires the system itself to manage access controls in accordance with the organization's security policies.
Mandatory Access Control
An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.
Mantrap
A digital signature that uniquely identifies data and has the property such that changing a single bit in the data will cause a completely different message digest to be generated. NISTIR-8011 Vol.3
Message Digest
Part of a zero-trust strategy that breaks LANs into very small, highly localized zones using firewalls or similar technologies. At the limit, this places a firewall at every connection point.
Microsegmentation
_________ is crucial to effective incident identification.
Monitoring
Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
Multi-Factor Authentication
_________ should be consulted when developing a plan.
NIST SP 800-61
NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Division.
National Institute of Standards and Technology (NIST)
_________ use subjective ratings to evaluate risk likelihood and impact.
Qualitative Risk Assessment
The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Non-repudiation
Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4
Object
The software "master control application" that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations. NIST SP 800-44 Version 2
Operating System
Purposely sending a network packet that is larger than expected or larger than can be handled by the receiving system, causing the receiving system to fail unexpectedly.
Oversized Packet Attack
Representation of data at Layer 3 of the Open Systems Interconnection (OSI) model.
Packet
(Revisit) Which disaster recovery tests involve the actual activation of the DR site?
Parallel
_________ activate the disaster recovery environment but do not switch operations there.
Parallel tests
_________ cover password security practices.
Password Policies
A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component. Source: ISO/IEC 19770-2
Patch
The systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs. Source: CNSSI 4009
Patch Management
The primary action of a malicious code attack.
Payload
An information security standard administered by the Payment Card Industry Security Standards Council that applies to merchants and service providers who process credit or debit card transactions.
Payment Card Industry Data Security Standard (PCI DSS)
The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information."
Personally Identifiable Information (PII)
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
Physical Access Controls
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
Physical Controls
_________ impact the physical world.
Physical Controls
A message or data in its natural format and in readable form; extremely vulnerable from a confidentiality perspective.
Plaintext
The web-authoring or application development middleware environment that allows applications to be built in the cloud before they're deployed as SaaS assets.
Platform as a Service (PaaS)
_________ describe an organization's security expectations.
Policies (mandatory and approved at the highest level of an organization)
What four items belong to the security policy framework?
Policies, Standards, Guidelines, Procedures
The principle that users and programs should have only the minimum privileges necessary to complete their tasks. NIST SP 800-179
Principle of Least Privilege
_________ leads to strong incident response.
Prior Planning
The right of an individual to control the distribution of information about themselves.
Privacy
_________ cover the use of personally identifiable information.
Privacy Policies
The phrase used to describe a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department. A private cloud is designed to offer the same features and benefits of cloud systems, but removes a number of objections to the cloud computing model, including control over enterprise and customer data, worries about security, and issues connected to regulatory compliance.
Private cloud
An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4
Privileged Account
The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Source: NIST SP 800-30 Rev. 1
Probability
_________ are step-by-step instructions.
Procedures (not mandatory)
A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. Source: NISTIR 8286
Quantitative Risk Analysis
_________ use objective numeric ratings to evaluate risk likelihood and impact.
Quantitative Risk Assessment
Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
Protected Health Information (PHI)
A set of rules (formats and procedures) to implement and control some type of association (that is, communication) between systems. NIST SP 800-82 Rev. 2
Protocols
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. NIST SP 800-145
Public cloud
A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high. Source: NISTIR 8286
Qualitative Risk Analysis
The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). NIST SP 800-53 Rev. 4
Records
A practice based on the records life cycle, according to which records are retained as long as necessary, and then are destroyed after the appropriate time interval has elapsed.
Records Retention
_________ remediate security issues that have occurred.
Recovery Control
_________ is the amount of data to recover.
Recovery Point Objective (RPO)
_________ is the percentage of service to restore.
Recovery Service Level (RSL)
_________ is the amount of time to restore service.
Recovery Time Objective (RTO)
_________ protects against the failure of a single component.
Redundancy
Residual information remaining on storage media after clearing. NIST SP 800-88 Rev. 1
Remanence
The first stage of change management, wherein a change in procedure or product is sought by a stakeholder.
Request for change (RFC)
A possible event which can have a negative impact upon the organization.
Risk
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
Risk Acceptance
The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Assessment
_________ identifies and triages risks.
Risk Assessment
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Avoidance
_________ changes business practices to make a risk irrelevant.
Risk Avoidance
The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
Risk Management
A structured approach used to oversee and manage risk for an enterprise. Source: CNSSI 4009
Risk Management Framework
Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.
Risk Mitigation
_________ reduces the likelihood or impact of a risk.
Risk Mitigation
An organization's _________ is the set of risks that it faces.
Risk Profile
The level of risk an entity is willing to assume in order to achieve a potential desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.
Risk Tolerance
_________ is the level of risk an organization is willing to accept.
Risk Tolerance
Paying an external party to accept the financial impact of a given risk.
Risk Transference
Purchasing an insurance policy is an example of which risk management strategy?
Risk Transference
The determination of the best way to address an identified risk.
Risk Treatment
_________ analyzes and implements possible responses to control risk.
Risk Treatment
_________ are the combination of a threat and a vulnerability.
Risks
An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.
Rule
The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. Source: FIPS PUB 199
Security Controls
_________ reduce the likelihood or impact of a risk and help identify issues.
Security Controls
The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.
Security Governance
_________ is a security solution that collects information from diverse sources, analyzes it for signs of security incidents and retains it for later use.
Security Incident and Event Management (SIEM)
A centralized organizational function fulfilled by an information security team that monitors, detects and analyzes events on the network or system to prevent and resolve issues before they result in business disruptions.
Security Operations Center
The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.
Segregation of Duties
A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1
Sensitivity
The standard communication protocol for sending and receiving emails between senders and receivers.
Simple Mail Transport Protocol (SMTP)
_________ use a practice scenario to test the disaster recovery plan.
Simulations
_________ identifies and removes SPOFs.
Single Point of Failure Analysis
Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.
Single-Factor Authentication
_________ are types of full backups.
Snapshots and Images
Tactics to infiltrate systems via email, phone, text, or social media, often impersonating a person or agency in authority or offering a gift. A low-tech method would be simply following someone into a secure building.
Social engineering
Computer programs and associated data that may be dynamically written or modified during execution. NIST SP 800-37 Rev. 2
Software
The cloud customer uses the cloud provider's applications running within a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Derived from NIST 800-145
Software as a Service (SaaS)
Faking the sending address of a transmission to gain illegal entry into a secure system. CNSSI 4009-2015
Spoofing
_________ describe specific security controls and are often derived from policies.
Standards (mandatory)
The condition an entity is in at a point in time.
State
Incident Response Plans should include:
Statement of Purpose, Strategies and goals for incident response, Approach to incident response, Communication with other groups, Senior leadership approval
Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP 800-53 Rev. 4
Subject
Joe performs full backups every Sunday evening and incremental backups every weekday evening. His system fails on Friday morning. What backups does he restore?
Sunday's FULL backup (To establish a base), Monday, Tuesday, Wednesday, and Thursday incremental backups
Joe performs full backups every Sunday evening and differential backups every weekday evening. His system fails on Friday morning. What backups does he restore?
Sunday's FULL backup (To establish a base), Thursday's differential backup (To grab the latest data change)
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. Source: NIST SP 800-30 Rev 1
Threat
An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
Threat Actor
The means by which a threat actor carries out their objectives.
Threat Vector
_________ are methods used by attackers.
Threat Vectors
_________ are external forces that jeopardize security.
Threats
An operating system used in software development.
Unix
The process of creating, maintaining and deactivating user identities on a system.
User Provisioning
Hardening == Preventative
Virus == Detective
A virtual local area network (VLAN) is a logical group of workstations, servers, and network devices that appear to be on the same LAN despite their geographical distribution.
VLAN
A virtual private network (VPN), built on top of existing networks, that can provide a secure communications mechanism for transmission between networks.
VPN
Disaster Recovery Testing Goals:
Validate that the plan functions correctly, Identify necessary plan updates
_________ assigns numbers to each version.
Versioning
_________ gather the team together for a formal review of the disaster recovery plan.
Walk-throughs (aka Tabletop exercise)
_________ are stocked with all necessary equipment and data but are not maintained in a parallel fashion. Similar in expense to hot sites and can become operational in hours or days.
Warm Site
A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an "intranet server." NIST SP 800-44 Version 2
Web Server
Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities.
Whaling Attack
The graphical user interface (GUI) for the Nmap Security Scanner, an open-source application that scans networks to determine everything that is connected as well as other information.
Zenmap
A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.
Zero Day
Removing the design belief that the network has any trusted space. Security is managed at each possible level, representing the most granular asset. Microsegmentation of workloads is a tool of the model.
Zero Trust