ITEC 433 midterm study guide

Phishing

An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information

In the NIST Cyber Risk Framework, the ____________________ would be at Tier 1

C suite execs (CISO not applicable because they report to CIO)

CIA

Confidentiality, Integrity, Availability

GLBA

Gramm-Leach-Bliley Act

The NIST Framework for Improving Critical Infrastructure has the following components:

Identify, protect, detect, respond, recover

SPII

Sensitive PII, loss of the information would result in substantial harm, embarrassment, inconvenience, or unfairness

A threat can impact an information systems via ___________________

Unauthorized access Modification of information Denial of service

Ransomeware

a type of malicious software designed to block access to a computer system until a sum of money is paid.

risk type:Business interruptions/disasters

an organization will experience loss of critical functions caused by natural or manmade disasters or hazards

risk type: compliance

an organization will fail to comply with laws, regulations, policies and procedures, standards of conduct, or other prescribed requirements or guidance

Which is not a common type of cyber attacker?

employee

risk management goal

maximize the output while minimizing the chance of unexpected outcomes

Attack types

ransomeware, phishing, malware, dos,etc

Risk response options

- Avoid - Mitigate - Share/Transfer - Accept

Early integration of security in the SDLC enables agencies to maximize return on investment through:

-Early identification and mitigation of security vulnerabilities and misconfigurations -Awareness of potential engineering challenges -Facilitation of informed executive decision making through comprehensive risk management in a timely manner.

Identity theft

A crime that involves someone pretending to be another person in order to steal money or obtain benefits

_________________________mitigation technique is used to standardize a minimum baseline with change management

Config. management

___________________________mitigation technique is used to standardize a minimum baseline with change management.

Configuration management

COBIT

Control Objectives for Information and Related Technology

policy vs law

Difference between policy and law: ignorance of a policy is an acceptable defense

avoidance risk response

Eliminate the source of the risk / eliminate expose of assets to the risk

T/F Access controls utilize the principle of most privilege and the principle of need to know.

False

T/F Every security incident results in a data breach.

False

T/F Losses occur when a vulnerability exposes a threat.

False

FERPA

Family Educational Rights and Privacy Act

FISMA

Federal Information Security Management Act

HIPPA

Health Insurance Portability and Accountability Act

Which is a way to reduce breach costs?

Incident Response Team Use of encryption Employee training Keep patches current

Managing risk requires _________________

Knowledge of threats Thinking outside the box Look for opportunities and capabilities

Which is not a component when implementing the Cyber Risk Management Framework (CRMF)

Level of effort is not risk and project dependent

risk management frameworks

NIST, COBIT, ISO

NIST

National Institute of Standards and Technology

PCI DSS

Payment Card Industry Data Security Standard

PII

Personally Identifiable Information. Information about individuals that can be used to trace a person's identity, such as a full name, birthdate, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.

Confidentiality is _________________________

Preventing unauthorized disclosure of information

Which is NOT a benefit of a Risk Management Framework

Provides a structured, rigid process for managing risk related to the operation of information systems

NIST documents for cyber risk management are identified by _________________________

SP 8-- - xx then the title

SOX

Sarbanes-Oxley Act

Integrity is ______________________________

To ensure the data is not modified or destroyed

share/transfer risk response

Transfers or shares the risk with another asset to minimize the impact

T/F Ransomware is often combined with phishing attack.

True

T/F A vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

True

T/F The goal of cyber security risk management is to ensure that the confidentiality, integrity, availability and accountability of the organization's resources are maintained at an acceptable level.

True

denial of service attack

a cyber attack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources

Enterprise Risk Management (ERM)

agency wide approach to addressing full spectrum of significant risks by considering the combined array of risks as an interrelated portfolio, not a silo

Risk Appetite

amount of risk that the organization is willing to accept given consideration of costs and benefits

Threats

any activity that represents a possible danger

Security Incident

any event that compromised the CIA of an info asset. A violation or imminent threat of violation of computer sec. policies, acceptable use policies, or standard sec. practices

Data breach

any incident that resulted in confirmed disclosure, not just exposure, to an unauthorized party

skimming

capture and recording of magnetic stripe data on the back of credit cards

Impact is the magnitude of harm that can be expect to result from ____________________________

consequence of a threat exercising a vulnerability

Impact

consequence of occurrence, penalty incurred if objective is not met

Which is not considered when evaluating mitigation techniques?

ease of implementation

unintentional threats

environmental, human error, accidents, equipment failures

T/F Threats can often be eliminated

false

T/F Access controls utilize the principle of most privilege and the principle of need to know.

false

T/F It is very important that a system be "framed" but it does not impact the cyber risk.

false

T/F Security requirements are a special set of requirements levied on an information system and are not part of the system development life cycle.

false

T/F The most effective risk management is to focus on cyber security risks in a silo

false

T/F enterprise Risk Management is a silo approach to addressing company risks.

false

risk type: financial

financial and economic risks including: market, credit, interest rate, currency, price and liquidity risks; risk associated with an organization's ability to raise capital or maintain access to capital, as well as contracting, accounting and disclosure issues

Intentional threats

greed, espionage, anger, desire to damage

5 core functions of risk management

identify, protect, detect, respond

When to use FERPA

in the case of student privacy, parents can access information when student is under the age of 18 but needs consent after that

_________________________ risk is the risk to an entity in the absence of any actions management might take to alter the risks' likelihood or impact.

inherent

Risk

likelihood that a loss will occur

risk profile

listing and assessment of the business's top risks

cyber security

managing the risks to sensitive data and critical resources, aims to ensure cia of the organizations resources are maintained at an acceptable level

physical data breach

physical theft of documents of equipment

mitigate risk response

reduce the vulnerability (likelihood or impact)

____________________________ risk is the risk that remains after controls are implemented.

residual

Loss

results in a compromise to business functions or assets that adversely affects the business

malware

software that is intended to damage or disable computers and computer systems.

Which is NOT an objective ore the Cyber Security Risk Management Framework (CRMF)?

support management of cyber security risk at only upper organization levels

accept risk response

take no action, accept the risk because it does not have a large impact

exploit

the act of taking advantage of a vulnerability resulting in a compromise to the system, app, or data

Residual risk

the risk that remains after management implements internal controls or some other response to risk

Inherent risk

the risk to an entity in the absence of any actions management might take to alter the risks likelihood or impact

USCERT mission

to provide response support and defense against cyber attacks for any federal civil executive branche of the gov. or sites with .gov domain name

Aggregate risk

total or cum. amount of exposure associated w specified risk

T/F The NIST 5 Core Core Cyber Security Functions map to the security controls found in NIS SP 800-53 R4.

true

T/F NIST has the authority through FISMA to develop the security risk framework for the federal government and contractors.

true

T/F Risk is the likelihood that a loss will occur

true

T/F A security incident is any event that compromised the confidentiality, integrity, or availability of an information asset.

true

T/F E-mail phishing is an attempt to trick someone in the workplace into giving out information using e-mail

true

T/F The NIST Cyber RIsk Framework is a multi-tiered approach from Tier 1 - Organizational to Tier 3 - Information systems

true

T/F When working with risk management, a control is the same thing as a mitigation.

true

electronic data breach

unauth. access on a system or network where customer data is hosted and stored

USCERT

united states computer emergency readiness team monitors the security of us networks and the internet responds to attacks

A ____________________ commonly spread through file sharing, web download, email attachments.

virus

Vulnerability

weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source

When to use PCI DSS

when making online transactions or using bank cards

When to use HIPPA

when using or disclosing personal health information

A ___________________________ can crawl through networks without human interaction.

worm