ITEC 433 midterm study guide
Phishing
An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
In the NIST Cyber Risk Framework, the ____________________ would be at Tier 1
C-suite execs (CISO not applicable because they report to the CIO)
CIA
Confidentiality, Integrity, Availability
GLBA
Gramm-Leach-Bliley Act
The NIST Framework for Improving Critical Infrastructure has the following components:
Identify, protect, detect, respond, recover
SPII
Sensitive PII; loss of the information would result in substantial harm, embarrassment, inconvenience, or unfairness
A threat can impact an information system via ___________________
- Unauthorized access - Modification of information - Denial of service
Ransomware
a type of malicious software designed to block access to a computer system until a sum of money is paid.
risk type: business interruptions/disasters
an organization will experience loss of critical functions caused by natural or manmade disasters or hazards
risk type: compliance
an organization will fail to comply with laws, regulations, policies and procedures, standards of conduct, or other prescribed requirements or guidance
Which is not a common type of cyber attacker?
employee
risk management goal
maximize the output while minimizing the chance of unexpected outcomes
Attack types
ransomware, phishing, malware, DoS, etc.
Risk response options
- Avoid - Mitigate - Share/Transfer - Accept
Early integration of security in the SDLC enables agencies to maximize return on investment through:
- Early identification and mitigation of security vulnerabilities and misconfigurations - Awareness of potential engineering challenges - Facilitation of informed executive decision making through comprehensive risk management in a timely manner
Identity theft
A crime that involves someone pretending to be another person in order to steal money or obtain benefits
_________________________ mitigation technique is used to standardize a minimum baseline with change management.
Configuration management
COBIT
Control Objectives for Information and Related Technology
policy vs law
Difference between policy and law: ignorance of a policy is an acceptable defense
avoidance risk response
Eliminate the source of the risk / eliminate exposure of assets to the risk
T/F Access controls utilize the principle of most privilege and the principle of need to know.
False
T/F Every security incident results in a data breach.
False
T/F Losses occur when a vulnerability exposes a threat.
False
FERPA
Family Educational Rights and Privacy Act
FISMA
Federal Information Security Management Act
HIPAA
Health Insurance Portability and Accountability Act
Which is a way to reduce breach costs?
- Incident response team - Use of encryption - Employee training - Keep patches current
Managing risk requires _________________
- Knowledge of threats - Thinking outside the box - Looking for opportunities and capabilities
Which is not a component when implementing the Cyber Risk Management Framework (CRMF)
Level of effort is not risk and project dependent
risk management frameworks
NIST, COBIT, ISO
NIST
National Institute of Standards and Technology
PCI DSS
Payment Card Industry Data Security Standard
PII
Personally Identifiable Information. Information about individuals that can be used to trace a person's identity, such as a full name, birthdate, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.
Confidentiality is _________________________
Preventing unauthorized disclosure of information
Which is NOT a benefit of a Risk Management Framework
Provides a structured, rigid process for managing risk related to the operation of information systems
NIST documents for cyber risk management are identified by _________________________
SP 800-xx, then the title
SOX
Sarbanes-Oxley Act
Integrity is ______________________________
To ensure the data is not modified or destroyed
share/transfer risk response
Transfers or shares the risk with another asset to minimize the impact
T/F Ransomware is often combined with phishing attack.
True
T/F A vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.
True
T/F The goal of cyber security risk management is to ensure that the confidentiality, integrity, availability and accountability of the organization's resources are maintained at an acceptable level.
True
denial of service attack
a cyber attack in which an attacker sends a flood of data packets to the target computer, with the aim of overloading its resources
Enterprise Risk Management (ERM)
agency-wide approach to addressing the full spectrum of significant risks by considering the combined array of risks as an interrelated portfolio, not a silo
Risk Appetite
amount of risk that the organization is willing to accept given consideration of costs and benefits
Threats
any activity that represents a possible danger
Security Incident
any event that compromises the CIA of an information asset; a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
Data breach
any incident that resulted in confirmed disclosure, not just exposure, to an unauthorized party
skimming
capture and recording of magnetic stripe data on the back of credit cards
Impact is the magnitude of harm that can be expected to result from ____________________________
consequence of a threat exercising a vulnerability
Impact
consequence of occurrence, penalty incurred if objective is not met
Which is not considered when evaluating mitigation techniques?
ease of implementation
unintentional threats
environmental, human error, accidents, equipment failures
T/F Threats can often be eliminated
false
T/F It is very important that a system be "framed" but it does not impact the cyber risk.
false
T/F Security requirements are a special set of requirements levied on an information system and are not part of the system development life cycle.
false
T/F The most effective risk management is to focus on cyber security risks in a silo.
false
T/F Enterprise Risk Management is a silo approach to addressing company risks.
false
risk type: financial
financial and economic risks including: market, credit, interest rate, currency, price and liquidity risks; risk associated with an organization's ability to raise capital or maintain access to capital, as well as contracting, accounting and disclosure issues
Intentional threats
greed, espionage, anger, desire to damage
5 core functions of risk management
identify, protect, detect, respond
When to use FERPA
in the case of student privacy; parents can access information when the student is under the age of 18 but need consent after that
_________________________ risk is the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact.
inherent
Risk
likelihood that a loss will occur
risk profile
listing and assessment of the business's top risks
cyber security
managing the risks to sensitive data and critical resources; aims to ensure the CIA of the organization's resources is maintained at an acceptable level
physical data breach
physical theft of documents or equipment
mitigate risk response
reduce the vulnerability (likelihood or impact)
____________________________ risk is the risk that remains after controls are implemented.
residual
Loss
results in a compromise to business functions or assets that adversely affects the business
malware
software that is intended to damage or disable computers and computer systems.
Which is NOT an objective of the Cyber Security Risk Management Framework (CRMF)?
support management of cyber security risk at only upper organization levels
accept risk response
take no action, accept the risk because it does not have a large impact
exploit
the act of taking advantage of a vulnerability resulting in a compromise to the system, app, or data
Residual risk
the risk that remains after management implements internal controls or some other response to risk
Inherent risk
the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact
USCERT mission
to provide response support and defense against cyber attacks for any federal civil executive branch of the government or sites with a .gov domain name
Aggregate risk
total or cumulative amount of exposure associated with a specified risk
T/F The NIST 5 Core Cyber Security Functions map to the security controls found in NIST SP 800-53 R4.
true
T/F NIST has the authority through FISMA to develop the security risk framework for the federal government and contractors.
true
T/F Risk is the likelihood that a loss will occur
true
T/F A security incident is any event that compromised the confidentiality, integrity, or availability of an information asset.
true
T/F E-mail phishing is an attempt to trick someone in the workplace into giving out information using e-mail.
true
T/F The NIST Cyber Risk Framework is a multi-tiered approach from Tier 1 - Organizational to Tier 3 - Information systems.
true
T/F When working with risk management, a control is the same thing as a mitigation.
true
electronic data breach
unauthorized access on a system or network where customer data is hosted and stored
USCERT
United States Computer Emergency Readiness Team; monitors the security of US networks and the Internet and responds to attacks
A ____________________ is commonly spread through file sharing, web downloads, and email attachments.
virus
Vulnerability
weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source
When to use PCI DSS
when making online transactions or using bank cards
When to use HIPAA
when using or disclosing personal health information
A ___________________________ can crawl through networks without human interaction.
worm