Lesson 1: Understanding Vulnerability Response, Handling, and Management


What is a risk management program?

A risk management program works to identify risks and determine how to minimize their likelihood or impact.

Implementing this strictly, for example with multifactor authentication, can reduce the attack surface significantly. Limiting access to sensitive data and systems to reduce the risk of unauthorized access is known as what?

Access Control

Which policy dictates how work is completed during a maintenance window?

Change Management

What are STIGs?

Department of Defense (DoD) Security Technical Implementation Guides (STIGs) are hardening guides that are available to outline secure configurations in precise detail.

True or False. Critical security patches are best implemented during the next most convenient maintenance window.

False. Critical patches should be implemented immediately.

True or False. Cybersecurity operations are driven by technical implementers.

False. Cybersecurity programs are driven by senior leadership via governance.

What does GRC stand for?

Governance, Risk, and Compliance

Define Operational Control.

Operational control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

Systems, services, and protocols are discovered and characterized by analyzing network packet captures. What type of discovery technique does this describe?

Passive Discovery

What are produced by governance teams and dictate how work tasks are performed?

Policies

What does SOC stand for?

Security Operations Center

What does SaaS stand for?

Software as a Service (SaaS)

Define Compensating Control.

Compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

What is the name of the team that risk managers depend upon to assess whether work is being performed in accordance to policy?

Compliance Team

Define Reactive Maintenance.

Administrators perform reactive maintenance in response to a problem or an outage. Maintenance windows are generally associated with preventative maintenance tasks, as reactive maintenance typically cannot be delayed!

What is an Adversary Emulation?

An adversary emulation seeks to mimic the actions of known threat actor groups. The MITRE ATT&CK® framework typically forms the basis of this type of assessment. After a threat assessment identifies threat actor groups, the ATT&CK framework provides details regarding their tactics, techniques, and procedures (TTPs). Emulating these TTPs helps assess whether existing protections are sufficient to stop attacks characteristic of the threat actor.

What is an Attack Surface?

An attack surface describes all potential pathways a threat actor could use to gain unauthorized access or control. Each piece of software, service, and every enabled protocol on an endpoint offers a unique opportunity for attack. Removing or disabling as many of these as possible can significantly reduce the number of (potentially) exploitable pathways into a system.

Conducting an inventory of all hardware and software assets and user accounts in the environment, then determining which assets are essential for business operations and which can be removed, is known as what?

Asset Inventory

What is being analyzed when all potential pathways a threat actor could use to gain unauthorized access or control of a system are identified and documented?

Attack Surface

What are the points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor?

Attack Surface. An attack surface describes all potential pathways a threat actor could use to gain unauthorized access or control.

What is a bug bounty program?

Bug bounties allow organizations to define areas of their environment they would like help protecting. The bug bounty identifies elements of the environment that are in scope for testing and the rewards available for reporting issues. This approach incentivizes offensive security professionals to assess controls on an ongoing basis and can also help identify unknown and undocumented vulnerabilities.

True or False. Systems should not be monitored during maintenance windows to avoid confusion.

False. Monitoring should still occur, but be aware of what changes are anticipated during the maintenance window.

True or False. Advanced endpoint protection tools eliminate the need for operating system patching.

False. Patching is needed in addition to these tools.

What does a GRC team do?

Governance, risk, and compliance (GRC) teams are responsible for creating and maintaining organizational policies used to direct the work of technical teams. Governance defines the organization's expectations of its employees and its approach to cybersecurity. Leadership teams are responsible for crafting effective responses by changing policies and processes to reflect their objectives. Establishing GRC teams is a common strategy used to accomplish this goal. Governance teams drive the company's direction and respond to risks. Decisions made by governance teams are grounded in the information provided by risk managers.

What is an effective patch management strategy?

It requires patch management software to be configured based on the risks associated with each system and its applications. Mission-critical systems need to be treated differently than less critical ones to support availability requirements. Desktops are often patched as quickly as possible after a brief testing phase.

What is a maintenance window?

Maintenance windows enable preventative maintenance and consistent deployment of noncritical patches. All work planned during maintenance windows should comply with change management policies. Computers and devices are often restarted during maintenance windows, and various services are also modified, restarted, and added. Monitoring infrastructure must be able to correlate events like these to a scheduled maintenance window to adjust alert severity ratings.

The leadership teams would like to develop controls designed to provide oversight of various information systems. What type of control does this describe?

Managerial

Several standards and frameworks exist to help practitioners better understand practical control types. Name some of the examples.

1. NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
2. NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
3. ISO 27001 Standards
4. CIS Controls

What does NIST stand for?

National Institute of Standards and Technology

Dividing a network into smaller subnets can limit the damage an attacker can cause, because breaches and infections can be more effectively contained, thereby reducing the attack surface. What is this known as?

Network Segmentation

A support manager is giving essential security training to the help desk. Which control class is the support manager implementing? A. Operational B. Technical C. Detective D. Managerial

Operational. Operational controls are primarily implemented and executed by people (as opposed to systems). For example, security guards or training programs are examples of operational controls. Managerial controls primarily focus on the management of the information to include policies, procedures, and guidelines. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. These are primarily executed by systems (hardware, software, or firmware). Detective controls are measures taken to detect and respond to incidents or vulnerabilities. These controls provide insight into anomalies or abnormal patterns in the environment.

Define Passive Discovery.

Passive discovery describes the methods used to identify systems, services, and protocols indirectly. Passive discovery, such as network packet capture, can reveal information about network-connected hosts, communications channels, protocols in use, and activity patterns. Passive discovery is beneficial as it leverages careful observation to show characteristics of network-connected software and devices.

What is Patch Management?

Patch management involves regularly monitoring, assessing, and updating an organization's software, such as operating systems, applications, and device drivers. Patch management aims to ensure organizations have the latest security updates and patches to protect their systems from potential vulnerabilities. It should also include a plan for applying these patches promptly and a backup plan in case of disruptions.

Define Proactive Maintenance.

Proactive maintenance is designed to prevent future issues or safely perform work that may impact system performance.

What is TTP?

Tactics, Techniques, and Procedures

A web application firewall identifies and records any attempted or successful intrusion to a log file. What category of control does this describe?

Technical

A security engineer installs a next-generation firewall on the perimeter of a network. This installation is an example of what type of security control class? A. Managerial B. Operational C. Detective D. Technical

Technical. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The engineer would implement technical control as a system (hardware, software, or firmware). The managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. People primarily implement operational control rather than systems. For example, security guards and training programs are operational controls rather than technical controls. The detective control is a functional control that is not a security control class.

Define Technical Control.

Technical control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.

What is a person or entity responsible for an event that has been identified as a security incident or as a risk?

Threat Actor

What activity is focused on deconstructing a system to better understand the threats and exploits that might impact it?

Threat Modeling

What is Threat Modeling?

Threat modeling is the security process whereby potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. It is the process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system.

Which vulnerabilities should be addressed first?

Vulnerabilities with the highest severity and potential impact must be prioritized and addressed first, while those with lower severity and potential impact can be addressed later. It is also important to ensure that any high-severity vulnerabilities are escalated to all relevant stakeholders to ensure they are informed and can contribute to the response as necessary. Additionally, it is vital to have an established process for escalating vulnerabilities in case the severity of the vulnerability changes or the vulnerability is exploited before remediations are implemented.

What is a software repository?

A centralized storage location for software packages.

What are the four categories of risk responses?

1. Avoid 2. Accept 3. Mitigate 4. Transfer

Patch management can be what type of process?

Manual and/or Automated Processes

What is a penetration test?

A penetration test involves hiring a trusted offensive security expert to fill the role of an attacker, tasking them to exploit the environment and evaluate the effectiveness of existing protections. The penetration test includes a findings report crafted with details regarding identified weaknesses and recommended remediations.

A mission-critical system is offline at an organization due to a zero-day attack. The associated software vendor plans to release a patch to remediate the vulnerability. Which of the following are important patch management considerations for this scenario? (Select the three best options.) A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins D. A routine schedule for the rollout of noncritical patches

1. A patch test environment
2. Immediate push delivery of critical security patches
3. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins

A patch test environment where technicians can install, test, and analyze urgent and important patches before deployment into production would be a vital consideration for this scenario. The organization should immediately push delivery of critical security patches at the earliest availability when mission-critical services are in question. A specific team or person responsible for reviewing vendor-supplied newsletters and security patch bulletins is necessary for this type of event. While creating a routine schedule for the rollout of noncritical patches has merit, it does not illustrate important patch management considerations in this example. A security analyst would address noncritical patches at a later time.

Name some of the important patch management considerations.

1. An individual or task-specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins.
2. Mechanisms to patch operating systems and all applications running on them, regardless of application vendor.
3. Patch management principles that incorporate cloud resources.
4. Assigning updates to urgent, important, and noncritical categories.
5. A patch test environment where urgent and important patches can be installed, tested, and analyzed prior to deployment into production.
6. Detailed logging designed to support monitoring and troubleshooting of patch deployment activities.
7. A method to evaluate firmware updates prior to deployment.
8. Immediate push delivery of critical security patches.
9. A routine schedule for the rollout of noncritical patches.

What are some methods commonly incorporated to reduce the attack surface?

1. Asset Inventory 2. Access Control 3. Patching and Updating 4. Network Segmentation 5. Removing Unnecessary Components 6. Employee Training

What does SLO stand for?

Service Level Objectives

An engineer is considering appropriate risk responses using threat modeling. They are trying to understand which threat actors are in scope for their organization. How does threat modeling identify the principal risks and tactics, techniques, and procedures (TTPs) for which their system may be susceptible? (Select the three best options.) A. By evaluating the system from an attacker's point of view B. By evaluating a system from a neutral perspective C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective

1. By evaluating the system from an attacker's point of view
2. Through using tools such as diagrams
3. By analyzing the system from the defender's perspective

Threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) for which a system may be susceptible through evaluating systems from an attacker's point of view. Diagrams can show how a security analyst can deconstruct a system into its functional parts to analyze each area for potential weaknesses. Analyzing systems from a defender's perspective is another way that threat modeling identifies the principal risks and TTPs to which a system may be susceptible. Evaluating systems from a neutral perspective is not a method used in threat modeling.

Name two hardening guides.

1. Center for Internet Security Benchmarks 2. DoD STIGs (Department of Defense Security Technical Implementation Guides)

What are some examples of Configuration Management tools?

1. Chef 2. Puppet 3. Ansible 4. Terraform

What are some common security related SLOs?

1. Mean Time to Detect (MTTD) 2. Mean Time to Recover (MTTR) 3. Time to Patch

The most advanced adversaries typically focus on whom?

1. Military 2. Federal-level Government Agencies 3. High-Tech Companies 4. Large Financial Institutions

What are some of the different control types?

1. Preventative 2. Detective 3. Corrective 4. Compensating 5. Responsive

What are the two categories of maintenance tasks?

1. Reactive 2. Proactive

What are the three classes of controls?

1. Technical 2. Operational 3. Managerial

A support team is preparing for an upcoming maintenance window. What tasks should the support team accomplish during the proactive maintenance windows? (Select the three best options.) A. Restore critical services B. Test patches before deployment C. Restart devices D. Analyze events

1. Test patches before deployment
2. Restart devices
3. Analyze events

Testing patches before deployment ensures that they won't cause issues when they're applied to the live environment. Devices often restart during maintenance windows, and various services are also modified, restarted, and added. Analysis of events occurring during maintenance is essential, as an attacker might try to avoid detection by performing actions during these times. Knowing what will happen in a maintenance window is critical to help discern between authorized and unauthorized events. The support team would not restore critical services following an outage during a proactive maintenance window. This is a task in reactive maintenance. Maintenance windows are generally associated with preventative maintenance tasks, as reactive maintenance typically cannot have delays.

The US Cybersecurity & Infrastructure Security Agency (CISA) identified that what percentage of successful cyberattacks start with a phishing email?

90%

Define Centralized Configuration Management System.

A centralized configuration management system allows an administrator to define device configuration settings on a management server and then push the settings to endpoints in an automated way.

Control over endpoint configuration is the role of what?

Centralized Configuration Management Systems

Define Change Management Rollbacks.

Change management rollback is the process of undoing a system's changes to restore the system to an earlier, pre-change state. Rollbacks can be performed manually or automatically, depending on the system, and are done to return a system to its previous state.

What tool allows administrators to centrally create and enforce software settings?

Configuration Management

Near real-time visibility into device configurations enables what?

Continuous Compliance Monitoring

An organization recently had an attack that resulted in system data loss. The system administrator must now restore the system with a data backup. What functional security control was the system administrator able to implement? A. Preventative B. Responsive C. Corrective D. Compensating

Corrective. The system administrator used a corrective control after the attack. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Responsive controls serve to direct corrective actions enacted after the organization confirms the incident. They often document these actions in a playbook. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

Define Corrective Control.

Corrective control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.

What is a CoA Matrix?

Course of Action (CoA) matrix maps security controls to known adversary tools and tactics, matching your cybersecurity defensive capabilities to the offensive capabilities of potential cyber adversaries.

What does CISA stand for?

Cybersecurity and Infrastructure Security Agency (CISA)

What are cybersecurity SLOs?

Cybersecurity service-level objectives (SLOs) are the standards that organizations and their leadership must meet to ensure the security of their network. These objectives help measure and assess how well security operations protect the organization's assets and assure its customers and stakeholders that systems and data are safe and secure.

A security analyst reviews a firewall log's source IP addresses to investigate an attack. These logs are a representation of what type of functional security control? A. Corrective B. Detective C. Compensating D. Preventative

Detective. The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

Define Detective Control.

Detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.

Define Edge Discovery.

Edge discovery seeks to define the "edge" of the network fully. It is easy to assume that the edge is composed only of Internet-facing servers. The edge is instead composed of every device with Internet connectivity. Assuming that attacks will occur from the Internet, anything accessible to it must be considered as part of the edge.

What can help reduce the attack surface by raising awareness of potential risks and the importance of security measures, helping employees recognize and report potential security threats and reducing the likelihood of successful attacks?

Employee Training

A cybersecurity consultant is examining security control classes for an Infrastructure as a Service (IaaS) provider. The classes measure how effectively assets are protected. Which security control class would the consultant examine to gain oversight of the information system? A. Technical B. Managerial C. Operational D. Detective

Managerial. The managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The consultant would implement technical controls as a system (hardware, software, or firmware). Operational controls are primarily implemented by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls. The detective control is a functional control that is not a security control class.

Define Managerial Control.

Managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

Describe attack surface management.

Managing the attack surface means maintaining awareness of exposed services and ensuring they operate securely per organizational policy. Maintaining awareness necessitates continuous discovery and routine evaluation of configurations to ensure they are secure and working as intended. The most attack-prone area of an organization's infrastructure is the edge, which includes any services exposed to the Internet. Attack surface management describes the methods used to continuously monitor an environment to quickly identify changes to its attack surface. This type of monitoring seeks to continuously locate shadow-IT and other unknown devices, weak or default passwords, misconfigurations, missing patches, and many other items of concern.

Why should you patch test?

Patch testing aims to determine whether a software patch creates problems with the organization's unique mix of hardware, software, and configuration settings. Patch testing should primarily involve testing a patch on a single isolated system to determine whether a patch causes problems, such as software crashes or system instability. Additionally, testing should validate that issues addressed by the software patch work as expected—for example, a patch successfully removes a vulnerability. A common way to test a patch is by setting up a non-production environment hosting like-for-like mission-critical applications, including enterprise applications and networking systems (where available). Doing this allows patches to be deployed by infrastructure teams, validated by software support staff, and assessed by security teams before deployment into the production environment. Additionally, vulnerability scans should verify that patches only resolve vulnerabilities and do not introduce any new ones!

Regularly patching and updating software and firmware can prevent attackers from exploiting known vulnerabilities. Performing this patching via automated patch management systems is known as what?

Patching and Updating

What are ways for an organization to assess its attack surface and identify vulnerabilities?

Penetration Test and Adversary Emulation. Both techniques supplement attack surface management and help improve an organization's security posture. Penetration testing involves simulating an attack on an organization's network to identify vulnerabilities and weaknesses. The goal is to identify the most vulnerable components within an organization's environment and determine how an attacker could exploit them. The penetration test results are then used to prioritize risk mitigation efforts and reduce the attack surface. Adversary emulation, on the other hand, involves simulating a real-world cyber attack by an actual adversary to assess an organization's defenses. This technique involves a more comprehensive and realistic simulation of a targeted attack. The goal is to identify gaps and weaknesses in an organization's security infrastructure that a known threat actor typically targets. Doing so helps the organization improve its ability to detect and respond to specific attacks associated with the threat actor instead of generalized attacks used in penetration testing.

A system administrator is hardening a newly provisioned server with software patches and security updates. What functional security control is the system administrator performing? A. Detective B. Preventative C. Corrective D. Compensating

Preventative. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Implementing software patches and security updates are examples of preventative controls. The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. A good example of a corrective control is a backup system that can restore data damaged during an intrusion. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

Define Preventative Control.

Preventative control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Antimalware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.

Removing hardware or software components reduces the attack surface. By removing software, the organization eliminates a pathway that attackers can exploit. What is this known as?

Removing Unnecessary Components

After identifying that a port scan was performed on an internal database system, a security analyst performs a series of well-defined steps to further investigate the issue. What type of control objective does this describe?

Responsive

A large corporation's security operations center (SOC) team is processing a recent incident. The team refers to a playbook for guidance about the incident. What type of functional security control does the playbook represent? A. Corrective B. Preventative C. Responsive D. Compensating

Responsive. Responsive controls serve to direct corrective actions enacted after the SOC team confirms the incident. The team often documents these actions in a playbook. An example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

Define Responsive Control.

Responsive controls serve to direct corrective actions enacted after an incident has been confirmed. In a Security Operations Center (SOC), responsive controls might include several very well-defined actions to be taken by an analyst after identifying a specific issue. These actions are often documented in a playbook.

A CEO of a small corporation has decided to continue using a legacy system despite security concerns. This is an example of which risk management principle? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

Risk Acceptance. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item, such as using a legacy system despite security concerns. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

Risk ____________________ requires that activities with high levels of risk are stopped.

Risk Avoidance

An IT director reviews a cyber security audit and learns that an old accounting server is significantly out of compliance. Rather than attempting repairs, the director concludes that decommissioning the server is the safest course of action. What is the risk management principle the IT director is following? A. Risk acceptance B. Risk mitigation C. Risk avoidance D. Risk transference

Risk Avoidance The IT director is electing to follow risk avoidance because of the risk and cost of bringing the server into compliance. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover that a software application has numerous high-severity security vulnerabilities. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

A systems administrator runs a scan on an application server and finds several vulnerabilities. The issues are not severe, and patches are available in each instance. The administrator decided to install the available patches. What risk management principle did they demonstrate? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference

Risk Mitigation The system administrator is practicing risk mitigation by installing the patches and reducing the vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

The legal affairs team of an international conglomerate elects to assign certain risks to a third party. Which risk management principle are they implementing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

Risk Transference Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe.

What is risk acceptance?

Risk acceptance is determining that a risk is within the organization's appetite and that no countermeasures other than ongoing monitoring are needed. Continuing to operate without change after evaluating an identified risk item.

What is risk avoidance?

Risk avoidance is the practice of ceasing activity that presents risk. Stop doing an activity that is risk-bearing.

What do risk managers do?

Risk managers look to compliance teams to help identify if observed business practices align with established rules.

What is risk mitigation?

Risk mitigation is the reduction of risk to fit within an organization's willingness to accept risk. Reducing exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe.

What is risk transference?

Risk transference is the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

A system administrator is performing patchwork on their organization's system. The administrator realizes the maintenance window will close before they complete the patchwork. What action must the administrator take to abide by the change management policy? A. Rollback to the system's previous state B. Rollout earlier patches C. Rollback to a system's initial state D. Rollout system patches

Rollback to the system's previous state Change management policy dictates that patching must finish quickly enough to accommodate rollback plans if trouble occurs—without overrunning the maintenance window. Change management rollback is the process of undoing a system's changes to restore the system to an earlier, pre-change state. The appropriate terminology for a rollout of earlier patches is rollback. The organization performs rollouts during a maintenance window when they implement new patches. Rolling back to a system's initial state is possible but unadvisable because of security concerns. Simply rolling back to the previous state is the best course of action. Rolling out system patches is a task performed during open maintenance windows. Patch management teams rely on maintenance windows to complete patch rollouts.

What is a SOC?

Security Operations Center (SOC) is the location where security professionals monitor and protect critical information assets in an organization. SOCs depend upon well-established incident-handling practices and clearly defined responses.

Define Security Control.

Security controls can help protect an organization's valuable assets and data from unauthorized access, theft, and destruction when implemented correctly. They help reduce risk by minimizing the attack surface and addressing vulnerabilities. Security controls can include technical measures, such as firewalls and encryption, and nontechnical measures, such as employee training and awareness.
