Week 2
Physical social engineering:
An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location
Computer virus:
Malicious code written to interfere with computer operations and cause damage to data and software
What were the key impacts of the Equifax breach? Select two answers. - The significant financial consequences of a breach became more apparent. - Millions of customers' PII was stolen. - Phishing became illegal due to significant public outcry. - Developers were able to track illegal copies of software and prevent pirated licenses.
The key impacts of the Equifax breach were that millions of customers' PII were stolen and that the significant financial consequences of a breach became more apparent.
Authentication:
The process of verifying who someone is
Which of the following threats are most likely to occur in the event of a phishing attack? Select all that apply. - Employees inadvertently revealing sensitive data - Theft of the organization's hardware - Malicious software being deployed - Overtaxing systems with too many internal emails
- Employees inadvertently revealing sensitive data - Malicious software being deployed
Fill in the blank: Examples of security _____ include security and risk management and security architecture and engineering. - assets - domains - data - networks
Examples of security domains include security and risk management and security architecture and engineering.
Virus:
See "computer virus"
Fill in the blank: A computer virus is malicious _____ that interferes with computer operations and causes damage. - code - sequencing - formatting - hardware
A computer virus is malicious code that interferes with computer operations and causes damage. A virus is a type of malware.
Spear phishing:
A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source
Social engineering:
A manipulation technique that exploits human error to gain private information, access, or valuables
Physical attack:
A security incident that affects not only digital but also physical environments where the incident is deployed
Adversarial artificial intelligence (AI):
A technique that manipulates artificial intelligence (AI) and machine learning (ML) technology to conduct attacks more efficiently
USB baiting:
An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network
Cryptographic attack:
An attack that affects secure forms of communication between a sender and intended recipient
Supply-chain attack:
An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed
Password attack:
An attempt to access password-secured devices, systems, networks, or data
Hacker:
Any person or group who uses computers to gain unauthorized access to data
Fill in the blank: A _____ is malicious code written to interfere with computer operations and cause damage to data. - software breach - spyware attack - computer virus - business disruption
Computer virus
Which of the following tasks may be part of the identity and access management domain? Select all that apply. - Controlling physical assets - Conducting security control testing - Ensuring users follow established policies - Setting up an employee's access keycard
- Controlling physical assets - Ensuring users follow established policies - Setting up an employee's access keycard
What historical event resulted in one of the largest known thefts of sensitive data, including social security numbers and credit card numbers? - Morris worm - Equifax breach - Brain virus - LoveLetter attack
Equifax breach
Fill in the blank: Social engineering is a manipulation technique that exploits _____ error to gain access to private information. - network - human - computer - coding
Human
Which of the following tasks may be part of the asset security domain? Select all that apply. - Securing digital and physical assets - Proper disposal of digital assets - Ensuring users follow established policies - Data storage and maintenance
- Securing digital and physical assets - Proper disposal of digital assets - Data storage and maintenance
A security professional receives an alert that an unknown device has connected to their organization's internal network. They follow policies and procedures to quickly stop the potential threat. Which domain does this scenario describe? - Security operations - Asset security - Security and risk management - Identity and access management
Security Operations
A security professional is researching compliance and the law in order to define security goals. Which domain does this scenario describe? - Identity and access management - Security assessment and testing - Security and risk management - Security architecture and engineering
Security and risk management
A security professional is optimizing data security by ensuring that effective tools, systems, and processes are in place. Which domain does this scenario describe? - Security architecture and engineering - Identity and access management - Communication and network security - Security and risk management
Security architecture and engineering
Which domain involves conducting, collecting, and analyzing data, as well as conducting security audits to monitor for risks, threats, and vulnerabilities? - Communication and network security - Identity and access management - Security and risk management - Security assessment and testing
Security assessment and testing
Social engineering, such as phishing, is a manipulation technique that relies on computer error to gain private information, access, or valuables. - True - False
Social engineering, such as phishing, is a manipulation technique that relies on human error (not computer error) to gain private information, access, or valuables.
Malware:
Software designed to harm devices or networks
Your supervisor asks you to audit the human resources management system at your organization. The objective of your audit is to ensure the system is granting appropriate access permissions to current human resources administrators. Which security domain is this audit related to? - Software development security - Security operations - Identity and access management - Security assessment and testing
This is related to security assessment and testing, which often involves regular audits of user permissions to ensure employees and teams have the correct level of access.
Why is it useful to understand the eight CISSP security domains? Select two answers. - To improve your communication skills - To develop programming skills - To better understand your role within an organization - To identify potential career opportunities
Understanding the eight CISSP security domains can help you identify potential career opportunities and better understand your organizational role.
Watering hole attack:
A type of attack in which a threat actor compromises a website frequently visited by a specific group of users
Social media phishing:
A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack
Business Email Compromise (BEC):
A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage
What is one way that the Morris worm helped shape the security industry? - It prevented the development of illegal copies of software. - It made organizations more aware of the significant financial impact of security incidents. - It led to the development of computer emergency response teams. - It inspired threat actors to develop new types of social engineering attacks.
The Morris worm helped shape the security industry because it led to the development of computer emergency response teams.
Vishing:
The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source
Phishing:
The use of digital communications to trick people into revealing sensitive data or deploying malicious software
A security professional is responsible for ensuring that company servers are configured to securely store, maintain, and retain SPII. These responsibilities belong to what security domain? - Asset security - Communication and network security - Security and risk management - Security architecture and engineering
These responsibilities are part of the asset security domain. This domain focuses on managing and securing digital and physical assets.