.02 RG Vocab Information Security & Risk Management Flashcards

1
Q

Confidentiality

A

preserves authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.

2
Q

Integrity

A

guards against improper information modification or destruction, ensuring
information nonrepudiation and authenticity.

3
Q

Availability

A

ensures timely and reliable access to and use of information.

4
Q

NIST Identify

A

Asset management, business environment, governance, risk assessment,
risk management strategy

5
Q

NIST Protect

A

Access control, awareness training, data security, information protection
processes and procedures, maintenance, protective technology

6
Q

NIST Detect

A

Anomalies and events, security continuous monitoring, detection processes

7
Q

NIST Respond

A

Response planning, communications, analysis, mitigation, improvements

8
Q

NIST Recover

A

Recovery planning, improvements, communications

9
Q

RML Categorize

A

Classify the system and information processed, stored, and transmitted based
on impact analysis

10
Q

RML Focus 1

A

Inform organizational risk management processes and tasks by determining the
adverse impact on organizational operations and assets, individuals, other organizations, and
the nation concerning the loss of confidentiality, integrity, and availability of organizational
systems and the information processed, stored, and transmitted by those systems.

11
Q

RML Select

A

Choose an initial set of controls for the system and tailor the controls as needed to
reduce risk to an acceptable level based on an assessment of risk.

12
Q

RML Focus 2

A

Select, tailor, and document the controls necessary to protect the information system
and organization commensurate with the risk to organizational operations and assets,
individuals, other organizations, and the nation.

13
Q

RML Implement

A

Identify and activate the necessary controls and describe how they are
employed within the system and its operating environment.

14
Q

RML Focus 3

A

Initiate the controls in the security and privacy plans for the system and the
organization and document the specific details of the control implementation in a baseline
configuration.

15
Q

RML Assess

A

Evaluate the controls to determine if they are implemented correctly, operating as
intended, and producing the desired outcomes concerning satisfying the security and privacy
requirements.

16
Q

RML Focus 4

A

Determine if the controls selected for implementation are implemented correctly,
operating as intended, and producing the desired outcome concerning meeting the security
and privacy requirements for the system and the organization.

17
Q

RML Authorize

A

Certify and enable the system or common controls based on determining that
the risk to organizational operations and assets, individuals, other organizations, and the
nation is acceptable.

18
Q

RML Focus 5

A

Provide organizational accountability by requiring a senior management official to
determine if the security and privacy risk (including risk to the supply chain) to organizational
operations and assets, individuals, other organizations, or the nation based on the operation
of a system or the use of common controls is acceptable.

19
Q

Monitor

A

Observe the system and the associated controls on an ongoing basis, including
assessing control effectiveness, documenting changes to the system and environment of
operation, conducting risk assessments and impact analyses, and reporting the security and
privacy posture of the system.

20
Q

RML Focus 6

A

Maintain an ongoing situational awareness about the security and privacy posture of
the information system and the organization in support of risk management decisions.

21
Q

Incident

A

is a security event that compromises an information asset’s integrity, confidentiality,
or availability.

22
Q

Breach

A

is an incident that results in the confirmed disclosure—not just potential
exposure—of data to an unauthorized party.

23
Q

Assets

A

depend on the type of organization; for example, a bank’s asset is its money while the
assets of a software company are in its computer code

24
Q

Vulnerabilities

A

exist in both software and hardware. The discovery of such vulnerabilities is
only a matter of time.

25
Q

Exploitation

A

is the use of a vulnerability to gain access to an organization.

26
Q

Risk

A

is the level of impact on organizational operations (including mission, functions, image,
or reputation), organizational assets, or individuals resulting from the operation of an
information system, given the potential impact of a threat and the likelihood of that threat
occurring.

27
Q

Threat

A

is any circumstance or event that can adversely impact organizational operations
(including mission, functions, image, or reputation), organizational assets, or individuals
through an information system via unauthorized access, destruction, disclosure, modification
of information, and denial of service; also, the potential for a threat source to successfully
exploit a particular information system vulnerability.

28
Q

Pen-test

A

also known as penetration testing, is the method of employing hacker tools and
techniques to evaluate security and implemented controls. Another way of understanding a
pen test is to discover both known and unknown vulnerabilities.

29
Q

Confidentiality

A

preserves authorized restrictions on information access and disclosure,
including the means of protecting personal privacy and proprietary information.

30
Q

Integrity

A

guards against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.

31
Q

Availability

A

ensures timely and reliable access to and use of information.

32
Q

Defense-in-Depth

A

is an information security strategy integrating people, technology, and
operations capabilities to establish variable barriers across multiple layers and dimensions of
the organization.

33
Q

Security controls

A

include safeguards, measures, or steps taken to avoid, transfer, mitigate,
reduce, or share the risks to organizational assets.

34
Q

Exposure

A

is the combination of the likelihood and the impact levels of risk.

35
Q

Red Team

A

is a group of people authorized and organized to emulate a potential adversary’s
attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s
objective is to improve enterprise cybersecurity by demonstrating the impacts of successful
attacks and what works for the defenders (i.e., the Blue Team) in an operational environment.
Also known as the Cyber Red Team.

36
Q

Blue Team

A

is a group responsible for defending an enterprise’s use of information systems
by maintaining its security posture against a group of mock attackers (i.e., the Red Team).
Typically the Blue Team and its supporters must defend against real or simulated attacks 1)
over a significant period; 2) in a representative operational context (e.g., as part of an
operational exercise); and 3) according to rules established and monitored with the help of a
neutral group refereeing the simulation or exercise (i.e., the White Team).

37
Q

Pentest

A

is a method of testing where testers target individual binary components or the
application as a whole to determine whether intra- or intercomponent vulnerabilities can be
exploited to compromise the application, its data, or its environmental resources.

38
Q

Malware

A

is hardware, firmware, or software intentionally included or inserted into a system
for a harmful purpose.

39
Q

Rogue access point

A

is an unauthorized access point connected to a network.

40
Q

Ransomware

A

disables the victim’s access to data until a ransom is paid. (e.g., Ryuk)

41
Q

Fileless malware

A

changes files native to the OS (e.g., Astaroth).

42
Q

Spyware

A

collects user activity data without the user’s knowledge (e.g., DarkHotel).

43
Q

Adware

A

serves unwanted advertisements (e.g., Fireball).

44
Q

Trojans

A

disguise themselves as desirable code (e.g., Emotet).

45
Q

Worms

A

spread through a network by replicating themselves (e.g., Stuxnet).

46
Q

Rootkits

A

give hackers remote control of a victim’s device (e.g., Zacinlo).

47
Q

Keyloggers

A

monitor a user’s keystrokes (e.g., Olympic Vision).

48
Q

Bots

A

launch a broad flood of attacks (e.g., Echobot).

49
Q

Mobile malware

A

infects mobile devices (e.g., Triada).

50
Q

Malware

A

is a broad term used to describe malicious software, including spyware,
ransomware, viruses, and worms. Malware breaches a network through a vulnerability,
typically when a user clicks a dangerous link or email attachment that installs risky software.
Once inside the system, malware can do the following:
● Block access to key components of the network (ransomware).
● Install malware or additional harmful software.
● Covertly obtain information by transmitting data from the hard drive (spyware).
● Disrupt certain components and render the system inoperable.

51
Q

Phishing

A

involves sending fraudulent communications that appear to come from a
reputable source, usually through email. The goal is to steal sensitive data like credit card and
login information or install malware on the victim’s machine. Phishing is an increasingly
common cyberthreat.

52
Q

On-Path attacks

A

are also known as eavesdropping attacks, which occur when attackers
insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they
can filter and steal data.
The following are two common points of entry for On-Path attacks:
1. Attackers can insert themselves between a visitor’s device and the network on
unsecured public Wi-Fi. Without knowing, the visitor passes all information through
the attacker.
2. Once the malware has breached a device, an attacker can install software to process
all of the victim’s information.

53
Q

Denial of Service attacks

A

flood systems, servers, or networks with traffic to exhaust
resources and bandwidth. As a result, the system is unable to fulfill legitimate requests.
Attackers can also use multiple compromised devices to launch this type of attack. It may
also be known as a Distributed Denial of Service (DDoS) attack.

54
Q

SQL injection

A

is a Structured Query Language (SQL) injection that occurs when an attacker
inserts malicious code into a server that uses SQL and forces the server to reveal information
it normally would not. An attacker may carry out a SQL injection by simply submitting
malicious code into a vulnerable website search box. Learn how to defend against SQL
injection attacks.

55
Q

Zero-day exploits

A

hit after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.

56
Q

DNS tunneling

A

utilizes the Domain Name System (DNS) protocol to communicate non-DNS
traffic over port 53. DNS tunneling sends HTTP and other protocol traffic over DNS. There are
various legitimate reasons to utilize DNS tunneling. However, there are also malicious
motivations for using DNS tunneling virtual private network (VPN) services. This tactic is used
to disguise outbound traffic like DNS, concealing data typically shared through an internet
connection. DNS requests are manipulated to exfiltrate data from a compromised system to
the attacker’s infrastructure for malicious use. It can also be used for command and control
callbacks from the attacker’s infrastructure to a compromised system.

57
Q

RT Accept

A

Risk is accepted, and no measures are implemented to reduce its probability or
impact.

58
Q

RT Avoid

A

Choose operations that do not lend themselves to a particular risk (e.g., relocating a
factory from a region prone to a particular natural disaster to one that is not prone to that
disaster).

59
Q

RT Mitigate

A

Implement controls to reduce the probability and impact of the threat/risk
materializing.

60
Q

RT Share

A

Engage others in the operations, so multiple parties assume the risk.

61
Q

RT Transfer

A

Through the purchase of insurance, an organization can transfer risk to another
party.

62
Q

Payment Card Industry - Data Security Standard (PCI-DSS)

A

The Payment Card Industry
(PCI) has a Data Security Standard (DSS) with penalties for noncompliance by vendors. It is
one of the most popular industry standards. If a company utilizes any payment card for any
operation, it is a must for the selected service provider to be PCI-DSS compliant.

63
Q

The Health Insurance Portability and Accountability Act (HIPAA)

A

This congressional
act specifies and requires data privacy and protection for medical information

64
Q

California Consumer Privacy Act (CCPA)

A

This act extends privacy protections to the
internet. Under CCPA, consumers may request and access the personally identifiable
information (PII) data stored by companies. Businesses are required to provide a notice to
consumers before their data can be sold.

65
Q

General Data Protection Regulation (GDPR)

A

This regulation was adopted during March
2014 to replace European Union (EU) privacy directive 95/46/EC (EU, n.d.). GDPR is one of the
toughest privacy and security laws passed by the EU. Its reach extends to any organization
collecting and using data related to people within its member countries. Violators of the
GDPR face harsh fines.

66
Q

IRL Computer security incident

A

is a violation or imminent threat of violation of computer
security policies, acceptable use policies, or standard security practices.

67
Q

IRL An event

A

is any observable occurrence in a system or network. Events include a user
connecting to a file share, a server receiving a request for a webpage, a user sending email,
or a firewall blocking a connection attempt. Adverse events have negative consequences,
such as system crashes, packet floods, unauthorized use of system privileges, unauthorized
access to sensitive data, and execution of malware that destroys data.

68
Q

IRL Central incident response team

A

handles incidents throughout the organization

69
Q

IRL Distributed incident response team

A

may be one of several teams within an organization
with responsibility for a particular logical or physical segment of the organization.

70
Q

IRL Coordinating team

A

is an incident response team that provides advice to other teams
without having authority over those teams.

71
Q

PoIR preparation

A

By establishing its incident response capability, an organization is ready
to respond to incidents and prevent incidents by ensuring that systems, networks, and
applications are sufficiently secure. Although the incident response team is not
typically responsible for incident prevention, it is fundamental to the success of
incident response programs.

72
Q

PoIR Detection and analysis

A

Organizations need to be focused on being prepared to
handle incidents that use common attack vectors. Different types of incidents merit
different response strategies; knowing and preparing for common attack vectors is
very important to success.

73
Q

PoIR Containment and eradication

A

With a focus on minimizing the impact of an
incident, containment and eradication strategies provide time for developing a tailored
remediation plan. An essential part of containment is decision-making (e.g., shutting
down a system, disconnecting it from a network, disabling certain functions).

74
Q

PoIR Post-incident activity

A

Learning and improving from an incident improves an
organization’s preparedness for the next attack. Documenting lessons learned and
plans for future action and response plan updates are important post-incident
activities.

75
Q

Intrusion detection

A

The first tier of an incident response team often assumes
responsibility for intrusion detection. The team generally benefits because it should be
poised to analyze incidents more quickly and accurately, based on its knowledge of
intrusion detection technologies.

76
Q

Advisory distribution

A

A team may issue advisories regarding new vulnerabilities
and threats within the organization. Automated methods should be used whenever
appropriate to disseminate information; for example, the National Vulnerability
Database (NVD) provides information via XML and RSS feeds when new vulnerabilities
are added. Advisories are often necessary when new threats emerge, such as a
high-profile social or political event (e.g., a celebrity wedding) that attackers are likely to
leverage in their social engineering. Only one group within the organization should
distribute computer security advisories to avoid duplicated effort and conflicting
information.

77
Q

Education and awareness

A

Education and awareness are resource multipliers—the
more the users and technical staff know about detecting, reporting, and responding to
incidents, the less drain there should be on the incident response team. This
information can be communicated through many means: workshops, websites,
newsletters, posters, and even stickers on monitors and laptops.

78
Q

Information sharing

A

Incident response teams often participate in information
sharing groups, such as information sharing and analysis centers (ISACs) or regional
partnerships. Accordingly, incident response teams often manage the organization’s
incident information-sharing efforts, such as aggregating information related to
incidents, sharing that information with other organizations, and ensuring that
pertinent information is shared within the enterprise.

79
Q

Research

A

entails anticipating, defeating, and actively countering emerging cyberthreats using
expert insights, innovative approaches/technologies, and investigative practices to protect
the confidentiality, integrity, and availability of information and information systems.