Professor Messer Practice Tests Flash Cards
Directive
Directive control types are guidelines offered to help direct a subject towards security compliance. Training users on the proper storage of sensitive files would be an example of a directive control.
Compensating
A compensating control can't prevent an attack, but it provides an alternative that restores an acceptable level of protection when the primary control is unavailable or an attack occurs. For example, re-imaging a compromised server would be a compensating control.
Deterrent
A deterrent discourages an intrusion attempt, but it doesn’t directly prevent the access. An application splash screen or posted warning sign would be categorized as a deterrent.
Data owner
The data owner is accountable for specific data, so this person is often a senior officer of the organization.
Data controller
A data controller manages the processing of the data. For example, a payroll department would be a data controller, and a payroll servicing company would be the data processor.
Data steward
The data steward manages access rights to the data. In the payroll example above, the IT team that grants and revokes access to the payroll records would be the data steward.
Data processor
The data processor is often a third-party that processes data on behalf of the data controller.
OSINT
OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations.
Exfiltration
Exfiltration describes the unauthorized transfer of data out of the organization, typically by an attacker who has already gained access to a system.
Active reconnaissance
Active reconnaissance interacts directly with the target, so it leaves evidence of the data gathering.
For example, a ping scan or a DNS query against the target's servers wouldn't exploit a vulnerability, but it would show in firewall, flow, or DNS logs that someone was gathering information.
Escalation scripting
Scripting and automation can provide methods to automate or orchestrate the escalation response when a security issue is detected.
Log aggregation
Log aggregation provides a method of centralizing evidence and log files for reporting and future analysis. The aggregated log does not inherently provide a response to a security event.
Vulnerability scan
A vulnerability scan will identify known vulnerabilities that the scanner has definitions for and that may be associated with a system. However, a vulnerability scan will not identify an active infection as it happens, and it will not automate the response.
Due care
Due care describes a duty to act honestly and in good faith, taking the precautions a reasonable person would take. Due diligence is the investigation performed before acting and is often associated with third-party activities, while due care tends to refer to internal activities.
Statement of work
A statement of work is often used during a professional services engagement to detail a list of specific tasks to complete. In this example, all of the work is part of an internal audit and does not include any mention of third-party professional services.
Acceptance
Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself.
Mitigation
If the organization was to purchase additional backup facilities and update their backup processes to include offline backup storage, they would be mitigating the risk of a ransomware infection.
Transference
Purchasing insurance to cover a risky activity is a common method of transferring risk from the organization to the insurance company.
Risk-avoidance
To avoid the risk of ransomware, the organization would need to completely disconnect from the Internet and disable every method that ransomware might use to infect a system. This risk response technique would most likely not be practical for ransomware.
SCAP
SCAP (Security Content Automation Protocol) is a NIST-maintained set of specifications (including CVE, CPE, CVSS, OVAL, and XCCDF) that lets different security tools describe and exchange vulnerability, configuration, and compliance data in a common format. SCAP is not used to provide an encrypted tunnel between two locations.
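The vulnerability scan and SCAP cards above make the same point from two sides: a scanner can only report what its definitions describe, and SCAP exists so that those definitions can be shared between tools. The following is an added example, not code from the original page: a minimal scanner that matches an inventory against a definitions feed. The product names, vulnerability IDs (deliberately not CVE numbers), versions, and the record layout are all constructed; the definitions are a simplified stand-in for SCAP content such as OVAL version tests with a CVSS score attached.

```python
"""Minimal version-matching vulnerability scan over a constructed inventory.

Added example, not code from the original page. The definition records are a
simplified stand-in for SCAP-style content (CPE-like product names, OVAL-like
version tests, a CVSS score); the IDs, products and versions are all made up."""
from dataclasses import dataclass
from typing import Optional
import re


def version_key(version: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). Numeric components only; pre-release tags are
    out of scope for this demo (real scanners need vendor-specific rules)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


@dataclass(frozen=True)
class VulnDef:
    vuln_id: str            # constructed identifier, deliberately not a CVE number
    product: str            # "vendor:product", in the spirit of a CPE name
    introduced: str         # first affected version, inclusive
    fixed: Optional[str]    # first fixed version, exclusive; None = no fix yet
    cvss: float


@dataclass(frozen=True)
class Package:
    host: str
    product: str
    version: str


def is_affected(pkg: Package, vd: VulnDef) -> bool:
    """True when the installed version falls in [introduced, fixed)."""
    if pkg.product != vd.product:
        return False
    v = version_key(pkg.version)
    if v < version_key(vd.introduced):
        return False
    return vd.fixed is None or v < version_key(vd.fixed)


def scan(inventory, definitions):
    """Every (host, product, version, vuln_id, cvss) match, highest CVSS first."""
    findings = [(p.host, p.product, p.version, d.vuln_id, d.cvss)
                for p in inventory for d in definitions if is_affected(p, d)]
    findings.sort(key=lambda f: (-f[4], f[0]))
    return findings


# Constructed definitions feed: this is everything the scanner "knows".
DEFINITIONS = [
    VulnDef("EXAMPLE-0001", "acme:webd", "2.4.0", "2.4.50", 9.8),
    VulnDef("EXAMPLE-0002", "acme:webd", "2.4.0", None, 5.3),
    VulnDef("EXAMPLE-0003", "acme:sshd", "8.0", "8.5", 7.5),
]

# Constructed inventory. acme:dbd has no definition, so nothing about it can
# ever be reported, however compromised that host might actually be.
INVENTORY = [
    Package("web01", "acme:webd", "2.4.49"),
    Package("web02", "acme:webd", "2.4.50"),
    Package("bastion", "acme:sshd", "8.5"),
    Package("bastion", "acme:dbd", "11.2"),
]

if __name__ == "__main__":
    for host, product, version, vuln_id, cvss in scan(INVENTORY, DEFINITIONS):
        print(f"{host}: {product} {version} affected by {vuln_id} (CVSS {cvss})")
```

The bastion host produces no findings at all: its sshd is at the first fixed version, and its database has no definition in the feed. That silence is the caveat behind the card, since an absence of findings only means the scanner had nothing to match, not that the host is clean or uninfected.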
Exposure factor
An exposure factor describes the percentage of an asset's value that would be lost in a single event. For example, a network throughput issue that cuts off access for half of the users would be a 50% exposure factor, and a completely disabled service would be calculated as a 100% exposure factor. Multiplying the asset value by the exposure factor gives the single loss expectancy (SLE) used in quantitative risk calculations.
Risk tolerance
Risk tolerance describes the amount of risk that would be acceptable to an organization. For example, an organization may tolerate the risk involved with a delay so that patches can be tested prior to deployment.
Environmental variables
An environmental variable is considered when prioritizing patches and security responses. For example, a device in the production network environment will probably have priority over the devices in a test lab environment.
ICS
ICS (Industrial Control Systems) devices monitor and control physical industrial processes and usually involve manufacturing equipment or power generation equipment. A time clock would not be categorized as an ICS.
NetFlow logs
NetFlow information can provide a summary of network traffic, application usage, and details of network conversations: which hosts talked to which, over which protocols and ports, and how much data moved, without capturing packet contents. The NetFlow logs will show all conversations from this device to any others in the network.
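The active reconnaissance and NetFlow cards above both come down to the same evidence: flow records show who talked to whom, so a ping sweep or a port scan stands out even though no vulnerability was exploited. The following is an added example, not code from the original page. It parses a simplified, constructed flow export (the comma-separated layout ts,proto,src,sport,dst,dport,packets,bytes is invented for the demo and is not any collector's exact format), summarizes every conversation involving one host, and flags sources whose ICMP and single-packet TCP behaviour matches a sweep or a scan. All addresses are constructed; the thresholds are assumptions to tune for a real network.

```python
"""Summarise NetFlow-style records for one host and flag active reconnaissance.

Added example for the active reconnaissance and NetFlow cards; it is not code
from the original page. The record layout is a simplified comma-separated flow
export invented for this demo (ts,proto,src,sport,dst,dport,packets,bytes), not
the exact output of any collector, and every address below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

SWEEP_THRESHOLD = 8    # distinct hosts pinged by one source before it counts as a sweep (assumed)
SCAN_THRESHOLD = 10    # distinct ports probed on one host by one source before it counts as a scan (assumed)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> list:
    """Parse the constructed export; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, pkts, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(ts, proto.upper(), src, int(sport), dst, int(dport), int(pkts), int(nbytes)))
    return flows


def conversations(flows, host: str) -> dict:
    """Every peer the host exchanged flows with, with per-peer totals."""
    peers = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "protos": set()})
    for f in flows:
        if host not in (f.src, f.dst):
            continue
        p = peers[f.dst if f.src == host else f.src]
        p["flows"] += 1
        p["packets"] += f.packets
        p["bytes"] += f.nbytes
        p["protos"].add(f.proto)
    return dict(peers)


def detect_recon(flows):
    """Return (ping_sweeps, port_scans): sweeps keyed by source, scans by (source, target)."""
    icmp_targets = defaultdict(set)
    probed_ports = defaultdict(set)
    for f in flows:
        if f.proto == "ICMP":
            icmp_targets[f.src].add(f.dst)
        elif f.proto == "TCP" and f.packets <= 2:   # one or two packets: a SYN probe, not a session
            probed_ports[(f.src, f.dst)].add(f.dport)
    sweeps = {src: len(t) for src, t in icmp_targets.items() if len(t) >= SWEEP_THRESHOLD}
    scans = {key: len(p) for key, p in probed_ports.items() if len(p) >= SCAN_THRESHOLD}
    return sweeps, scans


# Constructed flow export (not real capture data).
SAMPLE_FLOWS = "\n".join(
    ["# normal traffic",
     "2024-01-01T09:00:00,TCP,10.0.1.50,51022,10.0.1.10,443,40,18000",
     "2024-01-01T09:00:01,UDP,10.0.1.10,41234,10.0.1.53,53,2,180",
     "2024-01-01T09:00:02,TCP,10.0.1.10,44100,10.0.1.60,445,120,90000",
     "# 10.0.5.23 pings twelve hosts in a row: a ping sweep"]
    + [f"2024-01-01T09:01:{i:02d},ICMP,10.0.5.23,0,10.0.1.{i},0,1,84" for i in range(1, 13)]
    + ["# ...then sends single-packet SYNs to a dozen ports on one host: a port scan"]
    + [f"2024-01-01T09:02:{i:02d},TCP,10.0.5.23,{50000 + i},10.0.1.10,{port},1,60"
       for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for peer, p in sorted(conversations(flows, "10.0.1.10").items()):
        print(f"10.0.1.10 <-> {peer}: {p['flows']} flows, {p['packets']} pkts, {sorted(p['protos'])}")
    sweeps, scans = detect_recon(flows)
    for src, n in sweeps.items():
        print(f"ping sweep from {src}: {n} hosts probed")
    for (src, dst), n in scans.items():
        print(f"port scan from {src} against {dst}: {n} ports probed")
```

The conversation summary for 10.0.1.10 lists four peers, and 10.0.5.23 accounts for thirteen of its flows with almost no payload, which is exactly the fingerprint the reconnaissance card describes: nothing was exploited, but the gathering left a record. The packet-count test is a heuristic; a long-lived session that was cut at a flow export boundary could look like a probe, so in practice it should be combined with TCP flag information where the collector provides it.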
Embedded system
An embedded system often does not provide access to the OS and may not provide a method of upgrading the system firmware.
TPM
TPM (Trusted Platform Module) is a chip on (or built into) a computer's motherboard that is specifically designed to perform and protect cryptographic functions. Full disk encryption (FDE) can seal the volume key to the TPM and to the platform's boot measurements (PCR values), so the key is released only if the local device hasn't changed, and the TPM's dictionary-attack lockout limits brute-force or dictionary attacks against the full disk encryption PIN or passphrase.
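The two TPM properties the card relies on (the key is released only on an unchanged platform, and repeated wrong credentials lock the TPM) follow from how PCRs and sealing work. The following is an added example, not code from the original page and not the TPM 2.0 command interface: a small model of a TPM using only hashlib. It imitates PCR extend (a PCR can only be extended, never written directly, so the final value depends on every boot stage in order), sealing a disk key to the expected PCR value, and a lockout counter that counts only authorization failures. The keys, PIN, and boot measurements are constructed, and the HMAC-based seal is a stand-in for the TPM's real storage-key wrapping.

```python
"""Model of how full-disk encryption binds a key to a TPM's measured-boot state.

Added example for the TPM card; it is not code from the original page and not
the TPM 2.0 command interface. With hashlib alone it imitates three TPM
behaviours: PCR extend (a PCR can only be extended, never written), sealing a
secret to an expected PCR value, and the dictionary-attack lockout counter.
Every key, PIN and boot measurement below is constructed for the demo."""
import hashlib
import hmac
import os


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class TpmModel:
    """One SHA-256 PCR bank, an HMAC-based seal and a lockout counter."""

    def __init__(self, max_tries: int = 3):
        self._root = os.urandom(32)  # stands in for the chip-resident root key; never exported
        self.max_tries = max_tries
        self.failed = 0
        self.locked = False
        self.reset()

    def reset(self):
        """Power cycle: PCRs return to zero; the lockout counter persists."""
        self.pcr = {i: bytes(32) for i in range(8)}

    def extend(self, index: int, measurement: bytes):
        """PCR[i] = H(PCR[i] || H(measurement)); order and content both matter."""
        self.pcr[index] = sha256(self.pcr[index], sha256(measurement))

    def _policy(self, index: int) -> bytes:
        """Digest of the PCR state the sealed object requires (a stand-in for a PCR policy)."""
        return sha256(b"policy-pcr", bytes([index]), self.pcr[index])

    def seal(self, secret: bytes, index: int, auth: bytes) -> dict:
        """Wrap a secret (<= 32 bytes) to the current PCR value plus an auth value (PIN)."""
        policy = self._policy(index)
        pad = hmac.new(self._root, b"pad" + policy, hashlib.sha256).digest()
        ct = bytes(s ^ p for s, p in zip(secret, pad))
        tag = hmac.new(self._root, b"tag" + policy + ct + auth, hashlib.sha256).digest()
        return {"index": index, "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, auth: bytes):
        """Returns (status, secret). Only auth failures count toward lockout."""
        if self.locked:
            return "locked", None
        if not hmac.compare_digest(blob["policy"], self._policy(blob["index"])):
            return "pcr-mismatch", None        # platform changed: refuse, but no lockout penalty
        tag = hmac.new(self._root, b"tag" + blob["policy"] + blob["ct"] + auth, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            self.failed += 1
            if self.failed >= self.max_tries:
                self.locked = True
            return "bad-auth", None
        self.failed = 0
        pad = hmac.new(self._root, b"pad" + blob["policy"], hashlib.sha256).digest()
        return "ok", bytes(c ^ p for c, p in zip(blob["ct"], pad))


# Constructed boot chains; each stage is measured into PCR 7 before it runs.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v7", b"kernel-6.1-signed"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-patched", b"kernel-6.1-signed"]


def measured_boot(tpm: TpmModel, chain, index: int = 7):
    tpm.reset()
    for component in chain:
        tpm.extend(index, component)


def run_scenarios() -> dict:
    tpm = TpmModel(max_tries=3)
    disk_key = os.urandom(32)                       # constructed FDE volume key
    measured_boot(tpm, GOOD_CHAIN)
    blob = tpm.seal(disk_key, 7, b"1234")           # constructed PIN
    out = {"same_platform": tpm.unseal(blob, b"1234") == ("ok", disk_key)}
    measured_boot(tpm, TAMPERED_CHAIN)              # a modified bootloader changes PCR 7
    out["tampered_boot"] = tpm.unseal(blob, b"1234")[0]
    measured_boot(tpm, GOOD_CHAIN)                  # good platform, but an attacker guessing PINs
    out["guesses"] = [tpm.unseal(blob, pin)[0] for pin in (b"0000", b"1111", b"2222")]
    out["after_lockout"] = tpm.unseal(blob, b"1234")[0]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two things to take from the model: a tampered bootloader is refused without the right PIN even being tried, because the PCR policy is checked first, and three wrong PINs lock the TPM so that even the correct PIN is rejected afterwards. On a real Linux system the equivalent enrollment binds a LUKS volume key to PCR 7 with systemd-cryptenroll (for example --tpm2-device=auto --tpm2-pcrs=7), and the lockout parameters are TPM properties, not something the operating system enforces.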
Incident Response Plan
Preparation - The preparation phase includes all of the work prior to the incident. This may include collecting hardware, installing software, gathering documentation, and managing incident response policies.
Detection - The detection phase includes any method of identifying and determining that an incident may be actively occurring. This process also includes confirming that the threat is legitimate and not a false positive.
Analysis - The analysis phase provides detailed evidence for a security incident. Alarms, alerts, reports, and other feedback can be categorized as analysis.
Containment - Once an incident has been identified, it’s important to prevent the potential spread of any malicious code.
Eradication - Removing any malicious software and patching any vulnerabilities would be part of the eradication process.
Recovery - The recovery phase often includes rebuilding systems and replacing any compromised data.
Lessons learned - After the event is over, it’s useful to document the process and discuss how the incident response process could be more efficient if a similar event occurs in the future.