Play It Safe: Manage Security Risks Flashcards
Fill in the blank: The _____ domain is focused on access and authorization to keep data secure by making sure that users follow established policies to control and manage assets.
asset security
communication and network security
security operations
identity and access management
identity and access management
The identity and access management domain is focused on access and authorization to keep data secure by making sure that users follow established policies to control and manage assets.
What is the focus of the security and risk management domain?
Optimize data security by ensuring effective processes are in place
Define security goals and objectives, risk mitigation, compliance, business continuity, and regulations
Manage and secure wireless communications
Secure physical networks and wireless communications
Define security goals and objectives, risk mitigation, compliance, business continuity, and regulations
The focus of the security and risk management domain is defining security goals and objectives, risk mitigation, compliance, business continuity, and regulations.
In which domain would a security professional conduct security control testing; collect and analyze data; and perform security audits to monitor for risks, threats, and vulnerabilities?
Identity and access management
Communication and network engineering
Security assessment and testing
Security architecture and engineering
Security assessment and testing
In the security assessment and testing domain, a security professional conducts security control testing; collects and analyzes data; and performs security audits to monitor for risks, threats, and vulnerabilities.
Fill in the blank: The _____ domain concerns conducting investigations and implementing preventive measures.
asset security
security operations
software development security
communications and networking engineering
security operations
The security operations domain concerns conducting investigations and implementing preventive measures.
What is a vulnerability?
Any circumstance or event that can negatively impact assets
An organization’s ability to manage its defense of critical assets and data and react to change
Anything that can impact the confidentiality, integrity, or availability of an asset
A weakness that can be exploited by a threat
A weakness that can be exploited by a threat
Fill in the blank: Information protected by regulations or laws is a _____. If it is compromised, there is likely to be a severe negative impact on an organization’s finances, operations, or reputation.
high-risk asset
new-risk asset
low-risk asset
medium-risk asset
high-risk asset
Information protected by regulations or laws is a high-risk asset. If it is compromised, there is likely to be a severe negative impact on an organization’s finances, operations, or reputation.
What are the key impacts of threats, risks, and vulnerabilities? Select three answers.
Damage to reputation
Identity theft
Employee retention
Financial damage
Damage to reputation
Identity theft
Financial damage
Fill in the blank: The steps in the Risk Management Framework (RMF) are prepare, _____, select, implement, assess, authorize, and monitor.
categorize
communicate
reflect
produce
categorize
The steps in the RMF are prepare, categorize, select, implement, assess, authorize, and monitor. In the categorize step, security professionals develop risk-management processes and tasks.
Fill in the blank: Security posture refers to an organization’s ability to react to change and manage its defense of _____ and critical assets.
data
domains
consequences
gaps
data
Which of the following examples are key focus areas of the security and risk management domain? Select three answers.
Store data properly
Follow legal regulations
Maintain business continuity
Mitigate risk
Follow legal regulations
Maintain business continuity
Mitigate risk
How does business continuity enable an organization to maintain everyday productivity?
By exploiting vulnerabilities
By ensuring return on investment
By outlining faults to business policies
By establishing risk disaster recovery plans
By establishing risk disaster recovery plans
Fill in the blank: According to the concept of shared responsibility, employees can help lower risk to physical and virtual security by _____. Select two answers.
recognizing and reporting security concerns
limiting their communication with team members
taking an active role
meeting productivity goals
recognizing and reporting security concerns
taking an active role
A security analyst researches ways to improve access and authorization at their business. Their primary goal is to keep data secure. Which security domain does this scenario describe?
Identity and access management
Asset security
Communication and network security
Security assessment and testing
Identity and access management
Which of the following activities may be part of establishing security controls? Select three answers.
Implement multi-factor authentication
Evaluate whether current controls help achieve business goals
Monitor and record user requests
Collect and analyze security data regularly
Implement multi-factor authentication
Evaluate whether current controls help achieve business goals
Collect and analyze security data regularly
Fill in the blank: The software development security domain involves the use of the software development _____, which is an efficient process used by teams to quickly build software products and services.
lifecycle
functionality
staging
operations
lifecycle
Which of the following statements accurately describe risk? Select all that apply.
A high-risk asset is any information protected by regulations or laws.
Another way to think of risk is the likelihood of a threat occurring.
If compromised, a low-risk asset would have a severe negative impact on an organization’s ongoing reputation.
If compromised, a medium-risk asset may cause some damage to an organization’s ongoing operations.
A high-risk asset is any information protected by regulations or laws.
Another way to think of risk is the likelihood of a threat occurring.
If compromised, a medium-risk asset may cause some damage to an organization’s ongoing operations.
A business experiences an attack. As a result, its critical business operations are interrupted and it faces regulatory fines. What type of consequence does this scenario describe?
Financial
Identity
Reputation
Practical
Financial
Fill in the blank: In the Risk Management Framework (RMF), the _____ step might involve implementing a plan to change password requirements in order to reduce requests to reset employee passwords.
authorize
prepare
categorize
implement
implement
How do security frameworks enable security professionals to help mitigate risk?
They are used to establish laws that reduce a specific security risk.
They are used to create unique physical characteristics to verify a person’s identity.
They are used to establish guidelines for building security plans.
They are used to refine elements of a core security model known as the CIA triad.
They are used to establish guidelines for building security plans.
Security frameworks are used to establish guidelines for building security plans that enable security professionals to help mitigate risk.
Competitor organizations are the biggest threat to a company’s security.
True
False
True
People are the biggest threat to a company’s security. This is why educating employees about security challenges is essential for minimizing the possibility of a breach.
Fill in the blank: Security controls are safeguards designed to reduce _____ security risks.
broadscale
specific
general
public
specific
Security controls are safeguards designed to reduce specific risks.
A security analyst works on a project designed to reduce the risk of vishing. They develop a plan to protect their organization from attackers who could exploit biometrics. Which type of security control does this scenario describe?
Encryption
Ciphertext
Classification
Authentication
Authentication
This describes authentication, which is the process of implementing controls to verify who someone or something is before granting access to specific resources within a system.
What is the CIA triad?
A foundational security model used to set up security policies and systems
A mandatory security framework involving the selection of appropriate controls
A set of security controls used to update systems and networks
Ongoing validation processes involving all employees in an organization
A foundational security model used to set up security policies and systems
The CIA triad is a foundational security model used to set up security policies and systems. The core principles of the model are confidentiality, integrity, and availability.
Which element of the CIA triad specifies that only authorized users can access specific information?
Confidentiality
Confirmation
Integrity
Access
Confidentiality
Confidentiality specifies that only authorized users can access specific information.
A security analyst discovers that certain data is inaccessible to authorized users, which is preventing these employees from doing their jobs efficiently. The analyst works to fix the application involved in order to allow for timely and reliable access. Which element of the CIA triad does this scenario describe?
Applicability
Capacity
Integrity
Availability
Availability
This scenario describes availability. Availability specifies that data is accessible to authorized users.
Fill in the blank: According to the CIA triad, _____ refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.
Integrity
Accuracy
Credibility
Availability
Integrity
According to the CIA triad, integrity refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.
What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?
A set of security controls that help analysts determine what to do if a data breach occurs
Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk
A collection of security principles focused on maintaining confidentiality, integrity, and availability
A required business framework for ensuring security updates and repairs are successful
Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk
The NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
Fill in the blank: The five core functions that make up the CSF are: identify, protect, detect, _____, and recover.
reevaluate
reflect
regulate
respond
respond
The five core functions that make up the CSF are: identify, protect, detect, respond, and recover.
Fill in the blank: The CSF _____ function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.
protect
identify
respond
recover
identify
The CSF identify function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.
What does a security analyst’s work involve during the CSF recover function?
Return affected systems back to normal operation
Protect an organization through the implementation of employee training
Contain, neutralize, and analyze security incidents
Pinpoint threats and improve monitoring capabilities
Return affected systems back to normal operation
During the recover function, a security analyst’s work involves returning affected systems back to normal operation.
A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?
Minimize the attack surface
Defense in depth
Fix security issues correctly
Separation of duties
Minimize the attack surface
This scenario describes minimizing the attack surface.
Fill in the blank: A security _____ is a review of an organization’s security controls, policies, and procedures against a set of expectations.
survey
classification
audit
examination
audit
A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations.
A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?
Controls assessment
Communicating results
Security recommendations
Compliance regulations
Controls assessment
This scenario describes a controls assessment. A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets in order to ensure internal controls and processes are effective.
A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication? Select three answers.
A list of questions for stakeholders to answer
A list of risks and compliance requirements that need to be addressed
A recommendation about how to improve the organization’s security posture
A summary of the audit’s scope and goals
A list of risks and compliance requirements that need to be addressed
A recommendation about how to improve the organization’s security posture
A summary of the audit’s scope and goals
When communicating the results of an internal audit to stakeholders, the communication should include a summary of the audit’s scope and goals; a list of risks and compliance requirements that need to be addressed; and a recommendation about how to improve the organization’s security posture.
What does a security professional use to create guidelines and plans that educate employees about how they can help protect the organization?
Security posture
Security hardening
Security audit
Security framework
Security framework
Fill in the blank: A security professional uses _____ to verify that an employee has permission to access a resource.
admission
authorization
integrity
encryption
authorization
What type of social engineering attack attempts to exploit biometrics?
Spear phishing
Cryptographic attack
Vishing
Whaling
Vishing
You work as a security analyst for a community organization that has large amounts of private data. Which core principle of the CIA triad do you use to ensure private information is kept safe?
Integrity
Availability
Confidentiality
Consistency
Confidentiality
Which of the following statements accurately describe the CSF? Select all that apply.
The identify function of the CSF involves managing cybersecurity risk and its effects on an organization’s people and assets.
The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
The protect function of the CSF involves returning affected systems back to normal operation.
Implementing improvements to a security process is part of the respond function of the CSF.
The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
Implementing improvements to a security process is part of the respond function of the CSF.
A security team has just finished addressing a recent security incident. They now conduct tests to ensure that all of their repairs were successful. Which OWASP principle does this scenario describe?
Separation of duties
Principle of least privilege
Fix security issues correctly
Minimize attack surface area
Fix security issues correctly
What are some of the primary objectives of an internal security audit? Select all that apply.
Help security teams correct compliance issues
Enable security teams to assess controls
Limit traffic on an organization’s firewall
Identify any security gaps or weaknesses within an organization
Help security teams correct compliance issues
Enable security teams to assess controls
Identify any security gaps or weaknesses within an organization
Fill in the blank: The planning elements of an internal security audit include establishing scope and _____, then conducting a risk assessment.
goals
limitations
compliance
controls
goals
A security analyst performs an internal security audit. They determine that the organization needs to install surveillance cameras at various store locations. What are they working to establish?
Technical controls
Administrative controls
Communication controls
Physical controls
Physical controls
What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.
Results and recommendations
A summary of the scope
Questions about specific controls
A list of existing risks
Results and recommendations
A summary of the scope
A list of existing risks
Which log source records events related to websites, emails, and file shares, as well as password and username requests?
Network
Receiving
Server
Firewall
Server
Server logs record events related to websites, emails, and file shares. They include actions such as login requests, password and username requests, and the ongoing use of these services.
Fill in the blank: A security information and _____ management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization.
employee
emergency
event
efficiency
event
A security information and event management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools index and minimize the scope of logs a security professional should manually review and analyze.
A security professional evaluates a software application by reviewing key technical attributes including response time, availability, and failure rate. What are they using to assess performance?
Models
Metrics
Cloud tools
Index standards
Metrics
They are using metrics. Metrics are key technical attributes including response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM dashboards can be customized to display relevant metrics.
Fill in the blank: SIEM tools must be configured and _____ to meet each organization’s unique security needs.
customized
centralized
reviewed
indexed
customized
SIEM tools must be configured and customized to meet each organization’s unique security needs.
A security team wants some of its services to be hosted on the internet instead of local devices. However, they also need to maintain physical control over certain confidential data. What type of SIEM solution should they select?
Self-hosted
Hybrid
Remote
Cloud-hosted
Hybrid
They should select a hybrid solution. Hybrid solutions use a combination of both self- and cloud-hosted SIEM tools to leverage the benefits of the cloud while maintaining physical control over confidential data.
Security information and event management (SIEM) tools provide dashboards that help cybersecurity professionals organize and focus their security efforts.
True
False
True
SIEM tools provide dashboards that help cybersecurity professionals organize and focus their security efforts. This allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner.
Fill in the blank: A _____ SIEM tool is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.
cloud-native
cloud-local
cloud-hardware
cloud-infrastructure
cloud-native
A cloud-native SIEM tool, such as Chronicle, is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.
What are the different types of SIEM tools? Select three answers.
Self-hosted
Cloud-hosted
Hybrid
Physical
Self-hosted
Cloud-hosted
Hybrid
Which of the following statements correctly describe logs? Select three answers.
A record of connections between devices and services on a network is part of a network log.
SIEM tools rely on logs to monitor systems and detect security threats.
A record of events related to employee logins and username requests is part of a server log.
Actions such as username requests are recorded in a network log.
A record of connections between devices and services on a network is part of a network log.
SIEM tools rely on logs to monitor systems and detect security threats.
A record of events related to employee logins and username requests is part of a server log.
What are some of the key benefits of SIEM tools? Select three answers.
Automatic updates customized to new threats and vulnerabilities
Store all log data in a centralized location
Monitor critical activities in an organization
Provide visibility
Store all log data in a centralized location
Monitor critical activities in an organization
Provide visibility
Fill in the blank: To assess the performance of a software application, security professionals use _____, including response time, availability, and failure rate.
metrics
logs
SIEM tools
dashboards
metrics
A security team chooses to implement a SIEM tool that they will install, operate, and maintain using their own physical infrastructure. What type of tool are they using?
Cloud-hosted
Self-hosted
Hybrid
Log-hosted
Self-hosted
You are a security professional, and you want to save time by using a SIEM tool that will be managed by a provider and only be accessible through the internet. What type of tool do you choose?
IT-hosted
Self-hosted
Hybrid
Cloud-hosted
Cloud-hosted
Fill in the blank: SIEM tools are used to search, analyze, and _____ an organization’s log data to provide security information and alerts in real-time.
separate
retain
release
modify
retain
A security analyst receives an alert about hundreds of login attempts from unusual geographic locations within the last few minutes. What can the analyst use to review a timeline of the login attempts, locations, and time of activity?
A network protocol analyzer (packet sniffer)
A playbook
An operating system
A SIEM tool dashboard
A SIEM tool dashboard
Fill in the blank: The wide exposure and immediate access to the source code of open-source tools makes it _____ likely that issues will occur.
less
equally
more
very
less
In the event of a security incident, when would it be appropriate to refer to an incident response playbook?
Throughout the entire incident
Only prior to the incident occurring
At least one month after the incident is over
Only when the incident first occurs
Throughout the entire incident
In the event of a security incident, it is appropriate to refer to an incident response playbook throughout the entire incident. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.
Fill in the blank: During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.
coordination
containment
preparation
detection and analysis
detection and analysis
During the detection and analysis phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.
In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?
Eradication and recovery
Coordination
Post-incident activity
Containment
Post-incident activity
In the post-incident activity phase, a security team documents an incident to ensure that their organization is better prepared to handle future incidents.
What is the relationship between SIEM tools and playbooks?
Playbooks collect and analyze data, then SIEM tools guide the response process.
Playbooks detect threats and generate alerts, then SIEM tools provide the security team with a proven strategy.
They work together to predict future threats and eliminate the need for human intervention.
They work together to provide a structured and efficient way of responding to security incidents.
They work together to provide a structured and efficient way of responding to security incidents.
SIEM tools and playbooks work together to provide a structured and efficient way of responding to security incidents.
Playbooks are permanent, best-practice documents, so a security team should not make changes to them.
True
False
False
Playbooks are living documents, so a security team will make frequent changes, updates, and improvements to address new threats and vulnerabilities.
A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe?
Containment
Eradication and recovery
Post-incident activity
Detection and analysis
Eradication and recovery
This scenario describes eradication and recovery. This phase involves removing the incident’s artifacts and restoring the affected environment to a secure state.
Fill in the blank: Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team.
preparation
detection
coordination
eradication
coordination
Once a security incident is resolved, security analysts perform various post-incident activities and coordination efforts with the security team. Coordination involves reporting incidents and sharing information based on established standards.
Which action can a security analyst take when they are assessing a SIEM alert?
Analyze log data and related metrics
Isolate an infected network system
Restore the affected data with a clean backup
Create a final report
Analyze log data and related metrics
An action that a security analyst can take when they are assessing a SIEM alert is to analyze log data and related metrics. This helps in identifying why the alert was generated by the SIEM tool and determining if the alert is valid.
Which of the following statements accurately describe playbooks? Select three answers.
A playbook can be used to respond to an incident.
A playbook is an essential tool used in cybersecurity.
A playbook is used to develop compliance regulations.
A playbook improves efficiency when identifying and mitigating an incident.
A playbook can be used to respond to an incident.
A playbook is an essential tool used in cybersecurity.
A playbook improves efficiency when identifying and mitigating an incident.
What does a security team do when updating and improving a playbook? Select all that apply.
Refine response strategies for future incidents
Discuss ways to improve security posture
Improve antivirus software performance
Consider learnings from past security incidents
Refine response strategies for future incidents
Discuss ways to improve security posture
Consider learnings from past security incidents
Fill in the blank: Incident response playbooks outline processes for communication and _____ of a security breach.
documentation
implementation
iteration
concealment
documentation
A security analyst reports to stakeholders about a security breach. They provide details based on the organization’s established standards. What phase of an incident response playbook does this scenario describe?
Preparation
Detection and analysis
Eradication and recovery
Coordination
Coordination
Which phase of an incident response playbook is primarily concerned with preventing further damage and reducing the immediate impact of a security incident?
Preparation
Post-incident activity
Containment
Detection and analysis
Containment
Fill in the blank: During the post-incident activity phase, organizations aim to enhance their overall _____ by determining the incident’s root cause and implementing security improvements.
security posture
security audit
user experience
employee engagement
security posture
A security analyst wants to set the foundation for successful incident response. They outline roles and responsibilities of each security team member. What phase of an incident response playbook does this scenario describe?
Post-incident activity
Detection and analysis
Preparation
Containment
Preparation
In what ways do SIEM tools and playbooks help security teams respond to an incident? Select all that apply.
SIEM tools analyze data.
SIEM alerts provide security teams with specific steps to identify and respond to security incidents.
SIEM alerts inform security teams of potential threats.
SIEM tools and playbooks work together to provide an efficient way of handling security incidents.
SIEM tools analyze data.
SIEM alerts inform security teams of potential threats.
SIEM tools and playbooks work together to provide an efficient way of handling security incidents.