5.1/5.2

Question 1

automation

Answer 1

involves generating a single task to run automatically without any human intervention

Automation could involve sending alerts to a security
information and event management (SIEM) system,
dynamically triggering a serverless function at a cloud
provider, or adding a record to a database when a
batch job is run

Question 2

Orchestration

Answer 2

involves managing several or many
automated tasks or processes

Question 3

orchestration (info)

Answer 3

As opposed to focusing on one task, orchestration combines all the individual tasks

Orchestration occurs with various technologies, applications, containers, datasets, middleware,
systems, and more

Question 4

User and resource provisioning

Answer 4

Most modern
enterprises have tightly integrated Joiner and Mover
onboarding and provisioning processes that involve
automation between human resources, legal,
directory services, identity management (IdM), and
inventory engines

Question 5

Guardrails

Answer 5

Cloud providers use JSON policies and Infrastructure as Code (IaC) to enforce least privilege policies and separation of duties to remove
certain application programming interface (API) calls from privileged groups and users

Question 6

Security group firewalls

Answer 6

are layer 3/5 stateful packet
filters applied to either subnets or virtual instances
in hypervisors or cloud

Question 7

Ticket creation and escalation

Answer 7

as part of a service
desk deployment will run scripts and automated
workflow:
* Software-defined networks (SD-LAN, SD-WAN, SDMAN)

Question 8

benefits of automation

Answer 8

• Efficiency and productivity
• Time savings
• Enforcing baselines
• Standard infrastructure configurations
• Secure scalability
• Employee retention
• Reaction time
• Force multiplier

Question 9

single point of failure (SPOF)

Answer 9

is a flaw in the design, configuration, or implementation
of the automation solution:
* If the automation solution is not redundant and
reliable, one loses the overall benefits

Question 10

goals of incident response

Answer 10

Prevent the spread
Reduce the immediate impact
Protect and maintain ongoing operations
Support forensics, e-discovery, and
continuity of operations
Provide after-action reports and lessons learned

Question 11

readication

Answer 11

Potentially unwanted programs (PUPs) can be eradicated by
advanced antivirus and antimalware suites

Question 12

testing incident response

Answer 12

Plan review (read-through)
Tabletop
Walk-through (exercise)
Simulation
Parallel
Full interruption

Question 13

Plan review (read-through):

Answer 13

• Group discussion, plan auditing, and Delphi and
  brainstorming sessions with stakeholders

Question 14

Tabletop:

Answer 14

• Documented plans, diagrams, and logical
  and virtual walk-throughs to eliminate gaps/errors

Question 15

Walk-through (exercise):

Answer 15

• Planned rehearsals and drills
• Performed in stages and by department/building only
• Should find additional gaps to those found during
  plan review and tabletop exercises

Question 16

Simulation:

Answer 16

• Focus on specific scenarios and areas
• Use real business continuity plan (BCP) and disaster
  recovery plan (DRP) resources (recovery sites)
  and teams (swarm simulations)
• Test snapshot recovery and hot spares
• May be the highest-level test that most
  organizations conduct

Question 17

Parallel:

Answer 17

• Conduct a real-world drill while still operating
  business
• Is more resource-intensive than simulations

Question 18

Full interruption:

Answer 18

• Conduct real-world drill while ceasing business
  activities
• Is cost-prohibitive for most organizations

Question 19

Root cause analysis (RCA)

Answer 19

defined as a collective term that describes a wide range of approaches, tools, and techniques
used to uncover causes of problems

a function of the Problem Management IT
service practice

Question 20

root cause

Answer 20

is defined as a factor that introduced a non-conformance in an application, service, or
system

Question 21

RCA steps

Answer 21

define the problem
collect data
identify possible causal factors
identify the root causes
recommend and implement solutions

Question 22

threat hunters

Answer 22

aka “hunt teams”

Involve groups of cyber investigators aggressively
seeking out threats on a network or system

Are often compliance or regulatory auditors

Question 23

cyber kill chain

Answer 23

the succession of steps and phases used during a structured external or internal cyberattack

It is used by penetration testers and threat-hunting teams to better understand advanced persistent threats from exploits and malware attacks

Question 24

why perform digital forensics?

Answer 24

• Laws have been violated
• Organizational policies have been violated
• Systems have been attacked
• Data and identity have been breached
• Intellectual property has been exfiltrated
• Privileged insiders are suspected of crimes
• It is the next incident response phase (root cause
  analysis/problem management)

Question 25

E-discovery

Answer 25

is innovative technology that has
emerged over the last decade to lower the risks and costs associated with big data, especially in litigation
and internal corporate and government investigations

Question 26

The e-discovery process includes four phases:

Answer 26

• Identifying and collecting documents
• Sorting through data by relevance
• Creating production sets
• Managing data

Question 27

order of volatility

Answer 27

1. CPU and its cache
2. Kernel statistics, tables, and caches
3. Memory (RAM)
4. Temporary file systems and swap/slack space
5. Disk drives and volumes
6. Attached removable drives
7. Logged data to a remote location
8. Copies of data to archived media/cloud

Question 28

processing forensic evidence

Answer 28

• Detect encrypted files and volumes
• Discover compressed files and folders
• Perform validation and pattern matching
• Leverage regular expressions and metacharacters in forensic kits
• Filter for suspected user data
• Filter security identifiers (SIDs) on shared systems for privacy reasons
• Perform discovery of hidden data in slack space
• Extract only meaningful data
• Conduct traces and calibrated estimates to determine suspect(s)

Question 29

chain of custody

Answer 29

ensures that the integrity of collected evidence remains intact in its original state

Question 30

two important things of chain custody:

Answer 30

date and time the evidence is collected and the location of artifacts

Question 31

chain of custody involves:

Answer 31

strict procedures for collecting,
handling, and tagging evidence

Provides a history and timeline of
evidence handling

Question 32

chain of custody maintains, provides and prohibits what?

Answer 32

• Maintains evidence integrity
• Provides accountability
• Prohibits tampering

Question 33

legal hold

Answer 33

a process that an organization uses
to retain all forms of pertinent data and information when it reasonably expects some type of litigation against it, or some need for future utility in a court of law

Question 34

forensic reporting

Answer 34

Should have as much information as necessary but not a “data overload”

May need to express in simpler terms or have different reports for different target audiences
* Provide electronic and physical documents of all findings
* Meet with proper authorities and possibly prepare to offer expert testimony
* Provide any needed clarification
* Identify overall impact on business and recommend any countermeasures
* Answer who, what, when, and how – important for court and other proceedings

Question 35

data source logs

Answer 35

firewall
application
endpoint
OS-specific
IPS/IDS
network

Question 36

firewall

Answer 36

can provide traffic data in layer 2
frames up to deep packet application inspection
using different outputs

Question 37

application

Answer 37

for email, web, SharePoint, file,
directory, database servers, and more

Question 38

endpoint

Answer 38

such as Palo Alto Cortex XDR

Question 39

OS-specific

Answer 39

security logs from Windows, UNIX,
Linux, macOS, Solaris

Question 40

IPS/IDS

Answer 40

logs, alerts, dumps, traps, informs

Question 41

network

Answer 41

from infrastructure device, security
appliances, database activity monitors, and more

Question 42

SOAR allows organizations to simplify and aggregate
security operations in three core areas:

Answer 42

• Threat and vulnerability management
• Incident response
• Security operations automation

Question 43

Security automation involves:

Answer 43

performing securityrelated tasks without the need for human
intervention

• It includes defensive detection, response, and
  remediation, or offensive vulnerability assessment
  and penetration testing

Question 44

These categories are then mapped to three types of playbooks for SOAR:

Answer 44

• Manual (series of manual tasks)
• Semi-automated (hybrid of automated and manual subtasks)
• Fully-automated (completely automated)

Question 45

(SOAR) Four types of automation:

Answer 45

• Defensive (anything that tries to prevent the threat or risk)
• Forensic (anything that tries to retrieve additional evidence)
• Offensive (anything proactive that tries to investigate an asset)
• Deception (anything that retrieves or adjusts deception tools)

Question 46

(SOAR) Three different categories of action:

Answer 46

• Enrichment (adding additional configuration management database
  (CMDB) or environment data)
• Escalation (email, ticket escalation, Simple Notification Service (SNS),
  chat/messaging communication)
• Mitigation (the modification of device configuration)

Question 47

security practitioner

Answer 47

must align all security
functions to a business’s strategy, value proposition, charters, goals, mission, and objectives

This alignment must permeate through all organizational processes including governance, steering committee charters, and corporate
initiatives to name a few

Question 48

Security governance typically focuses on three
attributes or characteristics:

Answer 48

• Authority
• Decision-making
• Accountability

Question 49

Security governance

Answer 49

as the rules
that protect the assets and continuity of an
organization

It includes mission statements, charters, declarations of value propositions, policies, standards, and procedures

Question 50

Security governance activities

Answer 50

• Creating a risk register (ledger)
• Aligning security strategy with organizational goals
• Publishing all compliance and regulatory requirements
• Performing a vital role in risk assessment and management:
• Offering guidance into acquiring security controls to reduce risk
• Tracking and recording all compliance and remediation initiatives
• Documenting stakeholder interactions and reporting related
  workflows

Question 51

centralized governance

Answer 51

the higher positions of
management, such as executives and/or the C-suite,
hold the decision-making authority:

• It relies heavily on top-down decision-making

Question 52

decentralized governance

Answer 52

management distributes the decision-making authority throughout the organization:

• Decisions are made closer to the source of action and information
• It is used in flatter, more projectized organizations

Question 53

Board governance defines the roles and
responsibilities of board members and executives in
the form of a:

Answer 53

• Working board
• Governing board
• Advisory board

Question 54

board of directors (BOD)

Answer 54

the governing body of an organization or company, whose members are
elected by shareholders (in the case of public
companies)

** Every public company must have a board of directors

Question 55

The duties of the board of directors include:

Answer 55

setting strategy, overseeing executive management, and protecting the interests
of shareholders, bondholders, and other
stakeholders

Question 56

steering committee

Answer 56

a group of key
organizational stakeholders that makes determinations regarding an organization’s priorities
or order of business, and manages its operations
general counsel

Question 57

goal of a steering committee is to:

Answer 57

oversee and
support a project from the management level

Question 58

Information Security Committee exists to:

Answer 58

offer recommendations to executive management and
team leads concerning security efforts undertaken

Question 59

Cybersecurity and Infrastructure Security Agency (CISA)

Answer 59

leads the national effort to understand, manage, and reduce risk to
our cyber and physical infrastructure

Question 60

United States Customs and Border Protection (CBP)

Answer 60

has the
mission to keep terrorists and their weapons out of the U.S.
along with securing trade and travel while enforcing regulations,
including immigration and drug laws

Question 61

Office of Homeland Security Situational Awareness (OSA)

Answer 61

provides operations coordination, information sharing,
situational awareness, common operating picture, and executes
the DHS Secretary’s responsibilities across the homeland
security enterprise

Question 62

Office of Intelligence and Analysis (I&A)

Answer 62

assists the Homeland
Security Enterprise with the timely intelligence and information
it needs to keep the homeland safe, secure, and resilient

Question 63

Physical and logical asset owners may:

Answer 63

• Determine the classification level
• Conduct labeling and tagging
• Grant additional shares and rights

Question 64

Custodians (controllers)

Answer 64

• They should maintain the assets from a technical and operational perspective
• Custodians often interact directly with owner stakeholders and answer to executive managers (C-suite)
  responsible for

Question 65

custodians often responsible for:

Answer 65

ensuring confidentiality,
integrity, authenticity, availability and non-repudiation of assets

Question 66

stewards

Answer 66

• Will manage assets from a business perspective
• May interface with other departments such as legal,
  human resources, mobile application, and digital asset managers
• Are more likely to deal directly with internal and external customers and stakeholders

Question 67

stewards ensure:

Answer 67

compliance (standards and controls)
and data quality

Question 68

officers are responsible for:

Answer 68

due diligence and adherence to
security governance

• They will often answer to steering committees and various boards
  such as the BOD

Question 69

Regulatory compliance

Answer 69

describes the actions an organization takes to comply with those rules and policies as part of its operations

Question 70

best practices and guidelines are

Answer 70

e like standards, but
are more flexible and not usually mandatory

Question 71

standards allow:

Answer 71

information technology staff to
be consistent and systematic

Question 72

Standards specify:

Answer 72

use of specific technologies
in a uniform way, because no one individual
practitioner can know everything

Question 73

standards help to provide:

Answer 73

consistency in the enterprise,
because it is unreasonable to support multiple
versions of hardware and software unless
necessary

usually mandatory

Question 74

policies establish:

Answer 74

a general framework within which to work and a guiding direction to take in the future

Question 75

The function of a policy is to:

Answer 75

classify guiding
principles, direct behavior, and offer stakeholder
guidance and a security control implementation
roadmap

Question 76

Sanctioned policy:

Answer 76

• The policy has the support of executive
  management
• It requires visible participation and action,
  ongoing communication and championing,
  investment, and prioritization

Question 77

Applicable policy:

Answer 77

• The policy is applicable to the organization
• Strategically, the information security policy must support the guiding principles and goals of the organization
• Tactically, it must be relevant to those who must comply

Question 78

Realistic policy:

Answer 78

• The policy can be effectively executed
• Policies must represent the actual environment in
  which they will be deployed
• Information security policies and procedures should only express what is achievable
• If the policy is to advance the organization’s guiding
  principles, one can also assume that a positive
  outcome is anticipated

Question 79

A policy should never:

Answer 79

set up constituents for
failure but instead should offer a clear track for
success

Question 80

Flexible policy:

Answer 80

• The policy can accommodate change and be adapted if necessary
• An adaptable information security policy recognizes that information security is not a static, point-in-time endeavor, but rather an ongoing
  process designed to support the organizational mission

Question 81

Comprehensive policy:

Answer 81

• The policy scope includes all relevant parties - it is inclusive

Question 82

An information security policy must consider:

Answer 82

• Organization objectives
• International law
• Cultural norms of its employees
• Business partners, suppliers, and customers
• Environmental impacts
• Global cyber threats

Question 83

Enforceable policy:

Answer 83

• The policy is statutory and is enforced
• Enforceable means that administrative, physical, or
  technical controls can be put in place to support the
  policy
• Compliance can be measured and, if necessary,
  appropriate sanctions applied

Question 84

Enforcement stages should be well-documented:

Answer 84

• Verbal reprimand
• Written warning
• Punitive actions
• Temporary suspension
• Permanent termination
• Legal actions

Question 85

Standard and policy examples:

Answer 85

• Password
• Access control
• Physical security
• Encryption
• Information security
• Business continuity
• Disaster recovery
• Incident response
• Software development life cycle (SDLC)
• Change management
• Acceptable Use Policy (AUP)

Question 86

Acceptable Use Policy (AUP)

Answer 86

Identifies how employees are expected to
use resources in the organization

Question 87

AUP defines rules of behavior/code of conduct:

Answer 87

• Use proper and acceptable language
• Avoid illegal activities
• Avoid disturbing or disrupting other
  systems
• Do not reveal personal information
• Do not reveal confidential information

Question 88

Sample AUP categories

Answer 88

• Mobile device policy
• Virtual private network (VPN)/software-defined
  perimeter (SDP) usage
• Operating systems and software
• Social media
• Removable media
• Augmented reality
• Personal cloud storage
• Clean desk

Question 89

Procedures

Answer 89

usually required and are the lowest level of the policy chain

Procedure documents are longer and more
detailed than standards and guidelines documents

Question 90

Standard operating procedure (SOP)

Answer 90

Are step-by-step instructions that define how workers carry out routine tasks

Question 91

SOP can greatly improve:

Answer 91

• Efficiency
• Quality
• Performance
• Communication
• Compliance with regulations

Question 92

SOP considerations

Answer 92

-Offer all the steps needed to complete the
process
-Describe the purpose and limits of
procedures
-Clarify concepts and terminology
-Consider health and safety issues
-List the location of all necessary supplemental resources

Question 93

change management practice (change control practice)

Answer 93

reduces risk in security
policy by delivering a systematic approach to assess and manage proposed and subsequent changes

Question 94

what three changes does change control practice help?

Answer 94

• Normal changes (passwords)
• Standard changes (lap tops replaced)
• Emergency changes (RFC, service desk)

Question 95

what does change control practice assure?

Answer 95

that changes are carefully assessed for
possible impacts on project scope, schedule, and resources, allowing for informed decisions

Question 96

onboarding (provisioning)

Answer 96

Provides assets, guidance, knowledge, skills, and
behavior needed for associated job roles:

• Videos, printed material, computer-based training
  (CBT), lectures, formal and informal meetings, and
  mentors