601-650 Flashcards
Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?
A. Compensating control
B. Network segmentation
C. Transfer of risk
D. SNMP traps
A. Compensating control
Community: A 64%, B 36%
Here’s why:
Compensating control: A security measure implemented to satisfy the requirements of a security policy that cannot be met with the primary control. Here, allowing connections only from specific internal IP addresses serves as a compensating control on a legacy system that may not support more modern security measures.
Network segmentation: Dividing a network into smaller segments or subnetworks to improve security and manageability. Controlling access by IP address can be part of segmentation, but the scenario describes a host-based firewall, not the overall network architecture.
Transfer of risk: Shifting risk to another party, typically through insurance or outsourcing. A host-based firewall rule does not transfer risk; it mitigates it.
SNMP traps: Simple Network Management Protocol (SNMP) traps are notifications sent from a network device to a management system to flag a significant event. They are unrelated to firewall rules or access control.
Therefore, the implementation of specific internal IP address allowances in a host-based firewall on a legacy Linux system is best described as a Compensating Control.
(Brain dump: B. Network segmentation)
An attacker tricks a user into providing confidential information. Which of the following describes this form of malicious reconnaissance?
A. Phishing
B. Social engineering
C. Typosquatting
D. Smishing
B. Social engineering
Here’s why:
Phishing: A specific type of social engineering attack in which the attacker sends fraudulent emails or messages that appear to come from a legitimate source, aiming to trick the user into providing confidential information. Phishing is a subset of social engineering; the broader term better fits the general act of tricking users.
Social engineering: Encompasses a wide range of manipulative tactics used to deceive individuals into divulging confidential information, including phishing, pretexting, baiting, and other methods that exploit human psychology.
Typosquatting: Registering domain names similar to legitimate websites, relying on common typing errors by users. It aims to lure users to a malicious website but does not directly involve tricking them into providing information through direct interaction.
Smishing: A form of phishing that uses fraudulent SMS (text) messages to trick users into providing confidential information. It is a specific type of social engineering attack delivered over SMS.
Given that the question refers to the broader concept of tricking a user into providing confidential information, Social Engineering is the most accurate answer.
A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional under-voltage events that could last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the best solution to reduce the risk of data loss?
A. Dual supply
B. Generator
C. PDU
D. Daily backups
B. Generator
Here’s why:
Dual supply: A dual power supply provides redundancy in the power source, but if both sources are affected by the same power disruptions or intentional under-voltage events, this alone may not be sufficient.
Generator: A generator provides a reliable backup power source during extended outages or intentional under-voltage events, allowing critical systems to keep operating for longer periods and reducing the risk of data loss.
PDU (Power Distribution Unit): A PDU distributes power efficiently to multiple devices but does not address power outages or under-voltage events.
Daily backups: Backups are essential for data recovery and for minimizing data loss, but they do not prevent disruption of real-time operations or the loss of data written between backups during an extended outage.
Given the scenario with frequent brief outages and the high risk of longer intentional under-voltage events, implementing a Generator would provide continuous power during these disruptions, thereby ensuring the operation of data centers and reducing the risk of data loss.
Which of the following examples would be best mitigated by input sanitization?
A. <script>alert("Warning!");</script>
B. nmap -p- 10.11.1.130
C. Email message: “Click this link to get your free gift card.”
D. Browser message: “Your connection is not private.”
A. <script>alert("Warning!");</script>
Here’s why:
<script>alert("Warning!");</script>: An example of a Cross-Site Scripting (XSS) payload, where malicious script is injected into web pages viewed by other users. Input sanitization prevents such attacks by ensuring that user-provided input is properly encoded and does not contain executable code.
nmap -p- 10.11.1.130: A network scanning command. It represents a potential security risk, but it relates to network security and is mitigated through network access controls and monitoring rather than input sanitization.
Email message: "Click this link to get your free gift card.": A phishing attack. Mitigating phishing typically involves user education, email filtering, and anti-phishing technologies rather than input sanitization.
Browser message: "Your connection is not private.": Indicates a potential SSL/TLS certificate issue or a man-in-the-middle attack. Addressing it involves proper SSL/TLS configuration and certificate management, not input sanitization.
Therefore, input sanitization is most directly applicable to mitigating the risk posed by the <script>alert("Warning!");</script> example.
An organization would like to store customer data on a separate part of the network that is not accessible to users on the main corporate network. Which of the following should the administrator use to accomplish this goal?
A. Segmentation
B. Isolation
C. Patching
D. Encryption
A. Segmentation
Here’s why:
Segmentation: Network segmentation divides a network into smaller, distinct subnetworks or segments. An administrator can place customer data on a separate segment that is not accessible from the main corporate network, enhancing security and reducing the risk of unauthorized access.
Isolation: Similar to segmentation, but isolation typically refers to completely separating systems so they have no connectivity. While effective, it is more extreme and less flexible than segmentation, which allows controlled, secure interactions between segments when needed.
Patching: Updating software to fix vulnerabilities and improve security. Important for maintaining system security, but it does not address the need to separate and restrict access to customer data within the network.
Encryption: Protects data by making it unreadable to unauthorized users. Crucial for data at rest and in transit, but it does not solve the problem of network access control and separation of data storage.
Therefore, Segmentation is the best approach to achieve the goal of storing customer data on a separate part of the network that is not accessible to users on the main corporate network.
(Brain dump: B. Isolation)
A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?
A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading
C. Jailbreaking
Here’s why:
Cross-site scripting (XSS): Injecting malicious scripts into web pages viewed by other users. Not directly related to modifying the operating system on mobile devices.
Buffer overflow: Occurs when more data is written to a buffer than it can hold, potentially leading to arbitrary code execution. Serious, but not specifically addressed by prohibiting modifications to the mobile operating system.
Jailbreaking: Removing the restrictions imposed by the operating system on a mobile device, typically to allow installation of unauthorized applications or modifications. Prohibiting OS modifications directly addresses the risk of jailbreaking, which can expose devices to security vulnerabilities and malicious software.
Side loading: Installing applications from unofficial sources outside the official app store. Related to security, but it concerns how applications are installed rather than modifying the operating system itself.
Therefore, the organization is addressing the vulnerability of Jailbreaking by adding this clause to its AUP.
A company is expanding its threat surface program and allowing individuals to security test the company’s internet-facing application. The company will compensate researchers based on the vulnerabilities discovered.
Which of the following best describes the program the company is setting up?
A. Open-source intelligence
B. Bug bounty
C. Red team
D. Penetration testing
B. Bug bounty
Here’s why:
Open-source intelligence (OSINT): Collecting and analyzing publicly available information to identify potential security threats. It does not typically involve compensating individuals for discovering specific vulnerabilities in an application.
Bug bounty: A bug bounty program invites individuals, often external security researchers, to test the company's applications for vulnerabilities and compensates them based on the vulnerabilities they discover and report. This matches the scenario.
Red team: Security professionals who simulate real-world attacks to test an organization's defenses. Red teaming is comprehensive, but it is usually conducted by an internal or contracted team rather than through an open program with external participants.
Penetration testing: Authorized, simulated attacks on a system to identify security weaknesses, typically conducted by hired security professionals or specialized firms, not through an open call to external researchers paid per discovered vulnerability.
Therefore, the program described in the scenario is a Bug bounty program.
An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)
A. Application
B. Authentication
C. Error
D. Network
E. Firewall
F. System
(Community: DE 63%, DF 19%, BD 19%)
Network logs (Option D): These logs can help identify network connections to the command-and-control server and provide information about source IP addresses (the impacted host) and destination IP addresses (the command-and-control server).
Firewall logs (Option E): Firewall logs also track network traffic and can provide valuable information about source and destination IP addresses, helping identify the impacted host and its communication with the command-and-control server.
ChatGPT:
D. Network
E. Firewall
Here’s why:
Network logs: Contain information about network traffic, including connections made to and from internal and external IP addresses. Analyzing them can identify communications between the impacted host and the command-and-control (C2) server.
Firewall logs: Record allowed and blocked network traffic. They can reveal unauthorized or suspicious connections to external IP addresses associated with the C2 server, helping pinpoint the affected host.
The other options are less relevant in this context:
Application logs: Track events related to specific applications, which might not directly reveal communication with a C2 server unless the application itself is compromised.
Authentication logs: Track login attempts and authentication events. Useful for identifying unauthorized access, but less likely to directly reveal communication with a C2 server.
Error logs: Capture errors and warnings generated by systems and applications. Not typically focused on network activity or communications.
System logs: Include a variety of system-level events and operations. Useful for understanding overall system activity, but less likely to directly indicate C2 communications than network and firewall logs.
Therefore, Network and Firewall logs are the most relevant for identifying the impacted host in a command-and-control server incident.
An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory
B. Retention
Here’s why:
Compromise: Generally refers to a security incident in which data has been accessed or altered without authorization. Not related to archiving information for a specific time period.
Retention: Data retention policies define how long different types of data must be kept before being deleted or archived. Ensuring customer transaction information is archived for the proper time period is directly a retention matter.
Analysis: Examining data to extract useful information and insights. Does not involve archiving data for specific time periods.
Transfer: Data transfer policies govern the movement of data between locations or systems. Not directly related to archiving data for compliance purposes.
Inventory: Keeping a catalog of all data assets within an organization. Important for knowing what data exists, but it does not address how long data should be kept or archived.
Therefore, the administrator is carrying out a Retention policy by ensuring information about customer transactions is archived for the proper time period.
Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company’s final software releases? (Choose two.)
A. Unsecure protocols
B. Use of penetration-testing utilities
C. Weak passwords
D. Included third-party libraries
E. Vendors/supply chain
F. Outdated anti-malware software
D. Included third-party libraries
E. Vendors/supply chain
Here’s why:
Unsecure protocols: Insecure protocols can lead to vulnerabilities, but they are not vectors for the inclusion of vulnerable code in software releases; they concern communication security.
Use of penetration-testing utilities: These tools are used to test for vulnerabilities, not to introduce them. Improper use could expose vulnerabilities, but they are not a primary vector for including vulnerable code in final releases.
Weak passwords: A risk for unauthorized access, but not directly related to the inclusion of vulnerable code in software releases.
Included third-party libraries: Using third-party libraries is common in software development, but these libraries can contain vulnerabilities or malicious code that is unintentionally shipped in the final release.
Vendors/supply chain: The software supply chain involves multiple vendors and sources that contribute to the final product. Vulnerabilities or malicious code can be introduced through these external entities, intentionally or unintentionally.
Outdated anti-malware software: Increases the risk of infection and attacks, but it is not directly related to the inclusion of vulnerable code in software releases.
Therefore, the most likely vectors are Included third-party libraries and Vendors/supply chain.
An organization has a growing workforce that is mostly driven by additions to the sales department. Each newly hired salesperson relies on a mobile device to conduct business. The Chief Information Officer (CIO) is wondering if the organization may need to scale down just as quickly as it scaled up. The CIO is also concerned about the organization’s security and customer privacy. Which of the following would be BEST to address the CIO’s concerns?
A. Disallow new hires from using mobile devices for six months.
B. Select four devices for the sales department to use in a CYOD model.
C. Implement BYOD for the sales department while leveraging the MDM.
D. Deploy mobile devices using the COPE methodology.
(Brain dump: C. Implement BYOD for the sales department while leveraging the MDM.)
(Community: C 78%, D 17%)
BYOD (Bring Your Own Device) allows employees to use their own mobile devices for work, which can reduce costs and increase productivity. MDM software can be used to manage and secure the devices, ensuring that they are compliant with policies and that sensitive data is protected.
(ChatGPT)
D. Deploy mobile devices using the COPE (Corporate-Owned, Personally-Enabled) methodology.
Here’s why COPE is a suitable choice:
COPE methodology: COPE lets the organization keep control of the mobile devices while still allowing employees to use them for both work and personal purposes. The devices are owned and managed by the organization, which strengthens security and privacy controls.
Security and privacy: With COPE, the organization can enforce security policies and configurations on the devices, ensuring they meet compliance requirements and protect customer data. This mitigates the risks of personal devices (BYOD) or employee device selection (CYOD).
Scalability: COPE scales because the organization can manage a fleet of corporate-owned devices as the workforce grows or shrinks, with streamlined provisioning, management, and decommissioning of devices as needed.
Comparatively:
Disallowing new hires from using mobile devices for six months (Option A) would hinder productivity and is neither scalable nor sustainable in a modern business where mobility is essential.
Selecting four devices for the sales department in a Choose Your Own Device (CYOD) model (Option B) limits flexibility and might not address security concerns as effectively as COPE.
Implementing Bring Your Own Device (BYOD) for the sales department (Option C) introduces more security risk because of device diversity and the limited control over employee-owned devices, even with Mobile Device Management (MDM).
Therefore, deploying mobile devices using the COPE methodology is the best option to balance security, privacy, scalability, and flexibility for the growing sales department within the organization.
A company has limited storage space available and an online presence that cannot be down for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited available storage space?
A. Implement full tape backups every Sunday at 8:00 p.m. and perform nightly tape rotations.
B. Implement differential backups every Sunday at 8:00 p.m. and nightly incremental backups at 8:00 p.m.
C. Implement nightly full backups every Sunday at 8:00 p.m.
D. Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.
D. Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m.
Here’s why this option is the most suitable:
Full backups: A full backup every Sunday captures a complete copy of the database weekly and serves as the baseline for recovery.
Nightly differential backups: Differential backups capture all changes since the last full backup. They are faster to perform and require less storage than full backups. Restoring the full backup followed by the latest differential is faster than restoring a chain of incremental backups.
Fastest restore time: The company restores the last full backup and then applies the latest differential backup. Only the changes since the last full backup need to be applied, which minimizes restore time.
Limited storage space: Full backups consume more storage, but taking them weekly and complementing them with nightly differentials balances storage requirements against recovery speed. Incremental backups, as in option B, would require applying every incremental backup since the last full backup during a restore, lengthening the restore time compared to differentials.
Therefore, option D (full backups every Sunday and nightly differential backups) is the best choice for achieving the fastest database restore time while managing limited storage space effectively.
A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?
A. SIEM
B. DLP
C. CASB
D. SWG
C. CASB (Cloud Access Security Broker)
Here’s why CASB is the most appropriate choice:
Security: CASB solutions are specifically designed to provide security controls and policies for cloud applications and services, enforcing policies such as data encryption, access control, and threat protection across multiple cloud platforms.
Manageability: CASB solutions offer centralized visibility and management of cloud services, with insight into user activity, data usage patterns, and potential threats across all integrated platforms.
Visibility: CASB solutions monitor and audit activity across SaaS and IaaS platforms, producing detailed logs and reports that help identify compliance issues, anomalous behavior, and unauthorized access attempts.
Comparatively:
SIEM (Security Information and Event Management) solutions aggregate and analyze security event data from sources across an organization's IT infrastructure. Valuable for overall security monitoring, but they do not provide controls or visibility tailored to cloud applications and services.
DLP (Data Loss Prevention) solutions protect sensitive data by monitoring and preventing its unauthorized disclosure. Important, but DLP focuses on data protection rather than managing and securing cloud services.
SWG (Secure Web Gateway) solutions control and secure web traffic, enforcing browsing policies and filtering malicious content. They are not designed to provide comprehensive security and management for cloud applications and services.
Therefore, CASB would be the best solution to provide security, manageability, and visibility into the SaaS and IaaS platforms used by the startup company.
Which of the following technical controls is BEST suited for the detection and prevention of buffer overflows on hosts?
A. DLP
B. HIDS
C. EDR
D. NIPS
(Community: C 82%, B 18%)
C. “…buffer overflows on hosts.” EDR is Endpoint Detection and Response. HIDS cannot prevent any buffer overflows.
ChatGPT
C. EDR (Endpoint Detection and Response)
Here’s why EDR is the most appropriate choice:
Endpoint Detection and Response (EDR): EDR solutions monitor and analyze endpoint activity in real time. They can detect suspicious behavior indicative of buffer overflow attacks by monitoring system calls, process execution, and memory usage.
Buffer overflows: A buffer overflow occurs when a program writes data beyond the allocated buffer, potentially leading to code execution or crashes that attackers can exploit. EDR solutions can detect abnormal memory usage patterns and unauthorized changes to memory segments that indicate overflow attempts.
Comparatively:
DLP (Data Loss Prevention) focuses on preventing the unauthorized transmission of sensitive data and is not designed to detect or prevent buffer overflow attacks.
HIDS (Host-based Intrusion Detection System) can detect unauthorized access or changes to files, but it may not provide the behavioral analysis needed to detect and prevent buffer overflows.
NIPS (Network Intrusion Prevention System) monitors network traffic and prevents network-based attacks, such as DDoS or network-based exploits, rather than detecting and preventing buffer overflows on individual hosts.
Therefore, EDR is the best technical control suited for the detection and prevention of buffer overflows on hosts, due to its capabilities in real-time monitoring, behavioral analysis, and response to endpoint activities.
A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries. The consultant will be using a service account to scan systems with administrative privileges on a weekly basis, but there is a concern that hackers could gain access to the account and pivot throughout the global network.
Which of the following would be BEST to help mitigate this concern?
A. Create different accounts for each region, each configured with push MFA notifications.
B. Create one global administrator account and enforce Kerberos authentication.
C. Create different accounts for each region, limit their logon times, and alert on risky logins.
D. Create a guest account for each region, remember the last ten passwords, and block password reuse.
(Brain dump: C. Create different accounts for each region, limit their logon times, and alert on risky logins.)
(Community: C 70%, A 30%)
C - it’s a service account, can’t MFA
ChatGPT
A. Create different accounts for each region, each configured with push MFA notifications.
Here’s why this option is the most effective:
Multiple accounts: Separate accounts for each region limit the scope of access. Compromising one account would not grant access to systems in other regions, reducing the potential impact of a breach.
MFA (Multi-Factor Authentication) with push notifications: MFA adds a layer of security beyond the password. Push notifications require a user to approve access attempts on their mobile device, reducing the risk of unauthorized access even if the credentials are compromised.
Regional segmentation: Limiting accounts to specific regions helps contain breaches and reduces the attack surface across the global network.
Comparatively:
Option B (one global administrator account with Kerberos authentication) increases risk because compromising that single account would provide unrestricted access across all regions.
Option C (different accounts per region, limited logon times, alerts on risky logins) is better than a single global account but does not address multi-factor authentication, which is highly effective at preventing unauthorized access.
Option D (a guest account per region, remembering the last ten passwords, blocking password reuse) focuses on password management rather than access control and does not provide separate regional accounts with MFA.
Therefore, Option A (Create different accounts for each region, each configured with push MFA notifications) is the best choice to mitigate the concern of unauthorized access to the vulnerability scanner service account and potential pivoting throughout the global network.
While troubleshooting a firewall configuration, a technician determines that a “deny any” policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue?
A. Documenting the new policy in a change request and submitting the request to change management
B. Testing the policy in a non-production environment before enabling the policy in the production network
C. Disabling any intrusion prevention signatures on the “deny any” policy prior to enabling the new policy
D. Including an “allow any” policy above the “deny any” policy
B. Testing the policy in a non-production environment before enabling the policy in the production network.
Here’s why this option is the most appropriate:
Testing in a non-production environment: Before implementing major changes, especially a "deny any" policy that blocks all traffic not matched by an earlier rule, the change should be tested in a controlled, non-production environment. This lets the technician observe unintended consequences, such as servers becoming unreachable, without impacting live services.
Change management: Documenting the change request and submitting it to change management (Option A) is important for documentation and accountability, but it does not directly prevent the immediate impact on production servers. Testing in a non-production environment identifies and resolves issues before they affect live services.
Disabling intrusion prevention signatures (Option C) is not relevant here; it pertains to a different security control and does not address the root cause of the servers becoming unreachable.
Including an "allow any" policy above the "deny any" policy (Option D) negates the "deny any" policy and compromises security, because it allows all traffic regardless of the remaining ACL rules.
Therefore, testing the policy in a non-production environment (Option B) is the most effective action to take to prevent the issue of servers becoming unreachable while troubleshooting firewall configurations. This approach ensures that changes are validated and any unintended consequences are addressed before applying them in a production network.
A network technician is installing a guest wireless network at a coffee shop. When a customer purchases an item, the password for the wireless network is printed on the receipt so the customer can log in. Which of the following will the technician MOST likely configure to provide the highest level of security with the least amount of overhead?
A. WPA-EAP
B. WEP-TKIP
C. WPA-PSK
D. WPS-PIN
C. WPA-PSK (Wi-Fi Protected Access - Pre-Shared Key)
Here’s why WPA-PSK is the most suitable choice:
Ease of configuration: WPA-PSK is straightforward to configure and manage. The same pre-shared key (password) is used by all clients on the guest network, which fits printing the password on receipts.
Security: WEP (Wired Equivalent Privacy) and WPS (Wi-Fi Protected Setup) are less secure and have known vulnerabilities; WPA-PSK provides stronger encryption and authentication, so unauthorized users cannot easily join without the shared key.
Overhead: WPA-PSK requires no additional infrastructure or server-side configuration (unlike WPA-EAP, which needs a RADIUS server for authentication), making it a low-overhead solution suited to a coffee shop.
Comparatively:
WPA-EAP (Wi-Fi Protected Access - Extensible Authentication Protocol) involves a more complex setup with a RADIUS server and provides individualized credentials for each user, which is more suitable for enterprise environments than for a coffee shop setting.
WEP-TKIP (Wired Equivalent Privacy - Temporal Key Integrity Protocol) is an outdated protocol with significant security weaknesses and should not be used to secure modern wireless networks.
WPS-PIN (Wi-Fi Protected Setup - Personal Identification Number) is a simplified method for connecting devices to a wireless network, but it is also vulnerable to attacks and is not suitable for providing the highest level of security.
Therefore, WPA-PSK is the best choice to provide a balance of security, ease of configuration, and minimal overhead for securing the guest wireless network at the coffee shop.
Which of the following ISO standards is certified for privacy?
A. ISO 9001
B. ISO 27002
C. ISO 27701
D. ISO 31000
C. ISO 27701
Here’s why:
ISO 27701: This standard specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It is an extension to ISO 27001 (Information Security Management System) and ISO 27002 (Code of practice for information security controls), focusing specifically on privacy management.
ISO 9001: This standard pertains to quality management systems and does not specifically address privacy management.
ISO 27002: This standard provides guidelines and best practices for information security controls, but it does not focus exclusively on privacy management.
ISO 31000: This standard provides principles and guidelines for risk management, applicable across various organizational contexts, but it does not specifically address privacy management.
Therefore, ISO 27701 is the ISO standard that is certified for privacy, as it specifically deals with Privacy Information Management Systems (PIMS) and extends the requirements of ISO 27001 to include privacy controls.
An organization suffered an outage, and a critical system took 90 minutes to come back online. Though there was no data loss during the outage, the expectation was that the critical system would be available again within 60 minutes. Which of the following is the 60-minute expectation an example of?
A. MTBF
B. RPO
C. MTTR
D. RTO
D. RTO (Recovery Time Objective)
Here’s why:
Recovery Time Objective (RTO): RTO is the targeted duration within which a business process or system must be restored after a disruption (such as an outage or failure) in order to avoid unacceptable consequences. In this case, the organization expected the critical system to be back online within 60 minutes to meet business continuity requirements.
Mean Time Between Failures (MTBF): MTBF refers to the average time between failures of a system or component. It measures reliability rather than recovery time.
Recovery Point Objective (RPO): RPO specifies the maximum tolerable amount of data loss, expressed as a period of time before a disruption. It focuses on data recovery rather than system recovery time.
Mean Time to Repair (MTTR): MTTR measures the average time taken to repair a failed component or system and restore it to normal operational status. It describes the time actually spent repairing a system during an outage, rather than the target set for recovery.
Therefore, RTO accurately describes the expectation of having the critical system back online within 60 minutes after the outage, aligning with business continuity and operational requirements.
A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company’s executives. Which of the following intelligence sources should the security analyst review?
A. Vulnerability feeds
B. Trusted automated exchange of indicator information
C. Structured threat information expression
D. Industry information-sharing and collaboration groups
D. Industry information-sharing and collaboration groups
Here’s why this option is the most appropriate:
Industry Information-Sharing and Collaboration Groups: These groups facilitate the exchange of threat intelligence and best practices among organizations within the same industry or sector. They often provide timely information about emerging threats, attack trends, and specific targeting tactics observed in the industry. This can help the security analyst stay informed about potential threats targeting executives and tailor defenses accordingly.
Comparatively:
Vulnerability Feeds (Option A) primarily provide information about software vulnerabilities and patches rather than specific threat intelligence related to targeted attacks on executives.
Trusted Automated Exchange of Indicator Information (Option B) refers to automated systems that share indicators of compromise (IOCs) and threat data between trusted entities. While useful for detecting known threats, it may not focus specifically on executive-level threats.
Structured Threat Information Expression (STIX) (Option C) is a standardized language for expressing threat information but does not in itself provide intelligence specific to executive-level attacks.
Therefore, industry information-sharing and collaboration groups are the most relevant intelligence sources for the security analyst to understand and mitigate potential threats targeting the company’s executives effectively.