Chapter 1: Security Principles

Question 1

Understanding and prioritizing risks, using governance and elements to lead and organize the cybersecurity operation

Answer 1

Risk Management

Question 2

Secret of information with asset being protected

Answer 2

Confidentiality

Question 3

Provide confidentiality

Answer 3

Access Controls

Question 4

Another method of confidentiality that makes data unreadable except to authorized persons

Answer 4

Cryptography

Question 5

Ensures data is not changed by unauthorized users. Hashes are used for protection.

Answer 5

Integrity

Question 6

Attacks known as DoS Attacks

Answer 6

Availability

Question 7

Make sure a website is able to operate for their customers

Answer 7

Availability

Question 8

Something you know (password)

Answer 8

Type 1 Verification

Question 9

Something you have (smart card)

Answer 9

Type 2 Verfiication

Question 10

Something you are (biometric fingerprint)

Answer 10

Type 3 Verification

Question 11

Refers to the measure of the information security, verifies the (CIA) of data and assets

Answer 11

Information Assurance

Question 12

Gather as much information as possible to carry out attack

Answer 12

Conduct Research (Cyberattack Step 1)

Question 13

Identify organization’s info assets and vulnerabilities that can be exploited

Answer 13

Identity Targets (Cyberattack Step 2)

Question 14

Attacker designs and executes the attack while gaining unauthorized access to the enterprise

Answer 14

Exploit Targets (Cyberattack Step 3)

Question 15

Gain deeper access and attack more, resulting in stealing personal info and credit card data

Answer 15

Do Bad Things (Cyberattack Step 4)

Question 16

Compromise of confidentiality

Answer 16

Stealing Data

Question 17

Compromise of integrity

Answer 17

Modifying Data

Question 18

Compromise of availability

Answer 18

Destroying data/disrupting environment

Question 19

First step an organization will take to understand threats, discipline of how an organization chooses & implements the right level of security protecting the organization.

In business environment, they protect assets and threats from occurring in a risk management process, deciding on how much to spend on security based on tolerance for risk

Answer 19

Risk Management

Question 20

Where setting up improper file permissions/configure admin accounts w/default passwords

Answer 20

Misconfigured Devices

Question 21

One of the weakest links in cybersecurity

Answer 21

Human vulnerabilities

Question 22

Potentially damaging event with exploitation of a vulnerability

Answer 22

Threat

Question 23

Attempt to destroy or disrupt a computer system or network

Answer 23

Cyberattacks

Question 24

Attempts to influence a person to do something that may not be in their best interest

Answer 24

Social Engineering

Question 25

Exploit vulnerabilities

Answer 25

Threat Actors

Question 26

Likelihood that a vulnerability could be exploited and the corresponding impact of such an event

Answer 26

Risk

Question 27

Potential that a security breach can occur

Answer 27

Risk Exposure

Question 28

Anything that’s put in place to mitigate a risk

Answer 28

Countermeasure

Question 29

Makes decisions about how much and what kind of security is needed based on threats and risks most likely to face

Answer 29

Risk Management Process

Question 30

Someone(s) who’s responsible for risk

Answer 30

The Chief of Security or Chief Information Security Officer

Question 31

Identifies potential threats the organization may face. Each asset is identified, cataloged and described in a database

Answer 31

Risk Identification (framing the risk)

Question 32

Exact info to be gathered during the risk management process. Using quantitative risk assessment and qualitative risk assessment.

Answer 32

Risk Assessment (understanding the risk)

Question 33

Handles specific risks and recommendations are made to the decision making authority “management”. Regarding the best way to give an asset or organization as a whole.

Answer 33

Risk Treatment (taking action on what to do about risks)

Question 34

Assigns numerical or financial values to assets with factors with numerical weights. Includes labor and materials costs or estimates from outside vendors to determine asset value.

Answer 34

Quantitative Risk Assessment

Question 35

Potential value of loss for single threat event like a cyberattack or single physical break-in.

Answer 35

Single Loss Expectancy (SLE)

Question 36

Cost of asset or assets that are subject to event. Can be the replacement cost of the asset or be if the asset were lost, downtime and costs from loss of business.

Answer 36

Asset Value (AV)

Question 37

The percentage of loss, likely to occur for subject events. A threat can be a fire and the asset is the entire datacenter, it may be 40% as an estimate for potential loss if predicted as a significant loss. Should be backed up by data, research, or documented.

Answer 37

Exposure Factor (EF)

Question 38

An element of time, used to predict potential value of a loss on an annual basis.

Answer 38

Annualized Loss Expectancy (ALE)

Question 39

Estimates how many times the event is estimated to occur in a given year. An analysis allows an organization to predict loss in terms of dollar amounts for particular events on an annual basis.

Answer 39

Annualized Rate of Occurrence (ARO)

Question 40

Non-numerical terms using ratings and priorities. Require information about assets, threats, vulnerabilities and probabilities of different events. It ranks the seriousness of each threat and the effectiveness of controls and countermeasures.

Answer 40

Qualitative Risk Assessment

Question 41

Making it somebody else’s problem. Most common form is to buy insurance.

Answer 41

Risk Transfer

Question 42

Acceptable levels the organizations can live with the risk and take their chances. Willing to accept due to its unlikeliness or high cost of mitigation.

Answer 42

Risk Accept

Question 43

Stops related activity or shutting down a system entirely. Best to stop an activity that’s too risky. Example is the software applications have known flaws or vulnerabilities.

Answer 43

Risk Avoid

Question 44

Reduce the risk by putting in a control or countermeasure.

Answer 44

Risk Mitigate

Question 45

Defines strategies the entire organization or specific subset meets organizational goals and objectives

Answer 45

Governance

Question 46

Subset of organization governance focused on developing strategies to oversee security program with goals and objectives of organization

Answer 46

Security Governance

Question 47

Typically established by a governmental body or similar agency that specify requirements that are legally enforceable. Are often specific to a certain region, industry or data type.

Answer 47

Laws and Regulations

Question 48

U.S. federal agencies and contractors who handle federal data to implement minimum information security requirements. Managed by National Institute of Standards and Technology (NIST).

Answer 48

Federal Information Security Management Act of 2002 (FISMA)

Question 49

Process of ensuring alignment with applicable laws, regulations, external standards, ethical conduct and other organizational goals and objectives

Answer 49

Compliance

Question 50

Documents developed and published by external standard organizations with the development of security program elements

Answer 50

Standards

Question 51

Independent international standard development organization that develops and publishes best practice standards on information technology and information security

Answer 51

International Standards of Organization (ISO)

Question 52

U.S. agency that publishes free standards and best practice frameworks on information technology and cybersecurity

Answer 52

National Institute of Standards and Technology (NIST)

Question 53

Professional organization that develops and maintains a large portfolio of standards for information technology, telecommunications and computer networking

Answer 53

Institute of Electrical and Electronics Engineers (IEEE)

Question 54

Develops technical standards around Internet protocols, network management and other technical specifications

Answer 54

Internet Engineering Task Force (IETF)

Question 55

Create standards and best practices for cloud security for service providers and customers

Answer 55

Cloud Security Alliance (CSA)

Question 56

A governance element used by many organizations for things such as vulnerability management plan, business continuity plan or incident response plan

Answer 56

Plan