Chapter 4: Securing a Corporate Network Flashcards
At the company where you lead the cybersecurity team, a junior analyst misunderstands risk evaluation. You begin by explaining how risk evaluation is performed by assessing probability and impact. You end by explaining that the main purpose of risk evaluation is a balance between which of the following factors? (Choose two.)
A. Value of a risk
B. Potential cost of a risk
C. Cost of the control to mitigate the risk
D. Potential annual revenue lost
E. Probability of a risk occurring
A and C are correct. The purpose of risk evaluation is to strike a balance between the determined value of a risk and the determined cost of whatever control is used to mitigate the risk.
B, D, and E are incorrect. B is incorrect because the potential cost of a realized risk is only part of the risk value. D is incorrect because annualized loss expectancy is one factor of quantitatively calculating risk, along with rate of occurrence. E is incorrect because probability is just part of the risk value.
What levels of company management can provide authorization to conduct penetration testing? (Choose all that apply.)
A. Director of IT security
B. Chief executive officer or a similar senior executive
C. Owner(s) of the data
D. Most senior cybersecurity analyst
E. Approval is optional until testing results show a need for further analysis
B and C are correct. Typically in a medium- to large-sized company, a senior executive or the CEO would be aware of and sanction the penetration testing. In much smaller or private environments, the owner of the data, as the most senior person, can make the decision. In any case, strict rules of engagement would be key to approval.
A, D, and E are incorrect. A is incorrect because the IT security director is not senior enough to accept liability for possible negative impacts from testing. Similarly, D is incorrect because the role of senior cybersecurity analyst is not senior enough. E is incorrect because approval is absolutely necessary. Without approval, penetration testing is unethical, if not illegal.
Guidelines are to be drawn up before any penetration testing can begin, and they determine the exact nature and scope of the testing. What are these guidelines called?
A. Penetration TTP (Tactics, Techniques, and Procedures) document
B. ROE (rules of engagement)
C. Scope and Invoicing document
D. Discovery
B is correct. Having the rules of engagement (ROE) is an absolute necessity before beginning any phase of a penetration test. The ROE determine what is within bounds and what is out of bounds, with whom to communicate, and so on. Most importantly, the approved rules of engagement function as your “get out of jail free” card, considering that without them, the penetration test is likely illegal.
A, C, and D are incorrect. A is incorrect because TTP does not reference a standard document, but instead refers to the general techniques and processes of conducting the test. C is incorrect because there is no standard document called a “Scope and Invoicing” document. D is incorrect because discovery is an early phase of a penetration test, not a procedural document.
The company CEO recently came back from a conference about cybersecurity. He learned that operational control reviews are important to conduct from time to time. The CEO even offered the following ideas for what to review. Select the ideas that are applicable to an operational control review. (Choose all that apply.)
A. Intrusion detection system
B. RADIUS authentication server
C. Security awareness training
D. Acceptable use policy
C and D are correct. Both the security awareness training and the acceptable use policy (AUP) are examples of operational controls. Operational controls, also called administrative or policy controls, are security controls put into practice from business processes or policies and standards.
A and B are incorrect. A is incorrect because an IDS is an example of a technical control. B is incorrect because the RADIUS server is also a technical control.
The company has employed the same encryption methods for a considerably long time. As a new security analyst, you question the effectiveness and strength of the encryption. What is the best recommendation for how to proceed?
A. Conduct a technical control review of encryption as a technical control.
B. Conduct an operational control review of encryption as an operational control.
C. Perform a risk assessment of the encryption strength.
D. Perform a vulnerability assessment of a server and the data now encrypted.
A is correct. Encryption is a technical control. Conducting a technical control review is the best course of action when the long-term effectiveness of a technical control comes into question.
B, C, and D are incorrect. B is incorrect because encryption is a technical control, not an operational control. C is incorrect because performing a risk assessment is important, but it is only part of a technical control review. D is incorrect because performing a vulnerability assessment of the encryption in use might not produce a valid representation of the encryption’s effectiveness.
The idea of examining a finished product in order to determine what its parts are and how they work together is called what?
A. Process isolation
B. Sandboxing
C. Reverse engineering
D. Risk evaluation
C is correct. Taking a finished product apart in order to determine what its parts are and how they work is called reverse engineering.
A, B, and D are incorrect. A is incorrect because process isolation speaks to quarantining a running process, not breaking it down into its components. B is incorrect because sandboxing refers to isolating a system from the network as a form of containment. D is incorrect because risk evaluation is about measuring a risk’s impact and probability.
A company hires an outside penetration testing team. A scope is agreed upon, dictating what systems may be involved and what systems may not. The penetration team proceeds with its tasks, all the way up to exploitation, when suddenly a production server is knocked offline. With the possible exception of the authorization, what aspect of penetration testing is now the most critical?
A. Reconnaissance
B. Exploitation
C. Communication
D. Reporting
C is correct. Communication is critically important for a penetration test, especially during a crisis such as the one described.
A, B, and D are incorrect. A is incorrect because reconnaissance is performed at the beginning of the penetration test and is not appropriate when a production system fails. B is incorrect because exploitation was done just before the production system failed. D is incorrect because reporting is performed after the test is completed, when management can be calmly informed of the results.
The act of using a one-way function to create a unique, fixed-length value from a variable-length file or string of data is called what?
A. Fingerprinting or hashing
B. Decomposition
C. Qualitative analysis
D. Reverse engineering
A is correct. The process to take a string of data or any file of any length through a one-way function to produce a unique fixed-length value is called fingerprinting or hashing.
B, C, and D are incorrect. B is incorrect because decomposition refers to the principle of deconstructing something into its parts. C is incorrect because qualitative analysis refers to a subjective form of evaluating risks. D is incorrect because reverse engineering, performed by decomposition, means taking a finished product and learning what it’s made of as well as how it works.
Reverse engineering is done on counterfeit hardware, but what is far more often the object being taken apart?
A. OEM hardware
B. Software or malware
C. Applications developed in-house
D. Sandboxed network devices
B is correct. The typical object being reverse engineered is a piece of software that’s suspected to be or identified as malware.
A, C, and D are incorrect. A is incorrect because OEM hardware is highly likely to be genuine and not counterfeit. C is incorrect because applications developed in-house might not always be perfect, but it’s unlikely that they are compromised. D is incorrect because a network device, whether sandboxed or not, is unlikely to be taken apart under suspicion of being Trojaned or compromised.
During an extensive review of military assets, a cybersecurity analyst discovered that at least one piece of hardware was counterfeit. Although there were no issues that made the counterfeit hardware seem suspicious, there remains a question about expected quality and unknown hidden “features.” It was later revealed that the hardware was purchased from a different manufacturer than the one normally used. What is the primary issue at fault here?
A. OEM documentation
B. Trusted foundry
C. Poorly executed technical control review
D. Source authenticity
D is correct. The primary issue is an absence of source authenticity, or assurance that the source of the asset is reputable and authentic.
A, B, and C are incorrect. A is incorrect because OEM documentation describes the documentation from the original equipment manufacturer. B is incorrect because trusted foundry is a U.S. government program that inspects and approves a manufacturer as authentic. C is incorrect because the problem was discovered by an “extensive hardware review,” which leads one to think the review was at least somewhat successful.
At the conclusion of a penetration test, what phase involves communicating to management about the results and lessons learned?
A. Exploitation
B. Reporting
C. Authorization
D. Lateral movement
B is correct. The phase of penetration testing that involves communicating results and lessons learned to management is called reporting.
A, C, and D are incorrect. A is incorrect because the exploitation phase involves manipulating the discovered weaknesses in target systems. C is incorrect because authorization involves gaining executive support and approval for conducting the penetration test. D is incorrect because lateral movement refers to compromising systems “laterally” from the originally compromised system.
On what type (or types) of training exercises do red, blue, and white teams perform?
A. Tabletop exercises
B. Tabletop and live-fire exercises
C. Live-fire exercises and Tactics, Techniques, and Procedural
D. Live-fire exercises
B is correct. The teams referred to as “red,” “blue,” and “white” are used during both live-fire exercises and tabletop exercises.
A, C, and D are incorrect. A is incorrect because teams are involved in more than just tabletop exercises. Tabletop exercises are an organized event with various roles involved to test out procedures. The tabletop exercises are intended for people to work through a simulated event as a “dry run.” C is incorrect because “Tactics, Techniques, and Procedural” is not a form of exercise. D is incorrect because teams perform for more than just live-fire exercises.
In live-fire exercises, three teams play different roles. The first team performs as the exercise moderator, documenting and evaluating the progress of the other two teams. The second team functions as attackers, reconnoitering and exploiting the corporate environment. Finally, the third team is composed of the “good guys,” protecting the environment and countering the activities of the second team. When these teams perform together, this exercise can produce a great deal of lessons learned and actions (hopefully) to better protect the network. From the following answers, select the team color order associated with the respective teams described.
A. White, blue, red
B. Red, blue, white
C. Blue, white, red
D. White, red, blue
E. Red, white, blue
F. Blue, red, white
D is correct. The correct team color order is white, red, and blue (that is, the moderators, attackers, and defenders, respectively).
A, B, C, E, and F are incorrect. All other color arrangements apart from “white, red, and blue” are incorrect. The moderators are referred to as the “white team.” The attackers are referred to as the “red team,” and the defenders (or “good guys”) are referred to as the “blue team.”
When a company is ready to challenge its cybersecurity team in order to determine its strengths and weaknesses, as well as to identify through a “live-fire” exercise what risks should be addressed next, the company would sanction a what?
A. Penetration testing
B. Security awareness training
C. Risk evaluation
D. Hardware review
A is correct. Penetration testing is the process whereby a company seeks to test and challenge its cybersecurity team with a simulated attack.
B, C, and D are incorrect. B is incorrect because security awareness training is an operational control to minimize risk. C is incorrect because risk evaluation is the measuring of a risk. D is incorrect because hardware review is hardly a challenge, but instead something the cybersecurity team may perform as part of a technical control review.
Both qualitative analysis and quantitative analysis are approaches to evaluate what aspects of a risk? (Choose two.)
A. Potential monetary loss to the company
B. Likelihood of the risk occurring
C. Severity of impact of the realized risk
D. Material exposure
B and C are correct. The likelihood of a risk occurring and the impact severity are the two aspects of any risk.
A and D are incorrect. A is incorrect because potential monetary loss is a quantitative factor of risk evaluation. D is incorrect because material exposure can be considered another form of potential loss.