Chapter 4: Securing a Corporate Network Flashcards

1
Q

At the company where you lead the cybersecurity team, a junior analyst misunderstands risk evaluation. You begin explaining how risk evaluation is performed by assessing probability and impact. You end with explaining the main purpose of risk evaluation as a balance between which of the following factors? (Choose two.)
A. Value of a risk
B. Potential cost of a risk
C. Cost of the control to mitigate the risk
D. Potential annual revenue lost
E. Probability of a risk occurring

A

A and C are correct. The purpose of risk evaluation is to strike a balance between the determined value of a risk and the determined cost of whatever control is used to mitigate the risk.

B, D, and E are incorrect. B is incorrect because the potential cost of a realized risk is only part of the risk value. D is incorrect because annualized loss expectancy is one factor of quantitatively calculating risk, along with rate of occurrence. E is incorrect because probability is just part of the risk value.

2
Q

What levels of company management can provide authorization to conduct penetration testing? (Choose all that apply.)
A. Director of IT security.
B. Chief executive officer or a similar senior executive.
C. Owner(s) of the data.
D. Most senior cybersecurity analyst.
E. Approval is optional until testing results show a need for further analysis.

A

B and C are correct. Typically in a medium- to large-sized company, a senior executive or the CEO would be aware of and sanction the penetration testing. In much smaller or private environments, the owner of the data, as the most senior person, can make the decision. In any case, strict rules of engagement would be key to approval.

A, D, and E are incorrect. A is incorrect because the IT security director is not senior enough to accept liability for possible negative impacts from testing. Similarly, D is incorrect because the role of senior cybersecurity analyst is not senior enough. E is incorrect because approval is absolutely necessary. Without approval, penetration testing is unethical, if not illegal.

3
Q

Guidelines must be drawn up before any penetration testing can begin, and they determine the exact nature and scope of the testing. What are these guidelines called?
A. Penetration TTP (Tactics, Techniques, and Procedures) document
B. ROE (rules of engagement)
C. Scope and Invoicing document
D. Discovery

A

B is correct. Having the rules of engagement (ROE) is an absolute necessity before beginning any phase of a penetration test. The ROE determine what is within bounds, out of bounds, with whom to communicate, and so on. Most importantly, the approved rules of engagement function as your “get out of jail free” card, considering that without them, the penetration test is likely illegal.

A, C, and D are incorrect. A is incorrect because TTP does not reference a standard document, but instead refers to the general techniques and processes of conducting the test. C is incorrect because there is no standard document called a “Scope and Invoicing” document. D is incorrect because discovery is an early phase of a penetration test, not a procedural document.

4
Q
The company CEO recently came back from a conference about cybersecurity. He learned that operational control reviews are important to conduct from time to time. The CEO even offered the following answers as ideas to review. Select from the following ideas which are applicable for an operational control review. (Choose all that apply.)
A. Intrusion detection system
B. RADIUS authentication server
C. Security awareness training
D. Acceptable use policy
A

C and D are correct. Both the security awareness training and the acceptable use policy (AUP) are examples of operational controls. Operational controls, also called administrative or policy controls, are security controls put into practice from business processes or policies and standards.

A and B are incorrect. A is incorrect because an IDS is an example of a technical control. B is incorrect because the RADIUS server is also a technical control.

5
Q

The company has employed the same encryption methods for a considerably long time. As a new security analyst, you question the effectiveness and strength of the encryption. What is the best recommendation for how to proceed?
A. Conduct a technical control review of encryption as a technical control.
B. Conduct an operational control review of encryption as an operational control.
C. Perform a risk assessment of the encryption strength.
D. Perform a vulnerability assessment of a server and the data now encrypted.

A

A is correct. Encryption is a technical control. Conducting a technical control review is the best course of action when the long-term effectiveness of a technical control comes into question.

B, C, and D are incorrect. B is incorrect because encryption is a technical control, not an operational control. C is incorrect because performing a risk assessment is important, but is only part of a technical control review. D is incorrect because performing a vulnerability assessment of the encryption in use might not produce a valid representation of the encryption’s effectiveness.

6
Q
The idea of examining a finished product in order to determine what its parts are and how they work together is called what?
A. Process isolation
B. Sandboxing
C. Reverse engineering
D. Risk evaluation
A

C is correct. Taking a finished product apart in order to determine what its parts are and how they work is called reverse engineering.

A, B, and D are incorrect. A is incorrect because process isolation speaks to quarantining a running process, not breaking it down into its components. B is incorrect because sandboxing refers to isolating a system from the network as a form of containment. D is incorrect because risk evaluation is about measuring a risk’s impact and probability.

7
Q
A company hires an outside penetration testing team. A scope is agreed upon, dictating what systems may be involved and what systems may not. The penetration team proceeds with its tasks, all the way up to exploitation, when suddenly a production server is knocked offline. With the possible exception of the authorization, what aspect of penetration testing is now the most critical?
A. Reconnaissance
B. Exploitation
C. Communication
D. Reporting
A

C is correct. Communication is critically important for a penetration test, especially during a crisis such as the one described.

A, B, and D are incorrect. A is incorrect because reconnaissance is performed at the beginning of the penetration test and is not appropriate when a production system fails. B is incorrect because exploitation was done just before the production system failed. D is incorrect because reporting is performed after the test is completed, when management can be calmly informed of the results.

8
Q
The act of using a one-way function to create a unique, fixed-length value from a variable-length file or string of data is called what?
A. Fingerprinting or hashing 
B. Decomposition
C. Qualitative analysis 
D. Reverse engineering
A

A is correct. The process to take a string of data or any file of any length through a one-way function to produce a unique fixed-length value is called fingerprinting or hashing.

B, C, and D are incorrect. B is incorrect because decomposition refers to the principle of deconstructing something into its parts. C is incorrect because qualitative analysis refers to a subjective form of evaluating risks. D is incorrect because reverse engineering, performed by decomposition, means taking a finished product and learning what it’s made of as well as how it works.

9
Q
Reverse engineering is done on counterfeit hardware, but what is far more often the object being taken apart?
A. OEM hardware
B. Software or malware
C. Applications developed in-house
D. Sandboxed network devices
A

B is correct. The typical object being reverse engineered is a piece of software that’s suspected to be or identified as malware.

A, C, and D are incorrect. A is incorrect because OEM hardware is highly likely to be genuine and not counterfeit. C is incorrect because applications developed in-house might not always be perfect, but it’s unlikely that they are compromised. D is incorrect because a network device, whether sandboxed or not, is unlikely to be taken apart under suspicion of being Trojaned or compromised.

10
Q

During an extensive review of military assets, a cybersecurity analyst discovered that at least one piece of hardware was counterfeit. Although there were no issues that made the counterfeit hardware seem suspicious, there remains a question about expected quality and unknown hidden “features.” It was later revealed that the hardware was purchased from a different manufacturer than the one normally used. What is the primary issue at fault here?
A. OEM documentation
B. Trusted foundry
C. Poorly executed technical control review
D. Source authenticity

A

D is correct. The primary issue is an absence of source authenticity, or assurance that the source of the asset is reputable and authentic.

A, B, and C are incorrect. A is incorrect because OEM documentation describes the documentation from the original equipment manufacturer. B is incorrect because trusted foundry is a U.S. government program that inspects and approves a manufacturer as authentic. C is incorrect because the problem was discovered by an “extensive hardware review,” which leads one to think the review was at least somewhat successful.

11
Q
At the conclusion of a penetration test, what phase involves communicating to management about the results and lessons learned?
A. Exploitation
B. Reporting 
C. Authorization
D. Lateral Movement
A

B is correct. The phase of penetration testing that involves communicating results and lessons learned to management is called reporting.

A, C, and D are incorrect. A is incorrect because the exploitation phase involves manipulating the discovered weaknesses in target systems. C is incorrect because authorization involves gaining executive support and approval for conducting the penetration test. D is incorrect because lateral movement refers to compromising systems “laterally” from the originally compromised system.

12
Q

On what type (or types) of training exercises do red, blue, and white teams perform?
A. Tabletop Exercises
B. Tabletop and live-fire Exercises
C. Live-fire exercises and Tactics, Techniques, and Procedural
D. Live-fire exercises

A

B is correct. The teams referred to as “red,” “blue,” and “white” are used during both live-fire exercises and tabletop exercises.

A, C, and D are incorrect. A is incorrect because teams are involved in more than just tabletop exercises. Tabletop exercises are an organized event with various roles involved to test out procedures. The tabletop exercises are intended for people to work through a simulated event as a “dry run.” C is incorrect because “Tactics, Techniques, and Procedural” is not a form of exercise. D is incorrect because teams perform for more than just live-fire exercises.

13
Q
In live-fire exercises, three teams play different roles. The first team performs as the exercise moderator, documenting and evaluating the progress of the other two teams.
The second team functions as attackers, reconnoitering and exploiting the corporate environment. Finally, the third team is composed of the “good guys,” protecting the environment and countering the activities of the second team. When these teams perform together, this exercise can produce a great deal of lessons learned and actions (hopefully) to better protect the network. From the following answers, select the team color order associated with the respective teams described.
A. White, blue, red
B. Red, blue, white
C. Blue, white, red
D. White, red, blue
E. Red, white, blue
F. Blue, red, white
A

D is correct. The correct team color order is white, red, and blue (that is, the moderators, attackers, and defenders, respectively).

A, B, C, E, and F are incorrect. All other color arrangements apart from “white, red, and blue” are incorrect. The moderators are referred to as the “white team.” The attackers are referred to as the “red team,” and the defenders (or “good guys”) are referred to as the “blue team.”

14
Q
When a company is ready to challenge its cybersecurity team in order to determine its strengths and weaknesses, as well as to identify through a “live-fire” exercise what risks should be addressed next, which of the following would the company sanction?
A. Penetration testing
B. Security awareness training
C. Risk evaluation
D. Hardware review
A

A is correct. Penetration testing is the process whereby a company seeks to test and challenge its cybersecurity team with a simulated attack.

B, C, and D are incorrect. B is incorrect because security awareness training is an operational control to minimize risk. C is incorrect because risk evaluation is the measuring of a risk. D is incorrect because hardware review is hardly a challenge, but instead something the cybersecurity team may perform as part of a technical control review.

15
Q

Both qualitative analysis and quantitative analysis are approaches to evaluate what aspects of a risk? (Choose two.)
A. Potential monetary loss to the company
B. Likelihood of the risk occurring
C. Severity of impact of the realized risk
D. Material exposure

A

B and C are correct. The likelihood of a risk occurring and the impact severity are the two aspects of any risk.

A and D are incorrect. A is incorrect because potential monetary loss is a quantitative factor of risk evaluation. D is incorrect because material exposure can be considered another form of potential loss.

16
Q

Which of the following are valid concerns when considering the timing of penetration testing? (Choose all that apply.)
A. Availability of the defenders to react to attacks
B. Impact on business operations during normal hours
C. Availability of executive management for reporting
D. Size and scope of the penetration test

A

A, B, and D are correct. The timing of a penetration test is guided by several factors. The most important of those factors are the size and scope of the test, the availability of the cybersecurity staff, and the potential impact on production systems.

C is incorrect. Reporting to the executive management would occur at the conclusion of the penetration test. The reporting meeting is likely to be held weeks after the penetration exercise has been completed, to allow time for preparing the report.

17
Q

An organization owns systems that are to be probed during a penetration test. Some of the systems intended for testing are production systems containing protected health information (PHI). What aspect of penetration testing is most in jeopardy of breaking the law due to regulatory compliance?
A. Timing
B. Scope
C. Exploitation
D. Reconnaissance

A

B is correct. The scope of the penetration testing is largely defined by which systems are to be tested, and which systems are not to be tested. The system containing PHI cannot be included within the scope of to-be-tested systems. If penetration testers were to successfully probe for and exfiltrate healthcare information, it would be in violation of federal law.

A, C, and D are incorrect. A is incorrect because the timing is not an issue with regard to the servers containing PHI. C is incorrect because exploitation isn’t the aspect of testing that permitted the systems to be included. D is incorrect because reconnaissance might be helpful in determining the contents of the PHI server. However, the problem of scope is more directly at fault.

18
Q
From all the penetration testing phases listed, select the phase that can be described as the riskiest and one where the situation can turn into a crisis most quickly.
A. Reconnaissance
B. Exploitation
C. Timing
D. Report to management
E. Scope
A

B is correct. The process of exploitation during a penetration test can be and often is quite risky. Penetration testers plan and prepare as much as possible for such events, but occasionally systems can give unanticipated responses. This is why authorization is of paramount importance.

A, C, D, and E are incorrect. A is incorrect because reconnaissance is quite benign, save for the risk of being discovered by cybersecurity team members unaware of the authorized test. C is incorrect because timing carries little risk in itself; it only requires proceeding carefully but efficiently through the exploitation phase with minimal effect on business operations. D is incorrect because reporting to management is not nearly as risky as exploitation. E is incorrect because scope is not risky at all, unless it is ill-conceived to begin with.

19
Q

Cybersecurity analyst Hank is conducting a risk assessment of the personnel data on an HR server. Obviously, any breach in confidentiality of that data would carry a critical impact. However, the server is hardened and maintained by junior analysts Walt and Jessie. Given the rating of “unlikely” for the likelihood of a confidentiality breach, what is the overall risk rating? (Refer to Figure 4-1.)
A. The risk rating cannot be calculated.
B. Low.
C. Medium.
D. High.

A

C is correct. Given that the impact of a data breach is evaluated as “critical” and the likelihood is “unlikely,” the overall risk rating is “medium.”

A, B, and D are incorrect. A is incorrect because the overall risk rating can be determined from the provided impact and likelihood risk factors of “critical” and “unlikely,” respectively. B and D are incorrect because the overall risk rating is “medium.”

20
Q

Regarding the same server, a significant rise in utilization has prompted cybersecurity analyst Hank to investigate personally. To his surprise, illegal crypto-mining software is discovered running on the server. Given the nature of the software, its unauthorized installation, and its unknown origin, Hank immediately assesses that the critical data is at least likely to be jeopardized in a confidentiality breach. What is the overall risk rating now? (Refer to Figure 4-1.)
A. The risk rating cannot be calculated.
B. Low.
C. Medium.
D. High.

A

D is correct. Given that the likelihood has risen from “unlikely” to at least “likely,” with the impact evaluated as “critical,” the overall risk rating is now “high.”

A, B, and C are incorrect. A is incorrect because the overall risk rating can be determined from the provided impact and likelihood risk factors of “critical” and “likely,” respectively. B and C are incorrect because the overall risk rating is “high.”