Course 2 - Play it Safe: Manage Security Risks Flashcards

1
Q

The web is actually an interlinked network of online content that’s made up of three layers: _____ _______ and ___________.

A

the surface web, the deep web, and the dark web.

1
Q

The ____________ is the layer that most people use. It contains content that can be accessed using a web browser.

A

surface web

2
Q

The _________ generally requires authorization to access it. An organization’s intranet is an example of the deep web, since it can only be accessed by employees or others who have been granted access.

A

deep web

3
Q

The _____________ can only be accessed by using special software. The dark web generally carries a negative connotation since it is the preferred web layer for criminals because of the secrecy that it provides.

A

dark web

4
Q

Now, let’s discuss three key impacts of threats, risks, and vulnerabilities.

A

1. Financial impact: When an organization’s assets are compromised by an attack, such as the use of malware, the financial consequences can be significant for a variety of reasons. These can include interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations.

2. Identity theft: Organizations must decide whether to store private customer, employee, and outside vendor data, and for how long. Storing any type of sensitive data presents a risk to the organization. Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web. That’s because the dark web provides a sense of secrecy and threat actors may have the ability to sell data there without facing legal consequences.

3. Organization’s reputation: A solid customer base supports an organization’s mission, vision, and financial goals. An exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization’s reputation. The loss of customer data doesn’t only affect an organization’s reputation and financials; it may also result in legal penalties and fines. Organizations are strongly encouraged to take proper security measures and follow certain protocols to prevent the significant impact of threats, risks, and vulnerabilities. By using all the tools in their toolkit, security teams are better prepared to handle an event such as a ransomware attack.

5
Q

What are the 7 steps in the RMF?

A

Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor
6
Q

RMF - Step one

A

PREPARE

Prepare refers to activities that are necessary to manage security and privacy risks before a breach occurs. As an entry-level analyst, you’ll likely use this step to monitor for risks and identify controls that can be used to reduce those risks.

7
Q

RMF - Step Two

A

CATEGORIZE

Categorize is used to develop risk management processes and tasks. Security professionals then use those processes and develop tasks by thinking about how the confidentiality, integrity, and availability of systems and information can be impacted by risk. As an entry-level analyst, you’ll need to understand how to follow the processes established by your organization to reduce risks to critical assets, such as private customer information.

8
Q

RMF - Step Three

A

SELECT

Select means to choose, customize, and capture documentation of the controls that protect an organization. An example of the select step would be keeping a playbook up-to-date or helping to manage other documentation that allows you and your team to address issues more efficiently.

9
Q

RMF - Step Four

A

IMPLEMENT

Implement security and privacy plans for the organization. Having good plans in place is essential for minimizing the impact of ongoing security risks. For example, if you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve this issue.

10
Q

RMF - Step Five

A

ASSESS

Assess means to determine if established controls are implemented correctly. An organization always wants to operate as efficiently as possible. So it’s essential to take the time to analyze whether the implemented protocols, procedures, and controls that are in place are meeting organizational needs. During this step, analysts identify potential weaknesses and determine whether the organization’s tools, procedures, controls, and protocols should be changed to better manage potential risks.

11
Q

RMF - Step Six

A

AUTHORIZE

Authorize means being accountable for the security and privacy risks that may exist in an organization. As an analyst, the authorization step could involve generating reports, developing plans of action, and establishing project milestones that are aligned to your organization’s security goals.

12
Q

RMF - Step Seven

A

MONITOR

Monitor means to be aware of how systems are operating. Assessing and maintaining technical operations are tasks that analysts complete daily. Part of maintaining a low level of risk for an organization is knowing how the current systems support the organization’s security goals. If the systems in place don’t meet those goals, changes may be needed.

13
Q

Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.

A

Server-side request forgery

14
Q

Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it

A

Security logging and monitoring failures

15
Q

PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.

A

PetitPotam

16
Q

Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.

A

Log4Shell

17
Q

A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person’s identity. Netlogon is a service that ensures a user’s identity before allowing access to a website’s location.

A

ZeroLogon

18
Q

A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.

A

ProxyLogon

19
Q

Anything that can impact the confidentiality, integrity, or availability of an asset

A

Risk

20
Q

An organization’s ability to manage its defense of critical assets and data and react to change

A

Security posture

21
Q

Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach

A

Risk mitigation

22
Q

The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security

A

Shared responsibility

23
Q

An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans

A

Business continuity

24
Q

________________ are guidelines used for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware.

A

Security frameworks

25
Q

___________ are used to reduce specific risks

A

controls

26
Q

_______________ are safeguards designed to reduce specific security risks. In this video, we’ll discuss three common types of controls: encryption, authentication, and authorization.

A

Security controls

27
Q

____________ is the process of converting data from a readable format to an encoded format. Typically, _________ involves converting data from plaintext to ciphertext. Ciphertext is the raw, encoded message that’s unreadable to humans and computers. Ciphertext data cannot be read until it’s been decrypted into its original plaintext form. __________ is used to ensure confidentiality of sensitive data, such as customers’ account information or social security numbers.

A

Encryption

28
Q

Another control that can be used to protect sensitive data is ____________. ___________ is the process of verifying who someone or something is. A real-world example of __________ is logging into a website with your username and password. This basic form of __________ proves that you know the username and password and should be allowed to access the website. More advanced methods of ___________, such as multi-factor ______________, or MFA, challenge the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code or biometrics, such as a fingerprint, voice, or face scan.

A

Authentication

29
Q

____________ are unique physical characteristics that can be used to verify a person’s identity. Examples of ___________ are a fingerprint, an eye scan, or a palm scan.

A

Biometrics

30
Q

Another very important security control is ____________. _____________ refers to the concept of granting access to specific resources within a system. Essentially, ___________ is used to verify that a person has permission to access a resource. As an example, if you’re working as an entry-level security analyst for the federal government, you could have permission to access data through the deep web or other internal data that is only accessible if you’re a federal employee.

A

Authorization

31
Q

_______________ are guidelines used for building plans to help mitigate risk and threats to data and privacy. ____________ support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses ____________ to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.

A

Security frameworks

32
Q

___________ are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a __________ that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.

A

Security controls

33
Q

Examples of physical controls:

A

Gates, fences, and locks

Security guards

Closed-circuit television (CCTV), surveillance cameras, and motion detectors

Access cards or badges to enter office spaces

34
Q

Examples of technical controls:

A

Firewalls

MFA

Antivirus software

35
Q

Examples of administrative controls:

A

Separation of duties

Authorization

Asset classification

36
Q

______________ is the idea that only authorized users can access specific assets or data. In an organization, confidentiality can be enhanced through the implementation of design principles, such as the principle of least privilege. The principle of least privilege limits users’ access to only the information they need to complete work-related tasks. Limiting access is one way of maintaining the confidentiality and security of private data.

A

Confidentiality

37
Q

____________ is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in place to verify the authenticity of data is essential. One way to verify data integrity is through cryptography, which is used to transform data so unauthorized parties cannot read or tamper with it (NIST, 2022). Another example of how an organization might implement integrity is by enabling encryption, which is the process of converting data from a readable format to an encoded format. Encryption can be used to prevent access and ensure data, such as messages on an organization’s internal chat platform, cannot be tampered with.

A

Integrity

38
Q

_____________ is the idea that data is accessible to those who are authorized to use it. When a system adheres to both availability and confidentiality principles, data can be used when needed. In the workplace, this could mean that the organization allows remote employees to access its internal network to perform their jobs. It’s worth noting that access to data on the internal network is still limited, depending on what type of access employees need to do their jobs. If, for example, an employee works in the organization’s accounting department, they might need access to corporate accounts but not data related to ongoing development projects.

A

Availability

39
Q

The CSF consists of five important core functions:

A

identify, protect, detect, respond, and recover

40
Q

OWASP - Open Web Application Security Project

A

Minimize attack surface area:
Attack surface refers to all the potential vulnerabilities a threat actor could exploit.

Principle of least privilege:
Users have the least amount of access required to perform their everyday tasks.

Defense in depth:
Organizations should have varying security controls that mitigate risks and threats.

Separation of duties:
Critical actions should rely on multiple people, each of whom follows the principle of least privilege.

Keep security simple:
Avoid unnecessarily complicated solutions. Complexity makes security difficult.

Fix security issues correctly:
When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.

Establish secure defaults:
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.

Fail securely:
Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.

Don’t trust services:
Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.

Avoid security by obscurity:
The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016):

The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.

41
Q

_____________ are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies.

A

Administrative controls

42
Q

_______________ are hardware and software solutions used to protect assets, such as the use of intrusion detection systems, or IDSs, and encryption.

A

Technical controls

43
Q

_________________ refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.

A

Physical controls

44
Q

entry-level analysts might be tasked with classifying controls into the following categories:

A

administrative controls

technical controls

physical controls

45
Q

A _______________ is a review of an organization’s security controls, policies, and procedures against a set of expectations. Audits are independent reviews that evaluate whether an organization is meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best practices. External criteria include regulatory compliance, laws, and federal regulations.

A

security audit

46
Q

An audit should:

A

List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)

Note how the audit will help the organization achieve its desired goals

Indicate how often an audit should be performed

Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees

Complete a risk assessment

A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).

Conduct the audit

When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.

Create a mitigation plan

A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

Communicate results to stakeholders

The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization’s level of risk, and compliance regulations and standards the organization needs to adhere to.

47
Q

A ___________ is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

A

mitigation plan

48
Q

The pathways attackers use to penetrate security defenses

A

Attack vectors

49
Q

The process of verifying who someone is

A

Authentication

50
Q

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

A

Confidentiality, integrity, availability (CIA) triad

51
Q

A NIST core function related to identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections

A

Detect

52
Q

The unique physical characteristics that can be used to verify a person’s identity

A

Biometrics

53
Q

A unified framework for protecting the security of information systems within the U.S. federal government

A

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53

54
Q

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

A

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

55
Q

A _____________ is an application that collects and analyzes log data to monitor critical activities in an organization. __________ offer real-time monitoring and tracking of security event logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability identified. ____________ have many dashboard options. Each dashboard option helps cybersecurity team members manage and monitor organizational data. However, currently, _________ require human interaction for analysis of security events.

A

SIEM tool

56
Q

__________________ is a collection of applications, tools, and workflows that uses automation to respond to security events.

A

Security orchestration, automation, and response (SOAR)

57
Q

______________________ are common SIEM tools that many organizations use to help protect their data and systems.

A

Splunk Enterprise, Splunk Cloud, and Chronicle

58
Q

__________ is a data analysis platform, and ________ Enterprise provides SIEM solutions. _________ Enterprise is a self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real time. ________ Cloud is a cloud-hosted tool used to collect, search, and monitor log data. _________ Cloud is helpful for organizations running hybrid or cloud-only environments, where some or all of the organization’s services are in the cloud.

A

Splunk

59
Q

____________ is a cloud-native tool designed to retain, analyze, and search data. ___________ provides log monitoring, data analysis, and data collection. Like cloud-hosted tools, cloud-native tools are also fully maintained and managed by the vendor. But cloud-native tools are specifically designed to take full advantage of cloud computing capabilities such as availability, flexibility, and scalability.

A

Chronicle

60
Q

___________ is an open-source operating system that is widely used. It allows you to tailor the operating system to your needs using a command-line interface. An operating system is the interface between computer hardware and the user. It’s used to communicate with the hardware of a computer and manage software applications.

There are multiple versions of Linux that exist to accomplish specific tasks. ________ and its command-line interface will be discussed in detail later in the certificate program.

A

Linux

61
Q

__________ is an open-source network analysis and threat detection software. Network analysis and threat detection software is used to inspect network traffic to identify suspicious behavior and generate network data logs. The detection software finds activity across users, computers, or Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.

____________ was developed by the Open Information Security Foundation (OISF). OISF is dedicated to maintaining open-source use of the ___________ project to ensure it’s free and publicly available. __________ is widely used in the public and private sector, and it integrates with many SIEM tools and other security tools. __________ will also be discussed in greater detail later in the program.

A

Suricata

62
Q

The __________________ is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

A

security posture dashboard

63
Q

The ____________________ analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.

A

executive summary dashboard

64
Q

The _______________ allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

A

incident review dashboard

65
Q

The _________________ helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

A

risk analysis dashboard

66
Q

__________ is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to:

A specific asset

A domain name

A user

An IP address

Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names.

Review the following Chronicle dashboards and their purposes:

A

Chronicle

67
Q

The _________________ highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.

A

enterprise insights dashboard

68
Q

The __________________ shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log related issues are addressed so that the security team has access to the log data they need.

A

data ingestion and health dashboard

69
Q

The _________________ indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

A

IOC matches dashboard

70
Q

The ________________ displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts—to identify threat trends across log sources, devices, IP addresses, and physical locations.

A

main dashboard

71
Q

The __________________ provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization’s level of risk.

A

rule detections dashboard

72
Q

The __________________ provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.

A

user sign in overview dashboard

73
Q

Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application

A

Metrics

74
Q

The interface between computer hardware and the user

A

Operating system (OS)

75
Q

incident response playbook 1/6

The first phase is ___________. Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users. Preparation sets the foundation for successful incident response. For example, organizations can create incident response plans and procedures that outline the roles and responsibilities of each security team member.

A

preparation

76
Q

incident response playbook 2/6

The second phase is _____________. The objective of this phase is to detect and analyze events using defined processes and technology. Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude.

A

detection and analysis

77
Q

incident response playbook 3/6

The third phase is ___________. The goal of containment is to prevent further damage and reduce the immediate impact of a security incident. During this phase, security professionals take actions to contain an incident and minimize damage. Containment is a high priority for organizations because it helps prevent ongoing risks to critical assets and data.

A

containment

78
Q

incident response playbook 4/6

The fourth phase in an incident response playbook is ____________. This phase involves the complete removal of an incident’s artifacts so that an organization can return to normal operations. During this phase, security professionals eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once they’ve exercised due diligence, they can begin to restore the affected environment to a secure state. This is also known as IT restoration.

A

eradication and recovery

79
Q

incident response playbook 5/6

The fifth phase is ______________. This phase includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents. Depending on the severity of the incident, organizations can conduct a full-scale incident analysis to determine the root cause of the incident and implement various updates or improvements to enhance its overall security posture.

A

post-incident activity

80
Q

incident response playbook 6/6

The sixth and final phase in an incident response playbook is _____________. Coordination involves reporting incidents and sharing information, throughout the incident response process, based on the organization’s established standards. Coordination is important for many reasons. It ensures that organizations meet compliance requirements and it allows for coordinated response and resolution.

A

coordination

81
Q

incident response playbook

A
1. preparation
2. detection and analysis
3. containment
4. eradication and recovery
5. post-incident activity
6. coordination