Course 2 - Play it Safe: Manage Security Risks

Question 1

The web is actually an interlinked network of online content that’s made up of three layers: _____ _______ and ___________.

Answer 1

the surface web, the deep web, and the dark web.

Question 1

The ____________ is the layer that most people use. It contains content that can be accessed using a web browser.

Answer 1

surface web

Question 2

The _________ generally requires authorization to access it. An organization’s intranet is an example of the deep web, since it can only be accessed by employees or others who have been granted access.

Answer 2

deep web

Question 3

The _____________ can only be accessed by using special software. The dark web generally carries a negative connotation since it is the preferred web layer for criminals because of the secrecy that it provides.

Answer 3

dark web

Question 4

Now, let’s discuss three key impacts of threats, risks, and vulnerabilities.

Answer 4

1.financial impact.—– When an organization’s assets are compromised by an attack, such as the use of malware, the financial consequences can be significant for a variety of reasons. These can include interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations.

2.identity theft——- Organizations must decide whether to store private customer, employee, and outside vendor data, and for how long. Storing any type of sensitive data presents a risk to the organization. Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web. That’s because the dark web provides a sense of secrecy and threat actors may have the ability to sell data there without facing legal consequences.

3.organization’s reputation———- A solid customer base supports an organization’s mission, vision, and financial goals. An exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization’s reputation. The loss of customer data doesn’t only affect an organization’s reputation and financials, it may also result in legal penalties and fines. Organizations are strongly encouraged to take proper security measures and follow certain protocols to prevent the significant impact of threats, risks, and vulnerabilities. By using all the tools in their toolkit, security teams are better prepared to handle an event such as a ransomware attack.

Question 5

What are the 7 steps in the RMF

Answer 5

Question 6

RMF - Step one

Answer 6

PREPARE

Prepare refers to activities that are necessary to manage security and privacy risks before a breach occurs. As an entry-level analyst, you’ll likely use this step to monitor for risks and identify controls that can be used to reduce those risks.

Question 7

RMF - Step Two

Answer 7

CATEGORIZE

categorize, which is used to develop risk management processes and tasks. Security professionals then use those processes and develop tasks by thinking about how the confidentiality, integrity, and availability of systems and information can be impacted by risk. As an entry-level analyst, you’ll need to be able to understand how to follow the processes established by your organization to reduce risks to critical assets, such as private customer information.

Question 8

RMF - Step Three

Answer 8

SELECT

Select means to choose, customize, and capture documentation of the controls that protect an organization. An example of the select step would be keeping a playbook up-to-date or helping to manage other documentation that allows you and your team to address issues more efficiently.

Question 9

RMF - Step Four

Answer 9

IMPLEMENT

Implement security and privacy plans for the organization. Having good plans in place is essential for minimizing the impact of ongoing security risks. For example, if you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve this issue.

Question 10

RMF - Step Five

Answer 10

ASSESS

Assess means to determine if established controls are implemented correctly. An organization always wants to operate as efficiently as possible. So it’s essential to take the time to analyze whether the implemented protocols, procedures, and controls that are in place are meeting organizational needs. During this step, analysts identify potential weaknesses and determine whether the organization’s tools, procedures, controls, and protocols should be changed to better manage potential risks.

Question 11

RMF - Step Six

Answer 11

AUTHORIZE

Authorize means being accountable for the security and privacy risks that may exist in an organization. As an analyst, the authorization step could involve generating reports, developing plans of action, and establishing project milestones that are aligned to your organization’s security goals.

Question 12

RMF - Step Seven

Answer 12

MONITOR

Monitor means to be aware of how systems are operating. Assessing and maintaining technical operations are tasks that analysts complete daily. Part of maintaining a low level of risk for an organization is knowing how the current systems support the organization’s security goals. If the systems in place don’t meet those goals, changes may be needed.

Question 13

Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.

Answer 13

Server-side request forgery

Question 14

Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it

Answer 14

Security logging and monitoring failures

Question 15

PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.

Answer 15

PetitPotam

Question 16

Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.

Answer 16

Log4Shell

Question 17

A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person’s identity. Netlogon is a service that ensures a user’s identity before allowing access to a website’s location.

Answer 17

ZeroLogon

Question 18

A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.

Answer 18

ProxyLogon

Question 19

Anything that can impact the confidentiality, integrity, or availability of an asset

Answer 19

Risk

Question 20

An organization’s ability to manage its defense of critical assets and data and react to change

Answer 20

Security posture

Question 21

Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach

Answer 21

Risk mitigation

Question 22

The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security

Answer 22

Shared responsibility

Question 23

An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans

Answer 23

Business continuity

Question 24

________________ are guidelines used for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware.

Answer 24

Security frameworks

Question 25

___________ are used to reduce specific risks

Answer 25

controls

Question 26

_______________ are safeguards designed to reduce specific security risks. In this video, we’ll discuss three common types of controls: encryption, authentication, and authorization.

Answer 26

Security controls

Question 27

____________ is the process of converting data from a readable format to an encoded format. Typically, _________ involves converting data from plaintext to ciphertext. Ciphertext is the raw, encoded message that’s unreadable to humans and computers. Ciphertext data cannot be read until it’s been decrypted into its original plaintext form. __________ is used to ensure confidentiality of sensitive data, such as customers’ account information or social security numbers.

Answer 27

Encryption

Question 28

Another control that can be used to protect sensitive data is ____________. ___________ is the process of verifying who someone or something is. A real-world example of __________ is logging into a website with your username and password. This basic form of __________ proves that you know the username and password and should be allowed to access the website. More advanced methods of ___________, such as multi-factor ______________, or MFA, challenge the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code or biometrics, such as a fingerprint, voice, or face scan.

Answer 28

Authentication

Question 29

____________ are unique physical characteristics that can be used to verify a person’s identity. Examples of ___________ are a fingerprint, an eye scan, or a palm scan.

Answer 29

Biometrics

Question 30

Another very important security control is ____________. _____________ refers to the concept of granting access to specific resources within a system. Essentially, ___________ is used to verify that a person has permission to access a resource. As an example, if you’re working as an entry-level security analyst for the federal government, you could have permission to access data through the deep web or other internal data that is only accessible if you’re a federal employee.

Answer 30

Authorization

Question 31

_______________ are guidelines used for building plans to help mitigate risk and threats to data and privacy. ____________ support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses ____________ to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.

Answer 31

Security frameworks

Question 32

___________ are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a __________ that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.

Answer 32

Security controls

Question 33

Examples of physical controls:

Answer 33

Gates, fences, and locks

Security guards

Closed-circuit television (CCTV), surveillance cameras, and motion detectors

Access cards or badges to enter office spaces

Question 34

Examples of technical controls:

Answer 34

Firewalls

MFA

Antivirus software

Question 35

Examples of administrative controls:

Answer 35

Separation of duties

Authorization

Asset classification

Question 36

______________ is the idea that only authorized users can access specific assets or data. In an organization, confidentiality can be enhanced through the implementation of design principles, such as the principle of least privilege. The principle of least privilege limits users’ access to only the information they need to complete work-related tasks. Limiting access is one way of maintaining the confidentiality and security of private data.

Answer 36

Confidentiality

Question 37

____________ is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in place to verify the authenticity of data is essential. One way to verify data integrity is through
cryptography, which is used to transform data so unauthorized parties cannot read or tamper with it (NIST, 2022). Another example of how an organization might implement integrity is by enabling encryption, which is the process of converting data from a readable format to an encoded format. Encryption can be used to prevent access and ensure data, such as messages on an organization’s internal chat platform, cannot be tampered with.

Answer 37

Integrity

Question 38

_____________ is the idea that data is accessible to those who are authorized to use it. When a system adheres to both availability and confidentiality principles, data can be used when needed. In the workplace, this could mean that the organization allows remote employees to access its internal network to perform their jobs. It’s worth noting that access to data on the internal network is still limited, depending on what type of access employees need to do their jobs. If, for example, an employee works in the organization’s accounting department, they might need access to corporate accounts but not data related to ongoing development projects.

Answer 38

Availability

Question 39

The CSF consists of five important core functions….

Answer 39

identify, protect, detect, respond, and recover

Question 40

OWASP - Open Web Application Security Project

Answer 40

Minimize attack surface area:
Attack surface refers to all the potential vulnerabilities a threat actor could exploit.

Principle of least privilege:
Users have the least amount of access required to perform their everyday tasks.

Defense in depth:
Organizations should have varying security controls that mitigate risks and threats.

Separation of duties:
Critical actions should rely on multiple people, each of whom follow the principle of least privilege.

Keep security simple:
Avoid unnecessarily complicated solutions. Complexity makes security difficult.

Fix security issues correctly:
When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.

Establish secure defaults
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.

Fail securely
Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.

Don’t trust services
Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.

Avoid security by obscurity
The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016):

The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.

Question 41

_____________ are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies.

Answer 41

Administrative controls

Question 42

_______________ are hardware and software solutions used to protect assets, such as the use of intrusion detection systems, or IDS’s, and encryption.

Answer 42

Technical controls

Question 43

_________________ refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.

Answer 43

Physical controls

Question 44

entry-level analysts might be tasked with classifying controls into the following categories:

Answer 44

administrative controls

technical controls

physical controls

Question 45

A _______________is a review of an organization’s security controls, policies, and procedures against a set of expectations. Audits are independent reviews that evaluate whether an organization is meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best practices. External criteria include regulatory compliance, laws, and federal regulations.

Answer 45

security audit

Question 46

An audit should:

Answer 46

List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)

Note how the audit will help the organization achieve its desired goals

Indicate how often an audit should be performed

Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees

Complete a risk assessment

A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).

Conduct the audit

When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.

Create a mitigation plan

A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

Communicate results to stakeholders

The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization’s level of risk, and compliance regulations and standards the organization needs to adhere to.

Question 47

A ___________ is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

Answer 47

mitigation plan

Question 48

The pathways attackers use to penetrate security defenses

Answer 48

Attack vectors

Question 49

The process of verifying who someone is

Answer 49

Authentication

Question 50

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

Answer 50

Confidentiality, integrity, availability (CIA) triad

Question 51

A NIST core function related to identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections

Answer 51

Detect

Question 52

The unique physical characteristics that can be used to verify a person’s identity

Answer 52

Biometrics

Question 53

A unified framework for protecting the security of information systems within the U.S. federal government

Answer 53

National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53:

Question 54

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Answer 54

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Question 55

A _____________ is an application that collects and analyzes log data to monitor critical activities in an organization. __________ offer real-time monitoring and tracking of security event logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability identified. ____________ have many dashboard options. Each dashboard option helps cybersecurity team members manage and monitor organizational data. However, currently, _________ require human interaction for analysis of security events.

Answer 55

SIEM tool

Question 56

__________________ is a collection of applications, tools, and workflows that uses automation to respond to security events.

Answer 56

Security orchestration, automation, and response (SOAR)

Question 57

______________________ are common SIEM tools that many organizations use to help protect their data and systems.

Answer 57

Splunk Enterprise, Splunk Cloud, and Chronicle

Question 58

__________ is a data analysis platform and ________ Enterprise provides SIEM solutions. _________ Enterprise is a self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real-time. ________ Cloud is a cloud-hosted tool used to collect, search, and monitor log data. _________ Cloud is helpful for organizations running hybrid or cloud-only environments, where some or all of the organization’s services are in the cloud.

Answer 58

Splunk

Question 59

____________ is a cloud-native tool designed to retain, analyze, and search data. ___________ provides log monitoring, data analysis, and data collection. Like cloud-hosted tools, cloud-native tools are also fully maintained and managed by the vendor. But cloud-native tools are specifically designed to take full advantage of cloud computing capabilities such as availability, flexibility, and scalability.

Answer 59

Chronicle

Question 60

___________is an open-source operating system that is widely used. It allows you to tailor the operating system to your needs using a command-line interface. An operating system is the interface between computer hardware and the user. It’s used to communicate with the hardware of a computer and manage software applications.

There are multiple versions of Linux that exist to accomplish specific tasks. ________ and its command-line interface will be discussed in detail, later in the certificate program.

Answer 60

Linux

Question 61

__________ is an open-source network analysis and threat detection software. Network analysis and threat detection software is used to inspect network traffic to identify suspicious behavior and generate network data logs. The detection software finds activity across users, computers, or Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.

____________ was developed by the Open Information Security Foundation (OISF). OISF is dedicated to maintaining open-source use of the ___________ project to ensure it’s free and publicly available. __________ is widely used in the public and private sector, and it integrates with many SIEM tools and other security tools. __________ will also be discussed in greater detail later in the program.

Answer 61

Suricata

Question 62

The __________________ is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

Answer 62

security posture dashboard

Question 63

The ____________________ analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.

Answer 63

executive summary dashboard

Question 64

The _______________ allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

Answer 64

incident review dashboard

Question 65

The _________________ helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

Answer 65

risk analysis dashboard

Question 66

__________ is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to:

A specific asset

A domain name

A user

An IP address

Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names.

Review the following Chronicle dashboards and their purposes:

Answer 66

Chronicle

Question 67

The _________________ highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.

Answer 67

enterprise insights dashboard

Question 68

The __________________ shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log related issues are addressed so that the security team has access to the log data they need.

Answer 68

data ingestion and health dashboard

Question 69

The _________________ indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

Answer 69

IOC matches dashboard

Question 70

The ________________ displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts— to identify threat trends across log sources, devices, IP addresses, and physical locations.

Answer 70

main dashboard

Question 71

The __________________ provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization’s level of risk.

Answer 71

rule detections dashboard

Question 72

The __________________ provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.

Answer 72

user sign in overview dashboard

Question 73

Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application

Answer 73

Metrics

Question 74

The interface between computer hardware and the user

Answer 74

Operating system (OS)

Question 75

incident response playbook 1/6

The first phase is ___________. Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users. Preparation sets the foundation for successful incident response. For example, organizations can create incident response plans and procedures that outline the roles and responsibilities of each security team member.

Answer 75

preparation

Question 76

incident response playbook 2/6

The second phase is _____________. The objective of this phase is to detect and analyze events using defined processes and technology. Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude.

Answer 76

detection and analysis

Question 77

incident response playbook 3/6

The third phase is ___________. The goal of containment is to prevent further damage and reduce the immediate impact of a security incident. During this phase, security professionals take actions to contain an incident and minimize damage. Containment is a high priority for organizations because it helps prevent ongoing risks to critical assets and data.

Answer 77

containment

Question 78

incident response playbook 4/6

The fourth phase in an incident response playbook is ____________. This phase involves the complete removal of an incident’s artifacts so that an organization can return to normal operations. During this phase, security professionals eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once they’ve exercised due diligence, they can begin to restore the affected environment to a secure state. This is also known as IT restoration.

Answer 78

eradication and recovery

Question 79

incident response playbook 5/6

The fifth phase is ______________. This phase includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents. Depending on the severity of the incident, organizations can conduct a full-scale incident analysis to determine the root cause of the incident and implement various updates or improvements to enhance its overall security posture.

Answer 79

post-incident activity

Question 80

incident response playbook 6/6

The sixth and final phase in an incident response playbook is _____________. Coordination involves reporting incidents and sharing information, throughout the incident response process, based on the organization’s established standards. Coordination is important for many reasons. It ensures that organizations meet compliance requirements and it allows for coordinated response and resolution.

Answer 80

coordination

Question 81

incident response playbook

Answer 81

1. preparation

2.detection and analysis

3. containment
4. eradication and recovery
5. post-incident activity
6. coordination