CYBER SECURITY Flashcards

1
Q

CIA TRIAD

A

CONFIDENTIALITY
INTEGRITY
AVAILABILITY

2
Q

CONFIDENTIALITY

A

Can actors who should not have access to the system or information access the system or information?

3
Q

INTEGRITY

A

Can the data or the system be modified in some way that is not intended?

4
Q

AVAILABILITY

A

Are the data or the system accessible when and how they are intended to be?

5
Q

OFFENSIVE SECURITY

A
6
Q

DEFENSIVE SECURITY

A
7
Q

TRY HARDER MINDSET

A

If my attack or defense fails, it represents a truth about my current skills/processes/configurations/approach as much as it is a truth about the system.

If my attack or defense fails, this allows me to learn something new, change my approach, and do something differently.

8
Q

CYBER SECURITY CHALLENGES

A

INVOLVES MALICIOUS AND INTELLIGENT ACTORS (OPPONENTS)

INVOLVES REASONING UNDER UNCERTAINTY

9
Q

SECURITY MINDSET

A

FIRST INTRODUCED BY BRUCE SCHNEIER

encourages a constant questioning of how one can attack (or defend) a system. If we can begin to ask this question automatically when encountering a novel idea, machine, system, network, or object, we can start noticing a wide array of recurring patterns.

10
Q

GROWTH MINDSET

A

encourages the belief that mental ability is flexible and adaptable and that one can grow their capacity to learn over time.

11
Q

RISK

A

A simple way to define risk is to consider two axes: the probability that a negative event will occur, and the impact on something we value if such an event happens. This definition allows us to conceptualize risks via four quadrants:

Low-probability, low impact events
Low-probability, high impact events
High-probability, low impact events
High-probability, high impact events

12
Q

THREAT

A

Threat is something that poses risk to an asset we care about protecting. Not all threats are human; if our network depends on the local electricity grid, a severe lightning storm could be a threat to ongoing system operations.

13
Q

VULNERABILITY

A

For a threat to become an actual risk, the target being threatened must be vulnerable in some manner.

A vulnerability is a flaw that allows a threat to cause harm. Not all flaws are vulnerabilities.

In computer programs, vulnerabilities occur when someone who interacts with the program can achieve specific objectives that are unintended by the programmer.

14
Q

EXPLOIT

A

In computer programs, vulnerabilities occur when someone who interacts with the program can achieve specific objectives that are unintended by the programmer. When these objectives provide the user with access or privileges that they aren’t supposed to have, and when they are pursued deliberately and maliciously, the user’s actions become an exploit.

15
Q

RISK CONSIDERATION QUESTIONS

A

How likely is it that a particular attack might happen?

What would be the worst possible outcome if the attack occurs?

16
Q

CVSS

A

COMMON VULNERABILITY SCORING SYSTEM

17
Q

EXPLOIT (NOUN)

A

As a noun, an exploit is a procedure for abusing a particular vulnerability.

18
Q

EXPLOIT (VERB)

A

As a verb, to exploit a vulnerability is to perform the procedure that reliably abuses it.

19
Q

ATTACK SURFACE

A

DESCRIBES ALL THE POINTS OF CONTACT ON OUR SYSTEM OR NETWORK THAT COULD BE VULNERABLE TO EXPLOITATION

20
Q

ATTACK VECTOR

A

SPECIFIC VULNERABILITY AND EXPLOITATION COMBINATION THAT CAN FURTHER A THREAT ACTOR'S OBJECTIVES.

21
Q

THREAT ACTOR CLASSIFICATION

A

HIGH LEVEL CLASSIFICATION:
INDIVIDUAL
GROUP
INSIDER
NATION STATE

22
Q

INDIVIDUAL MALICIOUS ACTOR

A

Individual Malicious Actors: On the most superficial level, anyone attempting to do something that they are not supposed to do fits into this category. In cybersecurity, malicious actors can explore digital tactics that are unintended by developers, such as authenticating to restricted services, stealing credentials, and defacing websites.

23
Q

MALICIOUS GROUP

A

Malicious Groups: When individuals band together to form groups, they often become stronger than their individual group members.

Malicious groups can have any number of goals but are usually more purposeful, organized, and resourceful than individuals. Thus, they are often considered to be one of the more dangerous threat actors.

24
Q

INSIDER THREAT

A

Insider Threats: Perhaps one of the most dangerous types of threat actors, an insider threat is anyone who already has privileged access to a system and can abuse their privileges to attack it. Often, insider threats are individuals or groups of employees or ex-employees of an enterprise that become motivated to harm it in some capacity.

25
Q

NATION STATES

A

Nation States: Although international cyber politics, cyber war, and digital intelligence are vast subjects and significantly beyond the scope of this Module, we should recognize that some of the most proficient, resourceful, and well-financed operators of cyber attacks exist at the nation-state level within many different countries across the globe.

26
Q

SOCIAL ENGINEERING

A

attacks where an attacker persuades or manipulates human victims to provide them with information or access that they shouldn’t have.

27
Q

PHISHING

A

Phishing is usually done in broad sweeps. Phishing strategy is usually performed by sending a malicious communication to as many people as possible, increasing the likelihood of a victim clicking a link or otherwise doing something that would compromise security.

28
Q

SPEAR-PHISHING

A
29
Q

VISHING

A
30
Q

SMS-ISHING

A
31
Q

RANSOMWARE

A
32
Q

CREDENTIAL ABUSE

A
33
Q

AUTHENTICATION BYPASS

A
34
Q

ZERO TRUST SECURITY MODEL

A

Zero Trust is a security model that assumes that all users, devices, and networks are untrusted and must be verified before access is granted. It is based on the idea that organizations should not trust any user, device, or network, even if they are inside the organization’s network.

35
Q

PRINCIPLE OF LEAST PRIVILEGE

A

Each user and program should operate using the fewest privileges possible.

36
Q

DEFENSE IN DEPTH

A

Involves multiple layers of security controls to protect an organization’s assets.

The goal of Defense-in-Depth is to create a secure environment that is resilient to attack and can quickly detect and respond to any security incidents. By implementing multiple layers of security, organizations can reduce the risk of a successful attack and minimize the damage caused by any successful attack.

37
Q

OPEN SECURITY

A

focuses on the need for developers to be aware of the security implications of their code and to take steps to ensure that their code is secure. This includes using secure coding practices, testing for vulnerabilities, and using secure development tools. Security-in-the-Open also encourages developers to collaborate with security experts to ensure that their code is secure.

38
Q

SHIFT LEFT SECURITY

A
39
Q

SECURITY STRATEGIES

A

24/7 vigilance
Threat modeling
Table top discussions
Continuous training on tactics, processes, and procedures
Continuous automated patching
Continuous supply chain verification
Secure coding and design
Daily log reviews
Multiple layers of well-implemented Security Controls

40
Q

ADMINISTRATIVE SEGMENTATION

A

To defeat internal threats and threats that have acquired valid credentials or authentication capability, we must segment controls so that no single authority can bypass all controls. To accomplish this, we may need to split controls between application teams and administrators, or split access for administration between multiple administrators.

41
Q

SHAMIR’S SECRET SHARING (SSS)

A

SSS is used to secure a secret in a distributed form, most often to secure encryption keys. The secret is split into multiple shares, which individually do not give any information about the secret.

42
Q

THREAT MODELING

A

Threat modeling describes taking data from real-world adversaries and evaluating those attack patterns and techniques against our people, processes, systems, and software. It is important to consider how the compromise of one system in our network might impact others.

43
Q

THREAT INTELLIGENCE

A

Threat Intelligence is data that has been refined in the context of the organization: actionable information that an organization has gathered via threat modeling about a valid threat to that organization’s success. Information isn’t considered threat intelligence unless it results in an action item for the organization. The existence of an exploit is not threat intelligence; however, it is potentially useful information that might lead to threat intelligence.

44
Q

TACTICS TECHNIQUES AND PROCEDURES
(TTPs)

A
45
Q

BUSINESS CONTINUITY PLANNING
(BCP)

A
46
Q

TABLE TOP TACTICS

A
47
Q

CONTINUOUS PATCHING

A
48
Q

CONTINUOUS SUPPLY CHAIN VERIFICATION

A
49
Q

SOFTWARE BILL OF MATERIALS
(SBOM)

A

Utilizing a software bill of materials (SBOM) as a way to track dependencies automatically in the application build process greatly helps us evaluate supply chain tampering. If we identify the software dependencies, create an SBOM with them, and package the container and SBOM together in a cryptographically-verifiable way, then we can verify the container’s SBOM signature before loading it into production.

50
Q

SLEEPER MALWARE

A

Sleeper malware is software that is inactive while on a system for some time, potentially weeks before it starts taking action.

51
Q

ENCRYPTION

A
52
Q

PERSONALLY IDENTIFIABLE INFORMATION
(PII)

A
53
Q

TLS

A
54
Q

EPHEMERAL ENCRYPTION

A
55
Q

LOGGING

A
56
Q

CHAOS TESTING

A
57
Q

DISASTER RECOVERY

A
58
Q

CHAOS ENGINEERING

A
59
Q

HIPAA

A
60
Q

FERPA

A

Family Educational Rights and Privacy Act of 1974 (FERPA) is a United States federal law regulating the privacy of learners’ education records. This law sets limits upon the disclosure and use of these records without parents’ or learners’ consent. Some instances where schools are permitted to disclose these records are school transfers, cases of health or safety emergencies, and compliance with a judicial order.

61
Q

GLBA

A

Gramm-Leach-Bliley Act (GLBA), enacted by the United States Congress in 1999, establishes several requirements that financial institutions must follow to protect consumers’ financial information. This law requires that institutions describe how they use and share information and allow individuals to opt-out in certain cases.

62
Q

PHI

A

PROTECTED HEALTH INFORMATION

63
Q

PRIVACY RULE

A
64
Q

SECURITY RULE FOR E-PHI

A

Three classes of safeguards that must be in place:

Administrative (having a designated security official, a security management process, periodic assessments, etc.)
Physical (facility access control, device security)
Technical (access control, transmission security, audit abilities, etc.)

65
Q

GDPR

A

General Data Protection Regulation (GDPR) is a law adopted by the European Union in 2016 that regulates data privacy and security. It applies to the private sector and most public sector entities that collect and process personal data. It provides individuals with a wide set of rights over their data including the well-known “right to be forgotten” and other rights related to notifications of data breaches and portability of data between providers.

GDPR outlines a strict legal baseline for processing personal data. For example, personal data may be processed only if the data subject has given consent, to comply with legal obligations, to perform certain tasks in the public interest, or for other “legitimate interests”. For businesses that process data on a large scale or for whom data processing is a core operation, a data protection officer - who is responsible for overseeing data protection - must be appointed.

GDPR also establishes an independent supervisory authority to audit and enforce compliance with these regulations and administer punishment for non-compliance. The fines for violating these regulations are very high: a maximum of 20 million Euros or 4% of revenue (whichever is higher), plus any additional damages that individuals may seek.

One unique aspect of GDPR is that it applies to any entity collecting or processing data related to people in the European Union, regardless of that entity’s location. At the time of its adoption, it was considered the most strict data privacy law in the world and has since become a model for several laws and regulations enacted around the globe.

66
Q

CCPA

A

California Consumer Privacy Act of 2018 (CCPA) is a Californian law granting residents of the state certain privacy rights concerning personal information held by for-profit businesses:

The “right to know”
The “right to opt-out”
The “right to delete”

67
Q

KEY DISCLOSURE LAWS

A

Key disclosure laws are laws that compel the disclosure of cryptographic keys or passwords under specific conditions. This is typically done as part of a criminal investigation when seeking evidence of a suspected crime.

68
Q

RIPA

A

REGULATION OF INVESTIGATORY POWERS ACT 2000

69
Q

RIGHT TO OPT OUT

A

Allows consumers to request that their personal information not be sold, a request that must, with few exceptions, be honored.

70
Q

RIGHT TO KNOW

A

Requires businesses to disclose to consumers, upon request, what personal information has been collected, used, and sold about them, and why.

71
Q

RIGHT TO DELETE

A

Allows consumers to request that businesses delete collected personal information.

72
Q

MITRE ATT&CK FRAMEWORK

A
73
Q

MITRE D3FEND FRAMEWORK

A
74
Q

CYBER KILL CHAIN

A
75
Q

RECONNAISSANCE PHASE

A
76
Q

WEAPONIZATION PHASE

A
77
Q

DELIVERY PHASE

A
78
Q

EXPLOITATION PHASE

A
79
Q

INSTALLATION STAGE

A
80
Q

COMMAND AND CONTROL PHASE

A
81
Q

ACTIONS ON OBJECTIVES PHASE

A
82
Q

FEDRAMP

A
83
Q

NIST

A

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

84
Q

NIST FRAMEWORK COMPONENTS

A

CORE
IMPLEMENTATION TIERS
PROFILES

85
Q

FRAMEWORK CORE
CATEGORIES

A

5 HIGH LEVEL FUNCTIONS

86
Q

FRAMEWORK IMPLEMENTATION TIER

A

The degree to which an organization’s cybersecurity practices satisfy the outcomes described by the subcategories of the Framework Core.

4 TIERS:
Partial (the least degree)
Risk-informed
Repeatable
Adaptive

87
Q

FRAMEWORK PROFILES

A

The relationship between the present implementation of an organization’s cybersecurity activities (Current Profile) and their desired outcome (Target Profile).

This is determined by the organization’s business objectives, requirements, controls, and risk appetite.

88
Q

PCI DSS

A

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

89
Q

PCI DSS DEFINITION

A

An information security standard, first published in 2004, for organizations handling customer payment data for several major credit card companies. It is managed by the Payment Card Industry Security Standards Council. Its purpose is to ensure that payment data is properly secured to reduce the risk of credit card fraud. As with other frameworks, PCI DSS consists of several requirements, and an organization’s compliance must be assessed annually.

90
Q

PCI DSS REQUIREMENTS

A

Most of these requirements resemble other industry best practices regarding network and system security, access control, vulnerability management, monitoring, etc. For example, Requirement 2 prohibits the use of vendor-supplied defaults for system passwords and other security-related parameters. Other requirements are credit-card-specific formulations of other familiar best practices. For example, Requirement 3 outlines what types of credit card data can be stored and how it must be protected.

91
Q

CIS

A

CENTER FOR INTERNET SECURITY

92
Q

CIS TOP 18

A

CIS Top 18: The Center for Internet Security (CIS) Critical Security Controls, also known as CIS Controls, is a set of 18 (previously 20) recommended controls intended to increase an organization’s security posture. While not laws or regulations, these controls pertain to areas that regulations are concerned with, including data protection, access control management, continuous vulnerability management, malware detection, and more.

93
Q

CIS CONTROLS

A

A set of 18 (previously 20) recommended controls intended to increase an organization’s security posture.

94
Q

IMPLEMENTATION GROUPS

A

These controls are divided into safeguards (previously known as sub-controls), which, in turn, are grouped into three implementation groups (IG1, IG2, IG3) intended to help prioritize safeguard implementation.

95
Q

IG1

A

IG1 consists of controls that are considered the minimum standard for information security meant to protect against the most common attacks and should be implemented by every organization. They are typically implemented by small businesses with limited IT expertise that manage data of low sensitivity.

96
Q

IG3

A

IG3, which consists of all safeguards, is typically implemented by organizations with dedicated cybersecurity experts managing sensitive data that may be subject to oversight.

96
Q

IG2

A

IG2 is composed of additional safeguards that are meant to apply to more complex organizations, typically those with multiple departments and staff dedicated to managing IT infrastructure with more sensitive customer and proprietary data.
