Dion Review

Question 1

Isolation

Answer 1

Isolation is a mitigation technique that can help prevent malware from spreading from one system or process to another by limiting their interaction and communication. Isolation involves sandboxing or simply disconnecting an infected system. This prevents potentially malicious programs or scripts from accessing the rest of the system or network. Isolation is most important when malware is on the system.

Question 2

Data Controller

Answer 2

The data controller is the entity that determines the purposes, conditions, and means of processing personal data. They make decisions about how and why data is processed.

While data owners are responsible for the data’s classification and ensuring it meets organizational policies, they do not typically decide on the purposes and means of data processing.

Question 3

Exposure Factor

Answer 3

The exposure factor is an estimate of the potential damage to an asset if a given threat exploits a vulnerability, and it is not directly connected to the asset’s total value or frequency of threat events. An exposure factor of 100% suggests that a security incident or threat event would render the asset entirely unusable or worthless. Exposure factor is usually expressed as a percentage representing the portion of the asset’s value likely to be lost in an incident.

Question 4

Threat Scope Reduction

Answer 4

Threat scope reduction refers to the proactive steps and strategies taken to reduce the potential areas of attack within a system or network. By limiting the avenues that attackers can exploit, organizations can more effectively secure their assets.

Question 5

Chain of Custody

Answer 5

Chain of Custody is the process of securing and preserving evidence related to a security incident for potential use in legal proceedings. When handling digital evidence, it is crucial to maintain a clear and documented Chain of Custody. This ensures that the evidence is collected, stored, and transferred in a way that maintains its integrity and authenticity, making it admissible and reliable in legal proceedings.

Question 6

Infrastructure Diversification

Answer 6

Diversifying infrastructure ensures that organizations are not overly reliant on a single data center, network, or platform. By distributing their assets and systems across multiple locations or platforms, they can significantly reduce the risk of total service disruption if one component fails.

Question 7

Risk Identification

Answer 7

Risk identification is the proactive process of recognizing and recording potential threats that could adversely affect an organization.

Threat intelligence involves the collection and analysis of information about current and potential attacks that threaten the security of an organization but does not directly refer to the broader process of risk identification.

Question 8

Attribute-Based Access Control (ABAC)

Answer 8

In an ABAC system, access permissions are dynamically evaluated based on various user attributes, such as job role, department, location, and time of access. The system combines these attributes to make access control decisions, allowing for more fine-grained and context-aware access control.

Question 9

Security Content Automation Protocol (SCAP)

Answer 9

The Security Content Automation Protocol (SCAP) is a set of specifications that standardize the format and nomenclature for communicating security configuration information and software flaws. SCAP is a checklist that helps enterprises improve their cybersecurity posture.

Its main functionality lies in strengthening the security of systems via a standardized approach to maintaining system security, aiding in automating the process of detecting vulnerabilities, managing configurations, and maintaining compliance with regulatory standards.

Question 10

Client-Based Software

Answer 10

Client-based software is software that runs on the user’s computer and requires installation and configuration. It may have vulnerabilities that can be exploited by attackers if not updated or patched regularly.

Question 11

Agentless Software

Answer 11

Agentless software is software that does not require installation or configuration on the user’s computer. It runs on a remote server and communicates with the user’s computer via a web browser or other interface.

Question 12

Time-of-Use (TOU)

Answer 12

A Time-of-use (TOU) vulnerability arises when there’s an opportunity for an attacker to manipulate a resource after its creation but before its use by an application.

Question 13

Service-Level Agreement (SLA)

Answer 13

The Service-Level Agreement (SLA) is the document that precisely defines the agreed-upon service levels and performance metrics that the vendor is expected to meet. It outlines the specific services to be provided, performance expectations, response times, and remedies for not meeting the agreed-upon levels.

Question 14

Detection Phase of Incident Response Plan

Answer 14

Identifying and classifying incidents based on severity and impact is typically part of the “Detection” phase of the incident response process. It involves recognizing that an incident has occurred and understanding its potential implications.

Question 15

Preparation Phase of Incident Response Plan

Answer 15

The Preparation phase in the incident response process involves activities such as developing an incident response plan, defining roles and responsibilities of the incident response team, and conducting regular training and drills. These preparations ensure that the organization is ready to respond effectively and efficiently to any potential security incidents.

Question 16

Enumeration (Hardware/Software/Data Management)

Answer 16

In the context of hardware, software, and data asset management, enumeration refers to a comprehensive process that involves assigning unique identifiers, access controls, and attributes to each asset. This practice aims to establish granular control over access permissions, ensuring that only authorized users can interact with the assets. Enumeration plays a crucial role in maintaining the confidentiality, integrity, and availability of data by preventing unauthorized access and facilitating proper resource management.

Question 17

Horizontal Password Attack

Answer 17

In a horizontal password attack, an attacker targets multiple accounts by trying a few common passwords across them. It’s a method to bypass account lockout policies that would trigger if too many failed attempts are made on a single account.

Question 18

What type of wireless connection is best for ensuring reliable and secure communications between multiple branch offices?

Answer 18

Cellular connections are the best choice for secure and reliable communication between branch offices.
Cellular connections use GSM (Global System for Mobile Communications) or CDMA (Code Division Multiple Access) technologies to provide wireless communication between devices. Cellular connections are more secure than Wi-Fi or Bluetooth because they use encryption and authentication mechanisms to protect the data. Cellular connections also have a high bandwidth and can support a large number of devices at a time.

Bluetooth connections are not designed for long-distance communication. Bluetooth connections use short-range radio waves to connect devices within a few meters of each other. Bluetooth connections also have a low bandwidth and can only support a small number of devices at a time.

Satellite connections have higher latency and lower bandwidth than cellular connections. Satellite connections use orbiting satellites to transmit data, which can cause delays and signal loss due to atmospheric conditions and interference. Satellite connections also have a high cost and require specialized equipment to access them.

Question 19

Security Officer

Answer 19

The security officer, also known as the Chief Information Security Officer (CISO) or Information Security Manager, is a senior-level role responsible for leading and overseeing the organization’s information security program. They are tasked with defining, implementing, and enforcing information security policies and procedures throughout the organization. The security officer collaborates with various stakeholders, including management, IT teams, and compliance personnel, to ensure that security measures align with the organization’s objectives and industry best practices.

Question 20

Control Plane (Zero Trust Model)

Answer 20

The Control Plane within the Zero Trust model is fundamentally responsible for deciding on access based on policies and threats, which is a dynamic and multifaceted task. While it does consider user behavior as part of its decision-making process, employing security decisions based on user behavior is only one aspect of its function.

Question 21

Federation

Answer 21

A federated network is a network model in which a number of separate networks or locations share resources (such as network services and gateways) via a central management framework that enforces consistent configuration and policies. By employing federation, companies can leverage single sign-on across multiple domains or organizations.

Question 22

Extended Detection and Response (XDR)

Answer 22

Implementing XDR gives the ability to integrate and correlate security data from various sources, such as endpoints, network, and cloud environments. By doing so, XDR can detect and respond to sophisticated, multi-vector cyber threats more effectively. While XDR may contribute to enforcing security policies, its primary role is to detect and respond to multi-vector cyber threats across the IT environment. While some XDR solutions may include features for software updates and patch management, the primary focus of XDR is not on updating and patching software on endpoints. XDR’s primary purpose is to enhance threat detection and response capabilities. One of the main advantages of EDRs is that they provide real-time monitoring and reporting of attacks.

XDR works best in situations where company security data is spread across a number of applications and tools.

Question 23

Golden Image

Answer 23

A golden image is a template for a virtual machine, virtual desktop, server or hard disk drive. A golden image ensures consistency and saves time by providing a standardized configuration for each VM deployed.

Question 24

Concurrent Session Usage

Answer 24

Concurrent session usage is an indicator of malicious activity that shows that an attacker or malware has compromised an account and is using it simultaneously with the legitimate user, creating multiple sessions from different locations or devices.

Question 25

What is the purpose of internal and external compliance reporting?

Answer 25

External compliance reporting is crafted to meet mandatory disclosures and inform external stakeholders such as regulators and shareholders about the company’s compliance status at a high level. Internal compliance reporting is designed to give detailed insights to internal stakeholders like executives and security analysts, assisting in strategic planning and operational improvements.

Question 26

Total Cost of Ownership (TCO)

Answer 26

The TCO (Total Cost of Ownership) not only includes the initial purchase price of the tool but also the ongoing expenses related to maintenance, updates, and other associated costs over its lifecycle.

While ROI (Return on Investment) evaluates the profitability or benefit of a particular investment, it doesn’t primarily focus on the entire financial impact over a tool’s lifecycle.

Question 27

DKIM (Domain Keys Identified Mail)

Answer 27

Implementing DKIM enables organizations to sign emails originating from their domain cryptographically. This allows receivers to verify that an email claiming to be from the domain genuinely is.

Question 28

Sender Policy Framework (SPF)

Answer 28

SPF (Sender Policy Framework) is valuable in identifying which servers are authorized to send emails on behalf of a domain.

Question 29

Data Custodian

Answer 29

A data custodian is typically an individual or entity responsible for managing the system where the data is stored. The data custodian would be unlikely to be analyzing data.

Question 30

Data Processor

Answer 30

A data processor is an entity that processes personal data on behalf of the data controller.

Question 31

UI (CVSS)

Answer 31

The UI (User Interaction) metric specifies whether an attack can be executed solely by the attacker or if it necessitates user involvement to succeed.

Question 32

PR (CVSS)

Answer 32

The Privileges Required (PR) metric measures the level of privileges an attacker must have to exploit the vulnerability.

Question 33

False Positive

Answer 33

A False Positive is a security alert that incorrectly identifies a legitimate action as a potential threat.

Additionally, a False Positive refers to a situation where a legitimate action is mistakenly identified as a threat and may lead to unnecessary alarms and investigation efforts.

Question 34

Sophistication

Answer 34

Sophistication refers to the intricacy and advancement of a threat actor’s tactics, techniques, and procedures. More sophisticated threat actor groups possess customized attack tools and have access to skilled personnel, such as strategists and hackers.

Capability pertains to a threat actor’s ability to devise new exploits and tools, but it doesn’t necessarily denote the intricacy/complexity of their methods.

Question 35

Data Owner

Answer 35

The Data Owner is accountable for the data’s security and compliance with the organization’s strategic objectives.

Question 36

Adaptive Identity

Answer 36

Adaptive Identity allows for more flexible and dynamic access control by using contextual data to make dynamic access control decisions. For example, the system might grant access to a sensitive resource based on the user’s location or the time of day.

Question 37

Resource Reuse (Virtualization)

Answer 37

Resource Reuse in the context of Virtualization is a type of vulnerability that involves accessing or modifying data or communications from other virtual machines by exploiting the shared CPU between them. It can allow an attacker to execute malicious code or commands on other virtual machines.

Question 38

Known Environment Penetration Test

Answer 38

Penetration testing in a known environment means that a significant amount of information has been given to the tester. This can include passwords, usernames, and other information.

Question 39

What is the most important security implication when splitting a large application into microservices?

Answer 39

As applications are broken down into microservices, each service might need specific access controls, potentially complicating the permissions landscape.

Question 40

What piece of information about a file is not typically included in its metadata?

Answer 40

Metadata does NOT normally include the file’s extension.

Question 41

Why is employee retention good for the security of an organization?

Answer 41

Employee retention means that the organization can retain experienced staff who have gained valuable institutional knowledge and expertise in managing security automation and orchestration.

Question 42

ECC

Answer 42

ECC (Elliptic Curve Cryptography) is a form of public key cryptography based on the algebraic structure of elliptic curves over finite fields primarily used for digital signatures and key exchanges.

Question 43

Screen-locking Ransomware

Answer 43

Screen-locking Ransomware intimidates users by locking them out of their device and displaying threatening messages.

Some indicators for this type of ransomware include messages suggesting that a computer was locked by the police or computers being replaced with shell program that makes it appear as if files are inaccessible.

Question 44

What is the main danger that comes from Shadow IT?

Answer 44

Shadow IT can introduce security risks because the unauthorized system or device may provide attackers with a way to gain access to an otherwise secure system.

Question 45

What is the format for a CVE identifier?

Answer 45

A CVE identifier follows a format of “CVE” followed by a year and a sequence of numbers. An example of a valid CVE identifier is:

CVE-2022-12345

Question 46

SRTP

Answer 46

SRTP (Secure Real-time Transport Protocol) provides encryption, message authentication, and integrity for voice communications over IP (VoIP). It’s designed to protect Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) traffic.

Question 47

Side Loading

Answer 47

Side Loading is the process of installing applications on a mobile device from sources other than the official app store (a website), which can allow unauthorized applications to be installed.

Question 48

Homomorphic Encryption

Answer 48

Homomorphic Encryption allows data to be processed without being decrypted, effectively securing data-in-use. Computations can be performed on the encrypted data directly, and the results, when decrypted, match as if the operations were done on the plaintext.

Question 49

What are the implications of using the CSP root account for daily logon activity?

Answer 49

Using the root user for daily cloud tasks is a high-risk practice because it gives complete control over all resources in the cloud account, making it a lucrative target for attackers.

Question 50

Continuous Risk Assessment

Answer 50

Continuous Risk Assessment involves ongoing and real-time monitoring of risks as part of the organization’s daily operations. It aims to quickly identify and address emerging risks. While it is beneficial, it may not specifically involve periodic assessments at regular intervals.

Question 51

Infrastructure Monitoring

Answer 51

Infrastructure Monitoring is focused on ensuring the foundational IT components, like servers, data centers, and networking equipment, are both functional and secure.

This is different from Systems Monitoring which evaluates the hardware, operating systems, and the essential services that applications run on but not the broader foundational structures of IT.

Question 52

SASE

Answer 52

SASE (Secure Access Service Edge) combines network security and WAN capabilities in a single cloud-based service, making it an ideal solution for ensuring secure and reliable access to data and applications irrespective of user/device location.

Question 53

What term refers to the expected frequency of occurrence of a specific risk within a given time frame?

Answer 53

Probability refers to the expected frequency of occurrence of a specific risk within a given time frame.

Likelihood is a qualitative term used to express the chance of a risk occurring, typically described in terms of low, medium, or high.

Question 54

Which email security technique specifically utilizes email certificates to authenticate and safeguard email content?

Answer 54

S/MIME (Secure Multipart Internet Message Extensions) leverages email certificates to both sign and encrypt email content, ensuring both authenticity and confidentiality.

Question 55

End-of-Life Vulnerability

Answer 55

End-of-life refers to hardware that is no longer supported by the manufacturer, often leading to unpatched and exploitable vulnerabilities.

Legacy hardware denotes older systems or components still in use, which can be vulnerable, but doesn’t necessarily mean they are unsupported or at their end-of-life.

Question 56

What is “Acquisition” in the context of incident response?

Answer 56

Acquisition involves identifying and gathering evidence related to the security incident. This may include collecting logs from affected systems, taking disk images, or other procedures to catalogue everything that may be used as evidence in a court proceeding.

Question 57

Does Continuous Integration slow down or speed up the development process?

Answer 57

In fact, continuous integration speeds up the development process. By integrating the work often, problems are discovered early and can be fixed immediately, preventing them from slowing down the project in the later stages. The practice of making frequent commits and running automated tests means that errors are detected sooner.

Question 58

What is the best tool for agentless security monitoring/alerting?

Answer 58

SIEM tools are essential for consolidating and analyzing logs and alerts from various sources within an environment. These tools are known for their agentless capabilities, where they can collect and process logs without needing a dedicated agent on the source system, providing flexibility in diverse infrastructure setups.

While an IDS can detect malicious activities, it typically requires agents or sensors to capture traffic or system activities.

Question 59

Probability vs. Likelihood

Answer 59

Probability is a quantitative measure, usually expressed as a number between 0 and 1, or as a percentage, indicating the statistical likelihood of a risk event.

Likelihood is used in qualitative risk analysis to subjectively describe how probable a risk event is, often expressed in terms such as “low,” “medium,” or “high.” Likelihood also ties the likelihood to a specific time frame, unlike probability.

Question 60

Which US act requires federal agencies to develop security policies for computer systems that process confidential information?

Answer 60

Computer Security Act (1987)

Question 61

Hardening

Answer 61

Hardening techniques are techniques that can help you reduce the exposure of systems and devices to potential attacks by disabling unused features and services. Hardening techniques involve removing unnecessary features and services, changing default settings, and applying security configurations to systems and devices.

Hardening techniques do not typically involve installing endpoint protection software.

Question 62

What happens when a file is quarantined during an alert response?

Answer 62

When a file is quarantined, it is isolated, ensuring the user, or possibly any user, cannot access it. This can be achieved by encrypting the file or moving it to a designated quarantine zone in the file system.

Question 63

Are complexity rules a good method of enforcing password security?

Answer 63

In the past, complexity rules were seen as a useful way to improve password management. However, in current NIST guidelines, complexity rules are seen as counter-productive. Users are more likely to write down complex passwords because they are difficult to remember. Letting users create long, strong passwords that they can remember is a better practice.

Question 64

What is the purpose of an integrated penetration test?

Answer 64

Integrated penetration tests are intended to gauge the success of an organization’s security training.

Integrated tests provide a comprehensive evaluation, covering various security domains from physical infrastructure to software applications and network configurations, ensuring a multi-faceted approach to uncovering potential vulnerabilities.

Question 65

Workforce Multiplier

Answer 65

The workforce multiplier refers to the ability to scale and amplify the effectiveness of the security team by combining the efforts of human professionals with automation and orchestration. This combination allows the organization to handle a larger volume of security tasks and incidents, thus enhancing their security capabilities.

Question 66

Degaussing

Answer 66

Degaussing exposes hard disks to powerful electromagnets, disrupting data storage patterns. However, not all types of drives, like SSDs and optical media, can be degaussed, limiting its applicability.

Question 67

Trusted Platform Module (TPM)

Answer 67

TPM is a hardware-based storage system that contains keys, digital certificates, hashed passwords, and many other types of information used for authentication.

It is typically embedded on device motherboards or CPUs that use Windows operating systems.