Domain 2: Information Risk Management (30%) Flashcards

1
Q

What are Threats, Vulnerabilities, and Risks

A

Before we move too deeply into the risk assessment process, let’s define a few important terms that we’ll use during our discussion:

Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.
Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat.
Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.

2
Q

What is an enterprise risk management (ERM) program for?

A

In an enterprise risk management (ERM) program, organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk.

3
Q

What is the Risk Identification process?

A

The risk identification process requires identifying the threats and vulnerabilities that exist in your operating environment. These risks may come from a wide variety of sources ranging from malicious hackers to hurricanes.

4
Q

What are some of the different categories of risk facing organizations?

A

External risks are those risks that originate from a source outside the organization. This is an extremely broad category of risk, including cybersecurity adversaries, malicious code, and natural disasters, among many other types of risk.
Internal risks are those risks that originate from within the organization. They include malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
Multiparty risks are those that impact more than one organization. For example, a power outage to a city block is a multiparty risk because it affects all of the buildings on that block. Similarly, the compromise of an SaaS provider’s database is a multiparty risk because it compromises the information of many different customers of the SaaS provider.
Legacy systems pose a unique type of risk to organizations. These outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Intellectual property (IP) theft risks occur when a company possesses trade secrets or other proprietary information that, if disclosed, could compromise the organization’s business advantage.
Software compliance/licensing risks occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.

5
Q

Risk Calculation

A

Not all risks are equal. Returning to the example of a pedestrian on the street, the risk of being hit by a bicycle is far more worrisome than the risk of being struck down by a meteor. That makes intuitive sense, but let’s explore the underlying thought process that leads to that conclusion. It’s a process called risk calculation.

6
Q

What two factors do we use when evaluating any risk?

A

The likelihood of occurrence, or probability, that the risk will occur. We might express this as the percentage of chance that a threat will exploit a vulnerability over a specified period of time, such as within the next year.
The magnitude of the impact that the risk will have on the organization if it does occur. We might express this as the financial cost that we will incur as the result of a risk, although there are other possible measures.
Using these two factors, we can assign each risk a conceptual score by combining the probability and the magnitude. This leads many risk analysts to express the severity of a risk using this formula:

Risk Severity = Likelihood × Impact

7
Q

What are Risk Assessments?

A

Risk assessments are a formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner. Risk assessments follow two different analysis methodologies:

Quantitative risk assessments use numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks.
Qualitative risk assessments substitute subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.

8
Q

Quantitative Risk Assessment
Most quantitative risk assessment processes follow a similar methodology that includes the following steps:

A

Determine the asset value (AV) of the asset affected by the risk. This asset value (AV) is expressed in dollars, or other currency, and may be determined by using the cost to acquire the asset, the cost to replace the asset, or the depreciated cost of the asset, depending on the organization’s preferences.

Determine the likelihood that the risk will occur. Risk analysts consult subject matter experts and determine the likelihood that a risk will occur in a given year. This is expressed as the number of times the risk is expected to happen each year and is described as the annualized rate of occurrence (ARO). A risk that is expected to occur twice a year has an ARO of 2.0, whereas a risk that is expected once every one hundred years has an ARO of 0.01.

Determine the amount of damage that will occur to the asset if the risk materializes. This is known as the exposure factor (EF) and is expressed as the percentage of the asset expected to be damaged. The exposure factor of a risk that would completely destroy an asset is 100 percent, whereas a risk that would damage half of an asset has an EF of 50 percent.

Calculate the single loss expectancy. The single loss expectancy (SLE) is the amount of financial damage expected each time this specific risk materializes. It is calculated by multiplying the AV by the EF.

Calculate the annualized loss expectancy. The annualized loss expectancy (ALE) is the amount of damage expected from a risk each year. It is calculated by multiplying the SLE and the ARO.
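The four steps carried through in code, as an added example that is not part of the flashcard source. The asset value, exposure factors, ARO and control cost are constructed figures, and control_value() is a helper introduced here to show the cost-benefit comparison that the later Risk Treatment card says quantitative assessments support (ALE before the control, ALE after it, minus what the control costs per year).

```python
"""Quantitative risk assessment: AV, EF, ARO -> SLE -> ALE, plus the
cost-benefit test for a proposed control.

Added example, not from the flashcard source. The asset value, exposure
factors, ARO and control cost are constructed figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of the asset lost per event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence, events per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a control: ALE(before) - ALE(after) - yearly cost of the control.

    Positive means the control pays for itself; negative means the organization
    spends more on the control than it would expect to lose, which argues for
    accepting the risk or finding a cheaper control.
    """
    return before.ale() - after.ale() - annual_control_cost


# Constructed scenario: a database server valued at 200,000. Ransomware is
# expected to destroy half its value (EF 0.5) about once every two years (ARO 0.5).
ransomware = Risk("ransomware on db01", asset_value=200_000, exposure_factor=0.5, aro=0.5)

# Same risk with tested offline backups: EF drops to 0.1 because most data is
# restorable; ARO is unchanged because backups do not prevent the infection.
ransomware_with_backups = Risk("ransomware on db01, with backups",
                               asset_value=200_000, exposure_factor=0.1, aro=0.5)

if __name__ == "__main__":
    print(f"SLE = {ransomware.sle():,.0f}")                            # 100,000
    print(f"ALE = {ransomware.ale():,.0f}")                            # 50,000
    print(f"ALE with backups = {ransomware_with_backups.ale():,.0f}")  # 10,000
    print("Net annual value of a 15,000/yr backup service =",
          f"{control_value(ransomware, ransomware_with_backups, 15_000):,.0f}")  # 25,000
```

Note that the control here changes only the exposure factor; a control such as mail filtering that makes the event rarer would instead lower the ARO, and the same ALE comparison applies.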

9
Q

Qualitative Risk Assessment

A

Quantitative techniques work very well for evaluating financial risks and other risks that can be clearly expressed in numeric terms. Many risks, however, do not easily lend themselves to quantitative analysis. For example, how would you describe reputational damage, public health and safety, or employee morale in quantitative terms? You might be able to draw some inferences that tie these issues back to financial data, but the bottom line is that quantitative techniques simply aren’t well suited to evaluating these risks.

Qualitative risk assessment techniques seek to overcome the limitations of quantitative techniques by substituting subjective judgment for objective data. Qualitative techniques still use the same probability and magnitude factors to evaluate the severity of a risk but do so using subjective categories. For example, Figure 3.2 shows a simple qualitative risk assessment that evaluates the probability and magnitude of several risks on a subjective Low/Medium/High scale. Risks are placed on this chart based on the judgments made by subject matter experts.

10
Q

What is a SUPPLY CHAIN ASSESSMENT?

A

When evaluating the risks to your organization, don’t forget about the risks that occur based on third-party relationships. You rely on many different vendors to protect the confidentiality, integrity, and availability of your data. Performing vendor due diligence is a crucial security responsibility.

11
Q

Reassessing Risk

A

Risk assessment is not a one-time project—it is an ongoing process. A variety of internal and external factors change over time, modifying existing risk scenarios and creating entirely new potential risks. For example, if a new type of attacker begins targeting organizations in your industry, that is a new risk factor that should prompt a reassessment of risk. Similarly, if you enter a new line of business, that also creates new potential risks.

12
Q

Risk Treatment and Response

A

With a completed risk assessment in hand, organizations can then turn their attention to addressing those risks. Risk treatment is the process of systematically responding to the risks facing an organization. The risk assessment serves two important roles in the risk management process:

The risk assessment provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first.
Quantitative risk assessments help determine whether the potential impact of a risk justifies the costs incurred by adopting a specific risk management approach.

13
Q

Risk mitigation is?

A

Risk mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk. Risk mitigation is the most common risk management strategy, and the vast majority of the work of security professionals revolves around mitigating risks through the design, implementation, and management of security controls. Many of these controls involve engineering tradeoffs between functionality, performance, and security.

14
Q

How many controls can you apply for risk mitigation?

A

When you choose to mitigate a risk, you may apply one security control or a series of security controls. Each of those controls should reduce the probability that the risk will materialize, the magnitude of the risk should it materialize, or both the probability and magnitude.

15
Q

Risk Avoidance is?

A

Risk avoidance is a risk management strategy by which we change our business practices to completely eliminate the potential that a risk will materialize. Risk avoidance may initially seem like a highly desirable approach. After all, who wouldn’t want to eliminate the risks facing their organization?

16
Q

What is Risk Transference?

A

Risk transference shifts some of the impact of a risk from the organization experiencing the risk to another entity. The most common example of risk transference is purchasing an insurance policy that covers a risk. When purchasing insurance, the customer pays a premium to the insurance carrier. In exchange, the insurance carrier agrees to cover losses from risks specified in the policy.

17
Q

What is Risk Acceptance?

A

Risk acceptance is the final risk management strategy; it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk. A risk acceptance approach may be warranted if the cost of mitigating a risk is greater than the impact of the risk itself. Accepted risks should still be recorded in the risk register along with who approved the acceptance, so that the decision can be revisited when the risk is reassessed.

18
Q

inherent risk

A

The inherent risk facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization’s business.

19
Q

residual risk

A

The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

20
Q

Risk appetite

A

An organization’s risk appetite is the level of risk that the organization is willing to accept as a cost of doing business.

21
Q

CONTROL RISK

A

The world of public accounting brings us the concept of control risk. Control risk is the risk that arises from the potential that a lack of internal controls within the organization will cause a material misstatement in the organization’s financial reports.

22
Q

What is Risk Reporting?

A

As risk managers work to track and manage risks, they must communicate their results to other risk professionals and business leaders. The risk register is the primary tool that risk management professionals use to track risks facing the organization. Figure 3.4 shows an excerpt from a risk register used to track IT risks in higher education.
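An added example (not from the flashcard source) of what a risk register looks like in code, tying together the Low/Medium/High scoring from the qualitative assessment card, the highest-probability-and-magnitude-first prioritization from the risk treatment card, and the risk appetite threshold. RegisterEntry, prioritize() and exceeding_appetite() are names introduced here; the 1-3 ordinal scale, the banding of scores and the register entries are constructed for illustration.

```python
"""Qualitative risk register: Low/Medium/High scoring, prioritization, and
an appetite check.

Added example, not from the flashcard source. The scoring scale, the bands
and the register entries are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scale used by the subject matter experts who rate each risk.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class RegisterEntry:
    risk_id: str
    description: str
    likelihood: str   # Low / Medium / High, judged by subject matter experts
    impact: str       # Low / Medium / High
    owner: str        # who is accountable for the treatment decision
    treatment: str    # mitigate / avoid / transfer / accept

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in LEVELS:
                raise ValueError(f"expected one of {sorted(LEVELS)}, got {value!r}")

    def score(self) -> int:
        """Risk Severity = Likelihood x Impact on the 1-3 scale, so 1 to 9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Collapse the 1-9 score back into a band for reporting."""
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Medium"
        return "Low"


def prioritize(register: list[RegisterEntry]) -> list[RegisterEntry]:
    """Highest severity first; ties broken by impact, then by risk ID for stable reports."""
    return sorted(register, key=lambda e: (-e.score(), -LEVELS[e.impact], e.risk_id))


def exceeding_appetite(register: list[RegisterEntry], appetite: str = "Medium") -> list[RegisterEntry]:
    """Entries rated above the appetite need further treatment before they are acceptable."""
    limit = LEVELS[appetite]
    return [e for e in register if LEVELS[e.rating()] > limit]


# Constructed register entries.
REGISTER = [
    RegisterEntry("R-01", "Phishing leads to credential theft", "High", "Medium", "CISO", "mitigate"),
    RegisterEntry("R-02", "Data center flood", "Low", "High", "VP Facilities", "transfer"),
    RegisterEntry("R-03", "Unpatched legacy HR system compromised", "Medium", "High", "VP HR", "mitigate"),
    RegisterEntry("R-04", "Printer firmware outdated", "Low", "Low", "IT Ops", "accept"),
]

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(f"{e.risk_id} {e.rating():6} {e.score()}  {e.description} [{e.owner}, {e.treatment}]")
    print("Above appetite:", [e.risk_id for e in exceeding_appetite(REGISTER)])  # ['R-01', 'R-03']
```

Because the scale is ordinal, the multiplied score only orders risks; it says nothing about how much worse a 6 is than a 3, which is the limitation the quantitative method addresses.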

23
Q

Disaster recovery planning (DRP)

A

The discipline of developing plans to recover operations as quickly as possible in the face of a disaster.
The disaster recovery planning process creates a formal, broad disaster recovery plan for the organization and, when required, develops specific functional recovery plans for critical business functions.

24
Q

Business impact analysis (BIA)

A

A formal process designed to identify the mission-essential functions within an organization and facilitate the identification of the critical systems that support those functions.

26
Q

What four core metrics are used in the BIA process?

A

MTBF (mean time between failures), RTO (recovery time objective), RPO (recovery point objective), and MTTR (mean time to repair).

27
Q

Single points of failure

A

These are systems, devices, or other components that, if they fail, would cause an outage. For example, if a server only has one power supply, the failure of that power supply would bring down the server, making it a single point of failure.

28
Q

Privacy

A

Cybersecurity professionals are responsible for protecting the confidentiality, integrity, and availability of all information under their care.
This includes personally identifiable information (PII) that, if improperly disclosed, would jeopardize the privacy of one or more individuals.

29
Q

Privacy notice

A

Organizations seeking to codify their privacy practices may adopt a privacy notice that outlines their privacy commitments. In some cases, laws or regulations may require that organizations adopt a privacy notice.

30
Q

Sensitive Information Inventory

A

Organizations often deal with many different types of sensitive and personal information. The first step in managing this sensitive data is developing an inventory of the types of data maintained by the organization and the places where it is stored, processed, and transmitted.

31
Q

What should Organizations include in the types of information in their inventory:

A

Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties.

Protected health information (PHI) includes medical records maintained by health-care providers and other organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA).

Financial information includes any personal financial records maintained by the organization.

Government information maintained by the organization may be subject to other rules, including the data classification requirements discussed in the next section.

32
Q

What should the data owner do to protect their data in the organization?

A

One of the most important things that we can do to protect our data is to create clear data ownership policies and procedures. Using this approach, the organization designates specific senior executives as the data owners for different data types. For example, the vice president of Human Resources might be the data owner for employment and payroll data, whereas the vice president for Sales might be the data owner for customer information.

33
Q

What do DATA PROTECTION OFFICERS do?

A

Organizations should identify a specific individual who bears overall responsibility for carrying out the organization’s data privacy efforts. This person, often given the title of chief privacy officer, bears the ultimate responsibility for data privacy and must coordinate across functional teams to achieve the organization’s privacy objectives.

34
Q

What do data retention standards do?

A

The organization should implement data retention standards that govern the end of the data lifecycle. Data should be kept for only as long as it remains necessary to fulfill the purpose for which it was originally collected. At the conclusion of its lifecycle, data should be securely destroyed.

35
Q

What is purpose limitation?

A

Although information remains within the care of the organization, the organization should practice purpose limitation. This means that information should be used only for the purpose that it was originally collected and that was consented to by the data subjects.

36
Q

What is data minimization?

A

At the early stages of the data lifecycle, organizations should practice data minimization, where they collect the smallest possible amount of information necessary to meet their business requirements. Information that is not necessary should either be immediately discarded or, better yet, not collected in the first place.

37
Q

What is a data controller, and how does the term relate to data owner?

A

Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

38
Q

What is a data custodian?

A

Data custodians are individuals or teams who do not have controller or stewardship responsibility but who are responsible for the secure safekeeping of information. For example, a data controller or data steward might delegate responsibility for securing PII to an information security team. In that case, the information security team serves as a data custodian.

39
Q

What are three different data obfuscation technologies?

A

Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value. Hashing alone is weak protection for low-entropy values such as ID numbers, because an attacker can hash every possible input and match the results; pseudonymization therefore normally uses a keyed hash (an HMAC) whose key is kept secret.
Tokenization replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We’d then maintain a lookup table that allows us to convert those back to the student ID if we need to determine someone’s identity. Of course, if you use this approach, you need to keep the lookup table secure!

Data masking partially redacts sensitive information by replacing some or all of the characters in a sensitive field with a placeholder character. For example, we might replace all but the last four digits of a credit card number with Xs or asterisks to render the card number unreadable.
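The three techniques above as an added example that is not part of the flashcard source: a keyed hash for pseudonymization, a tokenizer with its lookup table, and a masking function for card numbers. The HMAC key, the Tokenizer class, the mask_card() helper, the student ID and the card number are all constructed for illustration.

```python
"""Three data obfuscation techniques: keyed hashing, tokenization, masking.

Added example, not from the flashcard source. The key, the student ID and
the card number are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed key. In production it belongs in a key vault, not in code:
# anyone holding it can recompute the hashes and test candidate values.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def keyed_hash(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a value with HMAC-SHA256(key, value), hex encoded.

    An unkeyed hash of a 9-digit student ID is reversible by hashing all 10^9
    candidates; the secret key is what turns the hash into a real pseudonym.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class Tokenizer:
    """Swap sensitive values for random 10-digit tokens held in a lookup table.

    The table is the crown jewel: whoever can read it can de-tokenize everything.
    """

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:          # same input -> same token, so joins still work
            return self._to_token[value]
        while True:
            token = f"{secrets.randbelow(10**10):010d}"
            if token not in self._to_value:  # rule out the (tiny) chance of a collision
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]         # KeyError for a token we never issued


def mask_card(pan: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Redact all but the last keep_last digits, preserving spaces and dashes."""
    n_digits = sum(c.isdigit() for c in pan)
    if n_digits <= keep_last:
        raise ValueError("card number too short to mask")
    cutoff = n_digits - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(mask_char if seen < cutoff else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print(keyed_hash("123456789"))                    # 64 hex chars, stable for the same key
    t = Tokenizer()
    tok = t.tokenize("123456789")
    print(tok, t.detokenize(tok))                     # random 10 digits, then 123456789
    print(mask_card("4111 1111 1111 1111"))           # **** **** **** 1111
```

Hashing is one-way and needs no table, tokenization is reversible only through the table, and masking is irreversible by design; which one fits depends on whether anyone ever needs the original value back.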

40
Q

Privacy and Data Breach Notification

A

In the unfortunate event of a data breach, the organization should immediately activate its cybersecurity incident response plan. The details of this incident response plan are discussed thoroughly in Chapter 8, “Incident Response,” and should include procedures for the notification of key personnel and escalation of serious incidents.

Organizations may also have a responsibility under national and regional laws to make public notifications and disclosures in the wake of a data breach. This responsibility may be limited to notifying the individuals involved or, in some cases, may require notification of government regulators and/or the news media.

41
Q

How can you classify cybersecurity Threats?

A

Internal vs. External We most often think about the threat actors who exist outside our organizations: competitors, criminals, and the curious. However, some of the most dangerous threats come from within our own environments. We’ll discuss the insider threat later in this chapter.

Level of Sophistication/Capability Threat actors vary greatly in their level of cybersecurity sophistication and capability. As we explore different types of threat actors in this chapter, we’ll discuss how they range from the unsophisticated script kiddie simply running code borrowed from others to the advanced persistent threat (APT) actor exploiting vulnerabilities discovered in their own research labs and unknown to the security community.

Resources/Funding Just as threat actors vary in their sophistication, they also vary in the resources available to them. Highly organized attackers sponsored by criminal syndicates or national governments often have virtually limitless resources, whereas less organized attackers may simply be hobbyists working in their spare time.

Intent/Motivation Attackers also vary in their motivation and intent. The script kiddie may simply be out for the thrill of the attack, whereas competitors may be engaged in highly targeted corporate espionage. Nation-states seek to achieve political objectives; criminal syndicates often focus on direct financial gain.

42
Q

describe the different types of cybersecurity adversaries:

A

White-hat hackers, also known as authorized attackers, are those who act with authorization and seek to discover security vulnerabilities with the intent of correcting them. White-hat attackers may either be employees of the organization or contractors hired to engage in penetration testing.
Black-hat hackers, also known as unauthorized attackers, are those with malicious intent. They seek to defeat security controls and compromise the confidentiality, integrity, or availability of information and systems for their own, unauthorized, purposes.
Gray-hat hackers, also known as semi-authorized attackers, are those who fall somewhere between white- and black-hat hackers. They act without proper authorization, but they do so with the intent of informing their targets of any security vulnerabilities.

43
Q

Script Kiddies

A

The term script kiddie is a derogatory term for people who use hacking techniques but have limited skills. Often such attackers rely almost entirely on automated tools they download from the Internet. These attackers often have little knowledge of how their attacks actually work, and they are simply seeking convenient targets of opportunity.

44
Q

Hacktivists

A

Hacktivists use hacking techniques to accomplish some activist goal. They might deface the website of a company whose policies they disagree with. Or they might attack a network due to a political issue. The defining characteristic of hacktivists is that they believe they are motivated by the greater good even if their activity violates the law.

45
Q

Criminal Syndicates

A

Organized crime appears in any case where there is money to be made, and cybercrime is no exception. The ranks of cybercriminals include links to traditional organized crime families in the United States, outlaw gangs, the Russian Mafia, and even criminal groups organized specifically for the purpose of engaging in cybercrime.

46
Q

What are advanced persistent threats?

A

Mandiant used the term advanced persistent threats (APTs) to describe a series of attacks that it first traced to sources connected to the Chinese military. In subsequent years, the security community discovered similar organizations linked to the government of virtually every technologically advanced country.

The term APT tells you a great deal about the attacks themselves. First, they use advanced techniques, not simply tools downloaded from the Internet. Second, the attacks are persistent, occurring over a significant period of time. In some cases, the attacks continue for years as attackers patiently stalk their targets, awaiting the right opportunity to strike.

The APT attacks that Mandiant reported are emblematic of nation-state attacks. They tend to be characterized by highly skilled attackers with significant resources. A nation has the labor force, time, and money to finance ongoing, sophisticated attacks.

47
Q

ZERO-DAY ATTACKS

A

APT attackers often conduct their own security vulnerability research in an attempt to discover vulnerabilities that are not known to other attackers or cybersecurity teams. After they uncover a vulnerability, they do not disclose it but rather store it in a vulnerability repository for later use.

Attacks that exploit these vulnerabilities are known as zero-day attacks. Zero-day attacks are particularly dangerous because the vulnerabilities are unknown to product vendors, and therefore no patches are available to correct them. APT actors who exploit zero-day vulnerabilities are often able to easily compromise their targets.

48
Q

Insider attacks

A

Insider attacks occur when an employee, contractor, vendor, or other individual with authorized access to information and systems uses that access to wage an attack against the organization. These attacks are often aimed at disclosing confidential information, but insiders may also seek to alter information or disrupt business processes.

An insider might be of any skill level. They could be a script kiddie or very technically skilled. Insiders may also have differing motivations behind their attacks. Some are motivated by certain activist goals, whereas others are motivated by financial gain. Still others may simply be upset that they were passed over for a promotion or slighted in some other manner.

49
Q

THE THREAT OF SHADOW IT

A

Dedicated employees often seek to achieve their goals and objectives through whatever means allows them to do so. Sometimes, this involves purchasing technology services that aren’t approved by the organization. For example, when file sharing and synchronization services first came on the market, many employees turned to personal Dropbox accounts to sync work content between their business and personal devices.

50
Q

Removable Media can be used as a threat vector by?

A

Attackers also commonly use removable media, such as USB drives, to spread malware and launch their attacks.

51
Q

Cloud as a threat vector?

A

Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords.
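An added example (not from the flashcard source) of the third kind of scan the card mentions, written from the defender's side: run it over what you are about to publish to a bucket or repository before an attacker runs the equivalent over it once it is public. The patterns, the placeholder list and the sample files are constructed; the AWS access key ID in the sample is the fake example key that AWS uses in its own documentation, matched by its documented shape (the AKIA prefix and 20-character length).

```python
"""Scan files for accidentally published credentials.

Added example, not from the flashcard source. The sample files are
constructed; the AWS key in them is AWS's own documentation example, not a
real credential.
"""
import math
import re
from dataclasses import dataclass

# Fixed-format credentials are matched by their documented shape; the last two
# patterns are generic "name = value" assignments and need an entropy check to
# separate real secrets from ordinary words.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "generic_api_key": re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}
GENERIC = {"password_assignment", "generic_api_key"}

# Common placeholder values that are not real credentials.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "redacted"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys land around 4 to 6, English words at or below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    match: str


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return one Finding per credential-looking value, with its file and line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value.lower() in PLACEHOLDERS:
                    continue
                if kind in GENERIC and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy word such as "password: letmein"
                findings.append(Finding(path, line_no, kind, value))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample of a bucket or repository about to be published.
SAMPLE_FILES = {
    "config/app.env": "\n".join([
        "DB_HOST=db.internal",
        "DB_PASSWORD=changeme",                    # placeholder: should not be reported
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",  # AWS documentation example key, fake
        "API_KEY=sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0",  # constructed high-entropy key
    ]),
    "notes/README.md": "# Deploy notes\nRotate the password quarterly.\n",  # a word, not a secret
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.match}")  # three findings; changeme is skipped
```

The entropy filter is what keeps the generic patterns usable: without it every "password = example" in a README is a finding, and the real leaks drown in noise.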

52
Q

What are Third party risks from the supply chain that could affect an organization?

A

Third-Party Risks
Sophisticated attackers may attempt to interfere with an organization’s IT supply chain, gaining access to devices at the manufacturer or while the devices are in transit from the manufacturer to the end user. Tampering with a device before the end user receives it allows attackers to insert backdoors that grant them control of the device once the customer installs it on their network. This type of third-party risk is difficult to anticipate and address.

53
Q

What is Threat Data and Intelligence?

A

Threat intelligence is the set of activities and resources available to cybersecurity professionals seeking to learn about changes in the threat environment. Building a threat intelligence program is a crucial part of any organization’s approach to cybersecurity. If you’re not familiar with current threats, you won’t be able to build appropriate defenses to protect your organization against those threats. Threat intelligence information can also be used for predictive analysis to identify likely risks to the organization.

54
Q

What can you learn about your org by EXPLORING THE DARK WEB?

A

The dark web is a network run over standard Internet connections but using multiple layers of encryption to provide anonymous communication. Hackers often use sites on the dark web to share information and sell credentials and other data stolen during their attacks.

Threat intelligence teams should familiarize themselves with the dark web and include searches of dark web marketplaces for credentials belonging to their organization or its clients. The sudden appearance of credentials on dark web marketplaces likely indicates that a successful attack took place and requires further investigation.

55
Q

Know how threat intelligence provides organizations with valuable insight into the threat landscape.

A

Security teams may leverage threat intelligence from public and private sources to learn about current threats and vulnerabilities. They may seek out detailed indicators of compromise and perform predictive analytics on their own data. Threat intelligence teams often supplement open source and closed source intelligence that they obtain externally with their own research.

56
Q

Be able to explain how attackers exploit different vectors to gain initial access to an organization?

A

Attackers may attempt to gain initial access to an organization remotely over the Internet, through a wireless connection, or by attempting direct physical access. They may also approach employees over email or social media. Attackers may seek to use removable media to trick employees into unintentionally compromising their networks, or they may seek to spread exploits through cloud services. Sophisticated attackers may attempt to interfere with an organization’s supply chain.

57
Q

What is risk appetite?

A

Risk appetite is best described as the amount of different types of risk a firm is willing to accept to achieve its objectives. Organizations recognize that they cannot remove all risks from their business. We exist in a world full of risks; achieving our business goals requires accepting some of those risks while taking actions to mitigate, avoid or transfer other risks.

The task facing ERM programs is determining which risks fit within the organization’s risk appetite and which require additional controls before they are acceptable. You can think of an organization’s risk appetite as its risk capacity – the maximum residual risk that the organization will accept after controls are put in place.

58
Q

What is risk tolerance?

A

Risk tolerance is the amount of acceptable deviation from an organization’s risk appetite. While risk appetite is a broad, strategic philosophy that guides an organization’s risk management efforts, risk tolerance is a much more tactical concept that identifies the risk associated with a specific initiative and compares it to the organization’s risk appetite. You can think of an organization’s risk tolerance for a specific initiative as that organization’s willingness to accept the risk that remains after all relevant controls are put in place.

59
Q

What is the relationship between risk appetite and risk tolerance?

A

Risk Appetite refers to the level of risk an organization or individual is willing to accept in pursuit of its objectives. It is a strategic consideration and often reflects an organization’s willingness to take risks for potential rewards. This is influenced by factors like business goals, market conditions, and organizational culture [1].

Risk Tolerance is the specific amount of risk that an organization or individual is capable of absorbing before it begins to negatively impact its ability to meet its objectives. It is more focused on the operational and financial capacity to withstand adverse events. Risk tolerance is determined by factors such as financial resources, available safeguards, and the nature of the risks involved [2].

In summary, risk appetite sets the strategic boundary for risk-taking based on goals and ambitions, while risk tolerance defines the practical limits of risk exposure based on operational and financial capabilities. Balancing these two factors is crucial for effective risk management in any context.

https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2022/risk-appetite-vs-risk-tolerance-what-is-the-difference

60
Q

How do risk identification and assessment help organizations prioritize cybersecurity efforts?

A

Cybersecurity analysts try to identify all of the risks facing their organization and then conduct a business impact analysis to assess the potential degree of risk based on the probability that it will occur and the magnitude of the potential effect on the organization. This work allows security professionals to prioritize risks and communicate risk factors to others in the organization.

61
Q

Know that vendors are a source of external risk.

A

Organizations should conduct their own systems assessments as part of their risk assessment practices, but they should conduct supply chain assessments as well. Performing vendor due diligence reduces the likelihood that a previously unidentified risk at a vendor will negatively impact the organization. Hardware source authenticity techniques verify that hardware was not tampered with after leaving the vendor’s premises.

62
Q

What are the risk management strategies that organizations may adopt?

A

Risk avoidance strategies change business practices to eliminate a risk. Risk mitigation techniques reduce the probability or magnitude of a risk. Risk transference approaches move some of the risk to a third party. Risk acceptance acknowledges the risk and continues normal business operations despite the presence of the risk.

63
Q

How does disaster recovery planning build resiliency?

A

Disaster recovery plans activate when an organization experiences a natural or human-made disaster that disrupts normal operations. The disaster recovery plan helps the organization quickly recover its information and systems and resume normal operations.

64
Q

What are the privacy controls that protect personal information?

A

Organizations handling sensitive personal information should develop privacy programs that protect that information from misuse and unauthorized disclosure. The plan should cover personally identifiable information (PII), protected health information (PHI), financial information, and other records maintained by the organization that might impact personal privacy.

65
Q

Two defining characteristics of malware related to propagation and payload are:

A

* Propagation: Malware is designed to spread from one computer system to another. This can happen through a variety of means, such as email attachments, malicious websites, or removable storage devices.
* Payload: The payload is the malicious code that malware executes once it has infected a computer system. The payload can cause a variety of damage, such as stealing data, corrupting files, or disrupting operations.

Propagation and payload are two of the most important characteristics of malware because they define how malware spreads and what it does once it has infected a computer system.

Propagation is how malware gets from one computer system to another. The most common propagation mechanisms are:

* Email attachments: Malware is often attached to emails and sent to unsuspecting users. When the user opens the attachment, the malware is installed on their computer system.
* Malicious websites: Malware can also be spread through malicious websites. When a user visits a malicious website, the malware is automatically downloaded and installed on their computer system.
* Removable storage devices: Malware can also be spread through removable storage devices such as USB drives and external hard drives. When the removable storage device is inserted into a computer system, the malware is installed on the computer system.

Payload is the malicious code that malware executes once it has infected a computer system. The payload can cause a variety of damage, such as:

* Stealing data: Malware can be used to steal sensitive data such as passwords, credit card numbers, and social security numbers.
* Corrupting files: Malware can be used to corrupt or delete files on a computer system. This can disrupt operations and make it difficult or impossible for the user to access their data.
* Disrupting operations: Malware can be used to disrupt operations on a computer system. For example, malware can be used to launch denial-of-service attacks, which can make a computer system or network unavailable to users.

Malware can be a very serious threat to computer systems and networks. It is important to take steps to protect your systems from malware, such as using antivirus software, keeping your software up to date, and being careful about what files you download and open.

66
Q

How can you prevent malware from infecting your systems?

A

There are a number of things you can do to prevent malware from infecting your systems, including:

* Use antivirus software: Antivirus software can scan your files and downloads for malware and remove it. Make sure to keep your antivirus software up to date so that it can detect the latest malware threats.
* Keep your software up to date: Software developers often release security updates to patch vulnerabilities that malware can exploit. Make sure to install these updates as soon as they are available.
* Be careful about what files you download and open: Only download files from trusted sources, and be careful about opening email attachments from unknown senders. If you are unsure whether a file is safe, do not open it.
* Enable strong passwords and multi-factor authentication: Strong passwords and multi-factor authentication can make it more difficult for attackers to gain access to your systems.
* Use a firewall: A firewall can help to protect your systems from unauthorized access.
* Educate your employees: Train your employees on how to identify and avoid malware threats.

In addition to these general tips, there are a number of other things you can do to protect your systems from malware, depending on your specific environment. For example, you may want to implement a content filtering solution to block access to malicious websites, or you may want to deploy a network intrusion detection system (NIDS) to monitor your network for suspicious activity.

By taking these steps, you can help to protect your systems from malware and other cyber threats.

67
Q

What are the different types of malware that can affect a computer?

A

There are many different types of malware that can infect a computer, but some of the most common include:

* Viruses: Viruses are self-replicating programs that can attach themselves to other programs and spread to other computers.
* Worms: Worms are similar to viruses, but they do not need to attach themselves to other programs to spread. Worms can exploit vulnerabilities in software or operating systems to spread to other computers.
* Trojan horses: Trojan horses are disguised as legitimate programs, but once they are installed on a computer they can perform malicious actions such as stealing data or corrupting files.
* Spyware: Spyware is designed to collect information about a user’s activities without their knowledge or consent. Spyware can be used to steal sensitive data such as passwords, credit card numbers, and social security numbers.
* Adware: Adware is a type of malware that displays unwanted advertisements on a user’s computer. Adware can be annoying, but it is generally not considered to be as dangerous as other types of malware.
* Ransomware: Ransomware is a type of malware that encrypts a user’s files and demands a ransom payment to decrypt them. Ransomware can be a very serious threat, as it can make it impossible for a user to access their data.
* Cryptojacking malware: Cryptojacking malware uses a computer’s resources to mine cryptocurrency without the user’s knowledge or consent. Cryptojacking malware can slow down a computer’s performance and increase its energy consumption.
* Bootkits: Bootkits are a type of malware that infects a computer’s firmware or bootloader. This gives the malware a high level of persistence and makes it difficult to remove.
* Rootkits: Rootkits are a type of malware that hides itself from the operating system and other security software. This makes rootkits very difficult to detect and remove.

68
Q

What are backdoors and logic bombs?

A

Backdoors

A backdoor is a secret way into a computer system or network that is not intended to be used by authorized users. Backdoors can be created by software developers or system administrators, or they can be installed by malware.

Backdoors can be used for a variety of malicious purposes, such as:

* Stealing data
* Launching attacks against other systems
* Disrupting operations
* Installing malware

Logic bombs

A logic bomb is a type of malware that is triggered by a specific event, such as a date, time, or action. Once triggered, a logic bomb can perform a variety of malicious actions, such as:

* Deleting files
* Corrupting data
* Disrupting operations
* Launching attacks against other systems

Logic bombs are often used by criminals to extort money from their victims. For example, a criminal might install a logic bomb on a company’s network that is set to detonate on a specific date unless the company pays a ransom.

How to protect yourself from backdoors and logic bombs

There are a number of things you can do to protect yourself from backdoors and logic bombs, including:

* Keep your software up to date. Software developers often release security updates to patch vulnerabilities that can be exploited by attackers to create backdoors or install logic bombs.
* Use strong passwords and multi-factor authentication. Strong passwords and multi-factor authentication can make it more difficult for attackers to gain access to your systems.
* Use a firewall. A firewall can help to protect your systems from unauthorized access.
* Be careful about what files you download and open. Only download files from trusted sources, and be careful about opening email attachments from unknown senders. If you are unsure whether a file is safe, do not open it.
* Educate yourself and your employees about backdoors and logic bombs. Train your employees on how to identify and avoid these threats.

By taking these steps, you can help to protect your systems from backdoors, logic bombs, and other cyber threats.

69
Q

Which of the following is a common command-and-control mechanism for botnets?

A

IRC

70
Q

Cryptolocker is an example of what type of malicious software?

A

Ransomware

71
Q

Which malware can spread without any user interaction?

A

Worm

72
Q

How can you prevent insider threats?

A

* Principle of least privilege
* Separation of duties
* Rotation of duties
* Mandatory vacations
* Conduct background checks on employees. Background checks can help to identify potential insider threats, such as employees with a history of financial problems or criminal activity.
* Implement strong security policies and procedures. These policies and procedures should cover a variety of topics, such as password management, data protection, and access control.
* Educate employees on security best practices. Employees should be trained on how to identify and avoid insider threats.
* Monitor employee behavior. Organizations should monitor employee behavior for signs of suspicious activity, such as unauthorized access to data or attempts to exfiltrate data.

Here are some additional tips for preventing insider threats:

* Create a culture of trust and respect. Employees should feel comfortable reporting suspicious activity to their managers without fear of retaliation.
* Provide employees with opportunities for advancement and development. Employees who are happy and satisfied with their jobs are less likely to become insider threats.
* Have a plan in place to respond to insider threats. This plan should include procedures for investigating and responding to insider incidents.

73
Q

What is cyber threat intelligence, and how do you know if it’s useful?

A

Cyber threat intelligence (CTI) is information about existing or emerging threats that can be used to inform decisions about cybersecurity. CTI can come from a variety of sources, including the following:

  • Open-source intelligence (OSINT): OSINT is information that is publicly available, such as news articles, social media posts, and public records.
  • Closed-source intelligence (CSINT): CSINT is information that is not publicly available, such as government intelligence reports and private sector research reports.
  • Human intelligence (HUMINT): HUMINT is information that is collected from human sources, such as interviews and eyewitness accounts.

To determine whether CTI is useful, it is important to consider the following factors:

  • Accuracy: The CTI should be accurate and up-to-date.
  • Relevance: The CTI should be relevant to the organization’s specific needs and environment.
  • Timeliness: The CTI should be provided in a timely manner so that the organization can take action to mitigate the threat.
  • Actionability: The CTI should be actionable, meaning that it should provide the organization with specific information about how to mitigate the threat.

CTI can be a valuable tool for organizations of all sizes to improve their cybersecurity posture. By using CTI to identify, understand, and mitigate cyber threats, organizations can reduce the risk of being successfully attacked.

Here are some examples of useful CTI:
* Indicators of compromise (IOCs): IOCs are specific pieces of evidence that can indicate that a system has been compromised. IOCs can include things like IP addresses, file hashes, and malware signatures.
* Threat actor profiles: Threat actor profiles provide information about the motivations, tactics, and techniques of specific threat actors. This information can help organizations to develop more effective mitigation strategies.
* Threat reports: Threat reports provide information about specific threats, such as malware campaigns or vulnerabilities. Threat reports can help organizations to understand the risks associated with these threats and to take steps to mitigate them.

74
Q

Why is threat information in a format like STIX useful?

A

STIX is useful because it is a standardized format for sharing threat information. This makes it easier for organizations to share threat information with each other and with security vendors. It also makes it easier for security vendors to develop products and services that can consume STIX data.

Threat information like STIX is useful because it can help organizations to:
* Identify and prioritize threats: STIX can help organizations to identify and prioritize the threats that they face. This information can be used to allocate resources and develop mitigation strategies.
* Detect and respond to attacks: STIX can help organizations to detect and respond to attacks more quickly and effectively. STIX can provide information about indicators of compromise (IOCs), threat actor tactics, techniques, and procedures (TTPs), and malware campaigns. This information can be used to develop detection rules and to investigate and respond to incidents.
* Raise awareness and educate employees: STIX can be used to raise awareness of cyber threats and to educate employees on how to protect themselves and the organization. STIX can provide information about common threats, phishing attacks, and social engineering techniques. This information can be used to develop training programs and to create a more security-conscious culture.

Here are some specific examples of how STIX can be used to improve cybersecurity:

* An organization can use STIX to develop a list of IP addresses and domains that are known to be malicious. This list can be used to configure firewalls to block traffic from these sources.
* An organization can use STIX to develop detection rules for known malware campaigns. These rules can be used to detect and respond to malware infections more quickly and effectively.
* An organization can use STIX to train employees on common cyber threats. For example, STIX can be used to create phishing simulations that teach employees how to identify and avoid phishing attacks.

Overall, STIX is a valuable tool for organizations of all sizes to improve their cybersecurity posture. By using STIX to share and consume threat information, organizations can reduce the risk of being successfully attacked.

75
Q

What type of website does the attacker use when waging a watering hole attack?

A

Attackers typically use websites that are frequently visited by their intended victims when waging a watering hole attack. These websites may include:

* Industry-specific websites: Attackers may target websites that are popular with members of a specific industry. For example, an attacker targeting the financial industry may target websites such as financial news websites or online banking portals.
* Government websites: Attackers may also target government websites, especially websites that provide sensitive information or services.
* Social media websites: Social media websites are also popular targets for watering hole attacks, as they are frequently visited by a large number of people.
* Popular news websites: Popular news websites can also be targeted, as they are likely to be visited by a wide range of people.

Attackers will often target websites that have vulnerabilities, such as SQL injection vulnerabilities or cross-site scripting (XSS) vulnerabilities. These vulnerabilities can allow the attacker to inject malicious code into the website, which can then be executed when the victim visits the website.

Once the attacker has injected malicious code into the website, they can use it to redirect the victim to a malicious website or to download malware to the victim’s computer. The attacker may also use the malicious code to steal the victim’s personal information or login credentials.

Organizations can protect themselves from watering hole attacks by educating their employees about the risks and by implementing security measures such as web filtering and firewalls. Organizations should also keep their software up to date and patch any known vulnerabilities.

Here are some tips for staying safe from watering hole attacks:

* Be careful about what websites you visit. Only visit websites that you trust and that are from reputable sources.
* Keep your software up to date. Software updates often include security patches that can help to protect you from known vulnerabilities.
* Use a web filter and firewall. A web filter can block access to malicious websites, and a firewall can help to protect your computer from unauthorized access.
* Be careful about what links you click on. Do not click on links in emails or on websites unless you are sure that they are safe.

If you are concerned that you may have visited a compromised website, you should scan your computer for malware and change your passwords.

75
Q

Dan is engaging in a password cracking attack where he uses precomputed hash values. What type of attack is Dan waging?

A

Dan is waging a rainbow table attack. A rainbow table attack is a type of password cracking attack that uses precomputed hash values. Rainbow tables are large tables that contain precomputed hash values for common passwords and variations of common passwords.

To perform a rainbow table attack, the attacker first needs to obtain a copy of a rainbow table. Rainbow tables are available for download online, or they can be generated by the attacker.

Once the attacker has a rainbow table, they can use it to crack the passwords of users whose passwords have been hashed using the same hashing algorithm as the rainbow table. The attacker simply needs to compare the hashed passwords of the users to the precomputed hash values in the rainbow table. If there is a match, the attacker has cracked the password.

Rainbow table attacks can be very effective, but they are also very resource-intensive. Rainbow tables can be very large, and it can take a long time to generate a rainbow table for a complex hashing algorithm.

Rainbow table attacks can be mitigated by using strong passwords and by using a strong hashing algorithm. A strong hashing algorithm is one that is difficult to reverse. Salting passwords is another effective way to protect against rainbow table attacks. Salting passwords involves adding a random string of characters to the password before it is hashed. This makes it more difficult for attackers to find a match in a rainbow table.

Organizations can also protect themselves from rainbow table attacks by using multi-factor authentication (MFA). MFA requires users to provide two or more factors of authentication, such as a password and a one-time code from a mobile app. This makes it more difficult for attackers to gain access to accounts, even if they have cracked the user’s password.

75
Q

What type of packet do participating systems send during a Smurf attack?

A

The participating systems in a Smurf attack send ICMP Echo Request packets to the victim. ICMP Echo Request packets, also known as ping packets, are used to test the reachability of a host on a network.

To perform a Smurf attack, the attacker first needs to identify a group of vulnerable hosts on the internet. These hosts are typically devices that have been infected with malware or that have been misconfigured.

The attacker then sends ICMP Echo Request packets to the vulnerable hosts with the spoofed IP address of the victim as the source address. This causes the vulnerable hosts to send ICMP Echo Reply packets to the victim.

The victim is flooded with ICMP Echo Reply packets, which can overwhelm the victim’s network and cause it to become unavailable.

Smurf attacks can be mitigated by filtering ICMP Echo Request packets at the network perimeter. Organizations should also keep their devices up to date and patch any known vulnerabilities. Additionally, organizations should consider using a firewall or other security solution to protect their networks from Smurf attacks.

Here are some additional tips for protecting your network from Smurf attacks:

* Use a firewall to block ICMP Echo Request packets from unknown sources.
* Keep your devices up to date and patch any known vulnerabilities.
* Use a network intrusion detection system (NIDS) to monitor your network for Smurf attack activity.
* Educate your employees about Smurf attacks and how to avoid them.

If you believe that your network is under attack, you should contact your IT department or a security professional immediately.

75
Q

What is a watering hole attack?

A

Attackers typically use websites that are frequently visited by their intended victims when waging a watering hole attack. These websites may include:

* Industry-specific websites: Attackers may target websites that are popular with members of a specific industry. For example, an attacker targeting the financial industry may target websites such as financial news websites or online banking portals.
* Government websites: Attackers may also target government websites, especially websites that provide sensitive information or services.
* Social media websites: Social media websites are also popular targets for watering hole attacks, as they are frequently visited by a large number of people.
* Popular news websites: Popular news websites can also be targeted, as they are likely to be visited by a wide range of people.

Attackers will often target websites that have vulnerabilities, such as SQL injection vulnerabilities or cross-site scripting (XSS) vulnerabilities. These vulnerabilities can allow the attacker to inject malicious code into the website, which can then be executed when the victim visits the website.

Once the attacker has injected malicious code into the website, they can use it to redirect the victim to a malicious website or to download malware to the victim’s computer. The attacker may also use the malicious code to steal the victim’s personal information or login credentials.

Organizations can protect themselves from watering hole attacks by educating their employees about the risks and by implementing security measures such as web filtering and firewalls. Organizations should also keep their software up to date and patch any known vulnerabilities.

Here are some tips for staying safe from watering hole attacks:

* Be careful about what websites you visit. Only visit websites that you trust and that are from reputable sources.
* Keep your software up to date. Software updates often include security patches that can help to protect you from known vulnerabilities.
* Use a web filter and firewall. A web filter can block access to malicious websites, and a firewall can help to protect your computer from unauthorized access.
* Be careful about what links you click on. Do not click on links in emails or on websites unless you are sure that they are safe.

If you are concerned that you may have visited a compromised website, you should scan your computer for malware and change your passwords.

76
Q

How do session tokens prevent replay attacks?

A

Session tokens prevent replay attacks by being unique and time-bound. Each session token is generated randomly and is only valid for a limited period of time. This means that even if an attacker intercepts a session token, they will not be able to use it to impersonate the user after it has expired.

Session tokens are typically stored in cookies or HTTP headers. When a user logs in to a website, the website generates a session token and stores it in the user’s browser. The browser then sends the session token in the HTTP header of every subsequent request to the website. The website verifies the session token before processing the request.

If the session token is invalid or expired, the website will deny the request. This prevents attackers from replaying captured session tokens to gain unauthorized access to user accounts.

In addition to preventing replay attacks, session tokens can also be used to prevent session hijacking attacks. Session hijacking is a type of cyberattack in which an attacker steals a user’s session token and uses it to impersonate the user.

Session tokens can help to prevent session hijacking attacks by being difficult to steal. Session tokens are typically stored in cookies or HTTP headers, which are encrypted and difficult to access without the user’s knowledge.

Session tokens are an important security measure for protecting user accounts and preventing replay and session hijacking attacks.

77
Q

A social engineer calls an administrative assistant in your organization and obtains her password by threatening her that her boss’ account will be deleted if she does not provide the password to assist with troubleshooting. What type of attack is the social engineer using?

A

The social engineer is using a type of attack called pretexting. Pretexting is a social engineering technique in which the attacker uses a false identity or scenario to trick the victim into revealing confidential information or taking a desired action.

In this example, the social engineer is pretending to be a technical support representative who needs the administrative assistant’s password to troubleshoot a problem with her boss’ account. The social engineer is also using threats to intimidate the administrative assistant into complying with their demands.

Pretexting attacks can be very effective because they rely on the victim’s trust and willingness to help others. Attackers often spend time researching their targets and developing their pretexts so that they are more likely to be successful.

Here are some tips to help protect yourself from pretexting attacks:

* Be wary of unsolicited phone calls, emails, and text messages.
* Verify the identity of the person contacting you before providing any confidential information.
* Be suspicious of requests for urgent action.
* If you are unsure whether a request is legitimate, contact the person or organization directly.

If you believe that you have been the victim of a pretexting attack, you should report it to your IT department or a security professional immediately.

Here are some additional tips to help protect your organization from pretexting attacks:

* Educate employees about pretexting attacks and how to avoid them.
* Implement security policies and procedures that require employees to verify the identity of anyone requesting confidential information or urgent action.
* Use strong passwords and multi-factor authentication on all systems and accounts.
* Monitor employee activity for suspicious behavior.

By taking these steps, you can help to protect your organization from pretexting attacks and other social engineering threats.

78
Q

What type of social engineering attack targets end users via email messages?

A

The type of social engineering attack that targets end users via email messages is called phishing. Phishing is a type of social engineering attack in which the attacker sends an email to the victim that appears to be from a legitimate source, such as a bank, credit card company, or government agency. The email typically contains a link to a malicious website or an attachment that contains malware.

If the victim clicks on the link or opens the attachment, they may be infected with malware, their personal information may be stolen, or they may be redirected to a malicious website.

Phishing attacks are one of the most common types of cyberattacks, and they can be very effective. Attackers often use sophisticated techniques to make their emails appear legitimate, and they may also use social engineering techniques such as urgency or fear to encourage victims to click on links or open attachments.

Here are some tips to help protect yourself from phishing attacks:

* Be careful about what emails you open and what links you click on. Do not open emails or click on links from unknown senders.
* If you are unsure whether an email is legitimate, contact the sender directly to verify it.
* Keep your software up to date. Software updates often include security patches that can help to protect you from known vulnerabilities.
* Use a strong anti-virus and anti-malware program.
* Be careful about what attachments you open. Only open attachments from trusted senders.

If you believe that you have been the victim of a phishing attack, you should contact your IT department or a security professional immediately.

Here are some additional tips to help protect your organization from phishing attacks:

* Educate employees about phishing attacks and how to avoid them.
* Implement security policies and procedures that require employees to verify the identity of the sender before clicking on links or opening attachments.
* Use a spam filter to block phishing emails from reaching your employees’ inboxes.
* Use a security awareness training program to teach employees about social engineering threats and how to avoid them.

By taking these steps, you can help to protect your organization from phishing attacks and other social engineering threats.

79
Q

What type of phishing attack focuses specifically on senior executives of a targeted organization?

A

The type of phishing attack that focuses specifically on senior executives of a targeted organization is called whaling. Whaling is a targeted (spear) phishing attack aimed at the “big fish”: executives whose accounts carry broad access and whose approval can authorize payments, contracts or data transfers. The attacker usually impersonates a party the executive trusts, such as a board member, outside counsel or a bank; the related business email compromise (BEC) fraud works the other way round, impersonating the executive to trick their staff.

Whaling attacks are often more sophisticated than other types of phishing attacks, and they may involve the attacker conducting significant research on the target executive and their organization in order to craft a more believable email. The attacker may also use social engineering techniques such as urgency or fear to encourage the target executive to click on links or open attachments.

Whaling attacks can be very damaging to organizations, as they can result in the theft of sensitive information such as trade secrets, financial data, or customer information. They can also lead to unauthorized access to systems and networks, which could allow the attacker to deploy malware, steal data, or disrupt operations.

Here are some tips to help protect your organization from whaling attacks:

Educate senior executives about whaling attacks and how to avoid them.
Implement security policies and procedures that require senior executives to verify the identity of the sender before clicking on links or opening attachments.
Use a security information and event management (SIEM) solution to monitor for suspicious activity on your networks and systems.
Use a security awareness training program to teach employees about social engineering threats and how to avoid them.
By taking these steps, you can help to protect your organization from whaling attacks and other targeted phishing threats.

Here are some additional tips for senior executives to protect themselves from whaling attacks:

Be careful about what emails you open and what links you click on. Do not open emails or click on links from unknown senders.
If you are unsure whether an email is legitimate, contact the sender directly to verify it.
Be suspicious of requests for urgent action or sensitive information.
Use a strong password manager to create and manage strong passwords for all of your accounts.
Enable two-factor authentication on all of your accounts.
By following these tips, senior executives can help to protect themselves from whaling attacks and other phishing threats.

80
Q

what is cvss?

A

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard, maintained by FIRST (the Forum of Incident Response and Security Teams), for rating the severity of software vulnerabilities. CVSS assigns each vulnerability a severity score so that responders can prioritize responses and resources consistently rather than by vendor-specific labels.

CVSS scores are based on three groups of metrics:

* Base metrics: These metrics measure the inherent severity of the vulnerability, such as the exploitability of the vulnerability and the impact of the vulnerability on the confidentiality, integrity, and availability of systems and data.
* Temporal metrics: These metrics measure how the severity of the vulnerability may change over time, such as the existence of publicly known exploits and the availability of patches.
* Environmental metrics: These metrics adjust the score for the environment in which the vulnerable system is deployed, for example how much the organization depends on the confidentiality, integrity and availability of that system (the security requirements) and whether compensating controls change the attack vector or impact (the modified base metrics).

CVSS scores run from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities; CVSS v3.x maps them to qualitative ratings of None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0). A score is accompanied by a vector string, a compressed textual representation of the metric values used to derive it, so the score can be recomputed and questioned. For example, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (reachable over the network, low complexity, no privileges or user interaction needed, total loss of confidentiality, integrity and availability) scores 9.8, Critical.

CVSS scores are used by a wide variety of organizations, including security vendors, government agencies, and businesses of all sizes. CVSS scores can be used to:

Identify and prioritize vulnerabilities
Make informed decisions about risk management
Communicate the severity of vulnerabilities to stakeholders
Measure the effectiveness of security controls
CVSS is a valuable tool for organizations of all sizes to improve their cybersecurity posture, with one caveat: the base score measures severity, not risk. It says nothing about whether the vulnerability is reachable in your environment or is being exploited in the wild, so it should feed a prioritization process alongside asset criticality and threat intelligence rather than replace it.

81
Q

what is scap

A

The Security Content Automation Protocol (SCAP) is a suite of open specifications that enable automated vulnerability management, security measurement, and policy compliance evaluation of systems deployed in an organization. The SCAP specification itself (NIST SP 800-126) is maintained by the National Institute of Standards and Technology (NIST); the component standards are maintained by their own communities, for example CVE by MITRE and CVSS by FIRST.

SCAP brings together several component standards, including:

The Common Vulnerabilities and Exposures (CVE) list: a standard list of identifiers for publicly known security vulnerabilities.
The Common Configuration Enumeration (CCE): standard identifiers for system configuration issues.
The Common Platform Enumeration (CPE): a standard naming scheme for operating systems, platforms and applications.
The Common Vulnerability Scoring System (CVSS): the severity scoring system described on the previous card.
The Extensible Configuration Checklist Description Format (XCCDF): an XML language for describing security checklists and benchmarks and for recording their results.
The Open Vulnerability and Assessment Language (OVAL): an XML language for describing how to test a system for a vulnerability or a configuration setting.

SCAP can be used to automate a wide range of security tasks, including:
Vulnerability scanning
Configuration auditing
Compliance checking
Policy enforcement
SCAP-validated scanners (OpenSCAP is a widely used open-source one) consume SCAP content such as DISA STIG benchmarks and produce machine-readable results, which is what makes the assessment repeatable across many hosts and comparable over time.

Here are some of the benefits of using SCAP:
Improved security: SCAP can help organizations to identify and remediate security vulnerabilities more quickly and effectively.
Reduced costs: SCAP can help organizations to reduce the costs associated with security management by automating tasks such as vulnerability scanning and configuration auditing.
Increased compliance: SCAP can help organizations demonstrate compliance with technical baselines such as DISA STIGs and USGCB, which in turn supports the control requirements of frameworks such as the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001.
Improved visibility: SCAP can provide organizations with a better understanding of their security posture by providing detailed reports on vulnerabilities, configurations, and compliance.
SCAP is a valuable tool for organizations of all sizes to improve their cybersecurity posture. By automating security tasks with SCAP, organizations can save time and money, improve security, and increase compliance.

82
Q

How should a cybersecurity manager analyze scan reports?

A

To analyze scan reports, a cybersecurity manager should follow these steps:

  • Review the executive summary. The executive summary will provide a high-level overview of the scan results, including the number and severity of vulnerabilities discovered.
  • Identify the most critical vulnerabilities. The cybersecurity manager should prioritize the remediation of the most critical vulnerabilities, which are those that pose the greatest risk to the organization.
  • Understand the vulnerabilities. The cybersecurity manager should understand the nature of each vulnerability and its impact on the organization. This information can be used to develop and implement mitigation strategies.
  • Assess the risk of each vulnerability. The cybersecurity manager should assess the risk of each vulnerability based on its severity, exploitability, and impact. This information can be used to prioritize remediation efforts.
  • Develop and implement mitigation strategies. The cybersecurity manager should develop and implement mitigation strategies for each vulnerability. This may involve patching the vulnerability, changing configurations, or implementing compensating controls.
  • Track and monitor remediation progress. The cybersecurity manager should track and monitor remediation progress to ensure that all vulnerabilities are addressed in a timely manner.

In addition to these steps, the cybersecurity manager may also want to consider the following:
Use a vulnerability management tool. A vulnerability management tool can help the cybersecurity manager to analyze scan reports more efficiently and effectively.
Correlate scan results with other data sources. The cybersecurity manager can correlate scan results with other data sources, such as intrusion detection system (IDS) logs and event logs, to identify patterns and trends that may indicate an attack.
Share scan results with other stakeholders. The cybersecurity manager may want to share scan results with other stakeholders, such as the risk management team and the business continuity team, so that they can take appropriate action.
By following these steps, a cybersecurity manager can effectively analyze scan reports and identify and mitigate security vulnerabilities.

Here are some additional tips for analyzing scan reports:

Look for patterns and trends. Attackers often target specific vulnerabilities or combinations of vulnerabilities. By looking for patterns and trends in scan results, the cybersecurity manager can identify vulnerabilities that may be exploited by attackers.
Consider the organization’s environment. The cybersecurity manager should consider the organization’s environment, such as its industry, size, and location, when analyzing scan results. This information can be used to prioritize vulnerabilities and develop mitigation strategies that are appropriate for the organization.
Use threat intelligence. Threat intelligence can be used to identify vulnerabilities that are being actively exploited by attackers. The cybersecurity manager can use this information to prioritize vulnerabilities and develop mitigation strategies.
By following these tips, the cybersecurity manager can more effectively analyze scan reports and protect the organization from cyberattacks.
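The steps above (prioritize by severity, exploitability and impact; consider the environment; use threat intelligence) can be expressed as a ranking over the scanner's export. The following is an added example, not from the original deck. The scan export, asset inventory and known-exploited list are constructed, the finding ids F-n are placeholders rather than real vulnerability identifiers, and the weights and the remediation SLA ladder are assumptions to be tuned per organization. The point it shows is that the same finding on two hosts can land at opposite ends of the queue once exposure, business criticality and active exploitation are taken into account, which a sort on CVSS alone cannot express.

```python
"""Rank scan findings for remediation using severity, threat intel and asset context (added example)."""
import csv
import io

# Constructed scanner export; F-n are placeholder finding ids.
SCAN_EXPORT = """\
host,finding,cvss,summary
web01,F-1,9.8,unauthenticated remote code execution in web framework
web01,F-2,5.4,reflected cross-site scripting in search page
db01,F-3,8.8,privilege escalation in database server
hr-laptop-17,F-1,9.8,unauthenticated remote code execution in web framework
"""

# Constructed asset context, the kind of data a CMDB or business impact analysis provides.
ASSETS = {
    "web01": {"internet_facing": True, "criticality": "high"},
    "db01": {"internet_facing": False, "criticality": "high"},
    "hr-laptop-17": {"internet_facing": False, "criticality": "low"},
}
# Constructed threat-intelligence input: findings with exploitation observed in the wild.
KNOWN_EXPLOITED = {"F-1"}

CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.7}     # assumed weights
EXPLOITED_BONUS = 3.0                                              # assumed
EXPOSED_BONUS = 2.0                                                # assumed
UNKNOWN_ASSET = {"internet_facing": True, "criticality": "high"}   # not in inventory: assume the worst


def priority(cvss: float, asset: dict, exploited: bool) -> float:
    """Severity adjusted for active exploitation, exposure and business criticality."""
    score = cvss
    if exploited:
        score += EXPLOITED_BONUS
    if asset["internet_facing"]:
        score += EXPOSED_BONUS
    return round(score * CRITICALITY_WEIGHT[asset["criticality"]], 1)


def remediation_deadline_days(priority_score: float) -> int:
    """Assumed SLA ladder; organizations normally publish their own."""
    if priority_score >= 15:
        return 7
    if priority_score >= 10:
        return 30
    return 90


def rank_findings(export: str, assets: dict, known_exploited: set) -> list:
    """Return the findings as dicts, highest priority first, each with a due date in days."""
    ranked = []
    for row in csv.DictReader(io.StringIO(export)):
        asset = assets.get(row["host"], UNKNOWN_ASSET)
        p = priority(float(row["cvss"]), asset, row["finding"] in known_exploited)
        ranked.append({**row, "priority": p, "due_days": remediation_deadline_days(p)})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in rank_findings(SCAN_EXPORT, ASSETS, KNOWN_EXPLOITED):
        print(f"{r['priority']:5.1f}  due in {r['due_days']:2d}d  {r['host']:13} {r['finding']}  {r['summary']}")
```

On the constructed data the internet-facing web server's actively exploited finding ranks first with a 7-day deadline, while the identical finding on a low-criticality, non-exposed laptop ranks last, below a medium-severity issue on the same web server. That is the intended outcome: the laptop still gets fixed, but the queue reflects where an attacker would actually go first.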

83
Q

What is Wireshark and what can it be used for?

A

Wireshark is a network protocol analyzer that can be used to capture, view, and analyze network traffic. It is a powerful tool that can be used for a variety of purposes, including:

Troubleshooting network problems: Wireshark can be used to troubleshoot network problems, such as slow performance or intermittent connectivity. By capturing and analyzing network traffic, Wireshark can help to identify the source of the problem.
Detecting and investigating security incidents: Wireshark can be used to detect and investigate security incidents, such as malware infections and data breaches. By capturing and analyzing network traffic, Wireshark can help to identify malicious activity (beaconing to a command-and-control server, unexpected outbound transfers, cleartext credentials) and preserve evidence for an investigation.
Network performance monitoring: Wireshark can be used to monitor network performance and identify areas for improvement. By capturing and analyzing network traffic, Wireshark can identify bottlenecks and other performance issues.
Application development and testing: Wireshark can be used to develop and test network applications. By capturing and analyzing network traffic, Wireshark can help to identify and fix bugs in network applications.
Learning about network protocols: Wireshark can be used to learn about network protocols. By capturing and analyzing network traffic, Wireshark can help users to understand how network protocols work and how they are used in real-world applications.
Wireshark is a free and open-source tool that is available for Windows, macOS, Linux, and other Unix-like systems. It is used by network administrators, security professionals, application developers, and anyone else who needs to understand and analyze network traffic. Two practical caveats: live capture needs administrative rights or dedicated capture permissions on the host, and capture files routinely contain credentials, session tokens and personal data, so they should be stored, shared and retained as sensitive data.

Here are some specific examples of how Wireshark can be used:

A network administrator can use Wireshark to troubleshoot a network performance issue, such as slow file transfers.
A security analyst can use Wireshark to investigate a malware infection.
An application developer can use Wireshark to test a new network application.
A student can use Wireshark to learn about network protocols, such as TCP/IP and UDP.
Wireshark is a valuable tool for anyone who needs to understand and analyze network traffic.

84
Q

Which disaster recovery test involves the actual activation of the DR site?

A

The disaster recovery test that involves the actual activation of the DR site is called a failover test. A failover test is a type of disaster recovery test that simulates a real-world disaster by activating the DR site and running applications and systems on the DR site.

Failover tests are the most comprehensive type of disaster recovery test, as they exercise the entire disaster recovery plan and process. However, they can also be the most disruptive, as they require the DR site to be activated and applications and systems to be moved from the primary site to the DR site. Some frameworks split this category in two: a parallel test brings the DR site up and processes a copy of the workload while production keeps running, and a full interruption test actually cuts production over to the DR site. Only the latter proves the cutover itself, and only the latter can cause an outage if it fails.

Failover tests should be performed on a regular basis to ensure that the DR plan is effective and that the DR site is ready to support production operations in the event of a disaster.

Here are some of the benefits of performing failover tests:

Improved disaster recovery readiness: Failover tests can help organizations to improve their disaster recovery readiness by identifying and addressing any gaps in the DR plan or DR site.
Reduced risk of disruption: Failover tests can help organizations to reduce the risk of disruption in the event of a disaster by ensuring that the DR site is able to support production operations.
Improved confidence in the DR plan: Failover tests can help organizations to improve their confidence in the DR plan by demonstrating that the plan can be executed effectively in the event of a disaster.
Organizations should carefully consider the risks and benefits of performing failover tests before making a decision about whether or not to perform them. Failover tests can be disruptive and expensive, but they can also be very valuable in improving disaster recovery readiness.

Here are some tips for performing failover tests:

Plan carefully: Failover tests should be carefully planned to minimize disruption to production operations.
Communicate with stakeholders: Organizations should communicate with all stakeholders, including employees, customers, and suppliers, about the upcoming failover test.
Test all critical systems and applications: Organizations should test all critical systems and applications to ensure that they are able to operate successfully on the DR site.
Monitor the DR site during the test: Organizations should monitor the DR site during the test to identify and address any problems.
Document the results of the test: Organizations should document the results of the test so that they can learn from any mistakes and improve the DR plan.

85
Q

List the different types of disaster recovery tests?

A

There are three main types of disaster recovery tests:

Plan review: A plan review is a walkthrough of the disaster recovery plan to identify any gaps or inconsistencies. This is typically done by a team of stakeholders, such as the IT department, business continuity team, and senior management.
Tabletop exercise: A tabletop exercise is a simulation of a disaster event that is conducted in a conference room. Participants discuss how they would respond to the event and identify any challenges or gaps in the plan.
Failover test: A failover test is a full-scale test of the disaster recovery plan that involves activating the disaster recovery site and running production applications and systems on the DR site. This is the most comprehensive type of disaster recovery test, but it is also the most disruptive.
In addition to these three main types of tests, there are a number of other types of disaster recovery tests that organizations may conduct, such as:

System tests: System tests are used to test the functionality of individual systems and applications on the disaster recovery site.
Network tests: Network tests are used to test the performance and reliability of the network connection between the primary site and the disaster recovery site.
Security tests: Security tests are used to test the security of the disaster recovery site and the data and applications stored on the DR site.
Organizations should tailor their disaster recovery testing program to their specific needs and requirements. The frequency and type of tests that should be conducted will depend on a number of factors, such as the organization’s industry, size, and risk tolerance.

Here are some tips for conducting effective disaster recovery tests:

Plan carefully: Disaster recovery tests should be carefully planned to minimize disruption to production operations.
Communicate with stakeholders: Organizations should communicate with all stakeholders, including employees, customers, and suppliers, about the upcoming disaster recovery test.
Test all critical systems and applications: Organizations should test all critical systems and applications to ensure that they are able to operate successfully on the disaster recovery site.
Monitor the disaster recovery site during the test: Organizations should monitor the disaster recovery site during the test to identify and address any problems.
Document the results of the test: Organizations should document the results of the test so that they can learn from any mistakes and improve the disaster recovery plan.
By following these tips, organizations can conduct effective disaster recovery tests that will help them to improve their disaster recovery readiness and reduce the risk of disruption in the event of a disaster.

86
Q

what are the different agreements used to define requirements with a vendor?

A

There are a number of different agreements that can be used to define requirements with a vendor. The most common types of agreements include:

Master vendor agreement (MVA): An MVA is a comprehensive agreement that outlines the overall terms and conditions of the relationship between the buyer and the vendor. It typically includes provisions for the scope of work, pricing, payment terms, intellectual property ownership, confidentiality, and dispute resolution.
Statement of work (SOW): An SOW is a document that describes the specific work that the vendor will perform for the buyer. It should be clear, concise, and complete, and it should include all of the requirements that the buyer expects the vendor to meet.
Purchase order (PO): A PO is a document that is used to place an order with a vendor. It typically includes the following information:
The products or services being ordered
The quantity of products or services being ordered
The price of the products or services being ordered
The delivery date
The payment terms
Non-disclosure agreement (NDA): An NDA is a contract between two parties that outlines the confidential information that they will share with each other. It is important to have an NDA in place before sharing any confidential information with a vendor.
In addition to these four types of agreements, there are a number of other agreements that may be used to define requirements with a vendor, such as:

Letter of intent (LOI): An LOI is a document that expresses the buyer’s intent to enter into a contract with the vendor. It is typically used when the buyer and vendor are still negotiating the terms of the contract.
Service level agreement (SLA): An SLA is a contract that defines the level of service that the vendor will provide to the buyer. It typically includes metrics such as uptime, response time, and resolution time.
Acceptance criteria: Acceptance criteria are the criteria that must be met in order for the buyer to accept the vendor’s work. They should be clearly defined and measurable.
The type of agreement that is used to define requirements with a vendor will depend on the specific needs of the buyer and the vendor. It is important to carefully consider the needs of both parties before selecting an agreement type. From a security standpoint, the MVA and the SLA are where requirements such as breach notification timelines, a right to audit or to receive independent assessment reports, data handling and return or destruction at the end of the engagement, and flow-down of the same obligations to the vendor’s subcontractors should be written in; a requirement that is not in the signed agreement is hard to enforce later.

Here are some tips for negotiating agreements with vendors:

Understand your needs: Before you start negotiating with a vendor, it is important to have a clear understanding of your needs. What products or services do you need? What are your budget and timeline? Once you understand your needs, you can start to develop a list of requirements.
Research the vendor: Before you start negotiating with a vendor, it is important to research the vendor. What is their reputation? What experience do they have? What kind of customer service do they provide? The more you know about the vendor, the better prepared you will be to negotiate.
Be prepared to walk away: It is important to be prepared to walk away from a negotiation if you are not satisfied with the terms. If you are not willing to walk away, the vendor knows that they have the upper hand.
Get everything in writing: Once you have reached an agreement with the vendor, it is important to get everything in writing. This will help to avoid any misunderstandings or disputes down the road.
By following these tips, you can negotiate agreements with vendors that will protect your interests and ensure that you get the products or services that you need.

87
Q

what is capex and opex?

A

CAPEX stands for capital expenditure, and OPEX stands for operational expenditure.

CAPEX is money spent on acquiring or improving long-term assets, such as buildings, equipment, and software. CAPEX investments are typically expected to generate returns over multiple years.

OPEX is money spent on day-to-day operations, such as salaries, rent, and utilities. OPEX expenses are typically incurred on a regular basis and do not generate direct returns.

The distinction between CAPEX and OPEX is important for businesses because it affects their financial statements, cash flow, and tax liability. CAPEX is capitalized on the balance sheet and depreciated or amortized over the useful life of the asset, so only a fraction of the cost reaches each year’s income statement. OPEX is expensed in the period it is incurred and reduces that period’s net income directly.

CAPEX and OPEX are both important factors to consider when making investment decisions. Businesses should carefully consider the expected returns of CAPEX investments before deciding whether to make them, and should manage their OPEX to ensure that they are not overspending. For a security manager the distinction shows up in how controls are bought: an on-premises appliance or a perpetual software licence is CAPEX, while a cloud or SaaS subscription, a managed detection and response service, or staff time is OPEX, and the budgeting process and approval thresholds for the two usually differ.

Here are some examples of CAPEX and OPEX expenses:

CAPEX

Purchasing a new building
Building a new factory
Buying new equipment
Developing a new software product
OPEX

Salaries and wages
Rent
Utilities
Marketing and advertising
Insurance
Maintenance and repairs
Businesses can use CAPEX and OPEX information to make informed decisions about their operations and finances. For example, businesses can use CAPEX information to track their investment in long-term assets and to forecast future cash flow needs. Businesses can use OPEX information to identify areas where they can reduce costs and improve efficiency.

88
Q

During which step of the access control process is the individual attempting to prove his identity to the satisfaction of the access control system?

A

The step of the access control process in which the individual is attempting to prove his identity to the satisfaction of the access control system is called authentication.

Authentication is the process of verifying a claimed identity. It follows identification (the user claims an identity, for example by entering a username) and precedes authorization (the system decides what the authenticated identity is allowed to do). It is typically done by requiring the user to present one or more factors: something they know (a password or PIN), something they have (a hardware token or authenticator app), or something they are (a fingerprint or face).

The access control system compares the presented credential with what it has on record. For passwords the record should be a salted, slow hash rather than the password itself, so that a stolen credential database cannot be used directly; if the comparison succeeds the user is authenticated and the system moves on to authorization.

Authentication is an important step in the access control process because it helps to protect systems and data from unauthorized access. By authenticating users before granting them access, access control systems can help to prevent identity theft, fraud, and other security breaches.

Here are some examples of authentication methods:

Passwords
PINs
Two-factor (2FA) and multi-factor authentication (MFA), which combine factors from different categories, such as a password plus a one-time code from an authenticator app or a hardware security key
Biometric authentication (fingerprint scans, facial recognition, etc.)
Organizations should choose authentication methods that are appropriate for the level of security required and the needs of their users.

89
Q

Which process replaces portions of sensitive data with asterisks or another meaningless character?

A

The process of replacing portions of sensitive data with asterisks or another meaningless character is called data masking. Data masking replaces part or all of a sensitive value with meaningless characters so that it can be displayed, logged or shared without exposing the original. It is typically applied to data such as payment card numbers, social security numbers, and health information.

There are a number of different ways to mask data. One common method is to show only the last four digits of a payment card number and replace the rest with asterisks (PCI DSS permits at most the first six and last four digits to be displayed, and only where there is a business need). Another is to mask all but the last four digits of a social security number. Masking is one-way: unlike encryption or tokenization, the original value cannot be recovered from the masked one, which is what makes it suitable for receipts, screens and non-production test data.

Data masking can also be used to protect more complex types of data, such as health information. For example, a healthcare organization might mask the names of patients in a medical record or replace the dates of birth of patients with a placeholder value.

Data masking is an important security measure that can help to protect sensitive data from being compromised. Organizations of all sizes should consider using data masking to protect their sensitive data.

Here are some of the benefits of using data masking:

Protects sensitive data: Data masking can help to protect sensitive data from being viewed or accessed by unauthorized individuals.
Reduces the risk of data breaches: Data masking can help to reduce the risk of data breaches by making it more difficult for attackers to steal or exploit sensitive data.
Improves compliance: Data masking can help organizations to comply with regulations that require the protection of sensitive data.
Increases customer confidence: Data masking can help to increase customer confidence by demonstrating that the organization is taking steps to protect their data.
Organizations should carefully consider their needs and requirements when choosing a data masking solution. The type of data masking solution that is right for an organization will depend on the types of data that need to be protected, the level of security required, and the budget of the organization.
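The masking the card describes, applied to free text such as a log line or a support ticket, as an added example that is not part of the original deck. It keeps only the last four digits, preserves separators so the masked value keeps its shape, and masks a candidate card number only if it passes the Luhn check, which leaves order numbers and other long digit strings intact. The sample text is constructed; 4111 1111 1111 1111 is a well-known test card number, not a real account.

```python
"""Mask payment card numbers and SSNs in free text (added example)."""
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional space/hyphen separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Replace every digit except the last keep_last, leaving non-digit characters untouched."""
    to_mask = max(sum(ch.isdigit() for ch in value) - keep_last, 0)
    out = []
    for ch in value:
        if ch.isdigit() and to_mask > 0:
            out.append(mask_char)
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


def mask_text(text: str) -> str:
    """Mask Luhn-valid card numbers and SSN-shaped values wherever they appear in text."""
    def mask_pan(match):
        candidate = match.group(0)
        return mask(candidate) if luhn_valid(re.sub(r"\D", "", candidate)) else candidate
    text = PAN_RE.sub(mask_pan, text)
    return SSN_RE.sub(lambda m: mask(m.group(0)), text)


if __name__ == "__main__":
    # Constructed input: a card number, an SSN and a 13-digit reference that is not a card.
    print(mask_text("card 4111-1111-1111-1111 ssn 123-45-6789 ref 1234567890123"))
```

The reference number survives because it fails the Luhn check, while the card and SSN are reduced to their last four digits. Note what masking does not do: it does not protect the data at rest (the unmasked value still exists wherever it was stored) and the retained digits are still partially identifying, so masked output should be treated as less sensitive, not as public.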

90
Q

The easiest way to protect your organization from an account hijacking attack is to employ which security control?

A

The easiest way to protect your organization from an account hijacking attack is to employ multi-factor authentication (MFA).

MFA is a security measure that requires users to provide two or more factors of authentication to verify their identity when logging in to an account or accessing a resource. This can include a password, a code from a mobile app, or a biometric scan.

MFA adds an extra layer of security to accounts and makes it much more difficult for attackers to hijack them. Even if an attacker has a user’s password, they cannot log in without also controlling the second factor. The strength of that layer depends on the factor: SMS codes and app-generated one-time codes can still be phished or relayed in real time by a proxy site, whereas FIDO2/WebAuthn security keys and passkeys bind the login to the genuine origin and are phishing-resistant.

MFA is easy to implement and can be used for a variety of accounts, including email, social media, and bank accounts. It is one of the most effective ways to protect your organization from account hijacking attacks.

Here are some tips for implementing MFA in your organization:

Choose a strong MFA solution. There are a variety of MFA solutions available, so it is important to choose one that is right for your organization’s needs. Consider factors such as the cost, ease of use, and security features of the solution.
Make MFA mandatory for all users. MFA should be mandatory for all users, including employees, contractors, and partners. This will help to protect all of your accounts from being hijacked.
Educate users about MFA. It is important to educate users about MFA and how to use it. This will help to ensure that they are using MFA correctly and securely.
Monitor MFA usage. It is important to monitor MFA usage to ensure that all users are using it. You can use a security information and event management (SIEM) solution to monitor MFA usage and identify any suspicious activity.
By following these tips, you can implement MFA in your organization and protect your accounts from being hijacked.
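The following is an added example, not from the original deck, and it serves both the authentication card (88) and this MFA card: a login check in which the first factor is verified against a stored salted PBKDF2 hash rather than a stored password, and the second factor is an RFC 6238 TOTP code, built on RFC 4226 HOTP, of the kind an authenticator app produces. Both comparisons are constant-time, and an accepted time step is recorded so the same code cannot be replayed. The user record is constructed; the TOTP secret is the RFC test-vector seed, which is why the expected codes are known in advance. The PBKDF2 iteration count is an assumption to tune (a dedicated password hash such as Argon2 or bcrypt is preferable where a library is available).

```python
"""Password verification plus TOTP second factor (added example)."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 600_000    # assumption; tune to the server's hardware budget
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt=None):
    """Return (salt, digest); a random 16-byte salt is generated unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected_digest: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, last_counter: int, at_time=None, window: int = 1):
    """Return the accepted time step, or None. Steps at or below last_counter are refused (replay)."""
    now = int(time.time() if at_time is None else at_time)
    current = now // TOTP_STEP_SECONDS
    for counter in range(current - window, current + window + 1):   # tolerate clock drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def authenticate(user: dict, password: str, code: str, at_time=None) -> bool:
    """Check both factors before answering, so the response does not reveal which one failed."""
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    accepted = verify_totp(user["totp_secret"], code, user["last_totp_counter"], at_time)
    if not (password_ok and accepted is not None):
        return False
    user["last_totp_counter"] = accepted   # consume the step so the code cannot be replayed
    return True


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record as the access control system would store it (no plaintext password)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret, "last_totp_counter": -1}


if __name__ == "__main__":
    user = make_user("correct horse battery staple", b"12345678901234567890")
    print(authenticate(user, "correct horse battery staple", totp(user["totp_secret"], time.time())))
```

With the RFC seed, HOTP counter 0 yields 755224 and Unix time 59 (counter 1) yields 287082, so a login at time 59 with the right password and that code succeeds, a second attempt with the same code is refused as a replay, and a wrong password is refused regardless of the code. A TOTP code is still something an attacker can phish and relay within its 30-second window, which is the reason the card above prefers phishing-resistant factors where the account warrants them.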