File Security +

Question 1

What are the properties of a secure information processing system?

Answer 1

Confidentiality, Integrity, and Availability (and Non-repudiation).

Question 2

What term is used to describe the property of a secure network where a sender cannot deny having sent a message?

Answer 2

Non-repudiation

Question 3

A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?

Answer 3

A security operations center (SOC)

Question 4

A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?

Answer 4

Development and Operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embed the security function within these teams as well.

Question 5

Availability

Answer 5

The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need

Question 6

CIA triad

Answer 6

The three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad.

Question 7

CISO

Answer 7

Chief Information Security Officer
Typically the job title of the person with overall responsibility for information assurance and systems security. Sometimes referred to as Chief Information Officer (CIO)

Question 8

Confidentiality

Answer 8

The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.

Question 9

CSIRT (Computer Security Incident Response Team)

Answer 9

Team with responsibility for incident response. The CSIRT must have expertise across a number of business domains (IT, HR, legal, and marketing for instance).

Question 10

DevSecOps

Answer 10

A combination of software development, security operations, and systems operations, and refers to the practice of integrating each discipline with the others.

Question 11

integrity

Answer 11

The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.

Question 12

ISSO (Information Systems Security Officer)

Answer 12

Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.

Question 13

NIST (National Institute of Standards and Technology)

Answer 13

Develops computer security standards used by US federal agencies and publishes cybersecurity best practices guides and research.

Question 14

Non-Repudiation

Answer 14

The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

Question 15

SOC (security operations center)

Answer 15

The location where security professionals monitor and protect critical information assets in an organization.

Question 16

You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?

Answer 16

It is a technical type of control (implemented in software) and acts as a preventive measure.

Question 17

A company has installed motion-activated floodlighting on the grounds its premises. What class and function is this security control?

Answer 17

It would be classed as a physical control and its function is both detecting and deterring.

Question 18

A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?

Answer 18

Preventive and corrective

Question 19

If a security control is described as operational and compensating, what can you determine about its nature and function?

Answer 19

That control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.

Question 20

If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?

Answer 20

A cybersecurity framework and/or benchmark and secure configuration guides.

Question 21

CIS (Center for Internet Security)

Answer 21

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

Question 22

Cloud Security Alliance

Answer 22

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.

Question 23

Compensating Control

Answer 23

A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

Question 24

Corrective Control

Answer 24

A type of security control that acts after an incident to eliminate or minimize its impact.

Question 25

Detective Control

Answer 25

A type of security control that acts during an incident to identify or record that it is happening.

Question 26

deterrent control

Answer 26

A type of security control that discourages intrusion attempts.

Question 27

GDPR (General Data Protection Regulation)

Answer 27

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US’s Privacy Sheild requirements.

Question 28

GLBA (Gramm-Leach Bliley Act)

Answer 28

A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual’s financial information that is held by financial institutions.

Question 29

ISO/IEC 27K (Internatinal Organization for Standardization 2700 Series)

Answer 29

A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

Question 30

ISO/IEC 31K (International Organization for Standardization 31000 Series)

Answer 30

A comprehensive set of standards for enterprise risk management.

Question 31

Managerial Control

Answer 31

A category of security control that gives oversight of the information system.

Question 32

Operational Control

Answer 32

A category of security control that is implemented by people.

Question 33

OWASP (Open Web Application Security Project)

Answer 33

A charity and community publishing a number of secure application development resources.

Question 34

PCI DSS (Payment Card Industry Data Security Standard)

Answer 34

Information security standard for organizations that process credit or bank card payments.

Question 35

Physical Control

Answer 35

A type of security control that acts against in-person intrusion attempts.

Question 36

Security Control

Answer 36

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality of data, integrity, and availability (CIA) of information.

Question 37

SOX (Sarbanes-Oxley Act)

Answer 37

A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.

Question 38

SSAE SOC (Statements on Standards for Attestation of Engagements Service Organization Control)

Answer 38

Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.

Question 39

Technical Control

Answer 39

A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.

Question 40

Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?

Answer 40

Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.

Question 41

True or false? Nation state actors primarily only pose a risk to other states

Answer 41

False
Nation state actors have targeted commercial interests for theft, espionage, and extortion.

Question 42

You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?

Answer 42

This is either gray hat (semi-authorized) hacking. If the request for compensation via consultancy is an extortion threat (if refused, the hacker sells the exploit on the dark web), then the motivation is purely financial gain and can be categorized as black hat. If the consultancy is refused and the hacker takes no further action, it can be classes as gray hat.

Question 43

Which type of threat actor is primarily motivated by the desire for social change?

Answer 43

Hacktivist

Question 44

Which three types of threat actor are most likely to have high levels of funding?

Answer 44

State actors, criminal syndicates, and competitors.

Question 45

You are assisting with writing an attack surface assessment report for a small company. Following the CompTIA syllabus, which two potential attack vectors have been omitted from the following headings in the report? Direct access, Email, Remote and wireless, Web and social media, Cloud.

Answer 45

Removable media and supply chain.

Question 46

APT (advanced persistent threat)

Answer 46

An attackers ability to obtain , maintain and diversify access to network systems using exploits and malware.

Question 47

Attack Surface

Answer 47

The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.

Question 48

Attack Vector

Answer 48

A specific path by which a threat actor gains unauthorized access to a system. Also referred to as a vector.

Question 49

Black Hat

Answer 49

A hacker operating with malicious intent.

Question 50

Criminal Syndicates

Answer 50

A type of threat actor that uses hacking and computer fraud for commercial gain. Also referred to as organized crime.

Question 51

Gray Hat

Answer 51

A hacker who analyzes networks without seeking authorization, but without many overtly malicious intent.

Question 52

Hacker

Answer 52

Often used to refer to someone who breaks into computer systems or spreads viruses, Ethical Hackers prefer to think themselves as experts on and explorers of computer security systems.

Question 53

Hacktivist

Answer 53

A threat actor that is motivated by social issue or political cause.

Question 54

Insider Threat

Answer 54

A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.

Question 55

Intentional Threat

Answer 55

A threat actor with a malicious purpose.

Question 56

Script Kiddie

Answer 56

An inexperienced, unskilled attacker that typically uses tools or scripts created by others.

Question 57

Shadow IT

Answer 57

Computer hardware, software, or services used on a private network without authorization from the system owner.

Question 58

State Actor

Answer 58

A type of threat actor that is supported by the resources of its host country’s military and security services. Also referred to as a nation state actor.

Question 59

Supply Chain Attack

Answer 59

An attack that targets the end-to-end process of manufacturing, distributing, and handling goods and services.

Question 60

Threat

Answer 60

The potential for an entity to exercise a vulnerability (that is, to breach security).

Question 61

Threat Actor

Answer 61

The person or entity responsible for an event that has been identified as a security incident or as a risk.

Question 62

Unintentional Threat

Answer 62

A threat actor that causes a vulnerability or exposes an attack vector without malicious intent.

Question 63

Vulnerability

Answer 63

A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

Question 64

White Hat

Answer 64

A hacker engaged in authorized penetration testing or other security consultancy.

Question 65

You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?

Answer 65

For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.

Question 66

Your CEO wants to know if the company’s threat intelligence platform makes effective use of OSINT. What is OSINT?

Answer 66

Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.

Question 67

You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?

Answer 67

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients.

Question 68

AI

Answer 68

Artificial intelligence
The science of creating machines with the ability to develop problem solving and analysis strategies without significant human direction or intervention.

Question 69

AIS

Answer 69

Automated Indicator Sharing
Threat intelligence data feed operated by the DHS.

Question 70

Closed-Source Intelligence

Answer 70

Information that is obtained through private sources and disseminated through paid-for subscription or membership services.

Question 71

CTI

Answer 71

Cyber Threat Intelligence
The process of investigating, collecting, and disseminating information about emerging threats and threat sources.

Question 71

CVE

Answer 71

Common Vulnerabilities and Exposures
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

Question 72

Dark Web

Answer 72

Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing.

Question 73

IoC (indicator of compromise)

Answer 73

A sign that an asset or network has been attacked or is currently under attack.

Question 74

ISAC

Answer 74

Information Sharing and Analysis Center
Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

Question 75

ML

Answer 75

Machine Learning
A component of AI that enables a machine to develop strategies for solving a task given a labeled data set where features have been manually identified but without further explicit instructions.

Question 76

OSINT

Answer 76

Open-Source Intelligence
Publicly available information plus the tools used to aggregate and search it.

Question 77

Reputation Data

Answer 77

Block lists of known threat sources, such as malware signatures, IP address ranges, and DNS domains. Also referred to as reputational threat intelligence.

Question 78

STIX

Answer 78

Structured Threat Information eXpression
A framework for analyzing cybersecurity incidents.

Question 79

TAXII

Answer 79

Trusted Automated eXchange of Indicator Information
A protocol for supplying codified information to automate incident detection and analysis.

Question 80

Threat feed

Answer 80

Signatures and pattern-matching rules supplied to analysis platforms as an automated feed.

Question 81

Threat Map

Answer 81

Animated map showing threat sources in near real-time.

Question 82

TTP

Answer 82

Tactics, techniques, and procedures
Analysis of historical cyber-attacks and adversary actions.