General Flashcards
1
Q
What are two ways to measure risk?
A
Quantitative and Qualitative
2
Q
Which risk response is also included when risk mitigation is performed?
A
Acceptance
3
Q
This describes the probability of a threat being realized.
A
Likelihood
4
Q
This describes the amount of loss during a one-year timespan.
A
Annualized Loss Expectancy (ALE)
5
Q
This phase of the risk management life cycle identifies effective means by which identified risks can be reduced.
A
Control
6
Q
A ____________ should include detailed descriptions of the necessary steps required to successfully complete a task.
A
Process
7
Q
This function of the NIST CSF defines capabilities needed for the timely discovery of security incidents.
A
Detect
8
Q
A formal mechanism designed to measure performance of a program against desired goals.
A
Key Performance Indicator (KPI)
9
Q
Which cloud service type represents the lowest amount of responsibility for the customer?
A
SaaS
10
Q
This describes when a customer is completely dependent on a vendor for products or services.
A
Vendor lock-in
11
Q
This describes when a copy of vendor-developed source code is provided to a trusted third party, in case of disaster.
A
Source code escrow
12
Q
This describes all of the suppliers, vendors, and partners needed to deliver a final product.
A
The Supply Chain
13
Q
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain.
A
CMMC
14
Q
True or False. The use of cloud service providers always reduces risk.
A
False
15
Q
Which type of data can be used to identify an individual and includes information about past, present, or future health?
A
Protected Health Information (PHI)
16
Q
Which type of data describes intangible products of human thought and ingenuity?
A
Intellectual Property (IP)
17
Q
Which data destruction method is focused on the sanitization of the key used to perform decryption of data?
A
Crypto erase
18
Q
Which concept identifies that the laws governing the country in which data is stored have control over the data?
A
Data sovereignty
19
Q
A non-regulatory agency in the United States that establishes standards and best-practices across the entire science and technology field is known as:
A
NIST
20
Q
What regulation enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and/or analyze data on subjects located there?
A
GDPR
21
Q
Which U.S. federal law is designed to protect the privacy of children?
A
COPPA
22
Q
Which process is designed to provide assurance that information systems are compliant with federal standards?
A
Certification and Accreditation
23
Q
This describes the identification of applicable laws depending on the location of the organization, data, or customer/subject.
A
Jurisdiction
24
Q
What concept is often linked to the “prudent man rule”?
A
Due care
25
This describes when an organization's legal team receives notification instructing them to preserve electronically stored information.
Legal Hold
26
What type of agreement is often described as an "umbrella" contract that establishes the agreement between two entities to conduct business?
Master Services Agreement (MSA)
27
Which agreement governs services that are both measurable and repeatable and also generally include enforcement mechanisms that result in financial penalties for non-compliance?
Service Level Agreement (SLA)
28
What is the last step in a business continuity plan?
Maintenance
29
NIST defines this as "An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption."
Business Impact Analysis
30
This generally defines the amount of data that can be lost without irreparable harm to the operation of the business.
Recovery Point Objective
31
Which type of assessment seeks to identify specific types of sensitive data so that its use and handling can be properly disclosed?
Privacy Impact Assessment
32
Using other branch locations to manage a disaster response is referred to as:
Alternate Operating Facilities
33
Which type of DR site has lowest operating expense and complexity?
Cold Site
34
This type of site is one that can be activated and used within minutes.
Hot Site
35
This term describes when cloud service offerings are used for DR capabilities.
DRaaS, DR as a Service
36
True or False. Incident response should only involve the information technology department.
False
37
True or False. BCDR is a technical capability and so senior leadership involvement is not required.
False
38
True or False. BCDR plans should not be tested as doing so may break production systems.
False
39
Which type of simulation test includes a meeting to review the plans and analyze their effectiveness against various BCDR scenarios?
Walk-through
40
Which type of simulation test is used to determine whether all parties involved in the response know what to do and how to work together to complete the exercise?
Tabletop Exercise
41
When performing this type of test, issues and/or mistakes could cause a true DR situation:
Full Interruption
42
What are the two main components of a VPN?
Creating a tunnel and protecting data via encryption
43
Identify some ways a VPN might help an adversary avoid detection.
Answers will vary but should include a description of hiding data/activities and geographic location.
44
Describe a solution designed to validate the health of an endpoint prior to allowing access.
Network Access Control (NAC)
45
This is a passive technology used to provide visibility into network traffic within a switch.
Test Access Port or TAP
46
What version of SNMP should be used whenever possible?
Version 3
47
Which type of environment is characterized by having hosts and networks available for use by visitors, such as the public or vendors?
Guest
48
This describes a specially configured, highly hardened, and closely monitored system used to perform administrative tasks.
Jump Box
49
This type of network segmentation differs from a traditional network segmentation approach as it provides much higher levels of security, granularity, and flexibility.
Microsegmentation
50
What type of architecture adopts the approach of "never trust, always verify"?
Zero Trust Architecture
51
This implementation creates a software-defined network by utilizing existing physical network equipment.
SDN Overlay
52
This describes improving performance by adding additional resources to an individual system, such as adding processors, memory, and storage to an existing server.
Scaling Vertically
53
A ______________________________________ leverages the global footprint of cloud platforms by distributing and replicating the components of a service to improve performance to all the key service areas needing access to the content.
Content Delivery Network (CDN)
54
What design strategy often conflicts with information technology management approaches that look to consolidate platforms and reduce product portfolios?
Heterogeneity/Diversity
55
Which type of virtualization allows the client to either access an application hosted on a server or stream the application from the server to the client for local processing?
Application Virtualization
56
This non-profit organization provides guidance and best practices on the development and protection of web applications.
OWASP
57
What are some of the functions that can be performed via a Container API?
Some examples include list logs generated by an instance; issue commands to the running container; create, update, and delete containers; and list capabilities.
58
What environment is used to merge code from multiple developers to a single master copy and subject it to unit and functional tests?
Test or Integration Environment
59
Which type of application testing is frequently performed using scanning tools such as OWASP's Zed Attack Proxy (ZAP)?
Dynamic Application Security Testing (DAST)
60
This describes middleware software designed to enable integration and communication between a wide variety of applications throughout an enterprise.
Enterprise Service Bus (ESB)
61
True or False. Traditional software development models incorporate security requirements throughout all phases.
False
62
Which type of software testing ensures that a particular block of code performs the exact action intended and provides the exact output expected?
Unit Testing
63
Which type of testing verifies that individual components of a system are tested together to ensure that they interact as expected?
Integration Testing
64
What development model includes phases that cascade with each phase starting only when all tasks identified in the previous phase are complete?
Waterfall
65
What development model incorporates Security as Code (SaC) and Infrastructure as Code (IaC)?
SecDevOps
66
Storing passwords using this method should be disabled as it provides marginal improvements in protection compared to simply storing passwords in plaintext.
Reversible Encryption
67
What is the term used to describe when credentials created and stored at an external provider are trusted for identification and authentication?
Federation
68
Which access control model is a modern, fine-grained type of access control that uses a type of markup language call XACML?
Attribute-Based Access Control (ABAC)
69
What authentication protocol is comparable to RADIUS and associated with Cisco devices?
TACACS+
70
What authentication scheme uses an HMAC built from a shared secret plus a value derived from a device and server's local timestamps?
Time-Based One Time Password (TOTP)
71
In which stage of the data life cycle is data shared using various mechanisms, such as email, network folders, websites, or cloud storage?
Use
72
Describe some of the critical elements included in data management.
Answers will vary but should include descriptions of data inventory, data mapping, backups, quality assurance, and integrity controls.
73
Identify some practical DLP example use-cases.
Blocking use of external media, print blocking, Remote Desktop Protocol (RDP) blocking, clipboard privacy controls, restricted virtual desktop infrastructure (VDI) implementation, data classification blocking.
74
What is the name of the data obfuscation method that replaces sensitive data with an irreversible value?
Tokenization
75
What data obfuscation method is designed to protect personally identifiable information so that data can be shared?
Anonymization
76
Which type of virtualization platform supports microservices and server-less architecture?
Containerization
77
_____________________________ is assigned to cloud resources through the use of tags and is frequently exploited to expose configuration parameters which may reveal misconfigured settings.
Metadata
78
Which type of cloud service model can be described as virtual machines and software running on a shared platform to save costs and provide the highest level of flexibility?
Multi-tenant
79
After powering-up a virtual machine after performing maintenance, the virtual machine is no longer accessible by applications previously configured to connect to it. What is a possible cause of this issue?
The IP address was reassigned to another instance.
80
Which type of storage model supports large amounts of unstructured data and is commonly used to store archives and backup sets?
Blob Storage
81
Which technology uses a ledger distributed across a peer-to-peer (P2P) network?
Blockchain
82
___________________ reality emulates a real-life environment through computer-generated sights and sounds.
Augmented/Virtual
83
This term describes computer-generated images or video of a person that appear to be real but are instead completely synthetic and artificially generated.
Deep Fake
84
______________ computers use information represented by spin properties, momentum, or even location of matter as opposed to the bits of a traditional computer.
Quantum
85
Which technology allows the crafting of components on-demand, and potentially eliminates the need to share designs or plans that may lead to intellectual property theft?
3D Printing
86
Identify two types of certificates commonly used to implement access controls for mobile devices.
Trust (device) and user certificates
87
Which standard is associated with the Simultaneous Authentication of Equals (SAE)?
WPA3 (Wi-Fi 6)
88
Which type of device attack allows complete control of a device without the target device being paired with the attacker?
BlueBorne
89
Identify some reasons why DoH poses a security threat in an enterprise setting.
Answers may vary. DoH, if approved, must be configured to use a trusted provider. DoH encapsulates DNS traffic within https traffic making it harder to identify. DoH can bypass external DNS query restrictions configured on firewalls.
90
Identify how Bluetooth can be used for physical reconnaissance.
Answers may vary. Bluetooth devices are discoverable using freely available tools, meaning an attacker can locate out-of-sight devices and also collect information about the hardware and vendor.
91
Identify some reasons why EOL software and hardware are concerning.
Responses will vary but should include a description regarding the lack of vendor support and vendor-supplied security patches.
92
True or False. Operating System instances running in the cloud are patched automatically by the cloud provider.
False
93
Which types of attacks on the Android OS can bypass the protections of mandatory access control?
Inter-app communication attacks
94
Which control is designed to prevent a computer from being hijacked by a malicious OS?
Answers may vary but secure boot, measured boot, or attestation services all apply.
95
Which type of host protection should provide capabilities that directly align to the NIST Cybersecurity Framework Core?
Endpoint Protection and Response
96
True or False. Operating in a public cloud removes the need for BCDR plans due to the fact that cloud platforms are so reliable.
False
97
What name is given to the practice of splitting encrypted data outputs into multiple parts which are subsequently stored in disparate storage locations?
Bit Splitting or Cryptographic Splitting
98
Which cloud computing practice eliminates the use of traditional virtual machines to deliver cloud services?
Serverless Computing
99
What is a critical component dictating the implementation of logging capabilities in the cloud?
Legal and regulatory compliance
100
What is the primary source of data breach in the cloud?
Misconfiguration
101
Which component integrates practically all the components of a traditional chipset including GPU?
System on a Chip, or SoC
102
Which type of industrial computer is typically used to enable automation in assembly lines and is programmed using ladder language?
Programmable Logic Controller, or PLC
103
Which type of availability attack are industrial computers most sensitive to?
Denial of Service, or DoS
104
An ________ ________ describes the method by which ICS are isolated from other networked systems.
Air Gap
105
What makes attacks against ICS uniquely concerning?
Answers will vary, but essentially because ICS control systems that interact with the real world and can cause humanitarian and/or environmental disasters when breached or attacked.
106
What is the name of the algorithm used by SHA-3?
Kekkack
107
Which MAC method is commonly paired with Salsa20 on hardware that does not have integrated AES support?
Poly1305
108
Describe the key distribution problem.
Answers will vary. Should identify that it is associated with symmetric encryption and that sharing the key between two parties can be risky if not performed carefully.
109
Is Salsa20 a stream or block cipher?
Stream
110
How are modes of operation related to symmetric encryption?
Answers will vary. Modes of operation are like "techniques" used to make symmetric block ciphers operate in a way that is comparable to stream ciphers.
111
What symmetric encryption problem is asymmetric encryption uniquely equipped to solve?
Key distribution
112
What is the bulk encryption method used in the following cipher suite? ECDHE-RSA-AES128-GCM-SHA256
AES
113
What encryption scheme is generally associated with protecting email?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
114
What issue related to the use of authentication header (AH) makes it difficult/problematic to implement?
It does not work across NAT gateways.
115
Which implementation of Elliptic Curve Cryptography (ECC) is no longer recommended for use by the NSA?
P256
116
True or False. Private keys are contained within digital certificates.
False. Public keys are contained within digital certificates.
117
Which of the following would be best suited to protecting data stored on a removable disk: IPSec, TLS or AES?
AES is a symmetric block cipher and best suited to this. IPSec and TLS are associated with transport encryption.
118
Which device used to provide strong authentication stores a user's digital certificate, private key associated with the certificate, and a personal identification number (PIN)?
Smart card
119
How do device certificates help security operations?
Answers will vary. A description of using device certificates to identify authorized endpoints is appropriate.
120
What is the purpose of a bridge CA?
Answers will vary. A bridge CA allows the interoperability and shared trust between multiple, otherwise independent, PKIs. Bridge CAs enable cross-certification.
121
_________________ ___________________ is the entity responsible for issuing and guaranteeing certificates.
Certificate Authority
122
True or False. A website protected with a valid digital certificate is guaranteed to be safe.
False. The digital certificate provides assurance that the site is genuine, but it could still be rogue in nature.
123
What is another term to describe the requirement for both client and server devices to use certificates to verify identity?
Mutual authentication
124
What is the name of the response header configured on a web server to notify a browser to connect to the requested website using HTTPS only?
HTTP Strict Transport Security (HSTS)
125
The error message "your connection is not private" is displayed when accessing a known website. What is a possible cause of this error?
The website is configured to use a weak signing algorithm.
126
Which threat assessment approach is described as emulating known TTPs to mimic the actions of a threat in a realistic way, without emulating a specific threat actor?
Threat emulation
127
Which defensive approach describes a team of specialists working with the viewpoint of "assume breach"?
Threat Hunting
128
Which threat actor group includes adversaries such as Anonymous, WikiLeaks, or LulzSec?
Hacktivists
129
Developed by Lockheed Martin, this describes the steps/actions an adversary must complete in order to achieve their goals.
Cyber Kill Chain
130
True or False. CPE is a list of records where each item contains a unique identifier used to describe publicly known vulnerabilities.
False. The description is for CVE.CPE uses a syntax similar to Uniform Resource Identifiers (URI), CPE is a standardized naming format used to identify systems and software.
131
What vulnerability assessment analysis approach requires the evaluation of a system or software while it is running?
Dynamic assessment
132
What testing method uses specialty software tools designed to identify problems and issues with an application by purposely inputting/injecting malformed data to it?
Fuzzing or fuzz testing
133
This describes the actions of an attacker using one exploited system to access another within the same organization.
Pivoting
134
What document describes the manner in which a pen-test may be performed?
Rules of Engagement (RoE)
135
Which category of tool describes the Metasploit tool?
An exploit framework
136
Which type of deceptive technology is generally less complicated to deploy than other deceptive technologies but can serve a similar purpose?
Simulator
137
Honeytoken and canary files are types of _______________ files.
Decoy
138
An ___________________________ system is one that is "unchangeable."
Immutable
139
______________________________ describes the set of configuration changes made to improve the security of an endpoint from what the default configuration provides.
Hardening
140
In Linux, ________________ describe self-contained software applications which include all the necessary components and libraries they need to be able to operate on an immutable system.
Flatpaks
141
Which type of vulnerability is caused by processes operating under the assumption that a critical parameter or piece of information has not changed?
TOCTOU
142
When reviewing the operation of a web application, the following is observed: https://www.foo.com/products/jsessionid=8858PNRX949WM26378/?item=bigscreen-tv.
What is problematic with this?
The session ID is included in the URL, meaning that anyone with access to the jsessionid information could perform an authentication bypass attack for the identified user.
143
Which approach describes how software can be analyzed for open-source components?
Software Composition Analysis
144
True or False. JSON is not dependent upon web technologies.
False. JSON is designed to leverage common web technologies as part of its operation.
145
What type of attack is most closely associated with the use of characters such as ' OR 'x' = 'x' -- ?
Authentication Bypass, a type of SQL injection attack.
146
True or False. By default, switches provide packet capture utilities full visibility into all traffic flows for connected devices.
False. A switch must be configured to mirror traffic or utilize a tap in order to provide full visibility for packet capture. Switches natively isolate traffic.
147
Two alerts are generated by an IDS, one with a priority value of 1 and the other with a priority value of 10. Which should be investigated first?
The one with a priority value of 1, which represents a more concerning event type.
148
Which security product is most likely to support the use of YARA rules?
Antivirus
149
In what ways does the support of security incidents differ from traditional tickets/requests in IT?
Answers will vary. The answer should describe how security incidents must be handled based on severity rather than order received.
150
What is most concerning regarding false negatives?
They represent legitimate security incidents that do not generate an alert.
151
What term describes evidence handling from collection through presentation in court?
Chain of custody
152
Which utility can be used to extract data from binary files and can display the contents in hexadecimal, decimal, octal, or ASCII formats
hexdump
153
Which tool can be used to identify interactions between processes and the Linux kernel?
strace
154
________________________ is a popular command line utility used to analyze memory dumps.
volatility
155
Which command line utility is designed to display real-time information about system memory, running processes, interrupts, paging, and I/O statistics?
vmstat
156
Risk management
The cyclical process of identifying, assessing, analyzing, and responding to risks.
157
enterprise risk management (ERM)
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.
158
Risk Management Framework (RMF) or ISO 31000
A comprehensive set of standards for enterprise risk management.
159
Risk
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
160
Likelihood
In risk calculation, the chance of a threat being realized, expressed as a percentage.
161
Impact
The severity of the risk if realized by factors such as the scope, value of the asset, or the financial impacts of the event.
162
Single Loss Expectancy (SLE)
The amount that would be lost in a single occurrence of a particular risk factor.
163
Annual Loss Expectancy (ALE)
The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
164
Annual Rate of Occurrence (ARO)
In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.
165
Asset Value (AV)
The value of an asset, such as a server or even an entire building.
166
Exposure Factor (EF)
In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.
167
Total Cost of Ownership (TCO)
Associated costs of an asset including acquisition costs and costs to maintain and safely operate the asset over its entire lifespan.
168
Return on Investment (ROI)
A metric to calculate whether an asset is worth the cost of deploying and maintaining it.
169
Mean Time To Recovery (MTTR)
Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.
170
Mean Time Between Failures (MTBF)
Metric for a device or component that predicts the expected time between failures.
171
Gap Analysis
An analysis that measures the difference between current state and desired state in order to help assess the scope of work included in a project.
172
Risk avoidance
In risk mitigation, the practice of ceasing activity that presents risk.
173
Risk acceptance
The response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.
174
Risk mitigation
The response of reducing risk to fit within an organization's risk appetite.
175
Risk transference
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
176
attack vectors
A specific path by which a threat actor gains unauthorized access to a system.
177
residual risk
Risk that remains even after controls are put into place.
178
Risk appetite
A strategic assessment of what level of residual risk is tolerable for an organization.
179
Key Performance Indicators (KPI)
A formal mechanism designed to measure performance of a program against desired goals.
180
Key Risk Indicators (KRI)
The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occuring.
181
Scalability
Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
182
Reliability
The fundamental security goal of ensuring that an information processing system is trustworthy.
183
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
184
Risk tolerance
Determines the thresholds that separate different levels of risk.
185
Tradeoff analysis
Comparing potential benefits to potential risks and determining a course of action based on adjusting factors that contribute to each area.
186
Separation of duties
Security policy concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
187
Job rotation
The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.
188
Mandatory vacation
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
189
Least privilege
Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
190
Cloud Service Provider (CSP)
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an "as a service" subscription-based, cloud-centric offering.
191
Shared responsibility model
Identifies that responsibility for the implementation of security as applications, data and workloads are transitioned into a cloud platform are shared between the customer and the cloud service provider (CSP.)
192
Software as a Service (SaaS)
Cloud service model that provisions fully developed application services to users.
193
Platform as a Service (PaaS)
Cloud service model that provisions application and database services as a platform for development of apps.
194
Infrastructure as a Service (IaaS)
Cloud service model that provisions virtual machines and network infrastructure.
195
Vendor Lock-in
A customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.
196
Vendor Lockout
A vendor's product is developed in a way that makes it inoperable with other products, the ability to integrate it with other vendor products is not a feasible option or does not exist.
197
Vendor Viability
A vendor that has a viable and in-demand product and the financial means to remain in business on an ongoing basis.
198
Source Code Escrow
A copy of vendor-developed source code provided to a trusted third party in the event the vendor ceases business.
199
Support Availability
Verifying the type and level of support to be provided by the vendor in support of their product or service.
200
Meeting Client Requirements
Formally defining what functionality is required of a product or service, and taking steps to verify that a vendor's service or product provides at least this level of functionality.
201
supply chain
The end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer.
202
Supply Chain Visibility (SCV)
The capacity to understand how all vendor hardware, software, and services are produced and delivered as well as how they impact an organization's operations or finished products.
203
Cloud Security Alliance (CSA)
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
204
Security Trust and Risk (STAR)
A framework of security best practices for Cloud service providers that is developed and maintained by the Cloud Security Alliance (CSA).
205
System and Organization Controls (SOC)
Use of standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate the policies, processes, and procedures in place and designed to protect technology and financial operations.
206
International Organization for Standardization (ISO)
Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).
207
Cybersecurity Maturity Model Certification (CMMC)
A set of cybersecurity standards developed by the United States Department of Defense (DoD) and designed to help fortify the DoD supply chain by requiring suppliers to demonstrate that they have mature cybersecurity capabilities.
208
virtual local area networks (VLAN)
A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.
209
Protected Health Information (PHI)
Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.
210
Personal Identifiable Financial Information (PIFI)
Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.
211
Intellectual property (IP)
Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.
212
data owner
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
213
Data classification
The process of applying confidentiality and privacy labels to information.
214
Data retention
The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
215
Data sovereignty
In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.
216
data subject
An individual that is identified by privacy data.
217
attestation of compliance (AOC)
A set of policies, contracts and standards identified as essential in the agreement between two parties.
218
Certification and accreditation (C&A)
A process executed in four distinct phases: initiation and planning, certification, accreditation, and continuous monitoring.
219
Information System Security Officer (ISSO)
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
220
Certifying Authority
The entity responsible for reviewing the results of a certification and accreditation package, including audits reports, and making the final decision regarding accreditation status.
221
Authority to Operate (ATO)
A formal letter of accreditation provided to the system owner granting them permission to operate a system.
222
Common Criteria (CC)
A set of standards developed by a group of governments working together to create a baseline of security assurance for a trusted operating system (TOS).
223
Due care
Organizational security policies are (to some extent) driven by legislation introduced as a response to the growing appreciation of the threat posed by computer crime. Legislation can cover many aspects of security policy but the key concepts are due diligence (demonstrating awareness of security issues) and due care (demonstrating responses to identified threats). Security policy is also driven by adherence to industry codes of practice and standards.
224
due diligence
A legal principal that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.
225
legal hold
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
226
e-Discovery
Procedures and tools to collect, preserve, and analyze digital evidence.
227
Cold Site
Predetermined alternate location where a network can be rebuilt after a disaster.
228
warm site
Alternate processing location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.
229
hot site
Fully configured alternate processing site that can be brought online either instantly or very quickly after a disaster.
230
after action report (AAR)
An analysis of events that can provide insight into how to improve response processes in the future.
231
Firewalls
Software or hardware device that protects a system or network by blocking unwanted network traffic.
232
Routers
An intermediate system working at the Network layer capable of forwarding packets around logical networks of different layer 1 and layer 2 types.
233
Load Balancer
Type of switch, router, or software that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.
234
Virtual Private Cloud (VPC)
A private network segment made available to a single cloud consumer on a public cloud.
235
elastic IP address
A public IPv4 address that can be assigned to any instance or network interface in a VPC within an AWS account.
236
social engineering
Activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security guidelines.
237
virtual appliance
A preconfigured, self-contained virtual machine image ready to be deployed and run on a hypervisor.
238
MX records
A special type of DNS record used to identify the email servers used by a domain.
239
Distributed Denial of Service
Attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
240
Rate Limiting
An approach that protects the attack from consuming all available bandwidth and impacting other servers and services on the network. It reduces the amount of throughput available to the server or service being attacked.
241
Web Application Firewall (WAF)
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
242
Blackhole Routing
Retrieves all the traffic intended for an endpoint and drops both legitimate and malicious traffic.
243
Cloud Service Providers
A cloud service provider is any third-party organization providing infrastructure, application and/or storage services via an "as a service" subscription-based, cloud-centric offering.
244
DDoS Mitigation Software/Appliance
Reflects the methods used to reduce the impact of a distributed denial of service (DDoS) attack. DDoS mitigation can be implemented through the use of special software or by deploying a virtual appliance designed to provide DDoS protection.
245
unified threat management (UTM)
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
246
Content Filtering
A security measure performed on email and internet traffic to identify suspicious, malicious and/or inappropriate content in accordance with an organization’s policies.
247
MIME (Multi-Purpose Internet Mail Extensions)
A protocol specifying Internet mail message formats and attachments.
248
Data Loss Prevention (DLP)
Software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
249
SPAM
Junk messages sent over email (or instant messaging, which is called spim). It can also be utilized within social networking sites.
250
SPAM Block Lists (SBL)
Identifies known bad senders. Security companies typically provide this as a service to organizations to reduce SPAM messages.
251
Antivirus
Inspecting traffic to locate and block viruses.
252
caching engines
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
253
non-transparent proxy
A server that redirects requests and responses for clients configured with the proxy address and port.
254
transparent proxy
A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.
255
SQL injection
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
256
cross-site scripting (XSS)
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
257
cross-site request forgery (XSRF)
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
258
file inclusion
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
259
directory traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
260
