Lessons 20-24

Question 1

SCRIPTING TOOLS

Answer 1

1. python- A high-level, versatile programming language. ( Writing scripts, building websites, data analysis, automation, machine learning.)
2. Powershell- A task automation and configuration management framework from Microsoft, consisting of a command-line shell and scripting language. ( Managing Windows systems, automating administrative tasks.)
3. Bash- A Unix shell and command language. ( Running commands and scripts on Unix/Linux systems, automating tasks.)
4. Macro- A set of instructions that automate repetitive tasks within software applications. (Automating tasks in applications like Microsoft Excel or Word.)

Question 1

SCRIPTING

Answer 1

A set of instructions used to automate a sequence of repetitive tasks

Question 2

VBA ATTACK

Answer 2

Visual Basic for Applications) attack is a type of cyber attack that exploits the VBA programming language used in Microsoft Office applications like Excel, Word, and Access. Attackers embed malicious VBA code into Office documents, and when the document is opened and macros are enabled, the code executes, potentially compromising the user’s system.

Question 3

Security orchestration automation and response (SOAR)-

Answer 3

an automation tool that reduces response times, improves consistency and amplifies the productivity of incident response teams.

Question 4

INCIDENT MANAGEMENT

Answer 4

Is Inclusive of roles and responsibilities, strategies, and procedures for preparing for, responding to, and managing security incidents

Question 5

Security incident-

Answer 5

an event or action that endangers the confidentiality, integrity, or availability of information or information systems.

Question 6

Data breach

Answer 6

when data is exfiltrated or extracted, or there is a loss of control. A data breach may trigger reporting and notification requirements.

Question 7

Incident prevention & Incident preparation-

Answer 7

1. threat modeling, risk assessment, controls implementation, monitoring, and assurance activities.
2. planning, documenting, assigning responsibilities, training, and practicing response capabilities.

Question 8

Incident detection & Incident response

Answer 8

1. monitoring incident reporting, analysis, and participation in threat intelligence and information-sharing activities.
2. validation, containment, mitigation, eradication, recovery, and evaluation activities.

Question 9

INCIDENT PLAYBOOK

Answer 9

Is a set of instructions for planning for, and responding to, a specific type of event, attack or scenario

Question 10

Categorization

Answer 10

the process of classifying incidents based on severity.

Question 11

Escalation thresholds

Answer 11

the point at which an incident or issue requires a higher level of attention or response.

Question 12

INCIDENT RESPONSE TEAM
IRT

Answer 12

a group of experts who are responsible for managing and responding to cybersecurity incidents within an organization.

Question 13

Walkthrough

Answer 13

personnel or departments review (walkthrough) their plans and procedures for completeness. Accuracy is the objective

Question 14

Tabletop

Answer 14

scenario-based group workshop focuses on the application of plans and procedures as well as participant readiness. Objectives are familiarity, coordination, and accuracy.

Question 15

Simulation-

Answer 15

a localized scenario that simulates an actual event. A pre-planned simulation is scheduled, and attendees are invited. Surprise simulation, attendees are notified “at the moment” objective: readiness

Question 16

VALIDATION

Answer 16

Determine whether an incident has occurred and, if so, the type, extent, and magnitude of the problem

Question 17

Indicator-

Answer 17

tells us that something is happening or has happened

Question 18

PRIORITIZATION

Answer 18

The process of determining the order of importance or urgency. It is the most critical decision point in the incident handling process.

Question 19

CONTAINMENT

Answer 19

A short-term approach to limiting or reducing the impact of an incident

Question 20

ERADICATION

Answer 20

Is inclusive of the steps taken to correct and or eliminate the root cause (not just the symptoms) that led to the incident

Question 21

Root cause analysis (RCA)

Answer 21

a method of problem-solving used to investigate known problems and identify what happened and the underlying causes
The main goal of RCA is to prevent the problem from recurring by eliminating the root cause

Question 22

CYBER INVESTIGATIONS

Answer 22

Can be triggered by a variety of incidents. (intrusion, extortion, insider activity)

3 types of investigations: criminal, civil, and internal (administrative)
Evidence collection is the first step of the investigation.

Question 23

Direct evidence

Answer 23

supports the truth of an assertion directly

Question 24

Circumstantial evidence

Answer 24

relies on inference to connect it to a conclusion of fact.

Question 25

E-DISCOVERY

Answer 25

Refers to any process in which digital data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal law case.

Question 26

A legal hold

Answer 26

an order that suspends the modification, deletion, or destruction of records or media. Can be issued to avoid evidence spoliation

Question 27

evidence spoliation

Answer 27

the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying evidence.

Question 28

EVIDENCE COLLECTION

Answer 28

Collection of digital evidence is the first step of a forensic investigation.

Governed by 2 main rules
Admissibility of evidence- whether the evidence can be used in court
Weight of evidence- the quality and completeness of the evidence

There is tension between response(find and fix) teams and evidence collectors.

Question 29

VOLATILITY

Answer 29

The acquisition of evidence before it disappears is overwritten or is no longer useful

The goal is to create a snapshot of the environment as it existed at the time of the attack or incident

Question 30

Persistent data-

Answer 30

data that does not change and is preserved when the device is turned off

Question 31

Volatile data

Answer 31

data that easily degrade and can be lost when the device is turned off.

Question 32

chain of custody

Answer 32

is chronoligiacl documentation that records the collection, control, transfer, analysis, and disposition of evidence.

Question 33

Factual witness

Answer 33

a person who is knowledgeable about the facts of the case through direct participation or observations

Question 34

Expert witness

Answer 34

a person who has knowledge beyond that of an ordinary person. Experts can give opinions

Question 35

DIGITAL FORENSICS

Answer 35

The application of science to the identification, collection, examination, and analysis of data (evidence) while preserving the integrity of the information.

Question 36

CHECKSUM INTEGRITY

Answer 36

A checksum is a single value derived from a block of digital data to detect errors that may have been introduced during its transmission or storage

Checksums are like hashes as they are used to verify data integrity however, they use simpler algorithms and are smaller than hashes.

Question 37

FILE RECOVERY TERMINOLOGY

Answer 37

Cluster- a fixed length block of disk space indexed in a file allocation table or equivalent

Slack space- The space between the end of a file and the end of a cluster. Slack spaces can contain data from RAM or segments of deleted files

Unallocated (free) space- are clusters that are not allocated to a file. Clusters can contain deleted file fragments.

Carving is the process by which deleted files or fragments are recovered

Metadata- data about data

Question 38

write blocker

Answer 38

used to intercept inadvertent drive writes

Question 39

clone

Answer 39

exact copy of the entire physical hard drive.

Question 40

DATA BREACH

Answer 40

an incident where unauthorized individuals or entities gain access to legally protected or confidential information stored by an organization, resulting in the potential misuse, loss, theft, or exposure of that data.

Question 41

THE DARK WEB

Answer 41

Is part of the internet that in not indexed by search engines and is known for its anonymity. Compromised data often ends up on the dark web after a data breach occurs.

Question 42

Disclosure

Answer 42

the requirements to reveal the situation

Question 43

Notification

Answer 43

the act of informing affected parties

Question 44

INFORMATION SHARING

Answer 44

Describes a means of conveying information or experience from one trusted party to another

Question 45

An information sharing and analysis center (ISAC)

Answer 45

is a trusted sector-specific entity that facilitates sector-specific and or geographic-specific information sharing about vulnerabilities, threats, and incidents

Question 46

Structured threat information expression STIX-

Answer 46

is a standardized language developed by MITRE and the OASIS cyber threat intelligence (CTI) technical committee for describing cyber threat information. STIX is structured to describe a threat in terms of motivations, abilities, capabilities, and response.

Question 47

Trusted automated exchange of intelligence information TAXII

Answer 47

defines how cyber threat information can be shared via services and message exchanges by defining an API. it is designed specifically to support STIX information.

Question 48

three principal models for TAXII include:

Answer 48

1. Hub and spoke- one single source of information
2. source/subscriber- one single source of information
3. Peer-to-peer- multiple groups share information

Question 49

downstream liability

Answer 49

is responsibility for damages that result from a security compromise in your business

Question 50

DATA SOURCES

Answer 50

Incident investigation often requires analysis of several data sources in order to draw a defensible conclusion

Question 51

log data

Answer 51

log data is a record of events or activities that occur within a computer system, network, or application.

Question 52

METADATA

Answer 52

Data about data; it is machine-readable and searchable

Question 53

PACKET CAPTURE

Answer 53

The process of intercepting and logging traffic for analysis

Question 54

Protocol analyzer (sniffer)

Answer 54

a tool used to capture and analyze network packets( data can also be imported for analysis)

Question 55

A port mirror

Answer 55

captures network traffic from one or several ports of a switch and forwards a copy of the traffic to an analysis device

Question 56

Network tap

Answer 56

a dedicated hardware device that is inserted between network devices, like a switch and routers, and makes copies of the traffic and forwards to an analysis device.

Question 57

ENTERPRISE GOVERNANCE

Answer 57

The system by which entities are directed, controlled, and held to account

Question 58

SECURITY LEADERSHIP AND GOVERNANCE

Answer 58

As applied to information/cybersecurity, governance is the responsibility of leadership to determine and articulate the organization’s desired (future) state of security.

Question 59

A role

Answer 59

is a specific position or job title that an individual occupies within an organization or group

Question 60

Stewardship

Answer 60

is a responsible oversight and protection of something entrusted to one’s care

Question 61

Responsibility

Answer 61

refers to the specific duties or tasks that an individual is expected to fulfill within a given role

Question 62

Strategy-

Answer 62

determine the desired (future) state of information/cybersecurity. Codify in strategy and policy. Provide funding

Question 63

Due care

Answer 63

a legal construct defined as exercising the standard of care that a prudent person would have exercised under the same or similar conditions.

Question 64

Fiduciary-

Answer 64

a person or organization who holds a position of trust. Being a fiduciary requires being bound both legally and ethically to act in the trustor’s best interest.

Question 65

Oversight

Answer 65

oversight and authorization of organizational activities

Question 66

Privacy Officer

Answer 66

is responsible for developing, implementing, and administering all aspects of an organization’s privacy program

Question 67

Compliance officer-

Answer 67

responsible for identifying applicable statutory, regulatory, and contractual requirements, as well as ensuring compliance with thereof

Question 68

Physical security officer-

Answer 68

responsible for ensuring that appropriate physical security procedures have been established and controls implemented.

Question 69

Internal audit-

Answer 69

responsible for providing independent, objective assurance services.

Question 70

Owners, Custodians & Users-

Answer 70

1. are responsible for oversight and decisions related to classification access control, and protection
2. are responsible for advising, implementing, managing, and monitoring data protection controls
3. are responsible for treating data and interacting with information systems in accordance with organizational policy and handling standards

Question 71

POLICY

Answer 71

The objective of a policy is to communicate and codify management requirements, and to provide direction.

Question 72

Information security policies

Answer 72

codify the high-level requirements for protecting information and information assets, and ensuring confidentiality, integrity, and availability.

Question 73

Agreements-

Answer 73

are used to enforce policies and related governance publications legally.

Question 74

Standards & Baselines & Guidelines

Answer 74

1. serve as precise specifications for the implementation of policy and dictate mandatory requirements. Standards must be unambiguous
2. are the aggregate of standards for a specific category or group such as a platform device type, ownership, or location
3. help people understand and conform to a standard. Guidelines are customized to the intended audience and are not mandatory.

Question 75

Policy

Answer 75

multifactor authentication is required for access to data and systems classified as confidential

Question 76

Standard-

Answer 76

multifactor authentication requirements for data and systems classified as confidential. Factor 1: 8-digit numeric PIN, no repeating characters, changed every 90 days. Factor 2: biometric fingerprint

Question 77

ACCEPTABLE USE POLICY (AUP)

Answer 77

Details user community obligations about information and information systems
An AUP contains rules that specifically pertain to acceptable behavior, activities that are required, and actions that are prohibited

Question 78

RISK

Answer 78

Is broadly defined as uncertainty of outcome.

Question 79

Low-risk volatility

Answer 79

means that the level of risk is relatively stable and predictable over time

Question 80

High-risk volatility

Answer 80

means that the level of risk is likely to fluctuate significantly over time

Question 81

RISK VELOCITY

Answer 81

Measures how fast an exposure can impact an organization

Is the time that passes between the occurrence of an event and the point at which the organization first feels its effects

Question 82

CASCADING RISK

Answer 82

Is the principle that, often, risks are linked, and failing to address one risk could cause a chain reaction

The cascading risk is divided into 3 categories
Parallel risk
Serial risk
Mixed risk

Question 83

RISK APPETITE

Answer 83

The level of risk that an organization is comfortable engaging in

Question 84

RISK MANAGEMENT

Answer 84

Implies that actions are being taken to either mitigate the impact of an unfavorable outcome and or enhance the likelihood of a positive outcome

Question 85

RISK ASSESSMENT

Answer 85

A structured method of understanding risk

Question 86

RISK ANALYSIS

Answer 86

The process by which the likelihood, impact, and level of risk are determined

Inherent risk- the level of risk before controls or safeguards have been implemented

Residual risk- the level of risk after controls or safeguards have been implemented

Question 87

QUALITATIVE RISK ANALYSIS

Answer 87

Uses well-defined descriptive terminology to indicate likelihood, impact, and residual risk.

Question 88

Qualitative

Answer 88

uses narrative to describe likelihood and impact. outcome is a descriptor.

Question 89

Quantitative-

Answer 89

assigns numeric and monetary values to likelihood and impact. Outcome is monetary

Question 90

ALE annualized loss expectancy

Answer 90

the financial impact on an annualized basis

Question 91

ARO annualized rate of occurrence

Answer 91

how many times in a single year the event is expected to occur

Question 92

SLE single loss expectancy t

Answer 92

the financial impact of a single event

Question 93

Risk response

Answer 93

the responsibility to determine how to respond to the outcome of a risk analysis

Question 94

Risk treatment-

Answer 94

to select one or more options for addressing an identified risk.

Question 95

Risk tolerance

Answer 95

tactical and specific to the target being evaluated.

Question 96

Risk appetite

Answer 96

a strategic construct broadly defined as the level of risk an entity is willing to accept in pursuit of its mission

Question 97

Risk exception

Answer 97

a formal acknowledgment that a risk has been identified, but it is not feasible or practical to implement standard risk treatment or control measures. Workarounds may be implemented

Question 98

Expectation handling-

Answer 98

the process of approving an exception on either a temporary or permanent basis

Question 99

Risk exemption-

Answer 99

a formal decision not to address risk at all. Generally implemented when the potential impact of a risk is low, and the cost and effort required to mitigate the risk are disproportionate to the potential impact.

Question 100

Risk monitoring

Answer 100

a continuous activity that is used to identify trends, failures, or opportunities and respond in an efficient and appropriate manner

Question 101

Risk reporting

Answer 101

the process of communicating real-time risk and performed data to stakeholders.

Question 102

Risk register

Answer 102

a dynamic, central repository for all risk-related documentation, tracking, and accountability including acceptance exceptions and exemptions.

Question 103

Heat maps

Answer 103

a visualization tool to convey likelihood and impact

Question 104

Dashboards

Answer 104

a visualization tool to convey security posture.

Question 105

Metrics

Answer 105

predefined measures usually in the form of Key Risk Indicators KRIs.

Question 106

KEY RISK INDICATORS KRIs

Answer 106

Are predictors (early warning signs) of unfavorable events that can adversely impact an organization

Question 107

A leading indicator

Answer 107

looks forward at future outcomes and events. Leading KRIs are measures that are considered predictive in nature. They are derived from metrics that can help to forecast future occurrences.

Question 108

Lagging indicator-

Answer 108

looks back at what happened. Lagging KRIs are metrics based on historical measures and are used to identify trends.

Question 109

BUSINESS IMPACT ANALYSIS

Answer 109

Characterize the system components, supporting business processes, and interdependencies.

Question 110

MAXIMUM TOLERABLE DOWNTIME MTD

Answer 110

Represents the amount of time the system owner is willing to accept for a service/process outage or disruption and includes all impact considerations.

Question 111

Service delivery objective (SDO)-

Answer 111

the acceptable level of operations in alternate processing mode

Question 112

RPO

Answer 112

recovery point objective is the acceptable data loss. This translates to the point in time, prior to the disruption that data can be recovered.

Question 113

RTO

Answer 113

recovery time objective is the amount of time allocated for system recovery before negatively impacting other systems

Question 114

MTTR

Answer 114

mean time to repair is the average time it takes to repair a failed component or device

Question 115

MTBF

Answer 115

mean time between failures is a measure of reliability (usage stated in hours)