Module 1 - 02-2

Question 1

Define Asset

Answer 1

An item perceived as having value to an organization

Question 2

Define Threat

Answer 2

Any circumstance or event that can negatively impact assets

Question 3

Define Social Engineering

Answer 3

A manipulation technique that exploits human error to gain private information, access, or valuables

Question 4

Define Phishing

Answer 4

A technique that is used to acquire sensitive data, such as user names, passwords, or banking information

Question 5

True or False?
Phishing exploits human error to acquire sensitive data and private information.

Answer 5

True

Phishing exploits human error to acquire sensitive data and private information. It is one method of social engineering.

Question 6

Define Risk

Answer 6

Anything that can impact the confidentiality, integrity, or availability of an asset

Question 7

How would an organization rate risks at different levels (3)?

Answer 7

low, medium, and high, depending on possible threats and the value of an asset

Question 8

Define Low-Risk Asset

Answer 8

Information that would not harm the organization’s reputation or ongoing operations, and would not cause financial damage if compromised

Question 9

What are examples of Low-Risk Asset (2)?

Answer 9

public information such as website content, or published research data

Question 10

Define Medium-Risk Asset

Answer 10

Information that’s not available to the public and may cause some damage to the organization’s finances, reputation, or ongoing operations

Question 11

What is an example of Low-Risk Asset (2)?

Answer 11

The early release of a company’s quarterly earnings could impact the value of their stock

Question 12

Define High-Risk Asset

Answer 12

Information protected by regulations or laws, which if compromised, would have a severe negative impact on an organization’s finances, ongoing operations, or reputation

Question 13

What are examples of High-Risk Asset (4)?

Answer 13

This could include leaked assets with SPII, PII, or intellectual property

Question 14

Define Vulnerability

Answer 14

A weakness that can be exploited by a threat

Question 15

What two factors must be present for there to be a risk?

Answer 15

Both a Vulnerability and a Threat must be present for there to be a Risk

Question 16

What are examples of Vulnerabilities (4)?

Answer 16

An outdated firewall, software, or application;
Weak passwords;
Unprotected confidential data;
People

Question 17

Define Ransomware

Answer 17

A malicious attack where threat actors encrypt an organization’s data then demand payment to restore access

Question 18

What are the Layers of the Web (3)?

Answer 18

• Surface Web
• Deep Web
• Dark Web

Question 19

What is the Top Layer of the Web?

Answer 19

Surface Web

Question 20

What is the Middle Layer of the Web?

Answer 20

Deep Web

Question 21

What is the Bottom Layer of the Web?

Answer 21

Dark Web

Question 22

Define Surface Web

Answer 22

The surface web is the layer that most people use.
It contains content that can be accessed using a web browser.

Question 23

Define Deep Web

Answer 23

The deep web generally requires authorization to access it.
An organization’s intranet is an example of the deep web, since it can only be accessed by employees or others who have been granted access.

Question 24

Define Dark Web

Answer 24

Lastly, the dark web can only be accessed by using special software.
The dark web generally carries a negative connotation since it is the preferred web layer for criminals because of the secrecy that it provides.

Question 25

What are the three key impacts of threats, risks, and vulnerabilities?

Answer 25

1. Financial
2. Identity theft
3. Reputation

Question 26

Explain the Financial Impact on how it relates to threats, risks, and vulnerabilities

Answer 26

o When an organization’s assets are compromised by an attack, such as the use of malware, the financial consequences can be significant for a variety of reasons.
o These can include interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations.

Question 27

Explain the impact on how Identity Theft relates to threats, risks, and vulnerabilities

Answer 27

o Organizations must decide whether to store private customer, employee, and outside vendor data, and for how long.
o Storing any type of sensitive data presents a risk to the organization.
o Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web.
o That’s because the dark web provides a sense of secrecy and threat actors may have the ability to sell data there without facing legal consequences.

Question 28

Explain the impact on how Reputation relates to threats, risks, and vulnerabilities

Answer 28

o A solid customer base supports an organization’s mission, vision, and financial goals.
o An exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization’s reputation.
o The loss of customer data doesn’t only affect an organization’s reputation and financials, it may also result in legal penalties and fines.

Question 29

What does NIST stand for?

Answer 29

National Institute of Standards and Technology (NIST)

Question 30

What is does National Institute of Standards and Technology (NIST) provide?

Answer 30

Frameworks that are used by security professionals to manage risks, threats, and vulnerabilities

Question 31

What does RMF stand for?

Answer 31

Risk Management Framework (RMF)

Question 32

What does NIST RMF stand for?

Answer 32

National Institute of Standards and Technology’s Risk Management Framework (NIST RMF)W

Question 33

What are the seven (7) steps in the NIST RMF?

Answer 33

1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor

Question 34

What is the first (1st) step in the NIST RMF?

Answer 34

1. Prepare

Question 35

What is the second (2nd) step in the NIST RMF?

Answer 35

2. Categorize

Question 36

What is the third (3rd) step in the NIST RMF?

Answer 36

3. Select

Question 37

What is the fourth (4th) step in the NIST RMF?

Answer 37

4. Implement

Question 38

What is the fifth (5th) step in the NIST RMF?

Answer 38

5. Assess

Question 39

What is the sixth (6th) step in the NIST RMF?

Answer 39

6. Authorize

Question 40

What is the seventh (7th) step in the NIST RMF?

Answer 40

7. Monitor

Question 41

Define the NIST RMF Step 1: Prepare

Answer 41

Activities that are necessary to manage security and privacy risks before a breach occurs.

As an entry-level analyst, you’ll likely use this step to monitor for risks and identify controls that can be used to reduce those risks.

Question 42

Define the NIST RMF Step 2: Categorize

Answer 42

Used to develop risk management processes and tasks.

Security professionals then use those processes and develop tasks by thinking about how the confidentiality, integrity, and availability of systems and information can be impacted by risk.
As an entry-level analyst, you’ll need to be able to understand how to follow the processes established by your organization to reduce risks to critical assets, such as private customer information.

Question 43

Define the NIST RMF Step 3: Select

Answer 43

Choose, customize, and capture documentation of the controls that protect an organization.

An example of the select step would be keeping a playbook up-to-date or helping to manage other documentation that allows you and your team to address issues more efficiently.

Question 44

Define the NIST RMF Step 4: Implement

Answer 44

Implement security and privacy plans for the organization.

Having good plans in place is essential for minimizing the impact of ongoing security risks.
For example, if you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve this issue.

Question 45

Define the NIST RMF Step 5: Assess

Answer 45

Determine if established controls are implemented correctly.

An organization always wants to operate as efficiently as possible.
So it’s essential to take the time to analyze whether the implemented protocols, procedures, and controls that are in place are meeting organizational needs.
During this step, analysts identify potential weaknesses and determine whether the organization’s tools, procedures, controls, and protocols should be changed to better manage potential risks.

Question 46

Define the NIST RMF Step 6: Authorize

Answer 46

Being accountable for the security and privacy risks that may exist in an organization.

As an analyst, the authorization step could involve generating reports, developing plans of action, and establishing project milestones that are aligned to your organization’s security goals.

Question 47

Define the NIST RMF Step 7: Monitor

Answer 47

Be aware of how systems are operating.

Assessing and maintaining technical operations are tasks that analysts complete daily.
Part of maintaining a low level of risk for an organization is knowing how the current systems support the organization’s security goals.
If the systems in place don’t meet those goals, changes may be needed.