Module 1 - Introduction to Security Flashcards

1
Q

What are the 3 reasons that a legacy platform has not been updated?

A

1) limited hardware capacity
2) an application only operates on a specific OS version
3) neglect

2
Q

What category of threat actors use advanced persistent threats (APTs)?

A

state actors

governments are increasingly employing their own state-sponsored attackers to launch cyber attacks against their foes; state actors are often involved in multiyear intrusion campaigns targeting highly sensitive economic, proprietary, or national security information

3
Q

What category of threat actors have the lowest level of technical knowledge?

A

script kiddies

are individuals who want to perform attacks yet lack the technical knowledge to carry them out; they do their work by downloading freely available automated attack software (scripts) and use it to perform malicious acts

4
Q

Complete this definition of information security: that which protects the integrity, confidentiality, and availability of information….

A

through products, people and procedures on the devices that store, manipulate, and transmit the information

the definition has three parts: first, information security is protection; second, it protects information that provides value to people and enterprises; third, it protects the integrity, confidentiality, and availability of that information on the devices that store, manipulate, and transmit it

5
Q

Which type of attacker will probe a system for weaknesses and then privately provide that information back to the organization?

A

white hat hackers

6
Q

Which component of the CIA triad ensures that only authorized parties can view protected information?

A

confidentiality

confidentiality ensures that only authorized parties can view protected information; it is distinct from availability, which ensures that authorized users can access the information when they need it (the answer "availability" is a common mix-up on this card)

7
Q

The first cyber attacks were mainly performed for what purpose?

A

Fame

the very first cyber attacks were mainly for the threat actors to show off their technology skills; however that soon gave way to threat actors with the focused goal of financial gain (fortune)

8
Q

What is NOT true regarding the goal/outcome of security?

A

security is a war that must be won at all costs

the goal is not complete victory but maintaining equilibrium: as attackers take advantage of a weakness in a defense, defenders must respond with an improved defense; information security is an endless cycle between attacker and defender

9
Q

What term is not used to describe those who attack computer systems?

A

hacker

in the past, "hacker" referred to a person who used advanced computer skills to attack computers; because the title carried a negative connotation and lumped very different actors together, it has been replaced by the more general term "threat actor", which is then qualified to distinguish between the different types of attackers

10
Q

Which component of the CIA triad ensures that information is correct and no unauthorized person has altered it?

A

integrity

integrity ensures that the information is correct and no unauthorized person or malicious software has altered the data

11
Q

What is true regarding the relationship between security and convenience?

A

security and convenience are inversely proportional

the more secure something is, the less convenient something may become to use

12
Q

After Bella earned her security certification, she was offered a promotion. She saw that in this position she will report to the CISO and supervise a group of security technicians. Which security position has she been offered?

A

security manager

the security manager reports to the CISO and supervises techs, admins, and security staff; typically a security manager works on tasks identified by the CISO and resolves issues identified by technicians; this position requires an understanding of configuration and operation but not necessarily technical mastery

13
Q

What is the term used to describe the connectivity between an organization and a third party?

A

system integration

system integration is a third-party risk that arises when a company must connect to a separate company's network to perform business functions or transactions; the two companies' networks often do not integrate seamlessly and require "work-arounds", which can introduce vulnerabilities

14
Q

How do vendors decide which should be the default settings on a system?

A

those settings that provide the means by which the user can immediately begin to use the product

15
Q

What is the category of threat actors that sell their knowledge of vulnerabilities to other attackers or governments?

A

brokers

individuals who uncover weaknesses do not report them to the software vendor but instead sell the vulnerability to the highest bidder

16
Q

List some recognized attack vectors.

A

1) email - 94% of all malware is delivered via email
2) wireless - can be intercepted
3) removable media - plugging in random thumb drive embedded with malware
4) direct access
5) social media
6) supply chain - very difficult to defend given the nature of the global economy

17
Q

What is typically not an issue with patching?

A

patches addressing zero-day vulnerabilities

1) firmware is difficult to patch, if at all
2) outside of major OS updates, patches for apps are uncommon
3) delays in patching - an available update may cause a business application to stop running properly, so the business delays updating until it can adjust the application to work with the update

18
Q

What are vulnerabilities associated with legacy platforms?

A

a legacy platform is no longer in widespread use, often because it has been replaced by an updated version of the earlier technology; although legacy hardware introduces some vulnerabilities, more often vulnerabilities result from legacy software, such as an OS or program, that no longer receives security fixes

for a variety of reasons - limited hardware capacity, an application that only operates on a specific OS version or even neglect - an OS may not be updated, thus depriving it of these security fixes

19
Q

What are vulnerabilities associated with improper or weak patch management?

A

as important as patches are, weak patch management creates vulnerabilities:

  • difficulty patching firmware (software embedded in hardware): updating firmware is often difficult and requires specialized steps
  • few patches for application software: outside of major OS updates, applications are frequently not updated after installation
  • delays in patching the OS: companies will delay deploying a patch if it causes a business application to stop functioning properly

20
Q

What are vulnerabilities associated with data storage?

A

data storage can be considered a third-party vulnerability because many organizations rely on third-party storage; this reduces the capital expenditure of purchasing, installing and managing storage hardware and software and gives employees remote access from almost any location, but it also places the organization's data on infrastructure the organization does not control and exposes it through that remote access

21
Q

What are vulnerabilities associated with outsourced code?

A

outsourced code development is a third-party vulnerability because organizations that outsource development cannot closely monitor how the code is written and/or lack the technical knowledge to identify potential malware in the delivered code

22
Q

What are some vulnerabilities associated with supply chain?

A

supply chains are a third-party vulnerability; products move through many steps in the supply chain, and because some of those steps are not closely supervised, malware can be injected into products during manufacturing or storage (supply chain infections)

23
Q

What are some vulnerabilities associated with vendor management?

A

vendor management is the process organizations use to monitor and manage the interactions with all of their external 3rd parties

system integration is the connectivity between the organization and a 3rd party vendor; this can cause vulnerability because the systems are often not compatible and require work-arounds; another vulnerability can arise because not all organizations are equipped with the expertise to handle the system integration (lack of vendor support)

the principle of the weakest link often is the major risk in working with 3rd parties

24
Q

List and explain the seven weak configurations that can lead to vulnerabilities.

A
  • default settings: predetermined for usability and ease of use so the user can use the product immediately; ex) a router ships with a default password that is widely known
  • open ports and services: devices are often shipped with the most access allowed, leaving it to the user to close the ports the organization does not need; ex) a firewall comes with FTP ports 20 and 21 open
  • unsecured root accounts: a root account gives unfettered access to all resources
  • open permissions: users have access to files that should be restricted
  • unsecure protocols: the configuration uses communication protocols that do not provide adequate protection (for example, protocols that send credentials in cleartext)
  • weak encryption: choosing an encryption mechanism that is known to be vulnerable
  • errors: human mistakes in selecting one setting over another without considering the security implications

25
Q

What is zero-day vulnerability?

A

a zero-day vulnerability is one that is exploited before the developer is aware of it or has released a fix; it is considered extremely dangerous because systems are open to attack with no specific patch available

the name comes from the vendor having had "zero days" to address the flaw

26
Q

What are some of the vulnerabilities associated with On-Premises Platforms versus Cloud Platforms?

A

for on-premises platforms the vulnerabilities include misconfiguration of resources as new servers and software are added during growth, along with numerous entry points (USB drives, wireless network transmissions, mobile devices, and email)

for cloud platforms the vulnerabilities are most often based on misconfigurations by company personnel; cloud resources are accessible from virtually everywhere putting them under constant threat

27
Q

What are the 7 attack vectors covered in the book?

A

1) email
2) wireless
3) removable media
4) direct access
5) social media
6) supply chain
7) cloud

28
Q

What are COMPETITORS in reference to threat actors?

A

competitors are rival organizations (or people acting for them) that attack an opponent's systems to steal proprietary or confidential information and gain a business advantage

note: the description "employees who become frustrated with the slow pace of acquiring technology and purchase and install their own equipment in violation of company policy" is shadow IT, not competitors; shadow IT is a separate category and causes weaknesses in the network because the unsanctioned equipment may not be configured properly

29
Q

What are BLACK, WHITE, and GRAY HAT hackers?

A

a BLACK HAT HACKER is a threat actor who violates computer security for personal gain or to inflict malicious damage

a WHITE HAT HACKER is a threat actor who attempts to probe a system for weaknesses and then privately provide that information back to the organization

a GRAY HAT HACKER is a threat actor who attempts to break into a computer system without the organization's permission but not for their own advantage; instead they publicly disclose the attack in order to shame the organization into taking action

30
Q

What are script kiddies?

A

script kiddies are a category of threat actor who want to perform attacks yet lack the technical knowledge to carry them out

they do their work by downloading freely available automated attack software (scripts) and use it to perform malicious acts

31
Q

What are hacktivists?

A

a category of threat actor that is strongly motivated by ideology

types of attacks include changing contents of a website to make a political statement

today many hacktivists work through disinformation campaigns by spreading fake news and supporting conspiracy theories

32
Q

What is a state actor?

A

a category of threat actor that is sponsored by a government to launch cyber attacks

many security researchers believe state actors might be the deadliest category of threat actor

they are highly skilled and have much more resources than the other categories of threat actors

33
Q

What is an insider threat?

A

a category of threat actor that comes from a company’s own employees, contractors, and business partners

34
Q

What are the principles of social engineering?

A

social engineering is effective because of 7 principles:

1) authority - to impersonate an authority figure or falsely cite their authority
2) intimidation - to frighten and coerce by threat
3) consensus - to influence by what others do
4) scarcity - to refer to something in short supply
5) urgency - to demand immediate action
6) familiarity - to give the impression the victim is well known and well received
7) trust - to inspire confidence

35
Q

What are influence campaigns and give two examples.

A

influence campaigns are a social engineering attack used to sway attention and sympathy in a particular direction

ex1) social media influence campaign
ex2) hybrid warfare influence campaign

probably the most well known social influence campaign was the 2016 presidential election

36
Q

What is impersonation in reference to information security?

A

a type of social engineering where a threat actor masquerades as a real or fictitious character and then plays the role of that person with the victim

37
Q

What is typo-squatting?

A

a type of social engineering where a threat actor registers domain names that are spelled similarly to the names of real sites, so that users who mistype an address land on the attacker's site

an example is a threat actor purchasing the domain name www.gooogle.com (too many “o’s”)
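The following is an added example (not from the original flashcards) of how a defender can detect typo-squat lookalikes of a protected domain: it generates the common typing-error variants of a brand label (dropped letter, doubled letter, adjacent QWERTY key, ASCII look-alike digit, swapped neighbours) and then classifies an observed hostname against them. The brand list, the QWERTY neighbour map and the sample domains are constructed for the example; it also assumes single-label TLDs, so `co.uk`-style suffixes would need extra handling.

```python
"""Generate typo-squat variants of a domain label and flag lookalike hostnames."""

# Adjacent keys on a US QWERTY layout (assumption: letters only are enough here).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh", "u": "yij",
    "i": "uok", "o": "ipl", "p": "ol", "a": "qsz", "s": "adwx", "d": "sfec", "f": "dgrv",
    "g": "fhtb", "h": "gjyn", "j": "hkum", "k": "jlio", "l": "kop", "z": "xa", "x": "zsc",
    "c": "xvd", "v": "cbf", "b": "vng", "n": "bmh", "m": "nj",
}
# Visually confusable single-character substitutions that stay within ASCII.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5"}


def typo_variants(label: str) -> set:
    """Return one-edit typo-squat candidates of a registrable label (no TLD)."""
    v = set()
    for i, ch in enumerate(label):
        v.add(label[:i] + label[i + 1:])                      # omission: gogle
        v.add(label[:i] + ch + label[i:])                     # repetition: gooogle
        for n in QWERTY_NEIGHBOURS.get(ch, ""):               # adjacent key: giogle
            v.add(label[:i] + n + label[i + 1:])
        if ch in HOMOGLYPHS:                                  # homoglyph: g0ogle
            v.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i + 1 < len(label) and label[i] != label[i + 1]:   # transposition: googel
            v.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    v.discard(label)
    return v


def split_domain(domain: str):
    """Split 'www.gooogle.com' into ('gooogle', 'com'); assumes a single-label TLD."""
    parts = domain.lower().rstrip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[-2], parts[-1]


def classify(domain: str, brands: dict) -> str:
    """Return 'legitimate', 'typosquat:<brand>' or 'unrelated' for a hostname.

    brands maps each protected label to the set of TLDs it is legitimately registered under,
    so the brand name under an unexpected TLD is also reported as a squat.
    """
    label, tld = split_domain(domain)
    if label in brands:
        return "legitimate" if tld in brands[label] else f"typosquat:{label}"
    for brand in brands:
        if label in typo_variants(brand):
            return f"typosquat:{brand}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs: the card's own gooogle.com example plus a few other squats.
    protected = {"google": {"com"}}
    for host in ["www.gooogle.com", "google.com", "gogle.com", "googel.com", "g0ogle.com", "example.com"]:
        print(f"{host:20} -> {classify(host, protected)}")
```

The variant generator is the same one a defender would feed into a DNS-registration watch or a mail-gateway sender-domain check; in practice you would also compare against the Unicode confusables list, since real squats use non-ASCII homoglyphs as well.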

38
Q

What is a hoax in reference to information security?

A

a hoax is a false warning often contained in an email message claiming to come from the IT department; threat agents can use hoaxes as a first step in an attack

an example is an email seemingly from the IT department that a virus is circulating through the internet and that the victim should erase specific files or change security settings

39
Q

What is a watering hole attack?

A

a type of social engineering attack that is directed toward a smaller group of specific individuals such as executives; an attacker who wants to target these individuals tries to determine a website they commonly visit and then infects that site with malware that will make its way onto the group's computers

40
Q

What is an Advanced Persistent Threat (APT)?

A

a category of threat actor that use innovative tools (advanced) and once a system is compromised, they silently extract data over an extended period of time (persistent)

APTs are most commonly associated with state actors

41
Q

What is reconnaissance?

A

a social engineering technique where a threat actor gathers information about a potential victim; the more information that can be gathered the more likely the threat actor will appear genuine

42
Q

What is credential harvesting?

A

the collection of account credentials (usernames, passwords and similar secrets) from victims, most often through phishing messages that lead to a fake login page; the harvested credentials are then used to log in as the victim

it is distinct from reconnaissance, which gathers background information about the victim (usually from social media and the internet) so that the threat actor can appear genuine

43
Q

What are invoice scams?

A

a type of phishing attack where the attacker sends a fake invoice for a late payment to a victim, and the victim, in haste, makes or authorizes the payment

44
Q

What is Identity Fraud?

A

also known as impersonation, is a type of social engineering where a threat actor masquerades as a real or fictitious character and then plays that role with a victim

an example is a threat actor impersonating a help desk technician who calls a victim and pretends there is a problem with the network and elicits information from the victim

45
Q

What is prepending?

A

a social engineering technique that attempts to influence the subject before the event occurs

an example is a preview of a soon-to-be-released movie that begins with the statement, "The best film you will see this year!"

46
Q

What is whaling?

A

a type of spear phishing that targets high-value individuals (the "big fish"), such as senior executives or wealthy individuals

47
Q

What is eliciting information?

A

means to gather information by relying on the weaknesses of individuals; is a part of social engineering

48
Q

What is tailgating?

A

occurs when an authorized person opens a door to enter a secure facility and one or more individuals follows behind and also enters

49
Q

What is pharming?

A

a redirection technique where an attacker attempts to exploit how a URL is converted into its corresponding IP address; a threat actor may install malware on a user’s computer that redirects traffic away from its intended target to a fake website

50
Q

What is shoulder surfing?

A

a technique that can be used in any setting where an attacker can casually observe someone entering secret information, for example by standing behind the victim and looking over their shoulder at the keyboard or screen; unlike tailgating, it yields information rather than physical entry

51
Q

What is dumpster diving?

A

a type of social engineering that involves digging through trash receptacles to find information that can be useful in an attack

52
Q

What is spear phishing?

A

whereas phishing involves sending millions of generic email messages to users, spear phishing targets specific users; the emails used in spear phishing are customized to the recipients, including their names and personal information to make the messages appear legitimate

53
Q

What is Spam Over Internet Messaging (SPIM)?

A

SPIM is spam sent/delivered through instant messaging instead of email

54
Q

What is SPAM?

A

SPAM is unsolicited email that is sent to a large number of recipients

55
Q

What is Vishing?

A

instead of using email to contact a potential victim, the threat actor uses a phone call

56
Q

What is Smishing?

A

smishing is variation of vishing that uses short message service (SMS) text messages and callback recorded phone messages

57
Q

What is Phishing?

A

Phishing is sending an email message or displaying a web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information or taking an action

it is one of the most common forms of social engineering

58
Q

What are the 3 key objectives of cybersecurity programs?

A

confidentiality, integrity and availability

59
Q

Explain ‘confidentiality’ in regards to the CIA triad.

A

Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information.

60
Q

Explain ‘integrity’ in regards to the CIA triad.

A

Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Integrity controls, such as hashing and integrity monitoring solutions, seek to enforce this requirement.

61
Q

Explain ‘availability’ in regards to the CIA triad.

A

Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Availability controls, such as fault tolerance, clustering, and backups, seek to ensure that legitimate users may gain access as needed.

62
Q

What are the 3 key threats to cybersecurity efforts?

A

disclosure, alteration and denial

63
Q

Explain ‘disclosure’ in regards to the DAD triad.

A

Disclosure is the exposure of sensitive information to unauthorized individuals, otherwise known as data loss. Disclosure is a violation of the principle of confidentiality.

64
Q

Explain ‘alteration’ in regards to the DAD triad.

A

Alteration is the unauthorized modification of information and is a violation of the principle of integrity.

65
Q

Explain ‘denial’ in regards to the DAD tried.

A

Denial is the disruption of an authorized user’s legitimate access to information. Denial events violate the principle of availability.

66
Q

Define ‘control objectives’.

A

The requirements an organization wishes to achieve, derived from analyzing the organization's risk environment. Technical and business leaders determine the level of protection required to preserve the confidentiality, integrity and availability of their information and systems. Control objectives are statements of a desired security state; they do not themselves carry out any security activity.

67
Q

Define ‘security controls’.

A

are the specific measures that fulfill the security objectives of an organization.

68
Q

What are the 4 Security Control Categories as defined by CompTIA and define each.

A

Technical - enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

Operational - include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management.

Managerial - are procedural mechanisms that focus on the mechanics of the risk management process. Examples of managerial controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices.

Physical - are security controls that impact the physical world. Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.

69
Q

List and define the ‘Security Control Types’ as described by CompTIA.

A

Preventive controls - intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.

Deterrent controls - seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls.

Detective controls - identify security events that have already occurred. Intrusion detection systems are detective controls.

Corrective controls - remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.

Compensating controls - are controls designed to mitigate the risk associated with exceptions made to a security policy.

Directive controls - inform employees and others what they should do to achieve security objectives. Policies and procedures are examples of directive controls.

70
Q

Matt is updating the organization’s threat assessment process. What category of control is Matt implementing?

Operational

Technical

Corrective

Managerial

A

Managerial

Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Threat assessment is an example of one of these activities.

71
Q

Jade’s organization recently suffered a security breach that affected stored credit card data. Jade’s primary concern is the fact that the organization is subject to sanctions for violating the provisions of the Payment Card Industry Data Security Standard. What category of risk is concerning Jade?

Strategic

Compliance

Operational

Financial

A

Compliance

The breach of credit card information may cause many different impacts on the organization, including compliance, operational, and financial risks. However, in this scenario, Jade’s primary concern is violating PCI DSS, making his concern a compliance risk.

72
Q

Chris is responding to a security incident that compromised one of his organization’s web servers. He believes that the attackers defaced one or more pages on the website. What cybersecurity objective did this attack violate?

Confidentiality

Nonrepudiation

Integrity

Availability

A

Integrity

The defacement of a website alters content without authorization and is, therefore, a violation of the integrity objective. The attackers may also have breached the confidentiality or availability of the website, but the scenario does not provide us with enough information to draw those conclusions.

73
Q

Tonya is concerned about the risk that an attacker will attempt to gain access to her organization’s database server. She is searching for a control that would discourage the attacker from attempting to gain access. What type of security control is she seeking to implement?

Preventive

Detective

Corrective

Deterrent

A

Deterrent

Deterrent controls are designed to prevent an attacker from attempting to violate security policies in the first place. Preventive controls would attempt to block an attack that was about to take place. Corrective controls would remediate the issues that arose during an attack. Detective controls detect issues or indicators of issues.

74
Q

Greg is implementing a data loss prevention system. He would like to ensure that it protects against transmissions of sensitive information by guests on his wireless network. What DLP technology would best meet this goal?

Watermarking

Pattern recognition

Host-based

Network-based

A

Network-based

In this case, Greg must use a network-based DLP system. Host-based DLP requires the use of agents, which would not be installed on guest systems. Greg may use watermarking and/or pattern recognition to identify the sensitive information, but he must use network-based DLP to meet his goal.

75
Q

What term best describes data that is being sent between two systems over a network connection?

Data at rest

Data in transit

Data in processing

Data in use

A

Data in transit

Data being sent over a network is data in transit. Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. Data in processing, or data in use, is data that is actively in use by a computer system.

76
Q

Tina is tuning her organization’s intrusion prevention system to prevent false positive alerts. What type of control is Tina implementing?

Technical control

Physical control

Managerial control

Operational control

A

Technical control

Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

77
Q

Which one of the following is not a common goal of a cybersecurity attacker?

Disclosure

Denial

Alteration

Allocation

A

Allocation

The three primary goals of cybersecurity attackers are disclosure, alteration, and denial. These map directly to the three objectives of cybersecurity professionals: confidentiality, integrity, and availability.

78
Q

Tony is reviewing the status of his organization’s defenses against a breach of their file server. He believes that a compromise of the file server could reveal information that would prevent the company from continuing to do business. What term best describes the risk that Tony is considering?

Strategic

Reputational

Financial

Operational

A

Strategic

The risk that Tony is contemplating could fit any one of these categories. However, his primary concern is that the company may no longer be able to do business if the risk materializes. This is a strategic risk.

79
Q

Which one of the following data elements is not commonly associated with identity theft?

Social Security number

Driver’s license number

Frequent flyer number

Passport number

A

Frequent flyer number

Although it is possible that a frequent flyer account number, or any other account number for that matter, could be used in identity theft, it is far more likely that identity thieves would use core identity documents. These include drivers’ licenses, passports, and Social Security numbers.

80
Q

What term best describes an organization’s desired security state?

Control objectives

Security priorities

Strategic goals

Best practices

A

Control objectives

As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems. They express these requirements by writing the control objectives that the organization wishes to achieve. These control objectives are statements of a desired security state.

81
Q

What technology uses mathematical algorithms to render information unreadable to those lacking the required key?

Data loss prevention

Data obfuscation

Data minimization

Data encryption

A

Data encryption

Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

82
Q

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?

Detective

Corrective

Deterrent

Preventive

A

Preventive

The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

83
Q

What compliance regulation most directly affects the operations of a health-care provider?

HIPAA

PCI DSS

GLBA

SOX

A

HIPAA

Although a health-care provider may be impacted by any of these regulations, the Health Insurance Portability and Accountability Act (HIPAA) provides direct regulations for the security and privacy of protected health information and would have the most direct impact on a health-care provider.

84
Q

Nolan is writing an after action report on a security breach that took place in his organization. The attackers stole thousands of customer records from the organization’s database. What cybersecurity principle was most impacted in this breach?

Availability

Nonrepudiation

Confidentiality

Integrity

A

Confidentiality

The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality.

85
Q

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?

Integrity

Nonrepudiation

Availability

Confidentiality

A

Nonrepudiation

The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

86
Q

Which one of the following data protection techniques is reversible when conducted properly?

Tokenization

Masking

Hashing

Shredding

A

Tokenization

Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.
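An added example (not from the original flashcards) that makes the reversibility distinction concrete: a token vault that can map a token back to the original value, a masking function that keeps only the last four digits, and a keyed hash. The vault is an in-memory dictionary and the card number is a constructed test value; a real tokenization service would keep the vault in a separately secured store. The keyed hash also shows the caveat behind "if performed properly": an unkeyed hash of a low-entropy value such as a 16-digit PAN can be reversed by guessing.

```python
"""Tokenization (reversible via a vault) versus masking and hashing (not reversible)."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random tokens to original values; the lookup table is the only way back."""

    def __init__(self):
        self._to_value = {}
        self._to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._to_token:                 # same value -> same token
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(8)       # random, unrelated to the value
        self._to_value[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]                # KeyError for an unknown token


def mask_pan(pan: str) -> str:
    """Keep the last four digits; everything else becomes '*'. Nothing to reverse."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC). Without a secret key, an attacker holding the hashes can
    enumerate all plausible PANs offline and match them; the key removes that option."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def can_recover_by_guessing(target_hash: str, candidates, key: bytes) -> bool:
    """Offline guessing attack: succeeds only if the attacker knows the key used."""
    return any(hash_pan(c, key) == target_hash for c in candidates)


if __name__ == "__main__":
    pan = "4111111111111111"                        # constructed test card number
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("token:", token, "->", vault.detokenize(token))
    print("masked:", mask_pan(pan))
    print("hashed:", hash_pan(pan, b"server-side-secret"))
```

The tokenization path is why PCI DSS scope shrinks when systems only ever see tokens: the value is recoverable, but only by whoever holds the vault. Masking is a display control, and a hash is only irreversible in practice when the input space is large or the hash is keyed.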

87
Q

Which one of the following statements is not true about compensating controls under PCI DSS?

Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

Controls must meet the intent of the original requirement.

Controls must meet the rigor of the original requirement.

Compensating controls must provide a similar level of defense as the original requirement.

A

Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement

PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.