Section 2: Cybersecurity Concepts

Question 1

The following are generally the approaches to implementing cybersecurity except:

a. Compliance-based
b. Risk-based
c. Ad hoc
d. Periodic

Answer 1

d. Periodic

In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches.

Question 2

Also known as standards-based security approach.

Answer 2

Compliance-based approach to implementing cybersecurity

Question 3

This approach relies on regulations or standards to determine security implementations.

Answer 3

Compliance-based approach to implementing cybersecurity

Question 4

This approach implements controls regardless of applicability or necessity and often leads to a “checklist” attitude toward security.

Answer 4

Compliance-based approach to implementing cybersecurity

Question 5

This approach relies on identifying the unique risk the organization faces and designing and implementing security controls to address that risk.

Answer 5

Risk-based approach to implementing cybersecurity

Question 6

This approach simply implements security with no particular rationale or criteria.

Answer 6

Ad-hoc approach to implementing cybersecurity

Question 7

The combination of the probability of an event and its consequence.

Answer 7

Risk

Question 8

Anything that is capable of acting against an asset in a manner that can result in harm.

Answer 8

Threat

Question 9

A potential cause of an unwanted incident.

Answer 9

Threat (as defined by ISO/IEC 13335)

Question 10

The actual process or agent attempting to cause harm.

Answer 10

Threat source

Question 11

The result or outcome of a threat agent’s malicious activity.

Answer 11

Threat event

Question 12

Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.

Answer 12

Asset

Question 13

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

Answer 13

Vulnerability

Question 14

The remaining risk after management has implemented a risk response.

Answer 14

Residual risk

Question 15

The risk level or exposure without taking into account the actions that management has taken or might take.

Answer 15

Inherent risk

Question 16

When assessing a threat, cybersecurity professionals often analyze the threat’s _____ and _____ in order to rank and prioritize it among other existing threats.

Answer 16

Likelihood and impact

Question 17

To measure risk, the following criteria is considered except:

a. Risk tolerance
b. Size and scope of environment in question
c. Amount of data available
d. System tools used

Answer 17

d. System tools used is not one of the criteria in measuring risk.

Question 18

A threat agent that is known to breach security boundaries and perform malicious acts to gain a competitive advantage.

Answer 18

Corporations

Question 19

A threat agent that often targets government and private entities with a high level of sophistication to obtain intelligence or carry out other destructive activities.

Answer 19

Nation states

Question 20

A threat agent that often acts independently and targets specific individuals or organizations to achieve various ideological ends

Answer 20

Hacktivist

Question 21

A threat agent characterized by their willingness to use violence to achieve their goals and frequently target critical infrastructures and government groups

Answer 21

Cyberterrorists

Question 22

A threat agent that is motivated by the desire for profit and involved in fraudulent financial transactions

Answer 22

Cybercriminals

Question 23

A threat agent that is often likened to hacktivists

Answer 23

Cyberwarriors

Question 24

A threat agent that is also referred to as cyberfighters

Answer 24

Cyberwarriors

Question 25

A threat agent that are usually nationally motivated citizens who may act on behalf of a political party or against another political party that threatens them

Answer 25

Cyberwarriors

Question 26

Young individuals who are learning how to hack

Answer 26

Script kiddies

Question 27

A threat agent that is skilled in social engineering and is frequently involved in cyberbullying, identity theft, and collection of other confidential information or credentials.

Answer 27

Online social hackers

Question 28

A threat agent that typically have fairly low-tech methods and tools

Answer 28

Employees

Question 29

The actual occurrence of a threat

Answer 29

Attack

Question 30

The activity by a threat agent (or adversary) against an asset

Answer 30

Attack

Question 31

The path or route used to gain access to the target (asset)

Answer 31

Attack vector

Question 32

What are the two types of attack vectors?

Answer 32

1. Ingress (or intrusion)

2. Egress (or data exfiltration)

Question 33

Method used to deliver the exploit

Answer 33

Attack mechanism

Question 34

The container that delivers the exploit to the target

Answer 34

Payload

Question 35

The following are attack attributes except:

a. Attack vector
b. Payload
c. Vulnerability
d. Risk

Answer 35

d. Risk is not part of attack attributes.

The following are the attack attributes:

a. Attack vector
b. Payload
c. Exploit
d. Vulnerability
e. Target (Asset)

Question 36

A threat event that is made by a human threat agent

Answer 36

Adversarial threat event

Question 37

A threat event that is usually the result of an error, malfunction or mishap of some sort.

Answer 37

Non-adversarial threat event

Question 38

Rearrange the following to describe the common/generalized attack process most adversarial threat events follow:

\_\_\_ Create attack tools
\_\_\_ Coordinate a campaign
\_\_\_ Deliver malicious capabilities
\_\_\_ Exploit and compromise
\_\_\_ Perform reconnaissance
\_\_\_ Conduct an attack
\_\_\_ Maintain a presence or set of capabilities
\_\_\_ Achieve results

Answer 38

1. Perform reconnaissance
2. Create attack tools
3. Deliver malicious capabilities
4. Exploit and compromise
5. Conduct an attack
6. Achieve results
7. Maintain a presence or set of capabilities
8. Coordinate a campaign

Question 39

The following are examples of non-adversarial threat events except:

a. Pervasive disk errors
b. Fire, flood, hurricane, windstorm or earthquake
c. Incorrect privilege settings
d. Mishandling of critical vulnerabilities into software products

Answer 39

d. Other common examples of non-adversarial threat events are:

• Mishandling of critical or sensitive information by authorized users
• Introduction of vulnerabilities into software products

Question 40

A software designed to gain access to targeted computer systems, steal information or disrupt computer operations.

Answer 40

Malware (or malicious software)

Question 41

A computer worm discovered in 2010 that was used to compromise Iranian nuclear systems and software

Answer 41

Stuxnet

Question 42

A malware discovered in 2012 that was used to record keyboard activity and network traffic as well as screenshots, audio and video communications such as Skype.

Answer 42

Flame (or Flamer or Skywiper)

Question 43

A piece of code that can replicate itself and spread from one computer to another and requires intervention or execution to replicate and/or cause damage

Answer 43

Virus

Question 44

A variant of the computer virus which is essentially a piece of self-replicating code designed to spread itself across computer networks and does not require intervention or execution to replicate

Answer 44

Network worm

Question 45

A piece of malware that gains access to a targeted system by hiding within a genuine application

Answer 45

Trojan horse

Question 46

A large, automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks as denial-of-service.

Answer 46

Botnet

Question 47

A class of malware that gathers information about a person or organization without the knowledge of that person or organization

Answer 47

Spyware

Question 48

Designed to present advertisements (generally unwanted) to users

Answer 48

Adware

Question 49

A class of extortive malware that locks or encrypts data or functions and demands a payment to unlock them

Answer 49

Ransomware

Question 50

A class of malware that secretly records user keystrokes and, in some cases, screen content

Answer 50

Keylogger

Question 51

A class of malware that hides the existence of other malware by modifying the underlying operating system

Answer 51

Rootkit

Question 52

Complex and coordinated attacks directed at a specific entity or organization

Answer 52

Advanced persistent threats

Question 53

A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions.

Answer 53

Backdoor

Question 54

An attack made by trying all possible combinations of passwords or encryption keys until the correct one is found.

Answer 54

Brute force attack

Question 55

Occurs when a program or process tries to store more data in a buffer than it was intended to hold

Answer 55

Buffer overflow

Question 56

A type of injection in which malicious scripts are injected into otherwise benign and trusted websites

Answer 56

Cross-site scripting (XSS)

Question 57

Occurs when an attacker uses a web application to send a malicious code, generally in the form of a browser side script, to a different end user

Answer 57

Cross-site scripting (XSS)

Question 58

An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate

Answer 58

Denial-of-service (Dos) attack

Question 59

An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder’s own, eventually assuming control of the communication

Answer 59

Man-in-the-middle attack

Question 60

Any attempt to exploit social vulnerabilities to gain access to information and/or systems

Answer 60

Social engineering

Question 61

A type of email attack that attempts to convince a user that the originator is genuine but with the intention of obtaining information for use in social engineering

Answer 61

Phishing

Question 62

An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim

Answer 62

Spear phishing

Question 63

Faking the sending address of a transmission in order to gain illegal entry into a secure system

Answer 63

Spoofing

Question 64

Results from failure of the application to appropriately validate input

Answer 64

SQL injection

Question 65

A vulnerability that is exploited before the software creator/vendor is even aware of its existence

Answer 65

Zero-day exploit

Question 66

True or false: Access control policies are a primary element of cybersecurity and governance.

Answer 66

False: Information security policies are a primary element of cybersecurity and governance.

Question 67

True or false: Most organizations should create security policies prior to developing a security strategy.

Answer 67

True

Question 68

Policies, standards, and procedures that outline the actions that are required or prohibited.

Answer 68

Compliance documents

Question 69

Defined as the way that compliance documents relate to and support each other

Answer 69

Policy framework

Question 70

Compliance document type that communicate required and prohibited activities and behaviors

Answer 70

Policies

Question 71

Compliance document type that interpret policies in specific situations

Answer 71

Standards

Question 72

Compliance document type that provide details on how to comply with policies and standards

Answer 72

Procedures

Question 73

Compliance document type that provide general guidance on issues such as “what to do in particular circumstances”

Answer 73

Guidelines

Question 74

True or false: The number and type of policies an organization chooses to implement varies based on the organization’s size, culture, assets, regulatory requirements and complexity of operations.

Answer 74

False: The number and type of policies an organization chooses to implement varies based on the organization’s size, culture, RISK, regulatory requirements and complexity of operations.

Question 75

The following topics are covered in access control policy except:

a. Log retention of super users
b. Physical and logical access provisioning
c. Least privilege/need to know
d. Segregation of duties

Answer 75

a. Log retention of super users

Access control policy should cover the following topics:

1. Physical and logical access provisioning life cycle
2. Least privilege/need to know
3. Segregation of duties
4. Emergency access

Question 76

The following topics are covered in security incident response policy except:

a. Statement of how incidents will be handled
b. Incident documentation and closing
c. Segregation of duties
d. Definition of information security incident

Answer 76

c. Segregation of duties is covered in access control policy, not in security incident response policy.

Question 77

Refers to a register of users who have permission to use a particular system resource.

Answer 77

Access control list (ACL)

Question 78

True or false: Change management is a standalone process that requires a comprehensive knowledge of enterprise operations and infrastructure to be implemented effectively.

Answer 78

False: Change management is NOT a standalone process; it draws upon a number of other processes and controls.

Question 79

Defined as solutions to software programming errors.

Answer 79

Patches

Question 80

True or false: Failure to apply patches to known security vulnerabilities is the most common cause of security breaches.

Answer 80

True

Question 81

The following are benefits of implementing a configuration management process except:

a. Verification of impact on related items
b. Ability to inspect different lines of defense for potential weaknesses
c. Assessment of a proposed change’s risk
d. Redundancy of the version control repository

Answer 81

d. Redundancy of the version control repository is dependent on the backup policy and not one of the benefits of configuration management process.