Security+ Acronyms Flashcards

1
Q

PCI DSS

A

PCI DSS - Payment Card Industry Data Security Standards

Defines how to manage credit/debit card data

Specific controls: there are 12, but these are the ones usually discussed:
Company must have an annual security test/audit
All user accounts must be unique
Never store the CVV code of the card

lesson 1

2
Q

NIST

A

National Institute for Standards and Technology

US government agency that makes standards and guidelines

Describes/defines a cybersecurity framework with 5 functions:
Identify
Protect
Detect
Respond
Recover

lesson 1

3
Q

GDPR

A

GDPR - General Data Protection Regulation

EU law regarding privacy protections, applying both inside and outside the EU

Must have informed consent to be able to use someone's personal data

Exam tip: usually has international implications

lesson 1

4
Q

ISO 31000

A

ISO - International Organization of Standardization

31000 - specification which lists enterprise risk management (ERM) best practices

lesson 1

5
Q

Security Control Functional Types

A

Type 1:
Preventative - before attack - physical or logical
Detective - during attack - record successful or failed attacks - security guard monitoring camera
Corrective - after attack - responds to and/or fixes an incident - security guard response

Type 2:
Deterrent - psychological - unmonitored camera
Physical - gates, fences, locks, camera, signs
Compensating - substitute for a principal control, as recommended by a security standard

lesson 1

6
Q

NIST CSF

A

National Institute of Standards and Technology Cybersecurity Framework

A list of activities and objectives undertaken to mitigate risks

lesson 1

7
Q

ISO 27001

A

International Organization of Standardization

27001 - information security rules and regulations (compliance/regulations)

lesson 1

8
Q

ISO 27701

A

ISO - International Organization of Standardization
27701 - focuses on personal data and privacy rules

lesson 1

9
Q

ISO 27702

A

ISO - International Organization of Standardization

27702 - Information Security best practices

lesson 1

10
Q

ISO 22301

A

ISO - International Organization of Standardization

22301 - Security & resilience, business continuity management

lesson 1

11
Q

SSAE SOC2, SOC3

A

SSAE - Statements on Standards for Attestation Engagements
-audit specifications that assure consumers that service providers (cloud or 3rd party) meet professional standards

SOC - Service Organization Control
SOC2 - evaluates the internal controls (relative to the CIA triad) of the service provider; internal report between auditor, regulator, and provider; detailed reports
SOC3 - less detailed reports certifying compliance with SOC2 results; freely distributed

lesson 1

12
Q

CSA
CSPs
ERA
Cloud Control Matrix

A

CSA - Cloud Security Alliance

an organization that defines cloud frameworks to assist CSPs in setting up and delivering secure cloud platforms; also useful for consumers in selecting CSPs

CSPs - Cloud Service Providers

ERA - Enterprise Reference Architecture, best practices for architecting cloud solutions

Cloud Control Matrix - a list of specific controls and assessment guidelines for CSPs; the baseline level of security a CSP should meet

lesson 1

13
Q

CIS

A

Center for Information Security

known for the 20 CIS controls

produces benchmarks for different aspects of cybersecurity (PCI DSS, ISO 2700, etc)

lesson 1

14
Q

STIGs

A

STIGs - Security Technical Implementation Guides, DOD Cyber Exchange guidelines for hardening hardware and software

example of OS/Vendor guidelines

lesson 1

15
Q

OWASP

A

Open Web Application Security Project

organization that publishes the top 10 most critical app security risks

develops resources (Zed Attack Proxy and Juice Shop) to help investigate and understand pen testing and app security issues

lesson 1

16
Q

SOX

A

Sarbanes-Oxley Act

Due diligence - responsible persons have not been negligent in the discharge of their duties
US regulation/legislation mandating the implementation of risk assessments, internal controls, and audit procedures

lesson 1

17
Q

Computer Security Act

A

Requires federal agencies to develop security policies for computer systems that process confidential information

lesson 1

18
Q

FISMA

A

Federal Information Security Management Act

governs the security of data processed by federal government agencies

lesson 1

19
Q

GLBA

A

Gramm-Leach-Bliley Act

Financial services legislation

lesson 1

20
Q

HIPAA

A

Health Insurance Portability and Accountability Act

Health information protection legislation

lesson 1

21
Q

Security Control Categories

A

Managerial
-controls that give oversight of the system

Operational
-controls that depend on a person for implementation

Technical
-controls implemented in operating systems, software, and security appliances

lesson 1

22
Q

CIA Triad

A

Secure information has 3 properties:

C - Confidentiality
-certain info should only be known to certain people

I - Integrity
-data is stored and transferred as intended, modifications are authorized

A - Availability
-information is accessible to those authorized to view or modify it

Non-repudiation
-a subject cannot deny doing something, such as creating, modifying, or sending a resource

23
Q

ACL

A

Access Control List
a very broad term; could mean many things
used in firewalls and on file system objects (permissions)
an example of a preventative security control

lesson 1

24
Q

Shadow IT

A

IT systems deployed by people outside the central IT department as a workaround for shortcomings of the officially implemented IT systems

example: installing an access point in your office

aka Rogue IT, Fake IT, Stealth IT

lesson 2

25
Q

Vulnerability

A

Any weakness in a system that could lead to a security breach, intentionally or unintentionally
Asset value
Ease of exploit

lesson 2

26
Q

Threat

A

Potential for a vulnerability to be exploited
Internal/External
Malicious/accidental
Threat actor
Threat vector

lesson 2

27
Q

Risk

A

likelihood and impact of a threat actor exploiting a vulnerability
Risk = vulnerability + threat

Risk = likelihood * impact

lesson 2

28
Q

Hats - white, black, grey

A

white hat - attacks performed for good; authorized/planned attacks
black hat - attacks performed with malicious intent; unauthorized
grey hat - a mix of white and black hat; similar to breaking in through a faulty lock, fixing the lock, and leaving a note that it was fixed

lesson 2

29
Q

Script kiddies

A

untrained attackers, usually just using a script found on the internet, etc.

lesson 2

30
Q

hacktivists

A

hacking to prove a point, not necessarily with malicious intent or for monetary gain

lesson 2

31
Q

APT

A

Advanced Persistent Threat

refers to the ongoing ability of an adversary to compromise network security to obtain and maintain access using a variety of tools and techniques

used by state actors, who have nation backing and a high amount of resources

lesson 2

32
Q

State Actor

A

state- or nation-backed attackers, usually military/secret services
highly sophisticated
use APTs
purpose is espionage and strategic advantage
deniability
false flag operations

lesson 2

33
Q

Insider threat actor

A

an actor who already has access (employees, contractors, partners)

  • malicious - wanting to sabotage, or for financial gain or business advantage
  • unintentional - due to:
    - weak policies/procedures and/or weak adherence to policy
    - lack of training
    - Shadow IT

lesson 2

34
Q

Attack surface

A

points where attacker can discover/exploit vulnerabilities in a network or application

lesson 2

35
Q

Attack Vectors

A

how an attacker accesses the system:
direct access
removable media
email
remote and wireless
supply chain
web and social media
cloud

lesson 2

36
Q

TTP

A

Tactics, techniques, and procedures

a threat research source

attempts to tell you how you are being attacked, identifies attackers

describes what and how an attacker acts

lesson 2

37
Q

Honeypot

Honeynet

A

honeypot - a decoy system that tricks attackers into attacking it
honeynet - a network of honeypots

intention is to learn about attackers and how they operate on a given system

A form of threat research

lesson 2

39
Q

ISACs

A

Intelligence Sharing and Analysis Centers

share threat intelligence and promote best practices

lesson 2

40
Q

OSINT

A

Open source intelligence threat data sources

a threat resource

lesson 2

41
Q

Threat Research Sources

A

a counter-intelligence gathering effort to discover the tactics, techniques, and procedures (TTPs) of attackers
sources:
security solution providers - companies that assist in this effort
dark net
dark web
honeypots/honeynets

42
Q

IOC

A

Indicator of Compromise
a residual sign that an asset or network has been successfully attacked or is continuing to be attacked
or
evidence of a TTP

describes how to recognize what attack actions might look like

examples:
unauthorized software and files
suspicious emails
suspicious registry and file system changes
unknown port and protocol usage
excessive bandwidth
rogue hardware
service disruption and defacement
suspicious or unauthorized account usage

lesson 2

43
Q

STIX

A

Structured Threat Information eXpression

threat data feed framework, syntax for describing Cyber Threat Intel (CTI)

lesson 2

44
Q

TAXII

A

Trusted Automated eXchange of Indicator Information

a protocol for transmitting Cyber Threat Intel (CTI) data between servers and clients

lesson 2

45
Q

AIS

A

Automated Indicator Sharing

A service offered by Dept of Homeland Security (DHS) for companies to participate in threat intelligence sharing

lesson 2

46
Q

Threat Map

A

animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform

lesson 2

47
Q

CVSS

A

Common Vulnerability Scoring System

lesson 3

48
Q

CVE

A

Common Vulnerabilities and Exposures

a threat feed; a database of these items maintained by MITRE

Information about vulnerabilities is codified as signatures and scanning scripts that can be supplied as feeds to automated vulnerability scanning software

lesson 2

49
Q

SIEM

A

Security Information and Event Management

threat intel provider platform

utilizes AI to correlate CTI data with observed data from customer networks

lesson 2

50
Q

SOAR

A

Security Orchestration, Automation and Response

designed as a solution to the problem of the volume of alerts overwhelming analysts' ability to respond

Can be combined with SIEM

scans the organization's store of security and threat intelligence, analyzes it using machine/deep learning techniques, and then uses that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting

lesson 2