Security Part 1

Question 1

What is Defense in Depth?

Answer 1

It is a cybersecurity risk management strategy that is based on the idea that systems can never be completely secure

It encompasses 3 categories of controls:
- Physical
- Technical
- Administrative

Question 2

What is layered security?

Answer 2

• It is a part of the defense in depth technical controls
• It is a approach that creates overlapping protective layers so that if 1 security measure fails, deeper layers will stop or slow an attack
• Under this ideology, individual system components can never be completely secure

Question 3

What are stakeholders in IT?

Answer 3

• Systems analysts
• Internal end users
• Internal managers
• External companies (customers)
• Stakeholders are any individual/organization with an interest in/affected by an information system

Question 4

What is a cybercriminal?

Answer 4

They conduct ransomware attacks to extort money

Question 5

What is a cyberterrorist?

Answer 5

They interrupt critical systems to spread hear or create civil unrest

Question 6

Why would a company communicate social media policies to employees as part of a security awareness training program?

Answer 6

They would do that to reduce the risk of aiding cyberattack reconnaissance

Question 7

What is RECONNAISSANCE?

Answer 7

• The attacker will scan public sources to gather planning information
• Employees who are not cyber aware may post something on social media that attackers can use for malicious purposes
• Ex: Employee may post on instagram where they work and attackers can use that info for malicious purposes

Question 8

What is a replay attack?

Answer 8

• The threat agent intercepts info while it is being transmitted and resubmits it to trick another system into providing more info
• Ex: if an encrypted bank password is intercepted, the attacker may later resubmit it to transfer funds
• In this case, the attacker would appear as the original sender because the encrypted password would match

Question 9

What is a preventitive control in a replay attack?

Answer 9

It would be to add time/session stamps to all encrypted messages

Question 10

What is an attack surface?

Answer 10

• It is the sum of all the points where an attacker can try to gain unauthorized access to an organization’s environment
• Adding more IoT devices expands the attack surface, creating additional weaknesses

Question 11

What are some common authentication techniques?

Answer 11

• Iris reader
• Fingerprint reader
• Facial recognition
• Smart card reader

Question 12

What is a digital signature?

Answer 12

• It is something that uses data encryption to record a unique identifier, and other info such as the date, time, and location of the signature
• This stamp protects electronic documents from unauthorized alteration and records signers’ identity
• It would NOT prevent unauthorized access to a company payroll file because it is not used to grant entry into a system

Question 13

What is the Internet of Things?

Answer 13

• It is a network of physical objects with embedded sensors, software used to connect and exchange data via the internet
• IoT devices use unencrypted communication channels, leaving the data transmitted between the devices vulnerable to attacks

Question 14

What is Man in the Middle?

Answer 14

It is an attack where attackers can intercept, read, and alter data in transit from one person to another person

Question 15

What is a buffer overflow attack?

Answer 15

It is an attack that exploits hardware memory limitations

Question 16

What is a buffer?

Answer 16

It is a temporary storage area used to hold data for processing/transmission

Question 17

What do software coding errors create?

Answer 17

They create vulnerabilities that attackers can use to overwhelm a system

Question 18

What is a covert channel attack?

Answer 18

It is a cyberattack technique where an unauthorized intrasystem channel adds small bits of data to the stream without being detected

Question 19

What is a race condition attack?

Answer 19

• It is a cyberattack technique that exploits a brief gap in time during a processing sequence
• Ex: The moment between when a user logs in and when the login is verified in a database

Question 20

What is a SQL injection attack?

Answer 20

It is an attack where a SQL query is injected into an application through a data input field

Question 21

Organizations use what kind of controls to lessen the risks associated with cyberattacks?

Answer 21

• Preventitive
• Detective
• Corrective

Question 22

What is virus quarantining?

Answer 22

It corrects a detected incident in which files were infected with spyware, ransomware, malware

Question 23

What is firewall redundancy?

Answer 23

• It is a preventitive control
• Firewalls mitigate the risk of unauthrorized access

Question 24

What is network analysis?

Answer 24

• It is a detective control associated with computer-generated logging
• Ex: An event log records network traffic and usage, like logins, failed passwords

Question 25

What is software hardening?

Answer 25

• It is a preventitive control
• Hardening refers to implementing additional security measures, such as encryption/obfuscation (the act of making something unclear) to protect code from reverse engineering (code that is deconstructed)

Question 26

What does the SERVICE AUDITOR do in order to assess the suitability of the design of controls in a SOC 2 Type 2 examination?

Answer 26

• Understand management’s process for identifying risks that threaten the achievement of the service organization’s principal service commitments and system requirements
• Assess the completeness of management’s risk assessment
• Perform an independent risk assessment
• Determine whether management has implemented the controls

Question 27

When performing procedures, what can a service auditor request?

Answer 27

• Ad hoc computer-generated reports from the service organization’s databases
• To see if the retrieved data is relevant, the service organization personnel must input the query into the database

Question 28

What are the 5 components of the COSO ERM framework?

Answer 28

• Governance and culture (Ex of culture-building activities: security awareness training, creating operating structures, defining an entity’s desired cyber culture)
• Strategy and objective setting (Ex: Formulating business objectives)
  Performance
• Review and revision (Ex: Assessing changes)
• Information, communication, reporting

Question 29

What is least privilege?

Answer 29

This principle states that the system administrator should grant users only the minimum level of access rights necessary to perform an operation for the minimum time

Question 30

What is the need to know principle?

Answer 30

This principle states that users should only have access to info needed for the job function

Question 31

What is whitelisting?

Answer 31

It is a principle that involves using pre-approved lists to determine if an application can be installed, for example

Question 32

What is zero-trust?

Answer 32

It is a principle associated with intrusion detection systems nd treats all network data as suspicious

Question 33

Who are hacktivists?

Answer 33

They are people who conduct attacks to create an awareness of political or social causes

Question 34

What is the 1st step in threat modeling?

Answer 34

• To prepare a DETAILED INVENTORY LIST of all infrastructure components, including mobile devices that access the organization’s network
• Without a detailed inventory, it would be tough to identify if mobile activity originated from a legitimate insider vs a threat agent

Question 35

What is the 2nd step in threat modeling?

Answer 35

Preparing an inventory and mapping network connections

Question 36

What is the 3rd step in threat modeling?

Answer 36

Estimating the type, likelihood, and severity of threats

Question 37

What is the 4th step in threat modeling?

Answer 37

Reviewing policies that mitigate risk

Question 38

Security assessment reporting is a risk advisory engagement that applies what standard?

Answer 38

Statements on Standards for Consulting Services

Question 39

What is Statements on Standards for Attestation Engagement?

Answer 39

Apply to SOC compliance, review, agreed-upon procedure engagements

Question 40

What is Statements on Auditing Standards?

Answer 40

GAAS apply to financial statement audits

Question 41

What is a data container?

Answer 41

• It is a separately encrypted storage site on a mobile device
• CONTAINERIZATION is a security control that allows for storage of critical business data apart from personal data on the same device

Question 42

What are 2 preconditions to a SOC 2 Type 2 examination?

Answer 42

1) Management takes responsibility for identify risks
2) Suitability of design and operating effectiveness of controls

Question 43

Intrusion PREVENTION system is

Answer 43

Installed on the organization’s network, between the external internet and the organization’s internal internet

Question 44

Intrusion DETECTION system is

Answer 44

installed on the user’s device (laptop) and protects external network access points by identifying and notifying admin of suspicious data requests

Question 45

What is log analysis?

Answer 45

It is a detective control that involves reviewing logs for errors or exceptions, which can help organizations find cybersecurity incidents AFTER they OCCUR

Question 46

What’s the purpose of TRUST SERVICES CRITERIA?

Answer 46

It’s used to benchmark controls in attestation and risk advisory engagements that evaluate the trust services categories of security, availability, processing integrity, confidentiality, or privacy

Question 47

What are the 3 types of trust services criteria?

Answer 47

1) Common Criteria
2) Supplemental Criteria
3) Additional category-specific criteria

Question 48

What is a digital certificate?

Answer 48

• It is an electronic file that allows organizations to send data securely over the internet
• They help the receiver of electronic communication verify the identity of the sender of such communication

Question 49

What is spear phishing?

Answer 49

• It is an attack that targets a specific individual
• It requires the attacker to research potential targets to gather credible info
• This info is used by the attacker to disguise themselves as a friend or colleague

Question 50

What is whaling?

Answer 50

It is a form of spear phishing that targets high-ranking individuals (Bob Harrison example) in an organization

Question 51

What is 1 way to prevent data leakage through mobile apps?

Answer 51

• To revoke user granted permissions
• Mobile users sometimes voluntarily give apps permissions to access their personal data without knowing if the app is secure

Question 52

What are the 5 stages in the vulnerability management cycle?

Answer 52

Risk assessment
Threat prioritization
Risk responses
Reassessment
Improvement

Question 53

What is another word for piggybacking?

Answer 53

Tailgating

Question 54

What is pass back?

Answer 54

It is where an individual with access permissions gives their access card to an unauthorized person

Question 55

What are some examples of risk assessment procedures?

Answer 55

Reperformance, inquiry, inspection, observation, and walkthroughs

Question 56

What is an exploit?

Answer 56

It is code/malicious software that is used to carry out an attack after a vulnerability has been identified

Question 57

During a risk advisory engagement to provide a security assessment report, what would a CPA do?

Answer 57

• They would perform vulnerability scans
• Vulnerability scans evaluate hardware, software, networks for security weaknesses

Question 58

What is electronic data interchange (EDI)?

Answer 58

It is the transfer of data or documents from one computer system to another

Question 59

What is discretionary access control?

Answer 59

• Under this control, the owner of the file (Excel for example) decides what the authorization and permissions are.
• Ex: Spreadsheet owner can grant permission (view, comment, edit) to other firm members

Question 60

What is a distributed denial of service attack?

Answer 60

• It is an attack where multiple bots send a surge of false requests to overwhelm a network
• These false requests slow down network traffic

Question 61

What are the 6 stages in a cyberattack?

Answer 61

Reconnaissance
Gaining access
Escalation of privileges
Maintaining access
Network exploitation
Covering tracks

Question 62

What is network spoofing?

Answer 62

• It occurs when a hacker impersonates a Wi-Fi network to trick users into providing sensitive data
• Public hotspot users should avoid making transactions or logging into important sites. Instead, you should use your own cell phone hotspot to stay safe

Question 63

What are the different types of malware?

Answer 63

• Ransomware (prevents access to a system until money is paid)
• Spyware (tracks browsing history and keystrokes)
• Adware (directs users to different websites via pop-up ads)
• Malware (infects using viruses, worms, trojan horses)

Question 64

What does SEGREGATION prevent?

Answer 64

• It prevents a customer for example, from accessing proprietary product info
• Customers interact with a separate network that doesn’t interface with internal company systems

Question 65

Inspecting documentation showing the database table relationships and inquiring if the service organization follows a data security framework, and reperforming calcualtions are examples of:

Answer 65

The service auditor’s risk assessment

Question 66

What is return-oriented programming attack?

Answer 66

This attack changes the return addresses within existing executable memory instruction sequences

Question 67

What are mandatory access controls?

Answer 67

• Used in situations where sensitive information is held
• Permission settings are configured by the system administrator

Question 68

What is a Business Impact Analysis?

Answer 68

• This analysis addresses ALL SITUATIONS (natural disasters, fires, cyberattacks, etc) that can disrupt business functions

Question 69

What are the “Statements on Standards for Attestation Engagements”?

Answer 69

These attestation standards apply to examinations (SOC, compliance), reviews, and agreed-upon procedure engagements

Question 70

What are “Statements on Standards for Consulting Services”?

Answer 70

Security assessment reporting is a RISK ADVISORY engagement that applies these statements

Question 71

What is an administrative control in a defense-in-depth strategy?

Answer 71

• Security awareness training
• This is because these administrative controls will control access to the system and train employees

Question 72

What is a host-based intrusion detection system?

Answer 72

It checks for system files missing from data leaving a host device

Question 73

What is a protocol-based intrusion detection system?

Answer 73

They safeguard web servers by examining data going to and from a user front end

Question 74

What is an application protocol-based intrusion detection system?

Answer 74

It defends application servers by examining data sent between application servers

Question 75

What is a network-based intrusion detection system?

Answer 75

It is used to identify threats that create unusual traffic and policy violations

Question 76

What is cross site scripting?

Answer 76

It is a cyberattack where attackers inject malicious script into a website. The script then executes in a victim’s browser, enabling the attackers to access and use data stored by the browser

Question 77

What is clickjacking?

Answer 77

It is a way to hijack web traffic by tricking users into clicking a malicious link or initiating an unintended action like taking them to a different webpage

Question 78

What is return oriented programming?

Answer 78

It bypasses security defenses by manipulating return addresses. These attacks alter the flow of instructions rather than injecting harmful code

Question 79

What are the 4 logical control concepts?

Answer 79

• Principle of Least Privilege
• Need-to-know principle
• Whitelisting
• Zero-trust

Question 80

What does authentication do?

Answer 80

It confirms a user’s identity

Question 81

What does authorization do?

Answer 81

It determines what a user is privileged to do within a system

Question 82

What is script injection?

Answer 82

• It delivers and executes malicious code
• These scripts can damage systems, access data, or steal money

Question 83

What is Discretionary Access Control?

Answer 83

• It is where the object owner can extend access to any user
• All users granted access to the object can grant privileges to other subjects, limiting the organization’s ability to restrict its personnel’s purchase requisition approval level

Question 84

What is mandatory access control?

Answer 84

Resource objects are given a security label and category that define the department or role that may be granted access

Question 85

What is the “Statements on Standards for Consulting Services”?

Answer 85

It is a standard in which a CPA firm applies in an engagment to provide a security assessment report that involves documenting issues, findings, and recommendations

Question 86

What is a buffer overflow attack?

Answer 86

It exploits unpatched vulnerabilities in the code of an application

Question 87

What is cross site scripting?

Answer 87

It targets web applications through browsers