Security+ Test Study (4.5 - 5.6) Flashcards
What is URL scanning?
Universal Resource Locator Scanning: Allowing or restricting websites based upon the site’s URL. Usually managed by URL category rather than individual URLs.
What is an agent based content filter?
To check if a device is in compliance, a software agent is usually installed onto a device before it is given out. It’s then always on and checking to see if the device is within compliance. Agent devices continuously have to be updated and are usually managed from a single console, but the local agent makes the filtering decisions.
What is a proxy content filter?
A user makes a request for a web page, and the request travels through a proxy. The proxy asks the internet for the web page, and the internet gives the web page to the proxy. The proxy then decides whether or not to give the web page to the user based upon the filtering rules set up inside of it.
What are block rules?
Rules that allow or deny websites or website categories. You can make your block rules be specific (by URL) or by general category (Educational, Gambling, Government, etc).
In terms of web filtering, what is reputation?
Content filters sometimes block or allow URLs based upon the website’s “reputation”, or the perceived risk of what accessing that site would be.
What is DNS filtering?
Allowing or blocking websites based upon their IP address.
What is active directory?
A database of everything on the network. Computers, user accounts, printers, file shares, etc.
What is group policy?
Security policies (what users and computers can and can’t do) set up in Active Directory.
What is SELinux?
Security Enhanced Linux. Allows a Linux administrator to assign least privilege to users.
In terms of securing protocols, what is protocol selection?
Use secure protocols that utilize encryption if at all possible. Don’t compromise on this.
In terms of securing protocols, what is port selection?
Use secure ports for your networking. HTTPS over HTTP, port 443 over port 80, for example.
What is transport method?
You may want to encrypt all of your traffic regardless of whether your ports and protocols are encrypting it or not. You can do this by utilizing a VPN concentrator at your endpoint, or using WPA3 on your wireless network.
What is DMARC?
Domain-Based Message Authentication Reporting and Conformance. An extension of SPF and DKIM. If a message sent to a third-party using DKIM or SPF does not properly validate, DMARC can give the receiver the option of what to do with these invalidated messages (Accept all, send to spam, or reject mail). Also added to DNS as a TXT record. Can be queried and reports can be made to see what type of messages you’re getting.
What is DKIM?
Domain Keys Identified Mail. Allowing your mail server to automatically digitally sign emails going out to a third-party. Validated from a TXT record in your DNS.
What is SPF?
Sender Policy Framework. A protocol that defines which email servers are authorized to send mail on the users behalf. Mail domain is added to your DNS as a TXT record.
What is a mail gateway?
A device within a screened subnet that blocks emails at the gateway and evaluates the source of inbound email messages. Device can be on-site or cloud based.
What is FIM?
File Integrity Monitoring. Some files should never change. FIMs check and make sure the files that shouldn’t be changing aren’t changing. Windows has one built in called SFC (system file checker). Linux has one called Tripwire.
What is DLP?
Data Loss Prevention. Looks for and stops running data you don’t want running on your network. If someone sends their social security number over the network, DLP stops it. Also prohibits USB access and blocks sensitive information in inbound and outbound emails, if you set it up that way.
What is an endpoint?
The device used by the user.
What is the edge?
Where the inside of the network meets the outside (the internet). Where firewalls are usually placed.
What is NAC?
Network Access Control. Rules put in place that limit a device’s access to certain types of data, either someone on the outside trying to get in, or someone inside trying to get out. Rules based on user, group, location, application, etc. Think ACLs.
What is a posture assessment?
An assessment that’s performed on a user’s own personal device and given a health check to see if it’s clean before connecting it to the network.
What is EDR?
Endpoint Detection and Response. A lightweight endpoint agent that’s like an antivirus on steroids. It takes a look at things like behavioral analysis, machine learning, and process monitoring, in addition to bad signatures and analyzes all of these things to see if they’re potential threats. Responses to threats are automated.
What is XDR?
Extended Detection and Response. EDR but it’s an Ascended Sayian.
What are user behavior analytics?
A large amount of correlated user activity data observed by XDR and used to build a baseline for what “normally” happens on the network, so that outlying activity stands out and can be stopped.
What is IAM?
Identity and Access Management. Giving the right permissions to the right people at the right time.
What is provisioning and deprovisioning user accounts?
Creating, moving and disabling (or deleting) an account in either AD or some other Access Control software. Usually happens during onboarding and offboarding.
What are permission assignment and implications?
Making sure everyone in your organization gets just enough to do their job and nothing more. Everyone is limited in some way.
What is identity proofing?
Verifying that a user is who they actually say they are. Putting in a password, answering security questions, etc.
What is SSO?
Single sign-on. The process where you login one time to the network and then you have access from that point forward. No need to login again. Windows and ClassLink is this. Once you login you have access to your stuff.
What is LDAP?
Lightweight Directory Access Protocol. Protocol used for reading and writing directories over an IP network.
What is OAuth?
Open Authorization. Mobile friendly authentication. An authentication framework that determines what resources a user will be able to access once they login (usually with a gmail account or something similar).
What is SAML?
Security Assertions Markup Language. The authentication of a user to a third-party database. You don’t keep track of the users logging in, they do. A user attempts to access a resource server, the server sends a SAML request to the authentication server and redirects the user to the authentication server. The user logs in, and the authentication server sends a SAML token to the user, allowing them access to the resource server.
What is federation?
Allows network access without using a local authentication database, for example, logging into something using your third-party facebook or twitter account instead of making a completely new account to login with.
What is interoperability?
Looking at all of the different login possibilities and deciding which is best and which ones can communicate with your authentication server.
What is authorization?
The process of ensuring only authorized rights are exercised for users.
What is least privilege?
Setting the rights and permissions of users to the bare minimum of what they can do on a device in your network to prevent possible exploits.
What is MAC?
Mandatory Access Control. MAC assigns a label to each resource a user needs access to and the administrator of the MAC gets to decide who gets access to what based on the label.
What is DAC?
Discretionary Access Control. The user who creates the data has control over who can access it. Not based upon a label or an administrator assigning rights, it’s up to the creator of the data.
What is role-based access control?
Access control based upon the role a user has in an organization. A Manager group has different rights and permissions than a Director group or a Team Lead group.
What is rule-based access control?
The System Administrator makes and sets the rules for how each user functions within the organization. Rules are made by the Admin and then assigned to a user or group.
What is attribute-based access control?
Complex rule sets that determine whether certain types of data are accessible or not. Takes into account user IP addresses, time of day, desired action, user’s relationship with data, etc. to determine if access will be granted.
What are time-of-day restrictions?
Access is restricted based upon time of day…duh.
What are biometrics?
Mathematical representation of your fingerprint, voice print, iris scan, etc.
What is a hard authentication token?
A random set of numbers generated on a separate device that allows access.
What is a soft authentication token?
A random set of numbers generated on the software of the device you’re trying to access.
What are security keys?
A USB flash drive that contains login information allowing you access on a device.
What are the four multifactor authentication factors?
Something you know
Something you have
Something you are
Somewhere you are
What is “Something you know”?
Like a password or a secret phrase, PIN number or pattern. Very common.
What is “Something you have”?
Like a smart card, phone, USB security key, or hardware/software token.
What is “Something you are”?
Biometrics.
What is “Somewhere you are”?
A login allowed or denied based upon where the login took place. Could be based on IP address or GPS location services.
What are the password best practices?
Length: The longer your password, the harder it is to brute-force.
Complexity: The more special characters you use, the harder it is to brute-force.
Reuse: Sometimes a password manager will remember that you’ve used a password before, and won’t let you reuse it again until you’ve changed it to something else first.
Expiration: A password has become too old and needs to be recreated into something else.
Age: How long since the password was modified. After it reaches a threshold, it expires, and you have to make a new one.
What are password managers?
Software that keeps track of your current passwords, and old passwords. Built into browsers and OSs.
What does it mean to be passwordless?
Not using a password to login. Instead, using things like security keys and facial recognition.
How do just-in-time permissions work?
Granting admin access for a limited time on a specific set of time sensitive credentials.
What is password vaulting?
Primary credentials are stored in a password vault, and the vault controls who gets access to credentials.
What are ephemeral credentials?
Temporary credentials that allow admin access for only a limited amount of time.
What is scripting?
The automation of functions that would normally have to be performed manually. It’s fast, can do mundane tasks, saves time, and enforces baselines. It can be set up with standard infrastructure configurations that can set up default configurations for routers and switches. Can automatically scale your infrastructure.
What are the seven steps to the incident response process?
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Lessons Learned
In terms of the incident response process, what is preparation?
Having a list of resources, policies and procedures, communication methods and contact information of people who need to know about the incident. Have a “go bag” that contains hardware and software ready to address any type of incident. Have a clean OS image ready to go in case the worst happens.
In terms of the incident response process, what is detection?
Know how to look for incidents when they occur and don’t get distracted by possible false positives.
In terms of the incident response process, what is analysis?
Comparing a baseline of your monitoring logs to the incident when it occurs.
In terms of the incident response process, what is containment?
Stopping the attack as quickly as possible by isolating it.
In terms of the incident response process, what is eradication?
Getting rid of the attack.
In terms of the incident response process, what is recovery?
Getting things back to normal. Replacing software, re-imaging, disabling compromised accounts, fixing vulnerabilities, recovering the OS, etc.
In terms of the incident response process, what are lessons learned?
Understand what happened and make sure it doesn’t happen again. Ask yourself if your plans worked or if they need revision. Did your monitoring systems work?
In terms of incident planning, what is testing?
You can better prepare to handle an incident through a tabletop exercise or running a simulation. Remember to use the well-defined rules of engagement before simulating a test.
In terms of incident planning, what is root cause analysis?
Determining the ultimate cause of an incident. Asking, “Why did this happen?” or “What was the first domino to fall in this chain of incidents?” Gathering of facts to draw a reasonable conclusion.
In terms of incident planning, what is threat hunting?
Finding the attacker before they find you. Upgrading your defenses so that threats can be caught before they get in.
What is digital forensics?
Collecting data when a security event occurs, and using that data for future use.
What is legal hold?
A type of data acquisition request that is usually initiated by a lawyer, informing you of what type of data needs to be stored and how much needs to be available. Usually stored in an ESI (Electronically Stored Information) repository.
What is chain of custody?
Information must maintain its unmodified status for the duration of its necessary use, thus a process is in place to see who has access to the information. Hashes and digital signatures allow us to know how the data has been stored and whether or not it has been tampered with.
In terms of digital forensics, what is acquisition?
The gathering of data and how it is obtained, via disk, RAM, firmware, OS files, etc. Data could be on multiple systems that need to be accessed.
In terms of digital forensics, what is reporting?
Documenting how the data was acquired and stored.
In terms of digital forensics, what is preservation?
How the data acquired is stored, isolated, and protected.
In terms of digital forensics, what is E-Discovery?
Electronic Discovery. The process of collecting, preparing, reviewing, interpreting and producing electronic documents to be utilized by a third-party. Think of the audits for GoGuardian requested at Alvord.
What are security log files?
Detailed security-related information, including blocked and allowed traffic flows, exploit attempts, blocked URL categories, and DNS sinkhole traffic.
What are firewall logs?
Traffic flows through a firewall. Usually contains source and destination IPs, port numbers, and what the firewall does with this traffic. NGFW log the applications used, URL filtering categories, and anomalies and suspicious data.
What are application logs?
Log files specific to an application. You can find this in the application log in Event Viewer in Windows.
What are endpoint logs?
Log files specific to devices that are endpoints, such as phones, laptops, tablets, desktops, and servers.
What are OS-specific security logs?
The log files specific to the OS that are associated with security events. Good at finding disabled services and brute-force attacks. Lots of data here, so be sure to filter it.
What are IPS/IDS logs?
Log files specific to IPSs and IDSs. They contain information about predefined vulnerabilities, such as known OS vulnerabilities and generic security events.
What are network logs?
Log files from APs, switches, and routers.
What is metadata?
Data that describes other data sources, so, for example, in a picture taken on your phone, you can pull up all sorts of data about the picture, such as when and where it was taken and how large it is, things like that.
What are vulnerability scans?
Show you if your devices are lacking security controls like no firewall, no anti-virus, and no anti-spyware, misconfigurations, and vulnerabilities.
What are automated reports?
Reports automatically compiled by a SIEM or a third-party program reading a SIEM that tells you about events and vulnerabilities on your network.
What are dashboards?
Real-time summaries of statuses on a single screen (GoGuardian Admin Dashboard). Shows only the most important data.
What are packet captures?
Using a utility like Wireshark to get details on packets sent across your network. Detailed information about traffic flows at the packet level. Everything is captured.
What are security policy guidelines?
What rules are you following to provide CIA (Confidentiality, Integrity, and Availability)? Answers to broad questions like, what data storage requirements do you have to follow and what are your security event procedures? Also, answers to smaller, more detailed security questions like, what’s the appropriate wi-fi usage and what’s required for remote access? Answers to what and why.
What are information security policies?
The big list of all security-related policies, and a centralized resource for all the processes. Usually compliance requirements, not opinions. Contains detailed security procedures, and a list of roles and responsibilities.
What is an AUP?
Acceptable Use Policy. A policy that describes what a user can and cannot do with company assets, those being internet use, phones, computers, mobile devices, etc. Limits legal liability for the organization.
What is business continuity?
What to do when the devices and systems you use every day just stops working. How you continue on with business as planned without having your primary technology up and running.
What is a disaster recovery plan?
What to do if a disaster happens. Very comprehensive.
What is an incident response plan?
Incident response plan. What to do if there is an IT specific breach of the network. An incident response team may be necessary in the response.
What is SDLC?
Software Development Lifecycle. Moving through the idea phase of developing software, all the way to the successful launch of an application. There’s the waterfall method and the agile method.
What is change management?
Change management includes the frequency (how often changes are made), duration (the time frame in which changes can be made), installation process (the time it takes for the actual change to be implemented), and fallback procedures (to employ in case something goes wrong during the change) of a change being made on the network.
What are security standards?
A formal definition for using security technologies and processes. Everyone understands the expectations, and complete documentation of this reduces security risk.
In terms of security standards, what are the best practices to have for passwords?
Your organization should have a standard definition of what makes a good, complex password, and should have documentation that everyone knows about and follows. Acceptable authentication methods should be defined in this documentation as well, along with the policies for password resets.
In terms of security standards, what are the best practices to have for access control?
Your organization should have a standard definition of how the organization accesses data, who can access it, what can they access, what time can they access, and under which circumstances. It should detail whether discretionary access is allowed or not. How users get access and how access is removed.
In terms of security standards, what are the best practices to have for physical security?
Your organization should have a standard definition of rules and policies regarding physical security controls, such as doors and building access. It should detail how users are granted physical access (whether they’re employees or visitors).
In terms of security standards, what are the best practices to have for encryption?
Your organization should have a standard definition of what and how data should be encrypted. How passwords are stored, what hashing algorithm is used, and the minimum amount of encryption required at all of data’s different states.
What are the steps in the change management procedures?
The Change Management procedure is: Determine the scope of the change, Analyze the risk associated with the change, Create a plan, Get end-user approval, Present the proposal to the change control board, Have a back out plan if the change doesn’t work, and Document the changes.
What is onboarding/offboarding?
A policy that describes how a user comes onboard the network and how they leave the network. Accounts are created (or disabled) for them, documents are signed, they’re provided with (or give back) company technology, etc.
What are playbooks?
Conditional steps to follow in the case of a particular event. For example, a checklist of what happens if, say, there’s a data breach, or you need to recover a device from ransomware. Can sometimes be implemented into a SOAR platform (Security Orchestration, Automation, and Response), and automated.
In terms of security procedures, how should you approach monitoring and revision?
Technology is always changing, and because of that, processes and procedures have to change also. For example, you might at some point need to update your security posture and have tighter change control, or update your playbooks.
What are three examples of governance structures?
Boards, committees, and government entities?
What are boards?
A panel of specialists that set the tasks or series of requirements for a committee to follow. Usually very broad objectives.
What are committees?
Subject-matter experts that consider the input from a board and work on putting the next steps together to meet particular goals and objectives set by the board. Once completed, they present what they’ve done to the board.
What are government entities?
Government employees that meet publicly that attempt to move forward with objectives while being concerned with legal issues, administrative requirements, and political issues.
What is the difference between centralized and decentralized governance?
Centralized governance is located in one location with a group of decision makers. Decentralized governance spreads the decision-making process around to other individuals or locations.
What are regulatory security considerations?
The common, foundational security practices and mandates done by every organization, including logging, data storage, data protection, and retention.
What are legal security considerations?
The processes and procedures for holding data required for legal proceedings, reporting illegal activities, and mandates for the timely reporting of security breaches.
What are industry security considerations?
The security processes and procedures for specific industry requirements, depending on what that industry is. For example, the security procedures for maintaining electrical power and public utilities.
What are the three levels of geographic security considerations?
Local/regional, national, and global.
In terms of data roles and responsibilities, who are owners?
The person who is broadly responsible for data being stored and is accountable for specific data, for example, a VP of sales owns the customer relationship data, a treasurer owns the financial information of a company, etc.
In terms of data roles and responsibilities, who are controllers?
The person who manages the purposes and means by which the data is processed. Manages how the data will be used, for example, the payroll department defines payroll amounts and timeframes.
In terms of data roles and responsibilities, who are processors?
The person who processes and uses the data on behalf of the data controller. Often a third-party or different group, for example, a payroll company that processes and stores employee information.
In terms of data roles and responsibilities, who are custodians/stewards?
The person responsible for data accuracy, privacy, and security. Works directly with the data.
What is risk management?
Broadly looking at security and understanding potential risks. Allows an organization to identify where risks might be and be able to address them before they become a much larger problem.
What are the four types of risk assessment?
Ad hoc
Recurring
One-time
Continuous
What is an ad hoc risk assessment?
A risk assessment designed to look at only one specific threat.
What is a recurring risk assessment?
A risk assessment repeatedly done on a standard schedule.
What is a one-time risk assessment?
A risk assessment specifically designed to assess a one-time project.
What is a continuous risk assessment?
A risk assessment of a continuous process such as change control.
What is qualitative risk analysis?
Looks at different risk factors and the criteria for each of the risk factors in broad terms.
What is quantitative risk analysis?
A statistical measurement of how exactly risky something is based upon data.
What is SLE?
Single Loss Expectancy. The monetary loss received if one single event occurs. AV x EF = SLE
What is ALE?
Annualized Loss Expectancy. The monetary loss received over the course of a year. ARO x SLE = ALE
What is ARO?
Annualized Rate of Occurrence. How often a risk will occur in a single year.
What is AV?
Asset Value. The value or importance of a particular asset to an organization.
What is probability?
A quantitative measurement of risk (a statistical measurement based upon historical data).
What is likelihood?
A qualitative measurement of risk (is it rare, possible, almost certain, etc.)
What is exposure factor?
The percentage of the value of an asset lost due to an incident.
In terms of risk analysis, what is impact?
List of considerations for a company, including life, property, safety, and finance.
What is a risk register?
A document that identifies the risk associated with each step of a project, and offers possible solutions to those risks.
What are key risk indicators?
The individual risks listed out on the Risk Register.
Who is the risk owner?
The person responsible for managing the key risk indicators on the risk register.
What is risk threshold?
The balance of time and money spent by the risk owner to manage the key risk indicators on the risk register.
What is risk appetite?
A broad description of risk-taking deemed acceptable. The amount of accepted risk before taking any action to reduce that risk. For example, the government set the speed limit to 55 mph. This limit is deemed an acceptable balance between safety and convenience.
What is risk tolerance?
An acceptable variance (usually larger) from the risk appetite. For example, drivers are ticketed for going over the speed limit, but it’s usually for going 20 mph over and not 5 mph over. The tolerance is larger than the appetite.
What are the four risk management strategies?
Transfer
Accept
Avoid
Mitigate
What is the transfer risk management strategy?
Move the risk to another party, or buy some cybersecurity insurance, for example.
What is the accept risk management strategy?
The company takes the risk and accepts the responsibility for that risk.
What is the accept with exemption risk management strategy?
The company takes the risk, and they exempt their existing policies by doing so.
What is the accept with exception risk management strategy?
The company takes the risk, and even though they’re taking the risk, their policies for whatever they’re accepting are still valid. For example, not accepting a bad patch to software even though policies say you need to.
What is the avoid risk management strategy?
A company says nope and stops participating in risky activity.
What is the mitigate risk management strategy?
A company attempting to decrease a risk level.
What is a risk reporting document?
A formal document that identifies the risks of a project so that the company knows what they’re getting into.
What is RTO?
Recovery Time Objective. The amount of time it takes to get your systems up and running to a particular service level.
What is RPO?
Recovery Point Objective: How much data needs to be available to adequately say we’re back up and running.
What is MTTR?
Mean Time To Repair. Basically, the average time required to fix a particular problem.
What is MTBF?
Mean Time Between Failures. The average time between one outage or break and the next.
What is vendor assessment?
Analyzing how good, trustworthy, reliable, and safe a vendor is so your company may utilize them.
What is penetration testing?
Simulating an attack to exploit vulnerabilities.
What is a right-to-audit clause?
A legal agreement to have the option to perform a security audit on a third-party vendor at any time.
In terms of third party risk assessment, what are the evidences of internal audits?
The security details summarized by a different third-party performing an audit on the security details between you and a third-party vendor.
In terms of third party risk assessment, independent assessments?
Bringing in an expert or team of experts from outside of your company to evaluate security and provide recommendations.
What is supply chain analysis?
A security analysis of the entire system involved in creating a product within the supply chain. An understanding of this entire chain and tweaking it in case there are any weaknesses.
What is due diligence?
Investigating a company before doing business with them.
What is conflict of interest?
Something that compromises the judgment on either side of the business relationship.
What is a SLA?
Service Level Agreement. An agreement between customers and service providers that details the terms for services provided. Includes things like uptime, response time, etc. It keeps everyone on the same page.
What is a MOA?
Memorandum of Agreement. The step above an MOU. Both sides conditionally agree to the objectives lined out and can be considered a legal document, but doesn’t have to contain all of the legal language.
What is a MOU?
Memorandum of Understanding. An informal letter of intent that outlines the basic services provided to a customer. Similar to an SLA, but not signed and less formal. MOUs can lead to SLAs.
What is a MSA?
Master Service Agreement. A legal contract that sets the terms between both organizations, and sets up a framework to be used to add additional work to the contract in the future.
What is a WO?
Work Order (or Statement of Work). Specific list of items to be completed used in conjunction with the MSA that details the scope of the job, the location, acceptance criteria, etc.
What is a NDA?
Non-disclosure Agreement. A confidential agreement between parties containing information that is not disclosed. If you know what’s in the NDA, you can’t talk about it with people outside of the agreement. Always formal and signed, but can either be unilateral or bilateral.
What is a BPA?
Business Partners Agreement. A document outlining that you’re going into business with another company. Describes the financial contract, what owners have what stake in what parts of the business, and who is making what business decisions.
What is vendor monitoring?
Ongoing management of the vendor relationship after a contract is signed. “I’m watching you, Wzouski!”
What are questionnaires?
A part of due diligence and ongoing vendor monitoring by getting answers directly from the vendor by asking them a series of security related questions.
What are rules of engagement?
An important document used during a pen test that defines the pen test’s parameters and what’s going to be simulated in the attack.
What is internal compliance reporting?
An organization performing their own internal compliance, where they monitor and report on organizational compliance efforts. Headed by a CCO. This information is used to provide details to customers or potential investors.
What is external compliance reporting?
A third-party comes to your organization and evaluates your compliance with the rules.
Name some consequences of non-compliance.
Fines, sanctions, reputational damage, loss of license, and contractual impacts.
What is compliance monitoring?
Ensuring compliance in day-to-day operations through various methods. Can be performed internally, externally and (in large companies) automatically.
In terms of compliance monitoring, what is due diligence/care?
A duty to act honestly and in good faith. Investigating and verifying if things are in compliance. Due diligence is you checking yourself, due care is a third party checking on you.
In terms of compliance monitoring, what is attestation and acknowledgement?
Someone signing off that the compliance is in good standing. Also the guy responsible if documentation is incorrect.
What is the data subject?
Any information relating to an identified or identifiable natural person with personal data. BarrYou.
Who is the data owner?
The person who is broadly responsible for data being stored and is accountable for specific data, for example, a VP of sales owns the customer relationship data, a treasurer owns the financial information of a company, etc.
Who is the data controller?
The person who manages the purposes and means by which the data is processed. Manages how the data will be used, for example, the payroll department defines payroll amounts and timeframes.
Who is the data processor?
The person who processes and uses the data on behalf of the data controller. Often a third-party or different group, for example, a payroll company that processes and stores employee information.
What is data inventory and retention?
Specific data that your organization stores and an inventory of that data (a listing of all managed data).
What is the right to be forgotten?
The user having the power, control, and decision of where their data goes and can request the removal of that data from search engines if they so choose.
What is attestation and acknowledgement?
Someone signing off that the compliance is in good standing. Also the guy responsible if documentation is incorrect.
What is compliance?
Following the rules and regulations set up. Duh.
What is an audit committee?
A committee of people that oversees risk management activities. They determine whether audits start or not.
What are self-assessments?
Having the organization perform their own checks, and then consolidating the self-assessments into ongoing reports.
What are external audits?
Audits done by a third-party.
What is a regulatory audit?
An independent third-party performing an audit based upon an individual organization’s regulations and frequency requirements.
In terms of external audits, what are examinations?
Hands-on researching in which records are viewed, reports are compiled, and details are gathered. (Leo Bloom).
In terms of external audits, what are assessments?
The third-party’s results of the examination (“You could make more money with a flop than with a hit”)
What is an independent third-party audit?
An audit performed by an external third-party that has no connection to the organization
In terms of penetration tests, what makes them physical?
Making a device’s OS operate the way you want it to by physically modifying it, so lock your stuff up. A physical pen test is literally someone trying to physically gain access to your stuff.
What are offensive penetration tests?
A pen test where your systems are attacked and vulnerabilities are looked for to exploit (The Red Team).
What are defensive penetration tests?
A pen test where a group (The Blue Team) attempts to identify pen test attacks in real-time and tries to prevent unauthorized access.
What are integrated penetration tests?
Red Vs Blue going together.
In terms of pen tests, what is a known environment?
Full disclosure. The pen test attacker is given all of the information about the systems before the test begins.
In terms of pen tests, what is a partially known environment?
Partial disclosure. The pen test attacker is given only some information about the systems before the test begins. Focused on only certain systems.
In terms of pen tests, what is an unknown environment?
Blind. The pen test attacker is given no information about the systems before the test begins.
What is passive reconnaissance?
Information needed before an attack that is gathered by learning as much as you can from open sources. Social media, websites, online forums, and social engineering, for example.
What is active reconnaissance?
Information needed before an attack that is gathered by going into the devices and systems themselves. Ping scans, port scans, DNS queries, etc. for example.
In terms of security awareness, what is anomalous behavior?
Evidence of modifying host files, uploading sensitive files, replacing core OS files, logins from other countries, increased data transfers, etc.
What is an insider threat?
Someone in your organization attacking you. Defend against it by adding multiple approvals for critical processes, monitor your files and systems as much as possible, and make it difficult for anyone to make an unauthorized change.
What are the best practices to tell your team when it comes to security training?
Have guidance and training provided for members of your organization and third-parties through various means, including policy handbooks, and training on situational awareness.
Maintain password management.
Don’t leave cords and USBs laying around.
Alert your people to social engineering.
Let your people know what data attackers are looking for (operational security).
Don’t let anyone other than the specified person access their systems if they’re working from home.
What is a phishing campaign?
Testing your team by sending out a phishing test and recording the results.
