Week 1

Question 1

C in CIA triad

Answer 1

confidentiality

Question 2

I in CIA triad

Answer 2

integrity

Question 3

A in CIA triad

Answer 3

availability

Question 4

confidentiality

Answer 4

ensuring that data which should be confidential is confidential

Question 5

integrity

Answer 5

ensuring that data is only changed in authorized ways

Question 6

availability

Answer 6

ensuring that data can be accessed when it is needed

Question 7

McCumber cube [1991]

Answer 7

expansion of CIA triad that tries 2 show how CIA is applied to info processing and what controls are used to 2 enforce them

Question 8

organizational policy

Answer 8

outlines an organization’s security rules, regulations and strategies 4 maintaining the CIA of critical data

Question 9

vulnerability

Answer 9

a flaw, bug or misconfiguration in the system that permits the CIA triad 2 be attacked [often accidentally created and attacked]

Question 10

threat actor

Answer 10

a person or a group that might attack a system [i.e. hacker]

Question 11

threat

Answer 11

something bad a threat actor could do after a successful attack

Question 12

risk

Answer 12

a measurement based on the damage inflicted by a TA carrying out a threat and the likelihood of the threat being realized

Question 13

exploit

Answer 13

a way 2 make use of a vulnerability 2 attack the system’s CIA

Question 14

payload

Answer 14

what the attacker uses the exploit 2 do, such as install malware

Question 15

M in MICE [attacker motivation]

Answer 15

money

Question 16

I in MICE [attacker motivation]

Answer 16

ideology

Question 17

C in MICE [attacker motivation]

Answer 17

coercion

Question 18

E in MICE [attacker motivation]

Answer 18

ego

Question 19

R in RASCLS [attacker motivation]

Answer 19

reciprocation

Question 20

1st S in RASCLS [attacker motivation]

Answer 20

scarcity

Question 21

A in RASCLS [attacker motivation]

Answer 21

authority

Question 22

C in RASCLS [attacker motivation]

Answer 22

commitment

Question 23

L in RASCLS [attacker motivation]

Answer 23

liking

Question 24

2nd S in RASCLS [attacker motivation]

Answer 24

social proof

Question 25

threat models

Answer 25

a formal framework for group threats into discrete categories

Question 26

what are threat models used for

Answer 26

planning security controls

Question 27

S in STRIDE [threat models]

Answer 27

spoofing

Question 28

spoofing

Answer 28

pretending to be someone else [authentication]

Question 29

T in STRIDE [threat models]

Answer 29

tampering

Question 30

tampering

Answer 30

changing data to be inaccurate [integrity]

Question 31

R in STRIDE [threat models]

Answer 31

repudiation

Question 32

repudiation

Answer 32

denying that you did a thing you did [accountability]

Question 33

I in STRIDE [threat models]

Answer 33

information disclosure

Question 34

information disclosure

Answer 34

revealing information that shouldn’t be otherwise disclosed [confidentiality]

Question 35

D in STRIDE

Answer 35

denial of service

Question 36

denial of service

Answer 36

trying to stop someone else from using a system controls [availability]

Question 37

E in STRIDE

Answer 37

elevation of privilege

Question 38

elevation of privilege

Answer 38

trying to get a higher level of access than you are currently assigned [authorization]

Question 39

ISC^2 control categorization

Answer 39

security controls –> 2 dimensions –> function and mechanism

Question 40

ISC^2 function

Answer 40

directive, deterrent, penetrative, detective, corrective, recovery compensating

Question 41

ISC^2 mechanism

Answer 41

technical, administrative, physical

Question 42

NIST cybersecurity framework

Answer 42

recover, identify, protect, respond, recover

Question 43

what does ISC^2 do that NIST doesn’t

Answer 43

distinguishes function and mechanism

Question 44

“defense in depth”

Answer 44

all controls [multiple layers] keep our “castle” safe