Cybersecurity

Question 1

RMF Step 1: Categorize

Answer 1

In the step

• Selecting a baseline of security controls for protecting the information system and the organization
• Uses the three security objectives (confidentiality; integrity; and availability) with one impact value (low; moderate; or high) for each of the security objectives
• Initiates the System Security Plan (SSP) to document the categorization of the system
• Registers the system with the DoD Component Cybersecurity Program

Question 2

What does DoD IT entail?

Answer 2

All DoD-owned IT or DoD-controlled IT that receives; processes; stores; displays; or transmits DoD information

Question 3

What IT regs for SAP?

Answer 3

JSIG

Question 4

What is Reciprocity?

Answer 4

• Common processes, security controls, testing activities and outcomes, as well as, a common lexicon among organization
• Reduce costs related to the activities associated with system authorization.

Question 5

What groups does DoD use to categorize IT?

Answer 5

Information Systems
Platform IT
IT products
IT services

Question 6

RMF Step 2: Select Security Controls

Answer 6

In this step

• Security and common controls are identified and selected (Security Control Baseline)
• Overlays are selected and applied
• Controls are tailored, as needed
• System-level continuous monitoring (CONMON) strategy developed, reviewed and approved internally
• SSP is developed, reviewed and approved internally

Question 7

What are common controls?

Answer 7

Controls inherited from the hosting environment (physical, personnel) that are typically controlled by personnel outside of the cyber team. Example: Ensuring the facility the network is housed in has emergency lighting and exits.

Question 8

RMF Step 3: Implement Controls

Answer 8

In this step

• Controls implemented consistent with the SSP and DoD policy (critically important step that can affect the security and risk of the entire organization)
• SSP updated

Question 9

RMF Step 4: Assess Controls

Answer 9

In this step

• Security Assessment plan developed
• Self assessment conducted to determine if controls are implemented correctly, operating as intended and producing the desired outcome
• Remediation actions, as necessary, based on findings -SSP revised
• Security Control Assessor (SCA) develops, reviews and approves a plan to assess the security controls
• Authorizing Official (AO) approves the Security Assessment Plan

Question 10

RMF Step 5: Authorize System

Answer 10

In this step

• Preliminary review of documentation of the documentation by the Security Controls Assessor (SCA)
• Plan of Action and Milestones (POAM) created by the SCA to document any vulnerabilities in the system and a plan and timeline to mitigate each vulnerability
• SCA prepares a Security Assessment Report (SAR) and makes an authorization recommendation, but the ultimate authorization decision must be issued by the AO
• AO reviews the security authorization package (all paperwork) and issues an Approval to Operate (ATO) or Denial of Approval to Operate (DATO)

Question 11

Security Assessment Report (SAR)

Answer 11

Provides authorizing officials with the information needed for understanding the current security state of the organization’s information systems and supporting infrastructure and the current risk posture of the system and therefor the organization

Question 12

RMF Step 6: Monitor Controls

Answer 12

In this step

• Ensure system is operating at an acceptable level of risk to maintain its authorization
• Periodic self assessments conducted as part of continuous monitoring (CONMON)
• Periodic system assessments by DCSA
• Ensure security relevant changes trigger a full reassessment of the system and the AO must reauthorizes the system
• Reassessment and reauthorization upon expiration of the ATO (typically 3 yrs from the date of issuance)
• Analyze and document any posed or actual changes to the information system due to continuous monitoring

Question 13

What is the objective of Continuous Monitoring?

Answer 13

To determine if the security controls in the information system continue to be effective over time in light of the inevitable changes to hardware, software and firmware that occur in the system, as well as changes in the environment in which the system operates

Question 14

Email Phishing Indicators Indicators

Answer 14

• Bad grammar, misspellings and/or generic greetings
• Maliciously-crafted attachments with varying file extension or links to a malicious website
• Appear to be from a position of authority or legitimate company: your employer, bank or credit card company, online payment provider or government organization

Question 15

Examples of types of information adversaries target

Answer 15

• Sensitive company documents and proprietary information
• Export controlled/classified information and technology
• Information on DoD-funded contracts
• Sensitive technological specification documents
• User login IDs and passwords
• Personal Identifying Information (SSN; date of birth; address)
• Contact rosters and phone directories

Question 16

Targeted Technology and Information Threats

Answer 16

Insiders
Hackers
Cyber Criminals
Terrorists
Organized Crime
Foreign Intelligence Entities

Question 17

Most Targeted Technologies

Answer 17

• Information systems
• Aeronautics, including technology related to unmanned aerial vehicles (UAVs)
• Lasers and optics
• Sensors
• Marine systems, positioning, navigation and time
• Electronics
• Militarily Critical Technologies List (MCTL) technology
• Armaments

Question 18

What is malicious code?

Answer 18

Software that does damage and/or creates unwanted behaviors

Question 19

Examples of malicious code

Answer 19

Viruses
Trojan horses
Worms
Keyloggers
Spyware
Rootkits
Backdoors

Question 20

Examples of vessels of malicious code

Answer 20

E-mail attachments
Removable media
Downloaded files
Infected websites

Question 21

Counters against malicious code in emails

Answer 21

• View e-mail messages in plain text
• Do not view e-mail using the preview pane
• Use caution when opening e-mail
• Scan all attachments
• Delete e-mail from senders you do not know
• Turn off automatic downloading

Question 22

Counters against malicious code in websites

Answer 22

• Block malicious links / IP addresses
• Block all unnecessary ports at the Firewall and Host
• Disable unused protocols and services
• Stay current with all operating system service packs and software patches

Question 23

Best philosophy for creating passwords?

Answer 23

• Change passwords frequently

- Combination of numbers, letters and special characters

Question 24

Indicators of weak passwords

Answer 24

• Words found in the dictionary
• Readily available information significant to you (names; dates; cities; etc.)
• Lack of character diversity (e.g.; all lower case letters)

Question 25

Countermeasures for password compromise

Answer 25

- Combine letters, numbers and special characters - Do not use personal information - Do not use common phrases or words - Do not write down your password, memorize it - Change password according to your organization’s policy - Enforce account lockout for end-user accounts after a set number of retry attempts - Do not save your passwords or login credentials

Question 26

Reportable cyber activity subject to punitive action

Answer 26

- Actual or attempted unauthorized access into U.S. automated information systems and unauthorized transmissions of classified or controlled unclassified information - Password cracking, key logging, encryption cracking, steganography, privilege escalation or account masquerading - Network spillage incidents or information compromise - Use of DoD account credentials by unauthorized parties - Tampering with or introducing unauthorized elements into information systems - Unauthorized downloads or uploads of sensitive data - Unauthorized use of Universal Serial Bus, removable media or other transfer devices - Downloading or installing non-approved computer applications - Unauthorized network access - Unauthorized e-mail traffic to foreign destinations

Question 27

Reportable cyber activity not subject to punitive action

Answer 27

- Denial of service attacks or suspicious network communications failures - Excessive and abnormal intranet browsing beyond the individual's duties and responsibilities of internal file servers or other networked system contents - Any credible anomaly, finding, observation or indicator associated with other activity or behavior that may also be an indicator of terrorism or espionage - Data exfiltrated to unauthorized domains; - Unexplained storage of encrypted data; - Unexplained user accounts - Hacking or cracking activities - Social engineering, electronic elicitation, e-mail spoofing or spear phishing - Malicious codes or blended threats such as viruses, worms, trojans, logic bombs, malware, spyware or browser hijackers

Question 28

Examples of cyber intrusion

Answer 28

- Port and services scanning from consistent or constant addresses - Hacking into the system - Placing malware hacking tools into the system - Passive efforts (e.g.; unsolicited emails containing malware or internet sites that entice users to download files that contain embedded malware) - Exploitation of knowledgeable

Question 29

Contractors must report cyber intrusions against classified information systems that indicate:

Answer 29

Espionage Sabotage Terrorism Subversive activity

Question 30

Why does software need to be patched and updated regularly?

Answer 30

To provide fixes for vulnerabilities and opportunities for adversaries to access information systems

Question 31

Countermeasures for software with vulnerabilities

Answer 31

- Comply with the measures in your organization’s policies, including the Technology Control Plan (TCP) - Stay current with patches and updates - Conduct frequent computer audits (daily - ideally, weekly - minimum) - Do not rely on firewalls to protect against all attacks - Report intrusion attempts

Question 32

What is a Technology Control Plan?

Answer 32

- Stipulates how a company will control access to its export-controlled technology - Outlines the specific information that has been authorized for release - May be required by the National Industrial Security Program Operating Manual (NISPOM) and the International Traffic in Arms Regulations (ITAR) under certain circumstances

Question 33

What does a Technology Control Plan (TCP) protect?

Answer 33

- Classified and export-controlled information - Control access by foreign visitors - Control access by employees who are foreign persons

Question 34

What is removable media?

Answer 34

Any type of storage device that can be added to and removed from a computer while the system is running

Question 35

Countermeasures to guard against removable media vulnerabilities

Answer 35

- Do not use flash media unless operationally necessary and government-owned - Do not use any personally owned/non-Government removable flash media on DoD systems - Do not use Government removable flash media on non-DoD/personal systems - Encrypt all data stored on removable media - Encrypt in accordance with the data's classification or sensitivity level - Use only removable media approved by your organization - Store in GSA approved storage containers at the appropriate level of classification

Question 36

Confidentiality

Answer 36

Assurance that information is not disclosed to unauthorized individuals, processes or devices

Question 37

Integrity

Answer 37

Assurance that information is not modified or destroyed via unauthorized means

Question 38

Availability

Answer 38

Assurance that information is available to users in a timely manner

Question 39

Non-repudiation

Answer 39

Assurance that electronic messages are authentic

Question 40

Authentication

Answer 40

Assurance that the identity of users has been verified prior to allowing access to an information system

Question 41

POAM

Answer 41

Plan of Action and Milestones (POA&M) - Outlines the severity of vulnerabilities - Provides a plan and timeline for mitigating the problem

Question 42

SAR

Answer 42

Security Assessment Report (SAR) -Prepared by the SCA who makes an authorization recommendation, but the ultimate authorization decision must be issued by the AO

Question 43

SSP

Answer 43

System Security Plan (SSP) | -Identifies the protection measures to safeguard information being processed in a classified environment

Question 44

ATO

Answer 44

Approval to Operate (ATO) - Granted after the information system is determined to be in compliance by a successful onsite validation to ensure the system is properly configured and protected - Represents the AO’s acceptance of the information technology system - Confirmation that the information system is operating at an acceptable level of risk

Question 45

DATO

Answer 45

Denial of Approval To Operate (DATO) - Represents the AO’s determination that a contractor information system cannot operate due to inadequate design, failure to adequately implement assigned controls or other lack of adequate security - Halts operation of the system if it is already operational

Question 46

Authorizing Official (AO)

Answer 46

Ultimate approving responsibility and authority for systems and networks

Question 47

Security Relevant Challenges

Answer 47

- Any changes/actions affecting the availability, integrity, authentication, confidentiality or non-repudiation of an information system or its environment - Examples include changes to: - identification and authentication - auditing - malicious code detection - sanitization - operating system - firewall - router tables and intrusion detection systems (IDS) of a system - any changes to its location or operating environment

Question 48

Decommisionning

Answer 48

- Occurs when the information system is no longer needed, such as at the end of a contractor program or when the AO withdraws the system’s ATO - The contractor decommissions the information system according to the planned strategy in the SSP

Question 49

What does RMF protect against?

Answer 49

- Threats from outside users - Threats from insider or authorized users - Vulnerabilities in information systems - Information leaks - Malicious software and virus attacks - Hackers