Exam2

Question 1

An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.

Answer 1

Service Level Agreement (SLA)

Question 2

Expresses an understanding between two or more parties indicating their intention to work together toward a common goal

Answer 2

Memorandum of Understanding (MOU)

Question 3

Evaluates the processes and tools used to make measurements. Uses various methods to identify variations within a measurement process that can result in invalid results.

Answer 3

Measurement System Analysis (MSA)

Question 4

A written agreement that details the relationship between business partners, including their obligations toward the partnership.

Answer 4

Business partnership Agreement (BPA)

Question 5

Refers to the date when a product will no longer be offered for sale

Answer 5

End of Life (EOL)

Question 6

Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.

Answer 6

End of Service Life (EOSL)

Question 7

Used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.

Answer 7

NDA

Question 8

System of organizing data according to its sensitivity. Common classifications include public, confidential, secret, and top secret.

Answer 8

Data Classification

Question 9

Refers to the processes an organization uses to manage, process, and protect data.

Answer 9

data governance

Question 10

Identifies how long data is retained and sometimes specifies where it is stored

Answer 10

Data Retention Policy

Question 11

• An account on a computer associated with
  a specific person
• The computer associates the user with a specific
  identification number
• Storage and files can be private to that user
• Even if another person is using the same computer
• No privileged access to the operating system
• Specifically not allowed on a user account
• This is the account type most people will use
• Your user community

Answer 11

Credential policies: personnel

Question 12

• Access to external third-party systems
• Cloud platforms for payroll, enterprise resource planning, etc.
• Third-party access to corporate systems
• Access can come from anywhere
• Add additional layers of security
• 2FA (two factor authentication)
• Audit the security posture of third-parties
• Don’t allow account sharing
• All users should have their own account

Answer 12

Credential policies: Third-party

Question 13

• Access to devices
  
  • Mobile devices
• Local security
  
  • Device certificate
  • Require screen locks and unlocking standards
  • Manage through a Mobile Device Manager (MDM)
• Add additional security
  
  • Geography-based
  • Include additional authentication factors
  • Associate a device with a user

Answer 13

Credential policies: Devices

Question 14

• Used exclusively by services running on a computer
• No interactive/user access (ideally)
• Web server, database server, etc.
• Access can be defined for a specific service
• Web server rights and permissions will be
  different than a database server
• Commonly use usernames and passwords
• You’ll need to determine the best policy for
  password updates

Answer 14

Credential policies: service accounts

Question 15

• Elevated access to one or more systems
  
  • Super user access
• Complete access to the system
  
  • Often used to manage hardware, drivers, and
    software installation
• This account should not be used for normal
  administration
  
  • User accounts should be used
• Needs to be highly secured
  
  • Strong passwords, 2FA
  • Scheduled password changes

Answer 15

Credential policies: Administrator/Root Accounts

Question 16

Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.

Answer 16

Change Management

Question 17

The procedures used to identify, document, approve, and control changes to the project baselines

Answer 17

Change Control

Question 18

The process of tracking valuable assets throughout their life cycles

Answer 18

Asset management

Question 19

Any risks from outside an organization. This includes and threats from external attackers It also includes and natural threats, such as hurricanes, earthquakes, and tornadoes. Sometimes predictable, often not.

Answer 19

Risk types: External

Question 20

Any risks from within an organization. This includes employees and all the hardware and software used within the organization. These risks are generally predictable and can be mitigated with standard security controls.

Answer 20

Risk Types: Internal

Question 21

occur when an organization contracts with an external organization for goods or services. If the third-party suffers an attack it may expose the contracting organization to additional threats.

Answer 21

Risk Types: Multiparty

Question 22

• Acceptance
• Avoidance
• Transference
• Mitigation

Answer 22

Risk Management Strategies

Question 23

When the cost of a control outweighs the risk, an organization will often accept the risk.

Answer 23

Acceptance

Question 23

An organization can avoid a risk by not providing a service or not participating in a risky activity.

Answer 23

Avoidance

Question 24

The organization transfers the risk to another entity or at least shares the risk with another entity. The most common method is by purchasing insurance.

Answer 24

Transference

Question 25

The primary risk is that vendors do not support these systems. If vulnerabilities become known, the vendor doesn't release patches, and anyone using the system is at risk.

Answer 25

Risk Types: Legacy Systems

Question 26

Intellectual Property (IP) includes things like copyrights, trademarks, patents, and trade secrets. Intellectual Property is valuable to an organization and IP theft represents a significant risk.

Answer 26

Risk Types: IP theft

Question 27

If individuals or organizations use software without buying a license, the development company loses money. Similarly, an organization can lose money if it buys licenses but does not protect them.

Answer 27

Risk Types - Software Compliance/Licensing

Question 28

The organization implements controls to reduce risks. These controls either reduce the vulnerabilities or reduce the impact of the threat.

Answer 28

Mitigation

Question 29

helps protect businesses and individuals from losses related to cybersecurity incidents such as data breaches and network damage.

Answer 29

Cybersecurity Insurance

Question 30

identifies potential issues that could negatively impact an organization's goals and objectives.

Answer 30

Risk Analysis

Question 31

Encryption, antivirus, IDS/IPS, firewalls

Answer 31

Technical controls

Question 32

Risk assessment, vulnerability assessment, pen testing

Answer 32

Administrative controls

Question 32

Security guards etc

Answer 32

Physical controls

Question 33

Hardening, Security training, and security guards, change management

Answer 33

Preventative controls

Question 34

Log monitoring, trend analysis, security audits, cctv (can also act as deterrent control)

Answer 34

Detective controls

Question 35

IPS detects attack and then modify environment to stop attack. Backups and system recovery allows recovery from incidents or failure.

Answer 35

Corrective controls: attempt to reverse impact of incident.

Question 35

Cable and hardware locks deter thieves.

Answer 35

Deterrent controls (can also be described as preventative controls)

Question 36

Alternate controls used instead of primary ones, when they are not available

Answer 36

Compensating controls

Question 37

Time-based one-time password, uses a timestamp instead of a counter, and expire within 30 sec.

Answer 37

TOPT

Question 38

remains active until it is used, so someone can shoulder surf and steal it.

Answer 38

HOPT

Question 39

Network authentication protocol within a microsoft windows active directory, providing mutual authentication to prevent man in the middle and replay attacks (attacker attempts to impersonate user after intercepting data).

Answer 39

Kerberos

Question 40

You can use the same account that has been created with google/fb etc, so you can do things like pay a website with paypal.

Answer 40

OAuth

Question 41

Works with OAuth 2.0, and allows verification without handling credentials.

Answer 41

OpenID Connect