S3

Question 2

What are the highest security concerns for senior executives?

Answer 2

Breaches of data, theft, service interruptions, and regulatory non-compliance

These concerns are critical for IT governance.

Question 3

What occurs during a data breach?

Answer 3

Information is compromised and utilized without the authorization of the owner.

Question 4

Define service disruptions.

Answer 4

An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time.

Question 5

What can result from failing to comply with cybersecurity regulations?

Answer 5

Fines and financial penalties.

Question 6

What is a cyberattack?

Answer 6

Any kind of malicious activity that targets computer information systems, infrastructures, networks, or devices.

Question 7

What is a threat agent?

Answer 7

An internal or external attacker that could negatively impact data security.

Question 8

List types of threat agents.

Answer 8

• Attacker, Threat Actor, or Hacker
• Adversary
• Government-Sponsored/State-Sponsored Actors
• Hacktivists
• Insiders
• External Threats

Question 9

What are network-based attacks?

Answer 9

Attacks that target the infrastructure of a network to gain unauthorized access or disrupt operations.

Question 10

Name examples of network-based attacks.

Answer 10

• Backdoors and trapdoors
• Covert channels
• Denial-of-service (DoS)
• Distributed denial-of-service (DDoS)
• Man-in-the-middle (MITM)
• Ransomware

Question 11

What do application-based attacks target?

Answer 11

Specific software or applications to gain unauthorized access or disrupt functionality.

Question 12

Provide examples of application-based attacks.

Answer 12

• SQL injection
• Cross-site scripting (XSS)
• Race condition
• Malicious mobile code

Question 13

What is a social engineering attack?

Answer 13

Attacks that use psychological manipulation to get employees to divulge sensitive information.

Question 14

Name some examples of social engineering attacks.

Answer 14

• Phishing
• Spear phishing
• Business email compromise (BEC)
• Pretexting
• Catfishing

Question 15

What are the stages in a cyberattack?

Answer 15

• Reconnaissance
• Gaining Access
• Escalation of Privileges
• Maintaining Access
• Network Exploitation and Exfiltration
• Covering Tracks

Question 16

What is cloud computing?

Answer 16

A way for organizations to store, use, process, and share data without needing to own or manage the resources.

Question 17

List risks specific to cloud computing.

Answer 17

• Additional industry exposure
• Cloud malware injection attacks
• Compliance violations
• Loss of control
• Theft of intellectual property

Question 18

What are the risks related to mobile devices?

Answer 18

• Application malware
• Lack of updates
• Lack of encryption
• Physical threats
• Unsecured Wi-Fi networks

Question 19

Define threat modeling.

Answer 19

The process of identifying, analyzing, and mitigating threats to a network, system, or application.

Question 20

What is the CIA Triad?

Answer 20

Confidentiality, Integrity, and Availability.

Question 21

List the phases of threat modeling.

Answer 21

• Identify assets
• Identify threats
• Perform reduction analysis
• Analyze the impact of an attack
• Develop countermeasures and controls

Question 22

What does COSO stand for?

Answer 22

Committee of Sponsoring Organizations.

Question 23

What are the five components of the COSO internal control framework?

Answer 23

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

Question 24

What is an acceptable use policy (AUP)?

Answer 24

A control document created to regulate and protect technology resources.

Question 25

What does a BYOD policy allow?

Answer 25

Employees to use their personally owned devices for work-related activities.

Question 26

What is network segmentation?

Answer 26

A method to isolate different parts of a network to enhance security.

Question 27

Define vulnerability management.

Answer 27

A proactive security practice designed to prevent the exploitation of IT vulnerabilities.

Question 28

What is the purpose of layered security?

Answer 28

To protect an organization using a diversified set of security tactics.

Question 29

What are preventive controls?

Answer 29

Controls designed to thwart malicious activity from ever occurring.

Question 30

What is the purpose of detective controls?

Answer 30

To detect a threat event while it is occurring.

Question 31

What is corrective control intended for?

Answer 31

To fix known vulnerabilities as a result of recent security incidents.

Question 32

What does the NIST framework for risk management include?

Answer 32

* Risk framework * Assess risk * Respond to risk * Monitor risk

Question 33

What is the first step in a security assessment engagement?

Answer 33

Defining assessment procedures.

Question 34

What are Security Assessment Reports (SARs)?

Answer 34

Reports issued as evidence of the security assessment findings.

Question 35

What are the four components of risk management?

Answer 35

Risk framework, assess risk, respond to risk, monitor risk

Question 36

What is the first step in a security assessment engagement?

Answer 36

Defining assessment procedures

Question 37

What does an assessment object identify?

Answer 37

Items being assessed as part of a specific control

Question 38

What are the methods used in security assessments?

Answer 38

* Examination * Interviewing * Testing

Question 39

What is a Security Assessment Report (SAR)?

Answer 39

A report documenting the findings and recommendations for correcting identified issues

Question 40

What key elements do SARs generally include?

Answer 40

* Summary of findings * Systems overview * Assessment methodology * Security assessment findings * Recommendations * Action plans

Question 41

Who plays a role in protecting a company's digital and physical assets?

Answer 41

All employees

Question 42

What is critical to minimize cyber risk and damages from cyberattacks?

Answer 42

Education and training programs

Question 43

What are the three relevant categories of personnel in security awareness?

Answer 43

* Management * Specialized IT personnel * All other employees

Question 44

What components may be included in a successful security awareness program?

Answer 44

* Phishing simulations * Security program champions * Employee engagement

Question 45

What is the difference between confidentiality and privacy?

Answer 45

* Privacy: Protects individual rights and control over shared information * Confidentiality: Protects unauthorized access to company information

Question 46

What should organizations develop to protect the confidentiality of personal identifiable information (PII)?

Answer 46

Policies and procedures

Question 47

What is one method organizations can use to protect confidential data during data processing?

Answer 47

De-identifying personal information

Question 48

How can organizations control access to personal information?

Answer 48

Through access control policies and enforcement mechanisms

Question 49

What are two types of encryption methods?

Answer 49

* Symmetric Encryption * Asymmetric Encryption

Question 50

What does Data Loss Prevention (DLP) enable organizations to do?

Answer 50

Detect and prevent unauthorized transfers of sensitive information

Question 51

What are the two common types of DLP systems?

Answer 51

* Network-based DLP systems * Endpoint-based DLP systems

Question 52

What is the purpose of conducting walk-throughs of security policies?

Answer 52

To enhance the execution of security, confidentiality, and privacy strategies

Question 53

What are the steps involved in performing a walk-through?

Answer 53

* Plan and prep * Obtain an understanding * Perform the walk-through * Create documentation * Test * Evaluate and report

Question 54

What is the purpose of an Incident Response Plan (IRP)?

Answer 54

To document procedures for detecting, responding to, and limiting cyberattack consequences

Question 55

What are some key elements that an IRP should contain?

Answer 55

* Mission * Strategies and goals * Senior management approval * Purpose and objectives * Scope of the policy

Question 56

What is a critical component of an IRP related to human resources?

Answer 56

The designated human capital for incident response

Question 57

What are the seven steps in responding to incidents?

Answer 57

* Preparation * Detection * Containment * Eradication * Reporting * Recovery * Learning

Question 58

What is the function of cyber insurance policies?

Answer 58

To provide financial relief in the event of a successful cyberattack

Question 59

What types of losses are typically covered by cyber insurance?

Answer 59

* Business interruption losses * Cyber extortion losses * Incident response costs * Replacement costs for information systems * Litigation and attorney fees * Reputational damage * Information or identity theft