S3 Flashcards

(188 cards)

1
Q

what is cybersecurity?

A

practice of protecting an organization’s IT infrastructure and critical data from bad actors by deploying technologies, internal control processes, and best practices

2
Q

what are the 4 highest security concerns of those charged with IT governance?

A

breaches of data
theft of data
service interruptions
regulatory noncompliance

3
Q

what are 4 examples of data breaches?

A

ransomware
phishing
malware
compromised passwords

4
Q

what is a service disruption?

A

unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time

5
Q

what are 4 examples of service disruptions?

A

malware
distributed denial of service (DDoS) attacks
SQL injections
password attacks

6
Q

what 2 things should organizations do to combat cybersecurity threats?

A

1) discuss various programs to mitigate risks
2) constantly update security measures

7
Q

what is a cyberattack?

A

any kind of malicious activity that:
- targets computer information systems
- attempts to collect, disrupt, deny, destroy, etc. information systems

8
Q

what are the 6 methods a cybersecurity attack can be grouped into?

A

network based attacks
host based attacks
social engineering attacks
application based attacks
physical attacks
supply chain attacks

9
Q

what is a threat agent?

A

an internal or external attacker that could negatively impact data security

10
Q

what are 6 examples of threat agents?

A

attacker, threat actor, hacker
adversary
government/state sponsored actors
hacktivists
insiders
external threats

11
Q

what are the 12 types of network based attacks?

A

backdoors and trapdoors
covert channels
buffer overflows
denial of service (DoS)
distributed denial of service (DDoS) attacks
man in the middle (MITM) attacks
port scanning
ransomware
reverse shell
replay attacks
return oriented
spoofing

12
Q

what is a covert channel?

A

mechanism used to transmit data using methods not originally intended for data transmission

13
Q

what are 2 types of covert channels?

A

storage channels
timing channels

14
Q

what is a storage channel?

A

data is transmitted to a storage location allowing another party with lower security permission to access the data

15
Q

what is a timing channel?

A

uses the delay (or gaps) in transmitting data packets to hide the transmission of data

16
Q

what is a buffer overflow?

A

attacker overloads a program’s buffer (temporary storage) with more input than it is designed to hold

17
Q

what is a DoS attack?

A

attacker floods a system’s network by congesting it with large volumes of traffic that is greater than the bandwidth it was designed to handle

18
Q

what is a DDoS attack?

A

multiple attackers are working in unison to flood an organization’s network with traffic

19
Q

what is the difference between DoS and DDoS attack?

A

DDoS requires MULTIPLE attackers and coordination amongst them

20
Q

what is a MITM attack?

A

attacker acts as an intermediary between two parties intercepting communications

21
Q

what is a port scanning attack?

A

attackers scan networks for open ports to find vulnerabilities to gain unauthorized access to a network

22
Q

what is a reverse shell attack?

also known as an inside-out attack or connect-back shell

A

victim initiates communication with an attacker from behind a company’s firewall so that the attacker can bypass the firewall to remotely control the victim’s machine

23
Q

what is a replay attack?

A

type of MITM attack in which a cybercriminal eavesdrops on a secure network communication, intercepts it, and then “replays” the message at a later time to the intended target to gain access to the network

24
Q

what is a return oriented attack?

A

sophisticated technique that utilizes pieces of legitimate original system code (each a gadget) in a sequence to perform operations useful to the attacker

25
Q

what is spoofing?

A

act of impersonating someone or something to obtain unauthorized system access by using falsified credentials or imitating a legitimate person or entity by using fake IP addresses, domains, or email addresses

26
Q

what are 2 types of spoofing?

A

DNS spoofing
hyperlink spoofing

27
Q

what are 4 types of application based attacks?

A

SQL injection
cross site scripting (XSS)
race condition
mobile code

28
Q

what is a SQL injection?

A

attacker injects malicious SQL code into existing SQL code on a company's website to gain unauthorized access to a company's data

29
Q

what is an XSS attack?

A

similar to SQL injection, but these attacks inject code into a company's website that attacks users visiting the company's website

30
Q

what is the main difference between a SQL injection and an XSS attack?

A

the main target of the attack:
- SQL injection targets the database
- XSS targets the company's website

31
Q

what is a race condition attack?

A

attacker exploits a system or application that relies on a specific sequence of operations by forcing the application to perform two or more operations out of order or simultaneously

32
Q

what is a mobile code attack?

A

malicious mobile code known as a virus that is designed to move from one computer to the next, infecting each one

33
Q

what are 5 types of viruses?

A

overwrite virus (deletes or overwrites info in the infected file)
multipartite virus (mixture of infection methods)
parasitic virus (launches when an application with the virus launches)
polymorphic virus (mutates by changing its structure to avoid detection)
resident virus (installs a copy of itself in a computer's memory)

34
Q

what are 4 types of host based attacks?

A

brute force attacks
keystroke logging
malware
rogue mobile apps

35
Q

what are brute force attacks?

A

password cracking scheme in which an attacker uses an automated program that attempts to guess a password

36
Q

what is keystroke logging?

A

scheme involving tracking the sequence of keys pressed by a user on a keyboard to collect confidential data

37
Q

how are keystroke logging attacks usually delivered?

A

as trojan horses

38
Q

what is malware?

A

software or firmware intended to perform an unauthorized process that has an adverse impact on the security/availability of the system
ex. viruses, worms, trojan horses, adware, spyware, etc.

39
Q

what is a rogue mobile app attack?

A

involves use of a malicious app that appears legit but was installed by an attacker to steal information and gain unauthorized access

40
Q

what is typosquatting?

A

cybercrime where attackers register domain names that are similar to legitimate websites but contain common typographical errors that users might make when entering URLs

41
Q

what is a social engineering attack?

A

involves use of psychological manipulation or deception to get employees to divulge info, provide unauthorized access, or assist an attacker in committing fraud

42
Q

what are 7 types of social engineering attacks?

A

phishing
spear phishing
business email compromise (BEC)
pretexting
catfishing
pharming
vishing

43
Q

how is spear phishing different than regular phishing?

A

it targets a specific employee in a corporate entity by posing as a legit department or employee

44
Q

what are BEC attacks? (aka whaling)

A

a form of phishing that targets executives and other high ranking individuals and gets them to transfer money through a wire, pay fake suppliers, or send sensitive data

45
Q

what is pretexting?

A

involves creating a fake identity or scenario so the employee has a sense of urgency to act

46
Q

what is pharming?

A

starts with phishing and involves a victim entering personal info into a website or portal that imitates a legit website

47
Q

what is vishing?

A

involves fraudulent schemes using the telephone system or Voice over Internet Protocol (VoIP)

48
Q

what are 5 types of physical (on-premise) attacks?

A

intercepting discarded equipment
piggybacking
targeted by attackers
tampering
theft

49
Q

what is piggybacking?

A

attacker uses an authorized person's access to gain entrance to a physical location or electronic access

50
Q

what is tampering? what are some examples?

A

involves gaining physical access to a company's IT infrastructure and modifying the way its network collects, stores, processes, or transmits data
ex. physically rewiring cabling, plugging directly into the network, or adding an unauthorized device to the network

51
Q

what are supply chain attacks?

A

attacks that use cyber tactics to target the production and distribution of goods within a supply chain so there are larger disruptions in normal operations

52
Q

what are 5 types of supply chain attacks?

A

embedded software code
foreign sourced attacks
pre installed malware on hardware
vendor attacks
watering hole attacks

53
Q

what is a watering hole attack?

A

attackers identify websites of suppliers, customers, or regulators that are known to be used by several companies and then look for weaknesses to deliver malware, steal data, or obtain unauthorized access

54
Q

what are the 6 stages in a cyberattack?

A

reconnaissance
gaining access
escalation of privileges
maintaining access
network exploitation and exfiltration
covering tracks

55
Q

SOC 2 audits are an independent audit of what 2 things?

A

- management's attestation regarding the cloud service provider's controls
- other claims made by mgmt regarding security over their customers' data, privacy, and confidentiality

56
Q

what are 8 examples of cloud computing risks that companies should be aware of?

A

1) additional industry exposure
2) cloud malware injection attacks
3) compliance violations
4) loss of data
5) loss of control
6) loss of visibility
7) multi cloud and hybrid mgmt issues
8) theft or loss of intellectual property

57
Q

what are 6 risks related to mobile technologies?

A

application malware
lack of updates
lack of encryption
physical threats
unsecured wifi networks
location tracking

58
Q

what are 8 risks related to the internet of things (IoT)?

A

device mismanagement (insufficient password controls)
device spoofing (attacker creates an illegitimate device)
escalated cyberattacks
expanded footprint
information theft
outdated firmware
malware
network attacks

59
Q

what is threat modeling?

A

the process of identifying, analyzing, and mitigating threats to a network, system, or application

60
Q

what are 4 things that should be considered when evaluating the threat landscape?

A

different attack vectors or methods
magnitude of impact of the threat
existing vulnerabilities
types of threats

61
Q

what are the 6 phases of threat modeling?

A

1) identify assets
2) identify threats
3) perform reduction analysis
4) analyze impact of an attack
5) develop countermeasures and controls
6) review and evaluate

62
Q

what is a reduction analysis in threat modeling?

A

decomposing the asset being protected from the threat to understand how the asset interacts with potential threats

63
Q

what are the 3 common threat methodologies?

A

PASTA
VAST
STRIDE

64
Q

what is the goal of the PASTA model?

A

to prioritize the value of assets being protected

65
Q

what are the 7 stages of the PASTA model?

A

1) definition of the objectives (DO) for the analysis of risks
2) definition of technical scope (DTS)
3) application decomposition and analysis (ADA)
4) threat analysis (TA)
5) weakness and vulnerability analysis (WVA)
6) attack modeling and simulation (AMS)
7) risk analysis and management (RAM)

66
Q

what is the goal of the VAST model?

A

integrate threat management into a programming environment on a scalable basis

67
Q

what is the goal of the STRIDE model?

A

assess threats related to applications and operating systems

68
Q

what are the 3 objectives on the COSO cube? ORC

A

Operational
Reporting
Compliance

69
Q

what are the 5 internal controls on the COSO cube? CRIME

A

Control environment
Risk assessment
Control activities (Existing)
Information and communication
Monitoring activities

70
Q

what are the 4 areas of the organization on the COSO cube where the internal controls must be used? EDOF

A

Entity level
Division
Operating unit
Function (everyday functions)

71
Q

reporting/communication objectives for COSO must be done in what way?

A

FACT: fair, accurate, complete, timely

72
Q

what is the control environment often referred to as?

A

the tone at the top; it sets the ethical values for an organization

73
Q

looking at cyber risk through a COSO lens can allow mgmt to better communicate what 2 things?

A

risk tolerance levels
objectives for the business

74
Q

what are 3 areas domain specific security policies can be divided into?

A

user policies
regulatory policies
system based policies

75
Q

what is an acceptable use policy (AUP)?

A

control document that is created by an organization to regulate and protect technology resources by:
- assigning varying levels of responsibilities to job roles
- listing acceptable employee behavior
- specifying consequences

76
Q

what is a bring your own device (BYOD) policy?

A

allows employees to use their personally owned devices for work related activities and for connecting directly to a company's network

77
Q

what are 3 risks associated with a BYOD policy?

A

leak of sensitive data
breaking compliance with regulations
providing another inlet for bad actors to access company data

78
Q

what are 2 things security standards might do?

A

define a minimum level of performance
provide recommendations on how to implement security policies

79
Q

what are security standard operating procedures (SOPs)?

A

lowest level of documentation; provide detailed instructions on how to perform specific security tasks or controls

80
Q

a network allows users to do what 3 things?

A

send data
receive data
store data

81
Q

what is an access point (AP) in a network?

A

wireless connection point for users to directly connect to a wired network using wireless enabled devices

82
Q

what is a bridge in a network?

A

connects separate networks that use the SAME protocol
- operates at the data link layer

83
Q

what is the difference between a bridge and a gateway?

A

a bridge connects networks with the SAME protocol, while a gateway can connect networks with DIFFERENT protocols

84
Q

what is a hub in a network?

A

connection point that links multiple systems and devices using the same protocol within a single network

85
Q

what is a switch in a network?

A

routes traffic to target destinations, connecting various devices within a network
- more robust than hubs, with more ports

86
Q

what is a proxy in a network?

A

form of gateway that acts as a mediator, performing functions on behalf of another network and blocking hackers from entry into a private network

87
Q

what are 8 network security methods companies can use to defend against cyberattacks?

A

network segmentation or isolation
firewall
service set identifier (SSID)
virtual private network (VPN)
wifi protected access (WPA)
endpoint security
system hardening
media access control (MAC) filtering

88
Q

what is network segmentation or isolation?

A

controlling network traffic so that it is either inaccessible or separated from outside communication or other segments within the org.

89
Q

what is an SSID? how do you make it secure?

A

name assigned to a wireless network
can be made more secure by disabling SSID broadcasting

90
Q

what is wifi protected access (WPA)?

A

security protocol that encrypts wireless internet connections between routers, switches, and mobile devices

91
Q

what is tunneling?

A

one protocol is encrypted in another to create a "tunnel" of protection

92
Q

what is endpoint security?

A

notion that every device connected to a network (called a host) should have some form of local security that is separate from any other security measure in place on the network

93
Q

what is system hardening?

A

reducing risk by minimizing the number of access points through which a company could be attacked

94
Q

what are 4 examples of system hardening?

A

database hardening
endpoint hardening
network hardening
server hardening

95
Q

what is MAC filtering?

A

form of filtering in which an access point blocks access to unauthorized devices using a list of approved MAC addresses

96
Q

what are 4 cybersecurity practices organizations should implement to help thwart evolving threats?

A

zero trust
least privilege
need to know principle
whitelisting (allowlisting)

97
Q

what is zero trust architecture (ZTA) designed to do?

A

prevent data breaches and limit internal lateral movement by implementing:
- a set of system design principles
- a coordinated cybersecurity and system mgmt strategy

98
Q

what is least privilege?

A

notion that users and systems are granted the minimum authorization and system resources needed to perform their job

99
Q

what is the difference in focus between need to know and least privilege?

A

need to know: data
least privilege: access

100
Q

what is allowlisting (whitelisting)?

A

process of identifying a list of applications that are authorized to run on an organization's systems and only allowing those programs to execute

101
Q

what is denylisting (blacklisting)?

A

process used to identify a list of applications that are not authorized on a network and prevent those from running

102
Q

what are 8 types of authentication technologies?

A

context aware authentication
digital signatures
single sign on (SSO)
multifactor authentication (MFA)
personal identification number (PIN)
smart cards
token
biometrics

103
Q

what is context aware authentication?

A

identifies mobile device users by using contextual data points like time, location, point of access, or IP address

104
Q

what is a token?

A

device that generates fixed digit passcodes and is carried by the user as a form of MFA

105
Q

what is a synchronous token? asynchronous?

A

- synchronous: time based; the token and the server must be in sync at the same time
- asynchronous: tokens that are not time based but create passcodes based on the same algorithm

106
Q

what is hashing?

A

process of converting passwords into illegible text using hash algorithms

107
Q

what is provisioning?

A

process in identity management in which an organization creates a user's account and provisions it with privileges based on the user's job role

108
Q

is vulnerability management proactive or reactive?

A

proactive

109
Q

what are vulnerability scanners?

A

applications that test a company's systems for known security risks

110
Q

how do scanners work? (4 steps)

A

scan for open network ports that can be exploited
analyze data packets transmitting across systems
identify protocols being used
fingerprinting

111
Q

what is fingerprinting?

A

identifying the operating systems and applications running on the system

112
Q

what is a common vulnerabilities and exposures (CVE) dictionary?

A

database of security vulnerabilities that provides unique identifiers for different vulnerabilities and risk exposures to standardize them

113
Q

what is the purpose of layered security?

A

protect an organization by using a diversified set of security tactics so that a single cyberattack or security vulnerability does not compromise an entire system

114
Q

layered approaches typically combine what 3 controls?

A

physical access controls
logical and technical controls
administrative controls

115
Q

what is defense in depth?

A

type of layered security that does not rely on technology alone but combines multiple systems/layers to protect the organization

116
Q

what are the 5 layers of a defense in depth strategy?

A

personnel
policies
technology
physical access controls
logical access controls

117
Q

redundancy in layered security can be administered through what 4 terms?

A

layering processes
isolating processes
concealing data
segmenting hardware

118
Q

how does layering processes add redundancy?

A

breaks up an operation into smaller chunks that can be managed by different people, performed by a machine/computer, or isolated from other parts of the process

119
Q

what is abstraction in terms of layered security?

A

process of hiding the complexity of certain tasks so that only the relevant information is presented to specific people to limit access

120
Q

what is the difference between the main focus of abstraction and concealment?

A

concealment's primary focus is to hide data, while abstraction's focus is to remove underlying data/simplify it

121
Q

what are the 3 categories cybersecurity controls can be grouped into?

A

preventative
detective
corrective

122
Q

what are the 6 types of access controls?

A

discretionary
mandatory
role based
rule based
policy based
risk adaptive

123
Q

what are discretionary access controls (DAC)?

A

decentralized control that allows data owners to manage their own access and others' access to the data or objects they own or created

124
Q

what are mandatory access controls?

A

nondiscretionary controls that allow administrators to centrally manage and enforce rules consistently across an environment

125
Q

what are role based access controls?

A

administer access based on a user's job role instead of individually assigning permissions

126
Q

what are rule based access controls?

A

administrators set up a predetermined set of rules or access permissions independent of the user's role

127
Q

what are the 5 steps to rule based access controls?

A

1) rules are created by the admin
2) rules are integrated in the system
3) user presents their access credentials
4) control mechanism checks credentials
5) user is granted or denied access

128
Q

what are policy based access controls (PBAC)?

A

combination of user roles and policies consisting of rules to maintain and evaluate user access dynamically, so access can change
- more flexible; looks at people individually

129
Q

what are risk based access controls?

A

apply controls based on the risk level of the asset, the identity of the user, the user's intentions, and the security risk that exists for the asset being accessed

130
Q

what is an access control list (ACL)?

A

list of rules that outlines which users have permission to access certain resources

131
Q

what are the 2 ways ACL lists are set up?

A

- broad: filter all of an org's network traffic
- focused: filter access to specific files or directories for different users

132
Q

what are the 2 types of ACLs? define them

A

- filesystem ACL: grants or denies privileges in an OS by restricting access to certain files
- networking ACL: regulates the type of network traffic that is allowed to flow across a network

133
Q

how are ACLs and firewalls different?

A

- ACLs are generally used to manage user access and permissions
- firewalls are intended to protect an organization from attacks (an ACL can be used like that too)

134
Q

what is a stateful ACL?

A

tracks the status of network connections and distinguishes between legit and illegitimate packets, just like a firewall

135
Q

what are 5 detective controls?

A

network intrusion detection systems (NIDS)
antivirus software monitoring
network monitoring tools
log analysis
intrusion detection systems (IDS)

136
Q

what do NIDS do?

A

match elements of traffic to a library of known attacks and then send alerts when events meet predefined criteria

137
Q

what is an IDS?

A

security solution that scans the environment to monitor and analyze network or system events to find and provide real time warning of attempts at a security breach

138
Q

what are 7 corrective controls?

A

reconfigurations
upgrades or patches
revised policies and procedures
updated employee training
virus quarantining
recovery and continuity plans
antivirus software removal of malicious viruses

139
Q

what are the 4 main components of a risk management framework? FARM

A

establish a risk Framework
Assessing risk
Responding to risk
Monitoring risk

140
Q

a risk framework requires companies to identify what 4 things?

A

risk assumptions
risk constraints
risk tolerance
priorities and trade offs

141
Q

what is the difference between vulnerability assessments and security assessments?

A

- vulnerability assessments focus on technical weaknesses in a system
- security assessments focus on a comprehensive eval of the overall security of a system

142
Q

what are 3 assessment methods in security assessment engagements?

A

examination
interviewing
testing

143
Q

what is a security assessment report (SAR)?

A

report that provides a disciplined and structured approach for documenting the findings of the assessor and recommendations for correcting any issues/vulnerabilities

144
Q

what are the 6 general items/topics included in a SAR?

A

summary of findings
system overview
assessment methodology
security assessment findings
recommendations
action plan

145
Q

what are 6 types of security assessment evaluators?

A

system auditors
developers
assessors
inspectors general
system integrators
other system owners

146
Q

security assessment evidence helps an assessor determine the effectiveness of what 3 security functions and activities?

A

privacy and security controls
change management practices
compliance with policies, regulations, and standards

147
Q

what are the 3 methods/options of communicating relevant security awareness training?

A

fully outsourced
managed solely in house
hybrid

148
Q

what are the 3 relevant categories of personnel in IT security awareness training?

A

management
specialized IT personnel
all other employees

149
Q

what are 5 examples of metrics used in phishing simulations?

A

click rate
re-click rate
report rate
non-responder rate
reply rate

150
Q

what is the difference between privacy and confidentiality?

A

- privacy: protects the rights of an individual and gives them the decision of what info they want to share
- confidentiality: protects against unauthorized access to info gathered by the company

151
Q

what is personally identifiable information (PII)?

A

all data that can be used to identify any individual

152
Q

what is obfuscation?

A

process of replacing production data or sensitive information with data that is less valuable to unauthorized users

153
Q

what are the 3 most common obfuscation techniques?

A

encryption
tokenization (replaces real data with fake data)
masking (swaps data with other like data, ex. using *)

154
Q

what is the difference between tokenization and encryption in terms of obfuscation?

A

tokenization does NOT change the length or type of characters, whereas encryption does

155
Q

ciphertext can only be decoded by what?

A

a key with the mathematically encoded algorithm

156
Q

what are the 2 most common encryption methods?

A

symmetric encryption
asymmetric encryption

157
Q

what is symmetric encryption?

A

involves a single shared or private key for encryption and decryption used by all members in the group

158
Q

what are 2 drawbacks of symmetric encryption?

A

- does not facilitate non-repudiation, because any person with the shared key can encrypt and decrypt
- hard to scale

159
Q

what is asymmetric encryption?

A

involves a public key to encrypt the message and a private key to decrypt it, or vice versa

160
Q

what is a drawback of asymmetric encryption?

A

slower process of operation to encrypt/decrypt

161
Q

what is the difference between hashing and encryption?

A

- hashing is a one-way scramble of text
- encryption is two-way
- hashing focuses on integrity of data
- encryption focuses on confidentiality of data

162
Q

what are ciphers?

A

result of applying encryption algorithms that encode unencrypted messages into an encrypted form

163
Q

what are 2 types of ciphers? what are they?

A

- substitution ciphers (replace each character of plaintext with another character)
- transposition ciphers (rearrange the letters of a message to make it unreadable)

164
Q

what does data loss prevention (DLP) enable organizations to do?

A

detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization

165
Q

what are the 6 main objectives and best practices of DLP?

A

1) implement a centralized DLP program
2) define and create enterprise data usage policies
3) evaluate different forms of data
4) monitor the use of sensitive data
5) enforce security policies
6) implement employee education programs

166
Q

what are 4 ways to remove and destroy confidential information at the end of its life cycle?

A

physical destruction
overwriting
deleting
purging

167
Q

what is a read-through? what 2 things does it let an org. do?

A

involves distributing security, confidentiality, and privacy procedures to team members
lets an org:
- inform personnel of these procedures
- review plans for obsolete information

168
Q

what is a walk-through?

A

one step beyond a read-through, in which you actually walk around the facility to role play a privacy breach scenario

169
Q

what is a fire drill?

A

one step beyond a walk-through, in which you act in real time as if the breach were occurring

170
Q

what are the 6 steps of a walk-through?

A

1) plan and prep
2) obtain an understanding
3) perform walk-through
4) create documentation
5) test
6) evaluate and report

171
Q

what 2 things does a service auditor do in a SOC 2 engagement?

A

- evaluate results of all procedures performed
- conduct quantitative and qualitative analysis of the operating effectiveness of the controls

172
Q

what is the most critical component of an incident response plan (IRP)?

A

human capital designated to respond to an incident

173
Q

what are the 3 models NIST recommends for an IRP team?

A

centralized incident response team (single incident team)
distributed incident response team (multiple teams responsible for different areas)
coordinating team (dispatching team to coordinate with other departments)

174
Q

what are the 5 factors NIST recommends when selecting appropriate structure and staffing models for incident response teams?

A

24/7 availability
full time vs. part time team members
employee morale
cost
staff expertise

175
Q

what are 3 areas of additional duties incident response teams may need to be responsible for?

A

education and awareness
advisory distribution (cyber briefings/newsletters)
information sharing

176
Q

what 2 things must an IRP distinguish between?

A

how to recognize and respond to an event vs. an incident

177
Q

what is an event in terms of an IRP?

A

observable occurrence in a system or network

178
Q

what is a computer security incident in terms of an IRP?

A

computer security related event caused by MALICIOUS human intent, not environmental or indirect human factors

179
Q

what are the 7 general steps in responding to an incident?

A

1) preparation
2) detection
3) containment
4) eradication
5) reporting
6) recovery
7) learning

180
Q

what are the 6 different phases of the SANS institute IRP?

A

1) preparation
2) identification
3) containment
4) eradication
5) recovery
6) lessons learned

181
Q

SANS IRP guidance is given on applying different commands to identify what 3 unusual things?

A

processes
files
registry keys

182
Q

what are the 4 steps of the NIST IRP?

A

1) preparation
2) detection and analysis
3) containment, eradication, recovery
4) post incident activity

183
Q

what is the goal of the NIST IRP?

A

create detailed plans of action based on different scenarios

184
Q

what are the 6 steps of the International Organization for Standardization (ISO) IRP?

A

1) evaluate event criteria and define an incident
2) monitor and detect events by human or automated means
3) manage incidents to the end of their lifecycle
4) coordinate with authorities and handle evidence properly
5) perform a root cause analysis
6) report on all incident mgmt activities

185
Q

what are 3 other IRP organizations and frameworks to be familiar with?

A

information technology infrastructure library (ITIL)
United States computer emergency readiness team (US-CERT)
payment card industry data security standard (PCI-DSS)

186
Q

what are 7 common IRP metrics?

A

mean time to detect (MTTD)
mean time to acknowledge (MTTA)
mean time to contain (MTTC)
mean time to repair (MTTR)
mean time between failures (MTBF)
system availability or downtime
service level agreement compliance

187
Q

what are 7 common insurable losses from cyber insurance?

A

business interruption losses
cyber extortion losses
incident response costs
replacement costs for information systems
litigation and attorney fees
reputational damage
information or identity theft

188
Q

what are the 10 cyber insurance requirements for applicants?

A

background checks
compliance with regulations
disaster recovery plan
employee training
company policies in place
independent risk assessment
incident response plans
IT controls in place
mandatory pen testing
loss history