M2 - Mitigation
Questions and Answers

Which component of the COSO framework emphasizes the importance of leadership direction and company culture?

  • Control Environment (correct)
  • Risk Assessment
  • Info & Communication
  • Monitoring

What is the primary purpose of an Acceptable Use Policy in an organization?

  • To regulate acceptable behaviors regarding technology use (correct)
  • To monitor employee performance
  • To ensure data encryption during transmission
  • To manage device ownership and personal liability

Which of the following describes the concept of Network Segmentation?

  • Monitoring network actions on personal devices
  • Controlling network traffic to enhance security (correct)
  • Reducing risks by minimizing access points
  • Encrypting wireless internet connections

In the context of cybersecurity, what does 'System Hardening' aim to achieve?

  • Minimize vulnerabilities by reducing the system's attack surface (correct)

What is a key function of a Virtual Private Network (VPN)?

  • To encrypt traffic in transit across an untrusted network (correct)

Which policy defines personal liability for data on employee devices?

  • Bring Your Own Device Policy (correct)

What is the main focus of the Risk Assessment component of the COSO framework?

  • To analyze the likelihood and impact of risks, including cyber risks (correct)

What does WiFi Protected Access aim to achieve?

  • Encrypting wireless communication between devices (correct)

What is the primary goal of Zero Trust security?

  • Continuously verify a user's identity and access rather than trusting network location (correct)

Which of the following best describes Whitelisting?

  • A list of applications permitted to run on a system; anything not listed is blocked (correct)

What does Multi-Factor Authentication involve?

  • Employing two or more different kinds of factors (something you know, have, or are) to validate identity (correct)

Which access control method allows data owners the authority to manage their own data?

  • Discretionary Access Control (correct)

Which of the following is an example of detective controls?

  • Network Intrusion Detection System (correct)

In the context of cybersecurity, what does the Need to Know principle refer to?

  • Data access limited to those requiring it for their tasks (correct)

What type of authentication uses physical characteristics to verify identity?

  • Biometric authentication (correct)

What is the primary purpose of a Common Vulnerabilities and Exposures (CVE) dictionary?

  • To identify and standardize the naming of publicly known security vulnerabilities (correct)

Which password guideline advises against forcing periodic password changes (for example every 45-90 days) unless there is evidence of compromise?

  • NIST SP 800-63B (correct)

Which of the following is a component of layered security?

  • Physical, logical (technical), and administrative controls (correct)

What feature primarily differentiates Role-Based Access Control from other access control types?

  • Access permissions are dependent on a user's job role (correct)

What does the term 'defense in depth' primarily refer to in cybersecurity?

  • A comprehensive approach that combines multiple layers of security so that no single control is a single point of failure (correct)

What is a key characteristic of context aware authentication?

  • Considers various data points such as location, time, and device (correct)

Which type of access control is managed consistently by administrators?

  • Mandatory (Non-Discretionary) Access Control (correct)

    Study Notes

    COSO - Business Objectives

    • Operations (O): Focuses on efficiency and effectiveness of business processes.
    • Reporting (R): Record keeping must be FAIR (fair, accurate, complete, timely).
    • Compliance (C): Adherence to applicable laws and regulations (e.g., HIPAA, GDPR) and to adopted standards and frameworks (e.g., NIST publications).

    COSO - Five Components of Internal Control

    • Control Environment (C): The "tone at the top" – leadership direction, organizational culture and values.
    • Risk Assessment (R): Identification and analysis of risks (here, cyber risks), their likelihood and impact.
    • Information and Communication (I&C): Sharing information about cyber threats, detection, and response with the people who need it.
    • Monitoring (M): Ongoing evaluation that controls still work, e.g., penetration testing and vulnerability scanning.
    • Control Activities (listed here as "Existing Control Activities", E): The policies and procedures in place that put the chosen risk responses into effect.

    Security Policies

    • Comprehensive guides for implementing an organization's security framework.
    • Secure information during storage, transmission, and processing.

    Acceptable Use Policy

    • Controls technology resources and assigns responsibilities.
    • Outlines acceptable behaviors and consequences.
    • Often signed by new employees.

    Bring Your Own Device (BYOD) Policy

    • Allows employees to use personal devices.
    • Monitors activities on devices.
    • Defines ownership of data on devices.
    • Defines personal liability for data on devices.
    • Restricts activities and downloads.

    Network Segmentation/Isolation

    • Divides a network into zones (e.g., user, application, database, guest) and controls the traffic allowed between them, so a compromise in one zone cannot spread freely to the others; also separates internal traffic from external communications.

    Network/Wireless Security

    • Service Set Identifier (SSID): Name assigned to a wireless network (Wi-Fi).
    • Virtual Private Network (VPN): Secure communications over an untrusted network using encryption protocols.
      • Tunneling: Encapsulating one protocol within another.
      • IPsec: Network-layer protocol suite that authenticates and encrypts packets (AH, ESP); widely used to build VPNs.
    • WiFi Protected Access (WPA): Encrypts wireless connections. The original WPA (and WEP before it) is broken; deploy WPA2 or WPA3.
    • System Hardening: Reduces attack surfaces.
      • Database Hardening: Separate accounts and privilege levels so application and administrative users get only what they need.
      • Endpoint Hardening: Limits user rights on devices.
      • Network Hardening: Removing unused ports, services and protocols.
      • Server Hardening: Secure physical placement plus disabling unneeded services and keeping patches current.
    • Media Access Control (MAC) Filtering: Admits devices by hardware address only; weak on its own, because MAC addresses are visible on the air and trivially spoofed.
    • Zero Trust: Assumes the network is hostile even after authentication; every request is re-verified (identity, device, context) rather than trusted because of its network location.
    • Need-to-Know: Access only to the data a task requires.
    • Least Privilege: Only the rights essential for the job.
    • Whitelisting (allow-listing): Authorizing only specific applications to run; everything not listed is blocked.
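The segmentation notes above describe zones with controlled traffic between them. The following is an added example, not code from the original notes: a first-match network ACL evaluator of the kind a router or firewall runs between segments. The zone addresses, rules and flows are constructed for illustration.

```python
"""Added example (not from the original notes): a first-match network ACL
evaluator for a segmented network. Zones, addresses, rules and flows are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed segments. Each zone is its own subnet; the ACL below is what
# the device between them would enforce.
ZONES = {
    "guest": ip_network("10.10.0.0/24"),
    "users": ip_network("10.20.0.0/24"),
    "app":   ip_network("10.30.0.0/24"),
    "db":    ip_network("10.40.0.0/24"),
    "mgmt":  ip_network("10.99.0.0/24"),
}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Constructed ACL. Order matters: the first matching rule decides, and a
# flow that matches nothing is dropped (implicit default deny).
ACL = [
    Rule("allow", ZONES["mgmt"],  ANY,                      "tcp", 22),    # admins: SSH anywhere
    Rule("allow", ZONES["app"],   ZONES["db"],              "tcp", 5432),  # only the app tier -> DB
    Rule("allow", ZONES["users"], ZONES["app"],             "tcp", 443),   # staff -> app over HTTPS
    Rule("deny",  ZONES["guest"], ip_network("10.0.0.0/8"), "any", None),  # guests: nothing internal
    Rule("allow", ZONES["guest"], ANY,                      "any", None),  # guests: internet only
]


def evaluate(acl, src: str, dst: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule); index None means the
    implicit default deny fired."""
    s, d = ip_address(src), ip_address(dst)
    for i, rule in enumerate(acl):
        if rule.matches(s, d, proto, dport):
            return rule.action, i
    return "deny", None


def zone_of(addr: str) -> Optional[str]:
    a = ip_address(addr)
    return next((name for name, net in ZONES.items() if a in net), None)


if __name__ == "__main__":
    # Constructed flows: (src, dst, proto, dport)
    flows = [
        ("10.30.0.5", "10.40.0.10",    "tcp", 5432),  # app -> db: allowed by rule 1
        ("10.20.0.8", "10.40.0.10",    "tcp", 5432),  # user -> db: no rule, default deny
        ("10.10.0.3", "10.40.0.10",    "tcp", 5432),  # guest -> db: explicit deny
        ("10.10.0.3", "198.51.100.20", "tcp", 443),   # guest -> internet: allowed
        ("10.99.0.2", "10.40.0.10",    "tcp", 22),    # mgmt -> db over SSH: allowed
    ]
    for src, dst, proto, dport in flows:
        decision, idx = evaluate(ACL, src, dst, proto, dport)
        print(f"{zone_of(src)!s:6} -> {zone_of(dst)!s:6} {proto}/{dport}: {decision} (rule {idx})")
```

The point to take from the rule order: the explicit guest deny sits before the guest "allow anything" rule; swap them and guests reach the database, which is the classic ACL ordering mistake.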

    Authentication Technologies

    • Context-Aware Authentication: Uses location, time, device and access point to decide whether to allow, deny or step up authentication.
    • Digital Signatures: Verify the origin and integrity of a message; the signer cannot later deny having signed it (non-repudiation).
    • Single Sign-On (SSO): One authentication grants access to multiple resources.
    • Multi-Factor Authentication (MFA): Two or more different kinds of factors (something you know, have, or are).
    • Personal Identification Numbers (PIN): Numeric codes.
    • Smart Cards: Microprocessor-embedded plastic cards.
    • Tokens: Generate one-time passcodes. Synchronous tokens derive the code from a shared clock (TOTP) or counter (HOTP); asynchronous tokens answer a challenge sent by the server.
    • Biometrics: Uses physical characteristics (e.g., facial recognition).
    • Multimodal Biometrics: Combining different biometric data.
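The token bullet above mentions synchronous passcodes. As an added example (not code from the original notes), here is HOTP (RFC 4226) and TOTP (RFC 6238) built from the Python standard library, plus the server-side verifier with two details the notes do not show: a drift window and replay rejection. The seed is the RFC test vector seed; a real deployment generates one per user with `secrets.token_bytes(20)`.

```python
"""Added example (not from the original notes): HOTP (RFC 4226) and TOTP
(RFC 6238) from the standard library, plus a verifier that tolerates clock
drift and refuses replayed codes. RFC_SEED is the RFC test seed, not a
production secret."""
import hashlib
import hmac
import struct
from typing import Optional

# Shared test seed from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Counter-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-synchronous token: the counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step, digits, digestmod)


class TotpVerifier:
    """Server side. Accepts the current step plus or minus `window` steps to
    absorb clock drift, and never accepts a counter at or below the last one
    used, so a code captured in transit cannot be replayed while still valid."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter: int = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        matched: Optional[int] = None
        for delta in range(-self.window, self.window + 1):
            candidate = hotp(self.secret, now + delta, self.digits)
            # Constant-time compare: response timing must not leak how many
            # digits of the guess were right.
            if hmac.compare_digest(candidate, code):
                matched = now + delta
                break
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SEED, 0))              # RFC 4226 vector 755224
    print("TOTP at t=59  :", totp(RFC_SEED, 59, digits=8))   # RFC 6238 vector 94287082
    v = TotpVerifier(RFC_SEED)
    print("first use     :", v.verify(totp(RFC_SEED, 59), 59))
    print("replayed      :", v.verify(totp(RFC_SEED, 59), 61))
```

The verifier still needs rate limiting on failed attempts; with six digits and a three-step window an unthrottled attacker has a 3-in-10^6 chance per guess, which adds up quickly without a lockout or backoff.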

    Password Management

    • NIST SP 800-63B recommendations: minimum 8 characters and allow at least 64; check candidates against lists of breached, common and context-specific passwords (including the username and organization name); allow all printable characters and spaces; no composition rules ("one upper, one digit, one symbol") and no forced periodic changes unless compromise is suspected; store with a salted, slow hash; rate-limit failed attempts.
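The SP 800-63B bullet above lists what a verifier should check. As an added example (not code from the original notes), here are those checks in code together with salted scrypt storage of the accepted secret. The blocklist and context words are small constructed stand-ins for a real breached-password corpus and the organization's own names.

```python
"""Added example (not from the original notes): verifier-side checks that
NIST SP 800-63B asks for on memorized secrets, plus salted hashing of the
accepted secret. BLOCKLIST and CONTEXT_WORDS are constructed stand-ins."""
import hashlib
import hmac
import secrets
import unicodedata
from typing import List, Optional, Tuple

# Constructed: a real deployment checks a large breached-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}
CONTEXT_WORDS = {"acme", "acmecorp"}   # constructed organization names


def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '12345678' (ascending or descending)."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accept.
    Deliberately no composition rules and no expiry: 800-63B advises against
    both because they push users toward predictable patterns."""
    pw = unicodedata.normalize("NFKC", candidate)   # normalize before measuring/comparing
    low = pw.lower()
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    if low in BLOCKLIST:
        reasons.append("found in breached/common-password list")
    if username and username.lower() in low:
        reasons.append("contains the username")
    if any(word in low for word in CONTEXT_WORDS):
        reasons.append("contains a context-specific word")
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    elif _is_sequential(low):
        reasons.append("sequential characters")
    return reasons


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash (scrypt) for storage, as 800-63B requires."""
    salt = salt or secrets.token_bytes(16)
    pw = unicodedata.normalize("NFKC", password).encode()
    digest = hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    for cand in ["correct horse battery staple", "password", "12345678", "acme2024!"]:
        print(f"{cand!r}: {check_password(cand, username='bob') or 'accepted'}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

Note that "correct horse battery staple" passes even though it has no digits or symbols; length and absence from breach lists are what 800-63B cares about.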

    Provisioning

    • Creating user accounts and granting role-based privileges.

    NIST Cybersecurity Framework

    • Identify: Know your assets, data and systems, and the risks to them.
    • Protect: Put safeguards in place (access control, awareness training, patching, hardening).
    • Detect: Find cybersecurity events quickly.
    • Respond: Contain and act on detected incidents.
    • Recover: Restore capabilities and services after an incident.
    • CSF 2.0 (2024) adds a sixth function, Govern, covering strategy, roles, policy and oversight.

    Common Vulnerabilities and Exposures (CVE)

    • Maintained by MITRE.
    • Standardizes vulnerability identification and naming.

    Layered Security

    • Combines physical, logical, and administrative controls.
    • Defense-in-Depth: Layers of personnel, policies, technology, etc. to protect.
    • Process Layering and Isolation: Running tasks as separate, isolated processes, each with only the privileges it needs, so compromising one does not expose the others.

    Abstraction vs. Concealment

    • Abstraction: Hiding complex tasks to reveal only relevant information (e.g., an interface that exposes operations but not the internals behind them).
    • Concealment: Hiding data or its existence (e.g., undocumented paths, non-standard ports); a supplement to real controls, never a substitute for them.

    Access Control

    • Preventative Controls: Stop unwanted access before it happens (access controls, passwords, training, updates, hardening, encryption, firewalls).
    • Discretionary Access Control (DAC): The data owner decides who gets access (e.g., Unix file permissions).
    • Mandatory Access Control (MAC): The system enforces access from security labels (classifications and clearances) set by administrators; owners cannot override it.
    • Role-Based Access Control (RBAC): Access based on user roles.
    • Rule-Based Access Control: Administrator-set criteria for access (e.g., time of day, source network).
    • Policy-Based Access Control: Combination of roles, attributes and policies.
    • Risk-Based Access Controls: Controls tightened or relaxed according to the assessed risk of the request.
    • Access Control List (ACL): Ordered rules stating what subjects may do to an object.
      • Filesystem ACL: File/folder/directory access restrictions per user or group.
      • Networking ACL: Rules on a router or firewall that permit or deny traffic by source, destination, protocol and port; evaluated in order, with an implicit deny at the end.
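The models above are usually combined in one decision rather than chosen one at a time. The following is an added example (not code from the original notes) of a single authorization check: RBAC says what a role may do at all, a DAC-style per-object ACL that only the owner can edit supplies the need-to-know for that object, and a rule-based condition gates the riskiest action to a maintenance window. Users, roles and resources are constructed.

```python
"""Added example (not from the original notes): one access decision that
combines RBAC, a DAC-style owner-managed ACL, and a rule-based condition.
Users, roles, resources and the maintenance window are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# RBAC: role -> permissions (constructed).
ROLE_PERMS: Dict[str, Set[str]] = {
    "analyst": {"read"},
    "dba":     {"read", "write", "alter"},
    "auditor": {"read"},
}
# Constructed directory: user -> roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"dba"},
    "bob":   {"analyst"},
    "carol": {"dba"},
    "dave":  {"auditor"},
}
MAINTENANCE_HOURS = range(2, 5)   # rule-based: schema changes only 02:00-04:59


@dataclass
class Resource:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: subject -> perms

    def grant(self, by: str, subject: str, perms: Iterable[str]) -> None:
        """DAC: only the owner may change the object's ACL."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own {self.name}")
        self.acl.setdefault(subject, set()).update(perms)

    def revoke(self, by: str, subject: str) -> None:
        if by != self.owner:
            raise PermissionError(f"{by} does not own {self.name}")
        self.acl.pop(subject, None)


def is_allowed(user: str, res: Resource, action: str, hour: int) -> Tuple[bool, str]:
    """Least privilege: every layer must say yes; the first 'no' is the reason."""
    role_perms = set().union(*(ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set())))
    if action not in role_perms:                       # RBAC: can this kind of user do this at all?
        return False, f"RBAC: none of {user}'s roles grant '{action}'"
    if user != res.owner and action not in res.acl.get(user, set()):   # DAC / need-to-know
        return False, f"DAC: {res.owner} has not granted {user} '{action}' on {res.name}"
    if action == "alter" and hour not in MAINTENANCE_HOURS:            # rule-based
        return False, f"rule: '{action}' only permitted during maintenance hours"
    return True, "allowed"


if __name__ == "__main__":
    payroll = Resource("payroll.db", owner="alice")
    payroll.grant("alice", "bob", {"read"})
    payroll.grant("alice", "carol", {"write", "alter"})
    for user, action, hour in [("bob", "read", 10), ("bob", "write", 10),
                               ("carol", "write", 10), ("carol", "alter", 10),
                               ("carol", "alter", 3), ("dave", "read", 10)]:
        print(f"{user:5} {action:5} @{hour:02d}:00 -> {is_allowed(user, payroll, action, hour)}")
```

Carol holds the dba role but still cannot touch payroll.db until its owner grants her access; that AND between role and object grant is what "need to know" means in practice, and it is what a pure RBAC check would miss.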

    Detective and Corrective Controls

    • Detective Controls: Detect security issues. (Network Intrusion Detection System, antivirus monitoring, log analysis)
    • Corrective Controls: Fixing issues after detection. (reconfigurations, updates, revised policies, employee training, virus removal, plans for recovery)
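Log analysis is listed above as a detective control. As an added example (not code from the original notes), here is one such control in code: a failed-login burst detector run over constructed sshd-style log lines, which also flags the success-after-burst pattern that a brute-force attempt leaves behind when it finally works. The log lines are constructed, not captured from a real host.

```python
"""Added example (not from the original notes): a detective control as code.
Scans constructed sshd-style log lines for a burst of failed logins from
one source and flags a later success from the same source."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed log lines using TEST-NET addresses; not captured from a real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 44010 ssh2
2024-05-01T10:00:05 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 44012 ssh2
2024-05-01T10:00:09 sshd[1203]: Failed password for root from 203.0.113.7 port 44015 ssh2
2024-05-01T10:00:13 sshd[1204]: Failed password for deploy from 203.0.113.7 port 44019 ssh2
2024-05-01T10:00:17 sshd[1205]: Failed password for deploy from 203.0.113.7 port 44021 ssh2
2024-05-01T10:00:21 sshd[1206]: Failed password for deploy from 203.0.113.7 port 44023 ssh2
2024-05-01T10:00:30 sshd[1207]: Accepted password for deploy from 203.0.113.7 port 44025 ssh2
2024-05-01T10:01:00 sshd[1208]: Failed password for alice from 198.51.100.9 port 50110 ssh2
2024-05-01T10:01:30 sshd[1209]: Failed password for alice from 198.51.100.9 port 50112 ssh2
2024-05-01T10:02:00 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 50200 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert when one source IP produces `threshold` failures within `window_s`
    seconds; mark the alert if that IP later logs in successfully."""
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts: Dict[str, Dict] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated line; a real pipeline would still count and store it
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "first_seen": q[0].isoformat(), "failures": len(q),
                              "followed_by_success": False, "success_user": None}
        elif ip in alerts:   # Accepted after a burst: the guessing probably succeeded
            alerts[ip]["followed_by_success"] = True
            alerts[ip]["success_user"] = m["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Alice's two failures from 198.51.100.9 stay below the threshold and produce no alert; the 203.0.113.7 burst followed by an accepted password for "deploy" is the event that should page someone, and it is the point at which the corrective controls in the list above (credential reset, source block, investigation) start.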
