M2 - Mitigation
22 Questions

Questions and Answers

Which component of the COSO framework emphasizes the importance of leadership direction and company culture?

  • Control Environment (correct)
  • Risk Assessment
  • Info & Communication
  • Monitoring

What is the primary purpose of an Acceptable Use Policy in an organization?

  • To regulate acceptable behaviors regarding technology use (correct)
  • To monitor employee performance
  • To ensure data encryption during transmission
  • To manage device ownership and personal liability

Which of the following describes the concept of Network Segmentation?

  • Monitoring network actions on personal devices
  • Controlling network traffic to enhance security (correct)
  • Reducing risks by minimizing access points
  • Encrypting wireless internet connections

In the context of cybersecurity, what does 'System Hardening' aim to achieve?

  • Minimize vulnerabilities by reducing the attack surface: unneeded services, ports, accounts and default settings are removed or locked down (correct)

What is a key function of a Virtual Private Network (VPN)?

  • To encrypt traffic sent over an untrusted network such as the internet, inside a private tunnel (correct)

Which policy defines personal liability for data on employee devices?

  • Bring Your Own Device Policy (correct)

What is the main focus of the Risk Assessment component of the COSO framework?

  • To analyze the likelihood and impact of risks to the organization's objectives, cyber risks included (correct)

What does WiFi Protected Access aim to achieve?

  • Encrypting wireless communication between devices (correct)

What is the primary goal of Zero Trust security?

  • Continuously verify a user's identity and access rather than trusting network location (correct)

Which of the following best describes Whitelisting?

  • A list of applications permitted to run on a system; anything not on the list is blocked (correct)

What does Multi-Factor Authentication involve?

  • Employing two or more factors (something you know, have, or are) to validate identity (correct)

Which access control method allows data owners the authority to manage their own data?

  • Discretionary Access Control (correct)

Which of the following is an example of detective controls?

  • Network Intrusion Detection System (correct)

In the context of cybersecurity, what does the Need to Know principle refer to?

  • Data access limited to those requiring it for their tasks (correct)

What type of authentication uses physical characteristics to verify identity?

  • Biometric authentication (correct)

What is the primary purpose of a Common Vulnerabilities and Exposures (CVE) dictionary?

  • To identify and standardize the naming of publicly known security vulnerabilities (correct)

What does NIST SP 800-63B say about forcing password changes on a fixed schedule (e.g. every 45-90 days)?

  • Verifiers should not require arbitrary periodic changes; a password is changed when there is evidence it has been compromised (correct)

Which of the following is a component of layered security?

  • Physical, logical (technical), and administrative controls (correct)

What feature primarily differentiates Role-Based Access Control from other access control types?

  • Access permissions are dependent on a user's job role (correct)

What does the term 'defense in depth' primarily refer to in cybersecurity?

  • A comprehensive approach that combines multiple layers of security, so that no single control failing exposes the asset (correct)

What is a key characteristic of context aware authentication?

  • Considers various data points such as location, time and access point before granting access (correct)

Which type of access control is managed consistently by administrators?

  • Mandatory (Non-Discretionary) Access Control (correct)

Flashcards

Security Policy

A document that outlines the organization's approach to safeguarding information during storage, transmission, and processing.

Acceptable Use Policy

A policy specifying acceptable uses of technology resources, including employee responsibilities, acceptable behaviors, and consequences for violations.

Bring Your Own Device (BYOD) Policy

A policy allowing employees to use their personal devices for work, while setting guidelines for security and data protection.

Network Segmentation

A security measure that separates network traffic to prevent unauthorized access or data leakage.

Service Set Identifier (SSID)

The name assigned to a wireless network, like the 'SSID' of your home WiFi.

Virtual Private Network (VPN)

A secure communication method that encrypts data transmitted over the internet, creating a private tunnel.

System Hardening

A security measure that reduces the attack surface by removing or locking down unneeded services, accounts, open ports and default settings.

Database Hardening

A security measure that restricts user privileges in databases, limiting access based on roles.

Authentication Technology

The mechanisms used to verify that a user, device or process is who or what it claims to be (passwords, tokens, smart cards, biometrics), often combined to protect sensitive data, applications and networks.

Multi-factor Authentication

A method of authentication that uses multiple forms of verification, such as a password and a security token.

Zero Trust

A security strategy that assumes an organization's network is always at risk, even after users have been authenticated.

Least Privilege

A security practice that restricts user access to only the data and resources they need to perform their job duties.

Whitelisting

A security control that allows only authorized applications to run on an organization's systems.

Multimodal Biometrics

An authentication method that uses multiple forms of biometric data, such as fingerprints and facial recognition.

MAC Filtering

A security technique that admits or blocks devices based on their Media Access Control (MAC) hardware address. Weak on its own: MAC addresses are visible on the network and easily changed, so an attacker can clone an allowed one.

Layered Security

Combining various security measures, such as physical access controls, logical controls, and administrative controls, to enhance overall security.

Abstraction

A security principle that emphasizes hiding the complexity of tasks or systems, presenting only essential information.

Common Vulnerabilities and Exposures (CVE) Dictionary

A database maintained by the MITRE Corporation containing a standardized list of security vulnerabilities.

Concealment

A security principle that emphasizes hiding data to prevent unauthorized access.

Network Intrusion Detection System (NIDS)

A security control that monitors network activity for suspicious patterns and alerts administrators of potential threats.

Provisioning

The process of creating user accounts and assigning privileges based on their job role.

NIST Cybersecurity Framework

A framework developed by NIST to guide organizations in managing cybersecurity risks.

Role-Based Access Control

An access control method where access permissions are based on the user's job role.

Study Notes

COSO - Business Objectives

  • Operations (O): Focuses on efficiency and effectiveness of business processes.
  • Reporting (R) (the notes' record-keeping objective): Reports and records must be fair, accurate, complete, and timely.
  • Compliance (C): Adherence to laws and regulations such as HIPAA and GDPR, and to adopted standards such as NIST publications.

COSO - Five Components of Internal Control

  • Control Environment (C): The "tone at the top" – leadership direction, organizational culture and values.
  • Risk Assessment (R): Identification and analysis of risks to the organization's objectives, including cyber risks and their likelihood and impact.
  • Information and Communication (I&C): Sharing information about cyber threats, detection, and response with the people who need it.
  • Monitoring (M): Ongoing evaluation that controls are working, e.g. penetration testing and vulnerability scanning.
  • Control Activities (E, for the existing policies and procedures in place): The actions that carry out management's directives.

Security Policies

  • Comprehensive guides for implementing an organization's security framework.
  • Secure information during storage, transmission, and processing.

Acceptable Use Policy

  • Controls technology resources and assigns responsibilities.
  • Outlines acceptable behaviors and consequences.
  • Often signed by new employees.

Bring Your Own Device (BYOD) Policy

  • Allows employees to use personal devices.
  • Monitors activities on devices.
  • Defines ownership of data on devices.
  • Defines personal liability for data on devices.
  • Restricts activities and downloads.

Network Segmentation/Isolation

  • Divides the network into zones (for example user, server, database and guest segments) and controls which traffic may cross between them, separating internal systems from external communications and limiting an intruder's lateral movement.
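
Segmentation is enforced as a zone-to-zone policy on a firewall or router. The following is an added example, not part of the original study notes, that evaluates such a policy in Python. The three zones, their CIDR ranges and the rules are constructed for illustration; the point it shows is first-match-wins evaluation with an implicit deny at the end, which is what stops a compromised guest-Wi-Fi host from reaching the database tier even though no rule mentions that specific host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones for the example; a real deployment carries these in the
# firewall or switch configuration rather than in application code.
ZONES = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "corp_lan":   ipaddress.ip_network("10.20.0.0/16"),
    "db_tier":    ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


# Zone-to-zone policy. Rules are evaluated top to bottom, first match wins,
# and anything matching no rule falls through to the default deny in evaluate().
POLICY = [
    Rule("corp_lan", "db_tier", 5432, "allow"),    # only the database port is reachable
    Rule("guest_wifi", "corp_lan", None, "deny"),  # guests never reach internal hosts
    Rule("guest_wifi", "db_tier", None, "deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to the zone whose prefix contains it ('unknown' if none)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a flow between two addresses."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "unknown":
        return "allow"  # this policy only governs traffic crossing a zone boundary
    for rule in POLICY:
        if (rule.src_zone == src and rule.dst_zone == dst
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action
    return "deny"  # implicit default deny: segmentation fails closed


if __name__ == "__main__":
    for flow in [("10.20.1.5", "10.30.0.10", 5432),  # app server -> database
                 ("10.20.1.5", "10.30.0.10", 22),    # app server -> database over SSH
                 ("10.10.3.4", "10.30.0.10", 5432),  # guest -> database
                 ("10.10.3.4", "10.20.1.5", 445)]:   # guest -> corp SMB
        print(flow, evaluate(*flow))
```

The SSH flow from the application server is denied even though the same pair of zones has an allow rule, because that rule is scoped to port 5432; segmentation is only as tight as the ports each rule permits.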

Network/Wireless Security

  • Service Set Identifier (SSID): Name assigned to a wireless network (Wi-Fi).
  • Virtual Private Network (VPN): Secure communications over an untrusted network using encryption protocols.
    • Tunneling: Encapsulating one protocol within another so the inner traffic crosses the untrusted network unchanged.
    • IPsec: A protocol suite that authenticates and encrypts IP packets; common for site-to-site and remote-access VPNs.
  • WiFi Protected Access (WPA): Encrypts and authenticates wireless connections. WPA2 and WPA3 are the current versions; WEP and the original WPA are deprecated.
  • System Hardening: Reduces attack surfaces.
    • Database Hardening: Separate privilege levels so that application accounts, operators and administrators each get only the rights they need.
    • Endpoint Hardening: Limits user rights on devices, such as removing local administrator privileges.
    • Network Hardening: Removing unused ports, services and protocols.
    • Server Hardening: Secure physical and network placement, plus removal of unneeded services and default accounts.
  • Media Access Control (MAC) Filtering: Admits or blocks devices by their hardware address. A weak control on its own, since MAC addresses are visible on the network and trivially changed, so an attacker can clone an allowed one.
  • Zero Trust: Grants no implicit trust from network location, even after authentication; every request is verified against identity, device state and policy.
  • Need-to-Know: Access to only necessary data.
  • Least Privilege: Access only essential for the job.
  • Whitelisting: Authorizing only specific applications.

Authentication Technologies

  • Context-Aware Authentication: Uses location, time, and access point.
  • Digital Signatures: Cryptographic proof that data came from the holder of a private key and was not altered (authenticity, integrity, non-repudiation).
  • Single Sign-On (SSO): One authenticator for multiple resources.
  • Multi-Factor Authentication (MFA): Uses multiple factors for identity validation.
  • Personal Identification Numbers (PIN): Numeric codes.
  • Smart Cards: Microprocessor-embedded plastic cards.
  • Tokens: Generate one-time passcodes. Synchronous tokens derive the code from a clock shared with the server (time-based); asynchronous tokens derive it from an event counter or a server-issued challenge.
  • Biometrics: Uses physical characteristics (e.g., facial recognition).
  • Multimodal Biometrics: Combining different biometric data.

Password Management

  • SP 800-63B Recommendations: Minimum length of 8 characters (verifiers should allow at least 64), screen new passwords against lists of known-compromised passwords, reject context-specific words (the service name, the username), avoid personal information, and do not impose composition rules or forced periodic changes; a change is required only when there is evidence of compromise.
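
Because the 800-63B guidance inverts what older policies did, it helps to see both side by side. The following is an added example, not from the original study notes: a verifier check written to section 5.1.1.2 of SP 800-63B, next to the legacy composition rule it replaced. The compromised-password list here is a handful of constructed entries standing in for a real breach corpus; the 128-character cap is an assumption chosen above the 64-character minimum the guidance asks verifiers to allow.

```python
import hashlib
from typing import Iterable, List

# Constructed stand-in for a compromised-password corpus. A real verifier screens
# against a large breach dataset; keeping SHA-1 hashes lets the check run against a
# local copy of such a list without storing the plaintexts.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2024!", "P@ssw0rd1")
}


def _is_sequential(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters each rise by one code point ('abcd', '1234')."""
    codes = [ord(c) for c in pw]
    return any(all(codes[i + j + 1] - codes[i + j] == 1 for j in range(run - 1))
               for i in range(len(codes) - run + 1))


def check_memorized_secret(pw: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected under SP 800-63B section 5.1.1.2
    (an empty list means it is accepted). Note what is absent: no composition rule
    ('one upper, one digit, one symbol') and no expiry date."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 128:  # assumed cap; 800-63B asks verifiers to allow at least 64
        reasons.append("longer than the 128-character cap")
    if hashlib.sha1(pw.encode()).hexdigest() in COMPROMISED_SHA1:
        reasons.append("appears in a compromised-password list")
    if len(pw) >= 8 and len(set(pw)) <= 2:
        reasons.append("repetitive characters")
    if _is_sequential(pw):
        reasons.append("sequential characters")
    low = pw.lower()
    for word in context_words:  # service name, username, and similar
        if word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def legacy_policy_accepts(pw: str) -> bool:
    """The composition rule 800-63B moved away from: 8+ chars with upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def must_change(days_since_set: int, evidence_of_compromise: bool) -> bool:
    """800-63B: rotate on evidence of compromise, not because a calendar interval elapsed.
    days_since_set is accepted only to make the contrast with a 45-90 day policy explicit."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Summer2024!", "xx1234yyzz"):
        print(f"{candidate!r}: legacy={legacy_policy_accepts(candidate)} "
              f"800-63B rejects for {check_memorized_secret(candidate) or 'nothing'}")
```

The two sample passwords show the reversal: a long passphrase fails the legacy composition rule and passes 800-63B, while "Summer2024!" satisfies every composition rule and is rejected because it is on the breached list, which is the kind of password the old rules and forced rotation actually produce.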

Provisioning

  • Creating user accounts and granting role-based privileges.

NIST Cybersecurity Framework

  • Identify: Understand the organization's assets, systems and data, and the risks to them.
  • Protect: Put safeguards in place (access control, training, hardening) to limit the likelihood and impact of an event.
  • Detect: Find cybersecurity events quickly when they occur.
  • Respond: Contain and act on a detected incident.
  • Recover: Restore affected capabilities and services, and fold lessons learned back into the plan.
  • CSF 2.0 (2024) adds a sixth function, Govern, covering strategy, roles and risk-management policy.

Common Vulnerabilities and Exposures (CVE)

  • Maintained by MITRE.
  • Standardizes vulnerability identification and naming.

Layered Security

  • Combines physical, logical, and administrative controls.
  • Defense-in-Depth: Layers of personnel, policies, technology, etc. to protect.
  • Process Layering and Isolation: Dividing operations into controlled chunks.

Abstraction vs. Concealment

  • Abstraction: Hiding complex tasks to reveal only relevant information.
  • Concealment: Hiding data primarily.

Access Control

  • Preventative Controls: Protecting from access (access controls, passwords, training, updates, hardening, encryption, firewalls).
  • Discretionary Access Control (DAC): Data owners control access.
  • Mandatory Access Control (MAC): The system enforces access from sensitivity labels assigned by administrators; data owners cannot override it.
  • Role-Based Access Control (RBAC): Access based on user roles.
  • Rule-Based Access Control: Administrator-set criteria for access.
  • Policy-Based Access Control: Combination of roles and policies.
  • Risk-Based Access Controls: Controls based on risk level.
  • Access Control List (ACL): Rules for user permissions (file, folder, directory).
    • Filesystem ACL: File/folder/directory access restrictions.
    • Networking ACL: Controls network traffic.
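
The three main models above are easiest to tell apart by who can change a decision. The following is an added example, not from the original study notes, that implements each in a few lines of Python and then combines them: MAC compares labels the user cannot alter, DAC lets only the object's owner edit its ACL, and RBAC resolves permissions through roles. The users, roles and labels are constructed for the example.

```python
from enum import IntEnum
from typing import Dict, Set


class Label(IntEnum):
    """Sensitivity labels for mandatory access control, ordered low to high."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def mac_can_read(clearance: Label, object_label: Label) -> bool:
    """MAC: the system compares labels; neither owner nor user can override ('no read up')."""
    return clearance >= object_label


class DacObject:
    """DAC: the object's owner decides who else may access it by editing its ACL."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, grantor: str, grantee: str, perm: str) -> None:
        if grantor != self.owner:
            raise PermissionError(f"{grantor} is not the owner of this object")
        self.acl.setdefault(grantee, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


# RBAC: permissions hang off roles, and users are assigned roles (constructed data).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"tickets:read"},
    "admin":   {"tickets:read", "tickets:write", "users:manage"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allows(user: str, perm: str) -> bool:
    """RBAC: a user holds a permission if any of their roles carries it."""
    return any(perm in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def authorize(user: str, clearance: Label, obj: DacObject, obj_label: Label,
              resource: str, perm: str) -> bool:
    """Layered decision: a read succeeds only if the MAC label check, the owner's ACL
    and the user's role all permit it. Any single control can deny."""
    if perm == "read" and not mac_can_read(clearance, obj_label):
        return False
    if not obj.allows(user, perm):
        return False
    return rbac_allows(user, f"{resource}:{perm}")


if __name__ == "__main__":
    ticket = DacObject("alice")            # alice owns the ticket
    ticket.grant("alice", "bob", "read")   # DAC: the owner shares it
    for who, clearance in (("bob", Label.SECRET), ("bob", Label.INTERNAL), ("alice", Label.SECRET)):
        print(who, clearance.name, "read ->",
              authorize(who, clearance, ticket, Label.CONFIDENTIAL, "tickets", "read"))
```

In the usage section, bob is refused the same ticket once his clearance drops below its label even though the owner shared it with him and his role allows reading: under MAC the owner's grant is not enough, which is the "non-discretionary" part.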

Detective and Corrective Controls

  • Detective Controls: Detect security issues. (Network Intrusion Detection System, antivirus monitoring, log analysis)
  • Corrective Controls: Fixing issues after detection. (reconfigurations, updates, revised policies, employee training, virus removal, plans for recovery)
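
Log analysis is the detective control most teams can build themselves. The following is an added example, not from the original study notes, that runs two detections over constructed sshd-style log lines (the addresses come from the RFC 5737 documentation ranges): a brute-force threshold over a sliding window, and the more interesting case of a successful login from a source that had just been failing, which is the event that should page someone.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log lines in the style of OpenSSH's sshd; not captured from a real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:04Z sshd[1202]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-05-01T10:00:08Z sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51126 ssh2
2024-05-01T10:00:12Z sshd[1204]: Failed password for alice from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:15Z sshd[1205]: Failed password for alice from 203.0.113.7 port 51134 ssh2
2024-05-01T10:00:30Z sshd[1212]: Accepted password for alice from 203.0.113.7 port 51140 ssh2
2024-05-01T10:05:00Z sshd[1300]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-05-01T10:06:10Z sshd[1301]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, outcome, user, source ip) for each authentication line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated line; a production parser would count these for visibility
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect(log: str, threshold: int = 5, window_s: int = 60) -> List[Tuple]:
    """Two detections over the event stream:
    - 'bruteforce': `threshold` failures from one source within `window_s` seconds
    - 'success_after_failures': a successful login from a source with failures still in the window
    Each alert is emitted once, when its condition first becomes true."""
    alerts: List[Tuple] = []
    recent_fail: Dict[str, List[datetime]] = defaultdict(list)
    for ts, outcome, user, ip in parse(log):
        # keep only this source's failures that are still inside the sliding window
        recent_fail[ip] = [t for t in recent_fail[ip] if (ts - t).total_seconds() <= window_s]
        if outcome == "Failed":
            recent_fail[ip].append(ts)
            if len(recent_fail[ip]) == threshold:
                alerts.append(("bruteforce", ip, ts.isoformat()))
        elif recent_fail[ip]:
            alerts.append(("success_after_failures", ip, user, len(recent_fail[ip])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

bob's single failure followed by a key-based login 70 seconds later produces nothing, because the failure has aged out of the window; the tuning of `threshold` and `window_s` is what separates a usable detection from one that pages on every typo.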
