Cybersecurity Roles and Responsibilities
74 Questions
Questions and Answers

What does the acronym "CISO" stand for?

Chief Information Security Officer

Which of the following is NOT a typical function performed by a cybersecurity analyst?

  • Auditing security processes and procedures
  • Implementing and configuring security controls
  • Managing IT infrastructure and hardware (correct)
  • Conducting risk assessments

What are the two key features of a good cybersecurity analyst?

Creative thinkers and problem solvers

A SOC (Security Operations Center) typically exists for smaller companies.

False

Which of these is NOT a key requirement for a successful SOC?

Integration of business processes

What is the purpose of a security control?

To mitigate vulnerabilities and risk, ensuring the confidentiality, integrity, availability, non-repudiation, and authentication of data and information.

Which document defines the Security and Privacy Controls for Federal Information Systems and Organizations?

NIST Special Publication 800-53

The NIST Special Publication 800-53 is a proprietary framework that requires payment to use.

False

Which of these is NOT a classification of control families presented in older versions of NIST Special Publication 800-53?

Administrative

What is the difference between a 'technical control' and an 'operational control'?

A technical control is implemented through hardware, software, or firmware, while an operational control is implemented through people and procedures.

The three control families, Technical, Operational, and Managerial, are still included in the latest versions of NIST Special Publication 800-53.

False

Which of the following would BEST be considered an example of a 'managerial control'?

Performing a risk assessment

What is the purpose of 'defense in depth' in cybersecurity?

To create a layered security approach, using multiple controls to protect against different types of attacks and prevent attackers from reaching sensitive information.

A security camera is considered a 'corrective control' because it records an intruder's actions.

False

What is the main goal of a 'corrective control'?

To reduce the impact of a successful intrusion by mitigating damage or restoring the system to its original state.

Explain the difference between a 'deterrent control' and a 'preventive control'.

A deterrent control discourages an intrusion attempt by signaling a possible consequence to a potential attacker, but it doesn't necessarily prevent access. A preventive control is actively in place to stop access or prevent an attack from being successful.

What is a 'compensating control' and why is it used?

A compensating control is a substitute for a principal control when the principal control is too expensive or difficult to implement. It provides an alternative way to achieve a similar level of security.

An IDS (Intrusion Detection System) is an example of a 'responsive control' because it monitors network traffic and can react to suspicious activity.

True

What is the primary goal of using CIA (Confidentiality, Integrity, Availability) when selecting security controls?

To ensure that the chosen security controls adequately protect the confidentiality, integrity, and availability of sensitive data and information.

Which security control primarily upholds the tenet of 'integrity' for data?

Digital signatures

Using cloud elasticity is an effective control for ensuring the 'confidentiality' of data.

False

What are the two security controls that could be added to a database backup system to uphold all the tenets of CIA?

Access control system and encryption.

Which of these is NOT a key component of the security intelligence cycle?

Implementation and configuration

How can threat intelligence be used to improve incident response?

Threat intelligence provides tactical information about the attacker's location within the network, their activities, and their techniques, aiding in containing the attack and mitigating its impact.

Threat intelligence is primarily used for strategic decision-making, focusing on long-term security measures.

False

What is the main difference between security intelligence and cyber threat intelligence?

Security intelligence focuses on internal data and insights about the security of your own systems, whereas cyber threat intelligence focuses on external data and insights from the broader threat landscape.

The use of SIEMs (Security Information and Event Management Systems) falls under the 'collection and processing' phase of the security intelligence cycle.

True

Why is it important to use automation and analysis tools like AI and machine learning in the 'analysis' phase of the intelligence cycle?

The volume of data collected in modern networks is vast. Automation and AI tools help sift through massive datasets, detect anomalies, and identify suspect activities that would be difficult for humans to manually process in a timely manner.

Which of the following is NOT a level of intelligence disseminated during the 'dissemination' phase of the security intelligence cycle?

Analytical

What is the primary purpose of the 'feedback' phase in the security intelligence cycle?

To continuously improve the intelligence gathering process by identifying what worked well, what didn't work well, and how to refine future efforts based on lessons learned and changing threat landscapes.

What is an ISAC (Information Sharing and Analysis Center)?

An ISAC is a non-profit organization that provides a forum for sharing sector-specific threat intelligence and security best practices among its members within a particular industry.

Which sector DOES NOT have a dedicated ISAC?

Education

Organizations in the critical infrastructure sector are not typically concerned with threats against ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) systems.

False

What is the main purpose of threat intelligence sharing within an organization?

To proactively disseminate threat intelligence to relevant teams and personnel, enabling them to take appropriate actions to mitigate risks and improve organizational security posture.

Threat intelligence is most effective when it is only shared internally within an organization.

False

How can threat intelligence be used to enhance vulnerability management?

By leveraging threat intelligence, organizations can identify potential vulnerabilities that may not have been uncovered by traditional vulnerability scanning. This helps prioritize remediation efforts and focus on the most critical vulnerabilities based on current threat landscape trends.

Threat intelligence primarily focuses on 'unknown threats,' as those pose the greatest risk.

False

What is a 'zero-day exploit,' and why is it so problematic?

A zero-day exploit is a vulnerability in software or hardware that is unknown to developers or security researchers. It exposes the flaw before a patch or mitigation is available, allowing attackers to exploit it before defenses can be implemented.

The use of obfuscation techniques allows attackers to transform 'unknown threats' into 'known threats,' making them more difficult to detect.

False

Explain the concept of 'recycled threats' in the context of malware.

Recycled threats are created by combining and modifying portions of existing malware code to generate new, unique variants that bypass signature-based detection. The malware is essentially 're-engineered' to create a new, undetected threat.

Which of the following is NOT a classification of malware threats based on the 'known/unknown' concept?

Unknown knowns

What are 'known unknowns' in the context of malware?

Known unknowns are threats that are known to exist but have not been fully characterized or have not yet been developed into specific detection mechanisms. These threats may have been observed in the wild but are poorly understood or lack countermeasures.

What is the role of a cybersecurity analyst in an organization?

A cybersecurity analyst is responsible for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it. They work to harden and protect networks, servers, laptops, desktops, and smartphones.

What is a Security Operations Center (SOC)?

A SOC is a location where security professionals monitor and protect critical information assets within an organization. It acts as a single point of contact area where data comes in for analysis by security analysts.

Smaller companies usually have their own SOCs to monitor their networks.

False

What is the primary function of a Computer Security Incident Response Team (CSIRT)?

A CSIRT is responsible for responding to data breaches and other cybersecurity incidents that occur within an organization.

What is the role of the Chief Information Security Officer (CISO) in an organization?

The CISO is a senior-level position responsible for overseeing the security of an organization's information systems and assets. They lead and provide governance for the organization's cybersecurity efforts.

What are the three main categories of security controls discussed in the provided text?

Technical, Operational, Managerial

What is a technical control, also known as a logical control?

A technical control is a security control that is implemented through the use of hardware, software, or firmware.

What is an operational control?

An operational control is a security control that is implemented primarily by people, rather than technology.

What is a managerial control?

A managerial control provides oversight and governance for information systems. They involve processes like risk identification, vulnerability assessment, and control selection.

The three categories of technical, operational, and managerial controls are still included in the NIST Special Publication 800-53.

False

What is an administrative control?

An administrative control is a hybrid control category that combines elements of both operational and managerial controls.

What is a preventative control?

A preventative control is a security control that aims to reduce the likelihood of a successful attack.

What is a detective control?

A detective control is a security control that identifies and records attempted or successful intrusions, even if it doesn't prevent them.

What is a physical control?

A physical control is a security control that acts against in-person intrusion attempts.

What is a compensating control?

A compensating control is a substitute for a primary control that may not be feasible or affordable to implement.

What is a responsive control?

A responsive control proactively monitors for potential vulnerabilities and attacks, taking action to mitigate them before they cause damage.

What are the two primary forms of cyber threat intelligence?

Narrative reports and data feeds

Organizations should rely on only one type of cyber threat intelligence – either narrative reports or data feeds – for the best security.

False

What is the purpose of the security intelligence cycle?

The security intelligence cycle is a structured process for collecting, processing, analyzing, disseminating, and reviewing security intelligence to improve the effectiveness of security efforts.

What is the purpose of the requirements phase of the security intelligence cycle?

The requirements phase sets the goals and objectives for intelligence gathering, ensuring that the process is focused on collecting relevant data.

What is the purpose of the collection and processing phase of the security intelligence cycle?

The collection and processing phase involves gathering data from various sources and converting it into a standard format suitable for analysis.

What is the purpose of the analysis phase of the security intelligence cycle?

The analysis phase involves examining collected data and applying use cases to identify potential threats and vulnerabilities.

What is the purpose of the dissemination phase of the security intelligence cycle?

The dissemination phase involves communicating the results of security intelligence analysis to relevant stakeholders who need to take action.

What is the purpose of the feedback and review phase of the security intelligence cycle?

The feedback and review phase involves evaluating the effectiveness of the entire security intelligence cycle and identifying areas for improvement.

What is an Information Sharing and Analysis Center (ISAC)?

An ISAC is a not-for-profit organization that provides sector-specific threat intelligence and best practices among its members within a particular industry.

Which of the following is NOT a critical infrastructure sector as defined by the Department of Homeland Security?

Education

What is the difference between a known threat and an unknown threat?

A known threat can be identified using basic signature or pattern matching, while an unknown threat cannot.

What is a zero-day exploit?

A zero-day exploit is an unknown vulnerability in software or hardware that is exploited before a patch or fix is available.

What is obfuscated malware code?

Obfuscated malware code is malicious code whose execution is hidden through techniques like compression, encryption, or encoding to make it difficult to analyze.

What is behavior-based detection?

Behavior-based detection is a malware detection method that analyzes an object's intended actions before it executes to determine if it is malicious.

What is a recycled threat?

A recycled threat is a new threat created by combining and modifying parts of existing exploit code, making detection by signature-based methods more difficult.

What is the difference between a known unknown and an unknown unknown?

A known unknown is a malware that includes obfuscation techniques to avoid signature detection, while an unknown unknown is entirely new malware with novel attack vectors and exploits.

Study Notes

Cybersecurity Roles and Responsibilities

• Cybersecurity Analyst: A senior role responsible for protecting sensitive information and preventing unauthorized access. They harden networks, servers, and devices. Junior analysts typically have 2-4 years of experience as a specialist/technician first. Analysts work under senior analysts and report to the CISO. Their responsibilities include implementing and configuring security controls (firewalls, intrusion detection systems), working in a SOC or CSIRT, auditing security processes and procedures for third-party vendors, training employees, performing risk assessments, vulnerability assessments, and penetration tests, and maintaining threat intelligence. Analysts work within a team of 5-10 junior analysts and 1-2 senior analysts. Analysts need strong problem-solving and creative-thinking skills, and excellent communication skills to explain issues and proposed solutions to non-technical audiences.
• Specialist/Technician: Performs hands-on system configurations under the direction of a cybersecurity analyst. Covered by the Security+ exam.
• Cybercrime Investigators: Work in digital forensic areas. Covered in the course.
• Incident Response Analysts: Respond to data breaches and cyberattacks. Covered in the course.
• Penetration Tester: Breaks into systems with permission to identify vulnerabilities. A role a cybersecurity analyst may fill.
• Manager/Engineer: Focuses on building security tools and techniques and designing systems for the organization; analysts operate those systems day to day.
• CISO (Chief Information Security Officer): Senior C-level position, providing governance and leadership. Oversees the analyst team and other security personnel.

Security Operations Center (SOC)

• A SOC is a central security monitoring point for critical information assets. It's a single point of contact for all incoming security data; junior analysts monitor logs and network information for Indicators of Compromise (IOCs).
• Indicators of Compromise (IOCs): Like fingerprints of malicious activity. Junior analysts look for them.
• Senior analysts oversee junior analysts and guide incident response.
• Because of their high cost, SOCs are mostly found in larger organizations, governments, and healthcare providers.
• Smaller companies may outsource SOC services.
• Key requirements for a successful SOC: authority, motivated and skilled professionals, integrated security processes, incident response capabilities, internal protection (of the SOC itself), separating signal from noise (analyzing data through the use of automation), and collaboration with other SOCs for threat intelligence sharing.

Security Control Categories

• Security controls are technologies or procedures that mitigate vulnerabilities and risks, ensuring confidentiality, integrity, availability, non-repudiation, and authentication (CIA Triad).
• The historical approach was reactive, implementing controls only after threats emerged; this is not a sustainable model.
• Security controls are now selected strategically using a risk management framework for a layered defense approach (defense in depth).
• NIST Special Publication 800-53: A US government publication on security and privacy controls for information systems. A crucial resource; memorization is not required, but review is recommended.
• Control categories (technical, operational, managerial): Although less relevant today, this classification remains a useful way to categorize controls. These categories were removed from newer NIST publications but remain on the CySA+ exam.
• Hybrid controls, like vulnerability management, often blend categories (operational and managerial).
• Functional categories of controls: preventative, detective, corrective.
• Additional categories: physical, deterrent, compensating, and responsive controls.

Threat Intelligence

• Security intelligence focuses on the internal network security posture.
• Cyber threat intelligence focuses on external threats (attacker groups, malware, vulnerabilities).
• Threat intelligence comes as narrative reports (analysis) and data feeds (tactical information that supports decisions).
• Organizations subscribe to intelligence feeds from companies like FireEye, McAfee, etc. to defend against emerging threats.

Information Sharing and Analysis Centers (ISACs)

• ISACs (and the UK's CiSP): Sector-specific, not-for-profit information-sharing groups.
• Focus on sharing threat intelligence and security best practices within a particular industry.
• Multiple ISAC types exist (critical infrastructure, government, healthcare, financial, aviation).
• Critical Infrastructure: Vital physical or virtual systems critical to a country's economy and safety. The Department of Homeland Security identifies 16 critical sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

Threat Classification

• Known threats: Easily identified using signature matching (e.g., malware, documented exploits).
• Unknown threats: Cannot be identified by signature matching. Examples include zero-day exploits, obfuscated malware, behavior-based attacks, recycled threats, known unknowns, and unknown unknowns.

Security Intelligence Cycle

• Five phases: Requirements/Planning, Collection/Processing, Analysis, Dissemination, Feedback.
• Requirements/Planning: Defining goals and constraints (legal restrictions, organizational factors).
• Collection/Processing: Standardizing data into usable formats.
• Analysis: Using automated analysis, AI, and machine learning to filter data (categorizing data as known good, known bad, or unsure).
• Dissemination: Communicating analyzed information to stakeholders (strategic, operational, tactical).
• Feedback: Evaluating process effectiveness to identify improvements.

Description

Explore various roles in the cybersecurity field, including the responsibilities of analysts, specialists, and chief information security officers. This quiz will help you understand the critical functions within an organization that protect sensitive information and respond to cyber incidents.