S3
61 Questions

Questions and Answers

Which of the following is NOT a practice related to Authorization and Authentication?

  • Least Privilege
  • Whitelisting
  • Need to Know
  • Firewall (correct)

What is the primary difference between Need to Know and Least Privilege principles?

  • Need to Know applies to data, while Least Privilege applies to access to a system. (correct)
  • Need to Know is a more restrictive principle than Least Privilege.
  • Need to Know is used during the provisioning stage, while Least Privilege is implemented after the user has been provisioned.
  • Need to Know is used for physical security, while Least Privilege is used for logical security.

What is the primary goal of Whitelisting?

  • Identifying and removing malicious software from a system.
  • Creating a list of trusted users who are allowed to access a system.
  • Allowing only approved applications to run on a system. (correct)
  • Blocking unauthorized users from accessing a system.

Which of the following authentication technologies is considered a form of multi-factor authentication?

  • (A) Biometrics (correct)

What is the main purpose of Context Aware Authentication?

  • (B) Using user location and other data points to validate user identity. (correct)

What is the main purpose of a digital signature?

  • (B) To ensure the integrity of a message by verifying the sender's identity. (correct)

Which of the following is NOT a component of the NIST Cybersecurity Framework?

  • (B) Maintain (correct)

What is the primary purpose of the Common Vulnerabilities and Exposures (CVE) Dictionary?

  • (B) To provide a standardized way of identifying and reporting cybersecurity vulnerabilities. (correct)

Which of the following is NOT a type of security control?

  • (C) Directive (correct)

What is the main difference between Discretionary Access Control and Mandatory Access Control?

  • (D) Discretionary Access Control is more flexible than Mandatory Access Control. (correct)

Which access control method allows administrators to set permissions based on specific criteria defined by rules?

  • (D) Rule-Based Access Control (correct)

Which of the following is a network security tool used to identify suspicious activity and alert administrators?

  • (B) Intrusion Detection System (correct)

Which of the following is NOT a corrective control?

  • (C) Security Audits (correct)

What is the concept of 'Defense in Depth' in cybersecurity?

  • (C) Using multiple layers of security to protect systems and data. (correct)

Which of the following is NOT a recommended practice for password management, as per NIST SP800-63B?

  • (D) Passwords should be based on personal information like names or birthdays. (correct)

What is the purpose of the 'Protect' function within the NIST Cybersecurity Framework?

  • (A) Developing and implementing safeguards to prevent vulnerabilities from being exploited. (correct)

Which of the following is an example of a preventative control?

  • (C) Encryption (correct)

What is the most critical component of an incident response plan?

  • (D) Human capital (correct)

Which model of incident response teams is best suited for geographically widespread organizations?

  • (A) Distributed Incident Response Team (correct)

During which phase of the General Incident Response Plan does the organization ensure no further damage occurs?

  • (D) Containment (correct)

What type of event is defined as any intentional or unintentional event with negative consequences on systems?

  • (B) Adverse Event (correct)

Which of the following is NOT a testing method for incident response plans?

  • (C) User Training Sessions (correct)

What does the Mean Time to Repair metric measure in incident response?

  • (D) Time taken to actually fix the problem (correct)

Which organization is known for creating various recovery frameworks besides NIST?

  • (A) ISO (correct)

Which of the following losses would be covered by a cyber insurance policy?

  • (A) Cyber extortion losses (correct)

Which of the following is NOT considered a threat agent in cybersecurity?

  • (B) Algorithmians (correct)

What is the main purpose of a Denial of Service (DoS) attack?

  • (C) To disrupt network operations by flooding the system (correct)

Which of the following attacks involves injecting malicious SQL code to manipulate a database?

  • (B) SQL Injection (correct)

How does a Reverse Shell attack initiate communication?

  • (A) By sending a malicious email that bypasses the firewall (correct)

Which of the following is a characteristic of a brute-force attack?

  • (D) Systematic testing of all possible passwords (correct)

What type of malware installs a copy on a computer's memory and can remain active even after a reboot?

  • (B) Resident Virus (correct)

Which attack uses methods not originally intended for data transmission to communicate?

  • (A) Covert Channels (correct)

What is the main goal of a Social Engineering attack?

  • (B) To manipulate individuals into divulging confidential information (correct)

Which type of attack aims to manipulate application behavior by forcing operations to execute out of order?

  • (B) Race Condition (correct)

Which of the following is an example of spoofing in cybersecurity?

  • (B) Creating a fake email address to impersonate an organization (correct)

Which of the following correctly describes the primary goal of Data Loss Prevention (DLP)?

  • (D) To detect and prevent attempts to transfer sensitive info out of the organization electronically. (correct)

What is the main difference between privacy and confidentiality?

  • (B) Privacy gives individuals control over personal data while confidentiality protects unauthorized access to that data. (correct)

In which way does obfuscation protect sensitive information?

  • (A) By replacing sensitive data with less valuable data. (correct)

What type of encryption uses both a public key for encryption and a private key for decryption?

  • (C) Asymmetric encryption (correct)

What is the purpose of conducting a walk-through in a security context?

  • (C) To evaluate program logic and simulate disaster scenarios. (correct)

Which of the following is NOT a part of a Security Assessment Report (SAR)?

  • (D) Detailed cost analysis (correct)

What does the 're-click rate' measure in phishing simulations?

  • (C) Percentage of employees who click on multiple phishing emails. (correct)

Which type of Data Loss Prevention (DLP) system focuses on endpoint devices?

  • (B) Endpoint-Based DLP (correct)

Which encryption method is often considered the highest form of data protection?

  • (B) Encryption in general (correct)

Which of the following best describes the role of a Security Program Champion?

  • (C) A team member who champions security efforts across departments. (correct)

What is the name of the security protocol that encrypts wireless internet connections between routers, switches, and mobile devices?

  • (B) WiFi Protected Access (WPA) (correct)

Which of the following is NOT a commonly used methodology for threat modeling?

  • (B) NIST (correct)

What is the primary goal of 'system hardening' in cybersecurity?

  • (D) Reducing the number of access points attackers can exploit (correct)

Which of the following cyberattacks targets specific employees within an organization?

  • (A) Spear phishing (correct)

Which of the following is NOT a risk related to cloud computing?

  • (B) Device mismanagement (correct)

What is the primary purpose of a Bring Your Own Device (BYOD) policy?

  • (A) To allow employees to access company data from their personal devices (correct)

Which of the following is a type of social engineering attack that uses a phone call to deceive a victim?

  • (D) Vishing (correct)

What is the purpose of 'Network Segmentation' in cybersecurity?

  • (B) To isolate different parts of the network from each other (correct)

Which of the following is NOT a key component of the COSO Internal Control Framework?

  • (C) Threat Modeling (correct)

Which of the following is a common example of "Device Spoofing" in the context of IoT (Internet of Things) security?

  • (D) Using a fake IoT device to gain access to a network (correct)

What is the primary purpose of "Reconnaissance" in the stages of a cyberattack?

  • (B) Collecting information about the target (correct)

What is the main focus of the "STRIDE" threat modeling methodology?

  • (A) Identifying potential threats and vulnerabilities (correct)

Which of the following is NOT a characteristic of a "Watering Hole Attack"?

  • (D) Adding malicious code to prepackaged software (correct)

What is the main difference between "Phishing" and "Spear Phishing"?

  • (A) Phishing attacks are less sophisticated and less targeted than spear phishing attacks (correct)

Which of the following is a core principle of "Database Hardening"?

  • (C) Assigning different privilege levels between admin users (correct)

What is the primary aim of "Endpoint Hardening" in cybersecurity?

  • (A) Minimizing the attack surface on individual devices (correct)

Flashcards

Hacker

An attacker who exploits system vulnerabilities for malicious purposes.

Adversary

A threat agent that is financially or politically motivated to gain unauthorized access to systems or data.

Denial of Service (DoS)

A type of attack that floods a network with overwhelming traffic, making it unable to respond to legitimate requests.

Man-in-the-Middle (MITM)

An attack where a malicious actor intercepts communication between two parties, impersonating one of them.

Return-Oriented Programming (ROP)

An attack that utilizes existing legitimate code within a system to perform unauthorized actions, often exploiting vulnerabilities.

SQL Injection

A type of attack where an attacker injects malicious SQL code into a website input form to access and manipulate sensitive data.

Cross-Site Scripting (XSS)

A cyberattack where an attacker injects malicious script code into a website to steal user data or hijack their browser.

Mobile Code

A type of malicious code that spreads from computer to computer, infecting applications and potentially causing damage.

Overwrite Virus

A type of mobile code that overwrites or deletes data on a victim's computer.

Multi-Partite Virus

A type of mobile code that uses multiple methods to spread and infect systems.

Worm

A type of malware that spreads to other computers without user interaction, often through email attachments or file-sharing networks.

Trojan Horse

A malicious program disguised as legitimate software, often used to steal personal information or gain access to a system.

Adware

Software designed to display unwanted advertisements on a user's computer.

Spyware

Software that secretly gathers information about a user's activities and transmits it to a third party.

Phishing

A type of social engineering attack that uses fake emails or websites to trick users into revealing sensitive information.

Spear Phishing

A type of phishing attack that targets specific individuals or organizations, using personalized emails or messages.

Business Email Compromise (BEC)

A type of phishing attack that targets high-level executives, attempting to acquire sensitive financial information or authorize fraudulent transactions.

Pharming

A technique that redirects users to fake websites, often to steal their login credentials.

Vishing

A social engineering attack that uses voice calls to deceive victims into revealing sensitive information.

Network Segmentation

The process of controlling network traffic so that it is separated from outside communications.

WiFi Protected Access (WPA)

A security protocol that encrypts wireless internet connections between routers, switches, and mobile devices.

System Hardening

A security measure that reduces risks by minimizing the number of access points a company can be attacked through.

Acceptable Use Policy

A control document that regulates and protects technology resources by assigning varying levels of responsibilities, listing acceptable behaviors, and specifying consequences.

Bring Your Own Device (BYOD) Policy

A policy that allows employees to bring their personal devices (e.g., smartphones, laptops) to work.

Virtual Private Network (VPN)

A secure communications method using encryption protocols to create a virtual private network.

Network Hardening

Securing a network by removing unused ports and blocking unnecessary protocols.

Server Hardening

Securing servers by physically isolating them in a secure facility.

MAC Filtering

Filtering network traffic based on Media Access Control (MAC) addresses, allowing only authorized devices. It uses a list of approved physical or hardware addresses.

Zero Trust

A security principle that assumes no user or device can be trusted by default, even if authenticated.

Least Privilege

Granting users only the minimum level of access required to perform their job, nothing more.

Need to Know

Only providing access to data that an individual requires to perform their job.

Whitelisting

A list of pre-approved applications that are allowed to run on a system. Any application not on the list is blocked.

Context Aware Authentication

Authentication that considers factors like location, time, and device used to access a system.

Digital Signatures

An electronic signature that binds a document to the sender's identity, proving authenticity.

Single Sign-On (SSO)

A single authentication process that allows users to access multiple resources or devices with one set of credentials.

Multi-Factor Authentication

Authentication requiring two or more factors to validate identity, such as a password and a fingerprint scan.

Personal Identification Number (PIN)

A numeric code used for authentication, often associated with a smart card.

Smart Cards

A physical card containing a microprocessor that can process data or execute activities.

Token

A device that generates passcodes for authentication, usually synchronized with time or using an algorithm.

Biometrics

Authentication that uses unique human characteristics, like facial recognition or fingerprints.

Security Assessment - Examination

A systematic process of examining, observing, and reviewing security assessment objectives. It involves scrutinizing documents, analyzing configurations, and assessing the effectiveness of security controls.

Security Assessment - Interviewing

A method used in security assessments to gather information through individual or group discussions with relevant personnel. It helps understand perspectives, practices, and potential risks.

Security Assessment - Testing

A way to determine how a system or device performs compared to its intended security posture. It involves simulating attacks, analyzing logs, and testing security controls against predefined scenarios.

Security Assessment Report (SAR)

A formal document produced after a security assessment, detailing the findings, recommendations, and action plans for addressing security gaps and deficiencies. It serves as evidence of compliance or non-compliance with security objectives.

Determination Statement (SAR)

A statement within a Security Assessment Report (SAR) that clearly conveys whether a particular security control or objective has been met or not. It indicates either 'satisfied' or 'other than satisfied'.

Incident Response Team (SAR)

A dedicated team responsible for responding to security incidents reported in a Security Assessment Report (SAR). They analyze the findings, take appropriate actions, and implement remediation plans.

Phishing Simulation

A simulation designed to educate employees on recognizing and avoiding phishing attacks. This technique involves sending emails that mimic real phishing attempts to gauge employee awareness levels.

Security Program Champions

Individuals within an organization who actively promote and champion security awareness initiatives. They act as ambassadors for security best practices, encouraging employee engagement and understanding.

Tokenization

The process of replacing sensitive data with non-sensitive surrogate values. This helps protect data without compromising functionality, ensuring that sensitive information is not exposed.

Encryption

A technique for protecting data by converting it into an unreadable format. This is a common method for securing data at rest and in transit, making it difficult for unauthorized access.

Incident Response Plan (IRP)

A set of procedures, people, and information used to detect, respond to, and limit the consequences of a cyberattack on an organization.

Incident Response Timeline

A chart that visually represents the timeline of an IRP, showing key events and actions, such as detection, containment, eradication, and recovery.

Tabletop Exercise

A planned event simulating a real-world cyberattack to test an organization's incident response procedures and capabilities.

IRP Metrics

A measurable factor used to evaluate the performance of an IRP, such as the time it takes to detect, contain, and repair a cyberattack.

Cyber Insurance

A type of insurance policy designed to cover financial losses resulting from a cyberattack, such as business interruption, ransom payments, and legal fees.

Containment

The process of identifying and isolating the source of a cyberattack to prevent its spread and further damage.

Eradication

The process of permanently removing the threat and restoring systems to their original state after a cyberattack.

Reporting

Communicating the details of a cyberattack and its resolution to relevant stakeholders, including management, security teams, and law enforcement.

Study Notes

Cybersecurity Threats and Attacks

  • Cybersecurity protects organizational IT infrastructure and data from malicious actors through technology, internal controls, and best practices.
  • Threat agents include attackers, hackers, adversaries (with incentives to hack), government/state-sponsored actors, hacktivists (for social/political causes), insiders, and external threats.

Types of Cyberattacks

  • Network-Based Attacks: Exploit network infrastructure to disrupt operations. Examples include:
    • Backdoors/trapdoors
    • Covert channels
    • Buffer overflows
    • Denial-of-service (DoS) attacks (including DDoS)
    • Man-in-the-middle (MITM) attacks
    • Port scanning
    • Ransomware
    • Reverse shell attacks
    • Replay attacks
    • Return-oriented programming (ROP) attacks
    • Spoofing (including ARP, DNS, and hyperlink spoofing)
  • Application-Based Attacks: Target applications. Examples include:
    • SQL injection
    • Cross-site scripting (XSS)
    • Race conditions
    • Mobile code attacks (overwrite, multi-partite, parasitic, polymorphic, resident viruses)
  • Host-Based Attacks: Focus on individual hosts (laptops, servers, mobile devices). Examples include:
    • Brute-force attacks
    • Keylogger attacks
    • Malware (viruses, worms, Trojans, adware, spyware)
    • Rogue mobile apps
  • Social Engineering Attacks: Manipulate individuals to gain access. Examples include:
    • Phishing (including spear phishing, business email compromise/whaling, and pharming)
    • Pretexting
    • Catfishing
    • Vishing
  • Physical Attacks (On-Premises): Target physical hardware. Examples include:
    • Intercepting discarded equipment
    • Piggybacking
    • Tampering (e.g., rewiring cabling, adding unauthorized devices)
    • Theft
  • Supply Chain Attacks: Target vulnerabilities in software or hardware supply chains. Examples include:
    • Embedded malware
    • Foreign-sourced attacks
    • Pre-installed malware
    • Vendor attacks
    • Watering hole attacks

Stages of a Cyberattack

  • Reconnaissance: Information gathering about the target.
  • Gaining Access: Entering the targeted system through vulnerabilities.
  • Escalation of Privileges: Increasing access levels.
  • Maintaining Access: Remaining in the system.
  • Network Exploitation/Exfiltration: Malicious activity, data theft.
  • Covering Tracks: Removing evidence of intrusion.

Technology-Specific Risks

  • Cloud Computing: Additional industry exposure, malware injection, compliance violations, data loss, loss of control/visibility, multi-cloud/hybrid management, IP theft.
  • Mobile Technologies: Application malware, lack of updates/encryption, physical threats, unsecured Wi-Fi, location tracking.
  • Internet of Things (IoT): Device mismanagement (e.g., not changing defaults), device spoofing, expanded attack surface, cyberattacks, information theft, outdated firmware, malware/network attacks.

Threat Modeling Methodologies

  • PASTA (Process for Attack Simulation and Threat Analysis): Structured approach to simulations.
  • VAST (Visual, Agile, and Simple Threat): Scalable threat analysis.
  • STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service, Elevation of Privilege): Common threat categories.

Security Mitigation Strategies

  • COSO Framework: Business objectives (Operations, Record Keeping, Compliance). Five components of Internal Control (Control environment, Risk Assessment, Information & Communication, Monitoring, Control Activities).
  • Security Policies: Comprehensive guidelines for security implementation. Examples include Acceptable Use Policy, Bring Your Own Device (BYOD) policy, Network Segmentation/Isolation.
  • Security Technologies: VPNs, SSID use, system hardening, MAC filtering.
  • Authentication/Authorization: Zero trust, least privilege, need-to-know, whitelisting. Authentication methods include context-aware, digital signatures, SSO, MFA, PIN, smart cards, tokens, biometrics.
  • Password Management: Recommendations like complexity (length, character types), frequency of changes, and avoiding personal information.
  • Vulnerability management: NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). CVE Dictionary.
  • Layered Security: Combining physical, logical, and administrative controls for defense in depth.

Security Assessment Methods

  • Security Assessment Reports (SARs): Document findings, including summary, methodology, findings, recommendations, and action plans.
  • Security Awareness: Training and awareness programs. Phishing simulations, champions, engagement, materials.

Confidentiality and Privacy

  • Confidentiality vs. Privacy: Confidentiality protects information against unauthorized access or disclosure; privacy protects individuals' rights over their personal data, which individuals themselves control.
  • Obfuscation, Tokenization, Masking, Encryption: Techniques for protecting sensitive data.
  • Data Loss Prevention (DLP): Prevents unauthorized data transfer. Types include network-based, cloud-based, endpoint-based.
  • Safeguards for data at rest: Physical, Digital, Access Controls, Change Management, Backups.
  • Walk-Throughs: Understanding security/privacy procedures. Types such as Read, Structured, and Fire Drills.

Incident Response

  • Incident Response Plan (IRP): Procedures, people, and info for detecting, responding to, and reducing consequences of attacks.
  • Incident Response Timeline: A chart of the IRP showing incident occurrence, detection, containment, eradication, and recovery to normal operations.
  • NIST Response Team Models: Centralized, Distributed, Coordinating.
  • General Incident Response Plan (PDCERRL): Preparation, Detection, Containment, Eradication, Reporting, Recovery, Learning.
  • Testing IRP Plans: Simulations, metrics, post-incident reviews, periodic audits, continuous monitoring.
  • Insurable Losses: Business interruption, extortion, response costs, system replacement, legal fees, reputation damage, information/identity theft.

Description

This quiz explores various types of cybersecurity threats and attacks, including network-based and application-based attacks. Understand the different threat agents and their motivations, as well as the specific tactics used in these cyberattacks. Test your knowledge on how to protect organizational IT infrastructure.