Domain 7 Flashcards

1
Q

Allowed Listing

A

These systems also alert designated IT security personnel if the attempt involves a resource not on a pre-approved list. Standalone security tools and integrated systems which provide these capabilities are now starting to incorporate anti-malware processes as part of their offerings; similarly, anti-malware products have begun to incorporate these blocked listing/allowed listing management and use capabilities. (In this course, “blocked list” and “allowed list” replace “blacklist” and “whitelist.”)

2
Q

Alternate Site

A

A general term for a contingency or continuity of operations (COOP) site used to assume system or organizational operations in the event that the primary site is not usable for a period of time.

3
Q

Backup

A

A copy of files and programs made to facilitate recovery, if necessary.

4
Q

Baseline

A

The total inventory of all of a system’s components, including hardware, software, data, administrative controls, documentation or user instructions. Types of baselines include: Enumerated baselines, which are inventory lists generated by systems cataloging, discovery and enumeration tools. Configuration baselines, which have a revision or version identifier associated with each configuration item (CI). Build or deployment baselines, which are configuration baselines for instances of a system being built for a specific purpose (such as security assessment) or environment (such as production or delivery to end users). Security baselines, which associate the minimum acceptable set of security controls with each CI within a configuration baseline. Modification, update or patch baselines, which are subsets of a total system baseline; these would contain only those CIs which have been modified.

5
Q

Baselining

A

Creating a total inventory of a system, component by component, part by part.

6
Q

Blocked Listing and Allowed Listing

A

Use of lists of blocked or allowed identities, whether as users, URLs, URIs, web addresses, IP addresses, geographic regions, hardware addresses, files or programs, as a means of controlling (prohibiting or permitting) their access, use or attempt to load and execute.

7
Q

Change Management

A

The formal process an organization uses to transition from the current state to a future state. This typically includes mechanisms to request, evaluate, approve, implement, verify and learn from the change.

8
Q

Configuration Item

A

An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process. Item or aggregation of hardware, software, or both, which is designated for configuration management and treated as a single entity in the configuration management process.

9
Q

Configuration Management (CM)

A

A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing and monitoring the configurations of those products and systems throughout the system development lifecycle.

10
Q

Cyber Forensics

A

The practice of gathering, retaining and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

11
Q

Disaster Recovery

A

The ability to provide IT services following an interruption, often at an alternate location.

12
Q

Disruption

A

An unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network or equipment or facility damage or destruction).

13
Q

Egress Monitoring

A

Monitoring the flow of information out of an organization’s control boundaries.

14
Q

Entity

A

Any form of user, such as a hardware device, software daemon, task, processing thread or human, which is attempting to use or access system resources. Endpoint devices, for example, are entities that human (or nonhuman) users make use of in accessing a system. Entities should be subject to access control and accounting. See also User and Entity Behavior Analytics.

15
Q

Eradication

A

In incident response, the activities which remove the cause of the incident from the environment. This often requires the use of a formal root cause analysis process.

16
Q

Event

A

Any observable occurrence in a network or system.

17
Q

False Positive

A

Incorrectly classifying a benign activity, system state or configuration as malicious or vulnerable.

18
Q

Forensics, Cyber Forensics

A

The examination of evidence related to suspected criminal activity. Cyber forensics refers to investigations of such activities involving information systems.

19
Q

Full Backup

A

Copies the entire system to backup media.

20
Q

Hackback

A

Actions taken by a victim of hacking to compromise the systems of the alleged attacker.

21
Q

Hardening

A

The process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems and software, including the operating system, web server, application server and application. Hardening is normally performed based on industry guidelines and benchmarks such as those provided by the Center for Internet Security (CIS).

22
Q

Heuristics

A

A method of machine learning which identifies patterns of acceptable activity so that deviations from those patterns can be identified.

23
Q

Honeypots/ Honeynets

A

Machines that exist on the network but do not contain sensitive or valuable data; they are meant to distract and occupy malicious attackers or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together in a network or subnet, are referred to as a honeynet.

24
Q

Hot Site

A

A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.

25
Q

Incident

A

An event which actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

26
Q

Incident Response

A

The mitigation of violations of security policies and recommended practices.

27
Q

Indicator

A

A technical artifact or observable occurrence that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred.

28
Q

Indicators of Compromise (IoC)

A

A signal that an intrusion, malware or other predefined hostile or hazardous set of events is occurring or has occurred.

29
Q

Information Security Continuous Monitoring (ISCM)

A

Maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions. [Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.] Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance, and within a reporting structure designed to make real-time, data-driven risk management decisions.

30
Q

Information Sharing and Analysis Center (ISAC)

A

Any entity or collaboration created or employed by public- or private-sector organizations, for purposes of gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, to ensure their availability, integrity and reliability.

31
Q

Intrusion

A

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.

32
Q

Intrusion Detection System (IDS)

A

A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

33
Q

Intrusion Prevention Systems (IPS)

A

A security service that uses available information to determine if an attack is underway; it then sends alerts, but also blocks the attack from reaching its intended target.

34
Q

Log

A

A record of actions and events that have taken place on a computer system.

35
Q

Patch

A

A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.

36
Q

Patch Management

A

The systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes and service packs.

37
Q

Precursor(s)

A

Signals from events that suggest a possible change of conditions (internal or external to the organization) may alter the current threat landscape. An increase in tensions in the local political or social environment, or complaints or grievances by employees or customers going viral in social media, are examples of precursors.

38
Q

Provisioning

A

Taking a particular configuration baseline, making additional or modified copies of it, then taking steps as necessary to properly place those copies into the environments they should belong in.

39
Q

Ransom Attack

A

Any form of attack which threatens the destruction, denial or unauthorized public release or remarketing of private information assets. It usually involves encrypting these assets and withholding the decryption key until the ransom is paid by the victim.

40
Q

Ransomware

A

Malware used for the purpose of facilitating a ransom attack.

41
Q

Recovery

A

The process of jointly addressing business resiliency and restoration of critical infrastructure and functionality after a disruption.

42
Q

Regression Testing

A

Testing of a system to ascertain whether recently approved modifications have changed its performance of other approved functions or have introduced other unauthorized behaviors.

43
Q

Remediation

A

Changes to a system’s configuration to immediately limit or reduce the chance of reoccurrence of an incident. This might include updating the sensitivities, thresholds or alarm settings on any number of security controls, or instituting a rapid reset of access controls information such as passwords and security challenge responses.

44
Q

Request for Change (RFC)

A

The documentation of a proposed change in support of change management activities.

45
Q

Root Cause Analysis

A

A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks or incidents.

46
Q

Sandbox

A

A testing environment that is logically, physically or virtually isolated from other environments, and in which applications or systems can be evaluated. Sandboxes can be used as part of development, integration or acceptance testing (so as to not interact with the production environments), as part of malware screening, or as part of a honeynet.

47
Q

Threat Intelligence

A

Threat information that has been aggregated, transformed, analyzed, interpreted or enriched to provide the necessary context for decision-making processes.

48
Q

User and Entity Behavior Analytics (UEBA)

A

Analysis of behaviors and activities of human and nonhuman users, and of the software and hardware entities associated with those users and activities, as a way of detecting inappropriate or unauthorized activity, including fraud detection, malware and insider attacks.

49
Q

Vulnerability Management

A

The activities necessary to identify, assess, prioritize and remediate information system weaknesses.