Foundations

Question 1

is the process of **adhering to internal standards and external regulations **and enables organizations to avoid fines and security breaches.

Answer 1

Compliance

Question 2

are guidelines used for building plans to help mitigate risks and threats to data and privacy.

Answer 2

Security frameworks

Question 3

are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.

Answer 3

Security controls

Question 4

an organization’s ability to manage its defense of critical assets and data and react to change.

Answer 4

Security posture

Question 5

is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.

Answer 5

threat actor

Question 6

can be a current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, it’s accidental. For example, an employee who accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the internal threat actor intentionally engages in risky activities, such as unauthorized data access.

Answer 6

internal threat

Question 7

is the practice of keeping an organization’s network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization’s network.

Answer 7

Network security

Question 8

is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Its a growing subfield of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in the cloud.

Answer 8

Cloud security

Question 9

is a process that can be used to create a specific set of instructions for a computer to execute tasks. These tasks can include:

Answer 9

Programming

Question 10

is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

Answer 10

Phishing

Question 11

A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.

Answer 11

Business Email Compromise (BEC)

Question 12

A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.

Answer 12

Spear phishing

Question 13

A form of spear phishing. Threat actors target company executives to gain access to sensitive data.

Answer 13

Whaling

Question 14

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.

Answer 14

Vishing

Question 15

The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Answer 15

Smishing

Question 16

software designed to harm devices or networks. There are many types. The primary purpose of is to obtain money, or in some cases, an intelligence advantage that can be used against a person, an organization, or a territory.

Answer 16

Malware

Question 17

Malicious code written to interfere with computer operations and cause damage to data and software. It needs to be initiated by a user (i.e., a threat actor), who transmits the it via a malicious attachment or file download. When someone opens the malicious attachment or download, it hides itself in other files in the now infected system. When the infected files are opened, it allows it to insert its own code to damage and/or destroy data in the system.

Answer 17

Virus

Question 18

Malware that can duplicate and spread itself across systems on its own. In contrast to a virus, it does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already infected computer to other devices on the same network.

Answer 18

Worms

Question 19

A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access.

Answer 19

Ransomware

Question 20

Malware that’s used to gather and sell information without consent. It can be used to access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and image recordings, and locations.

Answer 20

Spyware

Question 21

a manipulation technique that exploits human error to gain private information, access, or valuables. Human error is usually a result of trusting someone without question. It’s the mission of a threat actor, acting, to create an environment of false trust and lies to exploit as many people as possible.

Answer 21

Social engineering

Question 22

A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.

Answer 22

Social media phishing

Question 23

A threat actor attacks a website frequently visited by a specific group of users.

Answer 23

Watering hole attack

Question 24

A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network.

Answer 24

USB baiting

Question 25

A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.

Answer 25

Physical social engineering

Question 26

An item perceived as having value to an organization

Answer 26

Asset

Question 27

The idea that data is accessible to those who are authorized to access it

Answer 27

Availability

Question 28

The idea that only authorized users can access specific assets or data

Answer 28

Confidentiality

Question 29

A model that helps inform how organizations consider risk when setting up systems and security policies

Answer 29

Confidentiality, integrity, availability (CIA) triad

Question 30

A person who uses hacking to achieve a political goal

Answer 30

Hacktivist

Question 31

A U.S. federal law established to protect patients’ health information

Answer 31

Health Insurance Portability and Accountability Act (HIPAA)

Question 32

The idea that the data is correct, authentic, and reliable

Answer 32

Integrity

Question 33

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Answer 33

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF

Question 34

The act of safeguarding personal information from unauthorized use

Answer 34

Privacy protection

Question 35

Information that relates to the past, present, or future physical or mental health or condition of an individual

Answer 35

Protected health information (PHI)

Question 36

A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Answer 36

Security architecture

Question 37

Safeguards designed to reduce specific security risks

Answer 37

Security controls

Question 38

Guidelines for making appropriate decisions as a security professional

Answer 38

Security ethics

Question 39

Guidelines used for building plans to help mitigate risk and threats to data and privacy

Answer 39

Security frameworks

Question 40

Practices that help support, define, and direct security efforts of an organization

Answer 40

Security governance

Question 41

A specific type of PII that falls under stricter handling guidelines

Answer 41

Sensitive personally identifiable information (SPII)

Question 42

4 Core components Security Frameworks

Answer 42

Goals, Guidelines, Processess, communication

Question 43

An item perceived as having value to an organization

Answer 43

Asset

Question 44

The idea that data is accessible to those who are authorized to access it

Answer 44

Availability

Question 45

The process of adhering to internal standards and external regulations

Answer 45

Compliance

Question 46

The idea that only authorized users can access specific assets or data

Answer 46

Confidentiality

Question 47

A model that helps inform how organizations consider risk when setting up systems and security policies

Answer 47

Confidentiality, integrity, availability (CIA) triad

Question 48

A person who uses hacking to achieve a political goal

Answer 48

Hacktivist

Question 49

A U.S. federal law established to protect patients’ health information

Answer 49

Health Insurance Portability and Accountability Act (HIPAA)

Question 50

The idea that the data is correct, authentic, and reliable

Answer 50

Integrity

Question 51

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Answer 51

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF)

Question 52

The act of safeguarding personal information from unauthorized use

Answer 52

Privacy protection

Question 53

Information that relates to the past, present, or future physical or mental health or condition of an individual

Answer 53

Protected health information (PHI)

Question 54

A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Answer 54

Security architecture

Question 55

Safeguards designed to reduce specific security risks

Answer 55

Security controls

Question 56

Guidelines for making appropriate decisions as a security professional

Answer 56

Security ethics

Question 57

Guidelines used for building plans to help mitigate risk and threats to data and privacy

Answer 57

Security frameworks

Question 58

Practices that help support, define, and direct security efforts of an organization

Answer 58

Security governance

Question 59

A specific type of PII that falls under stricter handling guidelines

Answer 59

Sensitive personally identifiable information (SPII)

Question 60

A record of events that occur within an organization’s systems

Answer 60

Log

Question 61

A tool designed to capture and analyze data traffic within a network

Answer 61

Network protocol analyzer (packet sniffer

Question 62

A sequence outlining the order of data that must be preserved from first to last

Answer 62

Order of volatility

Question 63

A process that can be used to create a specific set of instructions for a computer to execute tasks

Answer 63

Programming

Question 64

The process of properly working with fragile and volatile digital evidence

Answer 64

Protecting and preserving evidence

Question 65

An application that collects and analyzes log data to monitor critical activities in an organization

Answer 65

Security information and event management (SIEM)

Question 66

A query language used to create, interact with, and request information from a database

Answer 66

SQL (Structured Query Language)

Question 67

Security and Risk Management

Answer 67

Security, Risk, compliance, law regulations, business continuity

Question 68

Asset Security

Answer 68

Protecting security of assets

Question 69

Security Engineering

Answer 69

Engineering and management of security

Question 70

Communications and Newtork Security

Answer 70

Designing and protecting network security

Question 71

Identity and Access Managment

Answer 71

controlling access and managing idenitity

Question 72

Security Assessement and Testing

Answer 72

Desiging, performing, and analyzing security testing

Question 73

Security Operations

Answer 73

Foundational concepts, investigations, incident management,

Question 74

Software Develpment Security

Answer 74

understanding, applying and enforcing software security